
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 2: Designing Perimeter Networks
issue should be obvious: the firewall should be allowed to use all its available resources for inspecting and moving packets.

Furthermore, even a painstakingly well-configured and patched application can have unpublished vulnerabilities. (All vulnerabilities start out unpublished.) The ramifications of such an application being compromised on a firewall are frightening. Performance and security, therefore, are impacted when you run any service on a firewall.

Where, then, to put public services so that they don’t directly or indirectly expose the internal network and don’t hinder the firewall’s security or performance? Answer: in a DMZ (demilitarized zone) network.
The “Three-Homed Firewall” DMZ Architecture
At its simplest, a DMZ is any network reachable by the public but isolated from one’s internal network. Ideally, however, a DMZ is also protected by the firewall. Figure 2-2 shows my preferred firewall/DMZ architecture.

In Figure 2-2, we have a three-homed host as our firewall. Hosts providing publicly accessible services are in their own network with a dedicated connection to the firewall, and the rest of the corporate network faces a different firewall interface. If configured properly, the firewall uses different rules in evaluating ...
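The following is an added example, not code from the book: a small model of the per-interface policy a three-homed firewall enforces between the three zones of Figure 2-2, to make concrete why a compromised DMZ host gains no path into the internal network. Interface names, zone names and port sets are assumptions chosen for illustration.

```python
# Added example (not from the book): a minimal model of the per-interface
# policy a three-homed firewall enforces between its three zones.
# Interface names, zone names and port sets below are assumptions.
from dataclasses import dataclass

# Which interface faces which zone (assumed layout of the three-homed host).
ZONES = {"eth0": "internet", "eth1": "dmz", "eth2": "internal"}

@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the packet arrived on
    out_iface: str    # interface it would be forwarded out of
    dport: int        # destination TCP port
    new: bool = True  # True for a new connection, False for a reply in an existing one

# (from_zone, to_zone, ports allowed for NEW connections); first match wins.
# Replies to already-accepted connections are allowed regardless of direction.
POLICY = [
    ("internet", "dmz",      {80, 443}),      # public may reach only the DMZ's services
    ("internal", "dmz",      {22, 80, 443}),  # admins manage DMZ hosts from inside
    ("internal", "internet", None),           # None = any port: ordinary outbound use
    ("dmz",      "internet", {53, 123}),      # DMZ hosts need DNS and NTP, nothing else
    # No rule lets "dmz" reach "internal": a compromised DMZ host gets no path inside.
    # No rule lets "internet" reach "internal" at all.
]

def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for a forwarded packet under the three-zone policy."""
    src, dst = ZONES[pkt.in_iface], ZONES[pkt.out_iface]
    if src == dst:
        return "DROP"      # a three-homed box never forwards back into the same zone
    if not pkt.new:
        return "ACCEPT"    # stateful: replies follow a flow that was already accepted
    for from_zone, to_zone, ports in POLICY:
        if (from_zone, to_zone) == (src, dst) and (ports is None or pkt.dport in ports):
            return "ACCEPT"
    return "DROP"          # default deny for everything the policy does not list

def zones_reachable_from(zone: str) -> set:
    """Zones a host in `zone` can open new connections into: its blast radius if compromised."""
    return {to for frm, to, _ in POLICY if frm == zone}

if __name__ == "__main__":
    print(decide(Packet("eth0", "eth1", 443)))   # public web hit on the DMZ: ACCEPT
    print(decide(Packet("eth1", "eth2", 22)))    # DMZ host trying SSH inward: DROP
    print(zones_reachable_from("dmz"))           # {'internet'}
```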