Where Should Firewalls Be Placed In A Business Network?
Enterprise Firewalls: A Guide To Placement In Business Networks
Firewalls are an essential component of any business network. They act as a filter between the network and any external traffic, serving as the first line of defense against outside threats.
Enterprise firewall configuration, however, is a bit more complicated than working with standard consumer-grade firewalls. Unlike personal firewalls, which run as software alongside the host operating system, business firewalls run on a dedicated machine somewhere in the network. This means that the placement of a business firewall within network topology matters far more.
What Can Enterprise Firewalls Do For A Business Network?
An enterprise firewall may take the form of a router with firewall features, or a dedicated firewall device that connects to the network. At their most basic, enterprise firewalls prevent untrusted traffic from making their way to the machines on a network.
For example, if a company hosts its website on its own network, then the firewall will allow outside traffic to-and-from the company website servers but will block unauthorized traffic to and from internal computers with sensitive data. This functionality can help prevent hackers from stealing company data and can stop the spread of malware that replicates across company networks.
Firewalls can also help prevent denial-of-service (DoS) attacks. This is especially true of firewalls with “stateful inspection” features that allow them to analyze traffic in real-time – they’ll be able to see trends and patterns in traffic, and adjust settings accordingly. By mitigating the impact of DoS attacks, firewalls can help ensure business continuity even during a major cyberattack.
With the right setup, a business can create a so-called demilitarized zone (DMZ), or a zone within the company network that contains public-facing services. The DMZ may contain mail, FTP, and VoIP servers, as well as the company website.
Many larger business networks implement multiple firewalls in their network, creating a variety of “zones” of access, such as multiple demilitarized zones and zones of varying access levels. This sort of zoning can help keep the business network alive and quarantine malware that is spreading.
How Does This Translate To Network Topology?
All external traffic must pass through the firewall before it reaches the network. Logically, this means that the firewall should be placed between the internet and the network.
One of the most basic configurations would be a router that connects to a wide area network (WAN), then a firewall that connects to the router, filtering all traffic before distributing it throughout the network. For additional security, you can opt to run the router’s onboard firewall features before sending it to the firewall, though you may incur a performance hit.
It’s not difficult to create a demilitarized zone using this setup. The firewall would be connected to the WAN, the DMZ, and the company network. Traffic to the internal network would be isolated from traffic to the DMZ using the firewall’s security policies. The problem with this configuration is that only one device handles traffic filtering – if it’s compromised for any reason, then the internal network can be compromised as well.
A more secure approach would be to use a configuration with two firewalls. In this case, the first firewall is the outermost device, and becomes known as the “perimeter firewall.” It connects to the WAN as normal and sends traffic to the DMZ network. Then, a second router, the internal firewall, receives internal traffic passing through the DMZ and filters it into the internal network.
The latter approach is even more secure if firewalls from different vendors are used. This way, a security flaw in one device can’t be exploited for both devices.
Types Of Business Firewalls
There are different types of firewalls, each with their own purpose in a network.
These simple firewalls inspect the headers of every network packet, checking for their origin and destination. They have excellent performance and consume few resources, but are trivial to bypass and can be overwhelmed by DoS attacks.
Similar firewalls, known as circuit-level gateways, inspect the legitimacy of the TCP handshake rather than the headers of each packet. They’re also fairly simplistic and easy to circumvent, but also run very efficiently.
These are more complex firewalls that analyze the content of packets, not just the header. By analyzing the protocols that the packets use, they can more effectively filter packets and control access from different types of traffic.
Stateful inspection gateways can analyze traffic at several levels, and even use insight gathered over time to make filtering decisions. They’re highly advanced and can prevent a wider array of threats than the other firewall types, but they’re also resource-intensive.
Ensuring Your Network Security
Looking to set up a secure business network with the right firewall infrastructure? Contact Network Coverage now for a free consultation and we can discuss how to meet your needs.