Nowadays understanding the data control from/to internal-external traffic is pretty much compulsary. Today I will try to explain this as detailed as I can. First of all how one enterprise traffic architecture looks like?
So .. we have external server/data center connected to a router which is leading to the internal servers/data center.
The arrows show that the traffic flow is passing freely (you can zoom the pictures by clicking on them). This is why we need to secure and to filter the incoming traffic. Usually the outcome is not a problem, let’s say never. But the real threat is the income.
The best practise in my opinion is putting two firewalls – internal and external + DMZ. The drama is where to put the DMZ? In this case we will design our topology with INTERNAL DMZ. Reasons why I choose this:
- traffic from the external and untrusted source passes through two firewalls thus meeting the intention of dual firewalls.
- traffic to the internal network is always more complicated, and has more flows. Consider all of the administration traffic to the servers in the DMZ. Therefore, passing internal traffic through a single firewall reduces the cost of ownership by reducing the numbers rules needed in the firewalls.
- its easier to understand. Because all external flows pass through the external firewalls, it is consistent with operational troubleshooting.
This is only one way for protecting an enterprise network. Later we will review DMZ bridge, external firewall DMZ, DMZ between the firewalls and so on. I will try to explain all the cases but I must note that for me this is the best practise.