Single-Firewall Architectures

There are two predominant firewall architectures, the single-firewall and dual-firewall architectures. The single-firewall architecture is simpler because it relies on the use of a single firewall device with which to filter and control the flow of traffic. If you elect to go with a single firewall for your firewall implementation, you can choose from a few different designs:

- Internet firewall with a single DMZ
- Internet firewall with multiple DMZs
- Internet-screening firewall (no DMZ)

Internet Firewall with a Single DMZ

The Internet firewall with a single DMZ is the most common firewall architecture because it lends itself to being an all-around, general-purpose architecture. With this architecture, the firewall has three interfaces: an internal interface that is connected to the protected network, an external interface that is connected to the Internet, and a DMZ interface that is connected to a screened subnet upon which reside the servers and systems that external users need to access. Because the resources on the DMZ segment have to go through the same interface to access both internal and external resources, this architecture is frequently referred to as a DMZ-on-a-stick architecture.

In this architecture, traffic flow is controlled in three directions. Traffic from Internet-based systems is permitted only to resources on the DMZ segment. Internet-based systems can never directly access resources on the internal network. Traffic from DMZ-based systems is permitted both to the Internet as well as to internal resources. In this fashion, the DMZ resources can frequently serve as a proxy in the event that data that resides on the internal network is required by the external system. Finally, traffic from the internal network is permitted to the DMZ as well as to the external network.
In all situations, the only traffic that should be allowed is traffic that is explicitly permitted by a corresponding access control list (ACL). Figure 9-1 illustrates a .
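The three-direction policy and the explicit-permit rule above can be made concrete as an ordered ACL over the firewall's three zones. The following Python model is an added example, not code from the page or from any firewall vendor: the address ranges, ports and rule comments are constructed for illustration, and the functions `zone_of`, `evaluate` and `internet_to_internal_permits` are hypothetical names. It evaluates a flow against the ACL top to bottom with an explicit default deny, and it includes the audit a reviewer would run on such a policy: confirming that no entry ever permits Internet-originated traffic straight into the internal network.

```python
"""Policy model for an Internet firewall with a single DMZ (DMZ-on-a-stick).

Added example: three zones (internal, dmz, internet), an ordered ACL with an
explicit default deny, and an audit that no entry permits Internet -> internal.
All addresses, ports and comments are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: the protected network and the screened subnet.
# Any address outside these is treated as arriving on the external interface.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "internal", "dmz", "internet" or "any"
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "deny"
    comment: str = ""


# Ordered ACL, evaluated top to bottom; the first matching entry wins.
ACL = [
    # Internet -> DMZ: only the services deliberately published there.
    Rule("internet", "dmz", "tcp", 443, "permit", "public web tier"),
    Rule("internet", "dmz", "tcp", 25, "permit", "inbound mail relay"),
    # DMZ -> internal: only what the DMZ proxies need, never blanket access.
    Rule("dmz", "internal", "tcp", 1433, "permit", "web tier to internal database"),
    # DMZ -> Internet, internal -> DMZ and internal -> Internet, as described.
    Rule("dmz", "internet", "any", None, "permit", "DMZ hosts to the Internet"),
    Rule("internal", "dmz", "any", None, "permit", "internal users to DMZ services"),
    Rule("internal", "internet", "any", None, "permit", "internal users to the Internet"),
    # Explicit default deny: anything not listed above is dropped.
    Rule("any", "any", "any", None, "deny", "default deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface (zone) it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _match(rule: Rule, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
    """True if the rule's zone, protocol and port fields cover this flow."""
    return (
        rule.src_zone in ("any", src_zone)
        and rule.dst_zone in ("any", dst_zone)
        and rule.proto in ("any", proto)
        and rule.dst_port in (None, dst_port)
    )


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, comment) for the first ACL entry that matches the flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in ACL:
        if _match(rule, src_zone, dst_zone, proto, dst_port):
            return rule.action, rule.comment
    # Reached only if the explicit default deny has been removed from the ACL.
    return "deny", "implicit deny"


def internet_to_internal_permits(acl=ACL):
    """Audit: entries that would let Internet traffic reach the internal network directly."""
    return [
        r for r in acl
        if r.action == "permit"
        and r.src_zone in ("any", "internet")
        and r.dst_zone in ("any", "internal")
    ]


if __name__ == "__main__":
    # Constructed flows, one per direction discussed in the text.
    flows = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: permit
        ("203.0.113.7", "10.1.2.3", "tcp", 443),     # Internet -> internal: deny
        ("192.0.2.10", "10.1.2.3", "tcp", 1433),     # DMZ -> internal database: permit
        ("192.0.2.10", "10.1.2.3", "tcp", 22),       # DMZ -> internal SSH: deny
        ("10.1.2.3", "192.0.2.10", "tcp", 22),       # internal -> DMZ: permit
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    print("entries permitting Internet -> internal:", internet_to_internal_permits())
```

The model deliberately keeps the DMZ-to-internal entries narrow (one database port rather than "any"), because that direction is the one an exposed DMZ host would use to pivot inward; the audit function is the kind of check worth running whenever the ACL changes, since a single overly broad "any/any permit" silently breaks the architecture's core guarantee. Real firewalls additionally track connection state, so return traffic for permitted sessions does not need its own entry; the model covers policy intent only.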