The Firewall System
To paraphrase Shrek, the network perimeter is like an onion; it has lots of layers.

Historically, a firewall has always been considered a device. It exists on the network perimeter (in many cases it is the network perimeter) and is wholly responsible for controlling traffic entering and exiting a protected network. This philosophy is antiquated and no longer relevant. Instead, a firewall should no longer be considered a device but a system of devices that work in concert to control the flow of traffic into and out of a protected network. In doing so, the firewall system implements a layered design that eliminates the reliance on any one device to do all the filtering. This has the effect of eliminating many of the single points of failure that exist in traditional, firewall-device-based implementations.

The firewall system layers depend on whether a single- or dual-firewall architecture has been implemented.

Single-Firewall System

With a single-firewall architecture, the firewall system consists of the following layers:

- External router
- Network segment between the external router and the firewall
- DMZ segment

Figure 9-4 depicts this architecture.

[Figure 9-4. Single-Firewall System]

At the outermost layer of the firewall system, the external router should be the first point of control of traffic entering (ingress filtering) and exiting (egress filtering) your network. The only traffic that should be allowed to traverse the router is traffic destined for the firewall or resources being protected by the firewall. This serves two purposes. First, it makes it easier to monitor the traffic on the segment between the router and the firewall, because only traffic that should be delivered to the firewall should exist on that segment. Second, it protects the firewall from any nonpermitted traffic, thus helping to ensure that if, for some reason, the firewall is vulnerable to an exploit based on that nonpermitted traffic, it is stopped by the .
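As an added illustration (not from the original text), the following Cisco IOS configuration shows how the external-router layer described above can be implemented: inbound, only traffic destined for the firewall's outside address or the DMZ it protects is permitted; outbound, only traffic sourced from those addresses may leave; everything else is dropped and logged. The interface names and the addresses used (ISP link 198.51.100.0/30, router-to-firewall segment 203.0.113.0/29 with the firewall at 203.0.113.2, DMZ 203.0.113.64/27) are assumptions for the example.

```cisco
! Assumed addressing for this example (not from the original text):
!   ISP link:                    198.51.100.0/30 (router outside address 198.51.100.2)
!   Router-to-firewall segment:  203.0.113.0/29  (router 203.0.113.1, firewall outside 203.0.113.2)
!   DMZ segment behind firewall: 203.0.113.64/27
!
! Ingress filtering: only traffic destined for the firewall or the resources it
! protects may cross the router. Anything else is dropped here and logged, so it
! never reaches the firewall and never appears on the router-firewall segment.
ip access-list extended OUTSIDE-IN
 remark Traffic to the firewall's outside address (incl. replies to NATed inside hosts)
 permit ip any host 203.0.113.2
 remark Traffic to resources protected by the firewall (DMZ)
 permit ip any 203.0.113.64 0.0.0.31
 remark Nothing else belongs on the router-firewall segment
 deny ip any any log
!
! Egress filtering: only traffic sourced from the firewall or the DMZ may leave.
ip access-list extended OUTSIDE-OUT
 permit ip host 203.0.113.2 any
 permit ip 203.0.113.64 0.0.0.31 any
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside: link to the ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
interface GigabitEthernet0/1
 description Inside: segment between the external router and the firewall
 ip address 203.0.113.1 255.255.255.248
!
! The DMZ sits behind the firewall, so it is reached via the firewall's outside address.
ip route 203.0.113.64 255.255.255.224 203.0.113.2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Because both lists end in a logging deny, any hit on them is a direct indicator of nonpermitted traffic arriving at the outermost layer, which is the monitoring benefit the text describes.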