There are lots of ways to structure your network to protect
your systems using a firewall.
If you have a dedicated connection to the Internet through
a router, you could plug the router directly into your firewall
system. Or you could go through a hub, which lets you place
full-access servers outside your firewall.
You may be using a dialup service like an ISDN line. In
this case you might use a third network card to provide
a filtered DMZ. This gives you full control over
your Internet services and still separates them from your
regular network.
                          __________
   _/\__/\_              |          |          _______________
  |        |             | Firewall |  (LAN)  |               |
 / Internet \------------|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/            |__________|    |    |_______________|
   \/ \/ \/                              |
                                       (DMZ)
                                       (HUB)
There may be a router or cable modem between you and the
Internet. If you own the router you can set up some hard
filter rules in it. If the router is owned by your ISP,
you may not have the needed controls; you can ask your ISP
to put in filters.
                          _________           __________
   _/\__/\_              | Router  |         |          |          _______________
  |        |             |   or    |  (DMZ)  | Firewall |  (LAN)  |               |
 / Internet \------------|Cable Mdm|--(HUB)--|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/            |_________|    |    |__________|         |_______________|
   \/ \/ \/                             |
                                    (Outside)
                                    (Server)
If you need to monitor where users of your network are
going and your network is small, you can integrate a proxy
server into your firewall. ISPs sometimes do this to build
interest lists of their users to resell to marketing agencies.
                          __________
   _/\__/\_              |  Proxy / |          _______________
  |        |             | Firewall |  (LAN)  |               |
 / Internet \------------|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/            |__________|         |_______________|
   \/ \/ \/
You can put the proxy server on your LAN as well. In this
case the firewall should have rules that only allow the proxy
server to connect to the Internet, and only for the services it
is providing. This way the users can get to the Internet only
through the proxy.
                          __________
   _/\__/\_              |          |          _______________
  |        |             | Firewall |  (LAN)  |               |
 / Internet \------------|  System  |--(HUB)--| Workstation/s |
 \_  _  _  _/            |__________|    |    |_______________|
   \/ \/ \/                              |     ______________
                                         |    |              |
                                         +----| Proxy Server |
                                              |______________|
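As an added example (not from the HOWTO), here is what the "proxy only" rule set for the layout above looks like on a Linux firewall using iptables. The interface names, addresses and proxy ports are assumed values; the script prints the rules for review and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: forward traffic ONLY from the proxy host to the Internet.
# Assumed values (not from the HOWTO): interfaces, addresses and proxy ports.
EXT_IF="eth0"             # interface facing the Internet
LAN_IF="eth1"             # interface facing the LAN hub
LAN_NET="192.168.1.0/24"  # LAN address range (constructed)
PROXY_IP="192.168.1.10"   # the proxy server on the LAN (constructed)
PROXY_PORTS="80 443"      # services the proxy provides (constructed)

# Print the iptables commands instead of running them, so the rule set can be
# reviewed (or tested) before it touches the firewall.
emit_rules() {
    # Default deny: nothing crosses LAN <-> Internet unless a rule allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections the proxy opened are allowed back in.
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the proxy host may open connections outward, and only on its ports.
    for port in $PROXY_PORTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $PROXY_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # The proxy uses a private address, so masquerade it on the outside interface.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $PROXY_IP -j MASQUERADE"
    # Anything else from the LAN toward the Internet is logged, then dropped:
    # a workstation trying to bypass the proxy shows up under this log prefix.
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j LOG --log-prefix 'proxy-bypass: '"
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j DROP"
}

# Number of outbound ACCEPT rules; must equal the number of proxy ports,
# i.e. no rule ever accepts the LAN as a whole.
count_outbound_accepts() {
    emit_rules | grep -c -- "-s $PROXY_IP .* -j ACCEPT"
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | sh -e    # run as root to apply the rules
else
    emit_rules
fi
```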
If you are going to run a service like YAHOO or maybe SlashDot,
you may want to build your system using redundant routers
and firewalls. (Check out the High Availability HowTo.)
By using round-robin DNS to provide access to multiple
web servers from one URL, together with multiple ISPs,
routers and firewalls using High Availability techniques,
you can create a 100% uptime service.
   _/\__/\_                                       _/\__/\_
  |        |                                     |        |
 / ISP #1   \______                  (WAN)______/ Partners \
 \_  _  _  _/      |                 (HUB)      \_  _  _  _/
   \/ \/ \/        |                   |          \/ \/ \/
                 __|___           _____|____
   _/\__/\_     |      |         |          |          ______
  |        |    |Router|  (DMZ)  | Firewall |  (LAN)  |      |
 / ISP #2   \---|      |--(HUB)--|  System  |--(HUB)--| WS/s |
 \_  _  _  _/   |______|    |    |  (VPN)   |    |    |______|
   \/ \/ \/                 |    |__________|    |     ______
                            |         |         |    |      |
                ______      |     (Shared)      +----|Proxy |
               |      |     |     (Server)           |______|
               | WS/s |     |
               | VPN  |-----+---(Outside)
               |______|          (Server)
It is easy to let your network get out of hand. Keep control
of every connection. It only takes a user with a modem to
compromise your LAN.