Using firewalls to separate internal networks

Internal networks are mixed environments with servers and end-user computers. Firewalls restrict traffic between the different internal networks, but traffic within each network is often not secured in any significant way.

Table 1. Internal network considerations for firewalls

Main purpose
  Description: Network services and connectivity for authorized end users, and back-end servers that serve other networks and user groups. Internal networks carry confidential data but can be permissive about traffic within the network.
  Implications on Firewalls: Firewalls can control access between different internal networks to enforce different security levels and prevent some types of network threats.

Hosts
  Description: Mixed environment consisting of servers, laptops, desktops, network printers, and copiers. The network communications of servers and end-user computers differ in characteristics. Hosts can be actively maintained and patched to reduce some types of risk.
  Implications on Firewalls: Access between networks can be restricted based on the type of host. Firewall logs provide a record of network use, and alerts can be configured for unusual connection attempts.

Users
  Description: Authorized personnel. Users can be considered trusted, but on various levels.
  Implications on Firewalls: The Firewall authenticates users for access between internal networks that have different security levels.

Traffic volume
  Description: Varies from low to high. Highest at network choke points in large environments.
  Implications on Firewalls: Installation at network choke points often requires high-performance hardware. Clustering can provide load balancing and high availability in critical locations.

Traffic type
  Description: Diverse, with many different applications communicating within the network and in and out of it.
  Implications on Firewalls: The Firewall policy must balance users' demands for a wide range of different services against the need to keep the internal networks safe. Advanced inspection features further inspect permitted communications.

Network security
  Description: A "trusted network" where the users and the traffic are considered to be authorized.
  Implications on Firewalls: The Firewall establishes boundaries between networks to protect sensitive data and essential services. Availability of network services sometimes takes priority over security.
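The following Python example is added here to show, in working code, how the points in Table 1 combine in a segmentation policy: access between internal networks is decided by host type (zone) rather than by individual host, a higher-security hop requires an authenticated user, denied connections are logged, and alerts fire on unusual connection attempts. It is an illustration written for this page, not code from the original document or from any firewall product; the zones, the rules, the port numbers and the sample flows are all constructed assumptions.

```python
"""Added example: a minimal first-match policy evaluator that models how a firewall
segments internal networks by zone (host type), requires user authentication for
access between security levels, logs denied connections and raises alerts on
unusual connection attempts. All zones, rules and flows below are constructed for
illustration; they are not taken from the original page or from any product."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones: internal networks grouped by host type (assumed addressing).
ZONES = {
    "user_lan":   ip_network("10.10.0.0/16"),   # laptops, desktops
    "server_lan": ip_network("10.20.0.0/16"),   # back-end servers
    "printers":   ip_network("10.30.0.0/24"),   # printers and copiers
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "any"
    dports: frozenset           # empty = any destination port
    action: str                 # "allow" or "deny"
    require_auth: bool = False  # only a flow with an authenticated user may match
    log: bool = True

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    user: Optional[str] = None  # identity if the firewall authenticated the user

# Constructed policy: first match wins; anything unmatched is denied and logged.
POLICY = [
    Rule("user_lan", "server_lan", "tcp", frozenset({443, 445}), "allow"),
    Rule("user_lan", "server_lan", "tcp", frozenset({3389}), "allow", require_auth=True),
    Rule("user_lan", "printers", "tcp", frozenset({631, 9100}), "allow"),
    Rule("server_lan", "server_lan", "any", frozenset(), "allow", log=False),
    Rule("user_lan", "user_lan", "any", frozenset(), "allow", log=False),
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow: Flow):
    """Return (action, reason, log) for a flow under POLICY, with default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        if rule.require_auth and flow.user is None:
            return "deny", "authentication required", rule.log
        return rule.action, "rule match", rule.log
    return "deny", "default deny", True

def process(flows, scan_threshold=3):
    """Apply the policy to flows and return (log entries, alerts).
    Alerts fire when a printer initiates a connection that is denied (printers
    are expected to be destinations only) and when one source is denied to
    scan_threshold distinct destinations (scan-like behaviour)."""
    log, alerts = [], []
    denied_targets = defaultdict(set)
    for f in flows:
        action, reason, should_log = evaluate(f)
        if should_log:
            log.append(f"{action.upper()} {f.src}->{f.dst} {f.proto}/{f.dport} ({reason})")
        if action == "deny":
            if zone_of(f.src) == "printers":
                alerts.append(f"printer {f.src} initiated connection to {f.dst}")
            denied_targets[f.src].add(f.dst)
            if len(denied_targets[f.src]) == scan_threshold:
                alerts.append(f"{f.src} denied to {scan_threshold} distinct hosts")
    return log, alerts

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", "tcp", 443),
    Flow("10.10.1.5", "10.20.0.10", "tcp", 3389),               # no authenticated user
    Flow("10.10.1.5", "10.20.0.10", "tcp", 3389, user="alice"),
    Flow("10.10.1.5", "10.30.0.7", "tcp", 9100),
    Flow("10.20.0.10", "10.20.0.11", "tcp", 5432),              # allowed, not logged
    Flow("10.30.0.7", "10.20.0.10", "tcp", 445),                # printer reaching into servers
    Flow("10.10.1.9", "10.20.0.10", "tcp", 22),
    Flow("10.10.1.9", "10.20.0.11", "tcp", 22),
    Flow("10.10.1.9", "10.20.0.12", "tcp", 22),
]

if __name__ == "__main__":
    entries, found_alerts = process(SAMPLE_FLOWS)
    print("\n".join(entries))
    print("ALERTS:", found_alerts)
```

Two design choices reflect the table. Rules match on zones, so a new printer or desktop is covered as soon as it is addressed in the right network, which is what "access restricted based on the type of host" means in practice. Intra-zone rules are allowed but not logged, mirroring the permissive treatment of traffic within a trusted network, while every cross-zone deny is logged so that the alert logic has a record to work from.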