Positioning Firewalls

The Firewall is a perimeter defense, positioned between networks with different security levels.

Firewalls generally control traffic between:

  • External networks (the Internet) and your internal networks.
  • External networks (the Internet) and DMZ (demilitarized zone) networks.
  • Internal networks (including DMZs).

Firewalls separate the different networks by enforcing rules that control access from one network to another.

Figure: The Firewall in different types of network segments



Not all organizations necessarily have all types of networks that are shown here. One Firewall can cover all enforcement points simultaneously if it is practical in the network environment and compatible with the organization’s security requirements.
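As an added illustration of the rule enforcement described above (example code written for this page, not part of the product documentation), a small zone-based policy evaluator that resolves a flow's source and destination to network segments like those in the figure and applies first-match rules with a default deny. The addressing, zone names and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed segments mirroring the figure: each zone is the set of prefixes
# reached through one Firewall interface (assumed addressing, not the vendor's).
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "dept_a": [ip_network("10.1.0.0/16")],
    "dept_b": [ip_network("10.2.0.0/16")],
    # anything not behind an internal interface is the Internet ("external")
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

# Constructed policy: a flow crossing between zones of different security
# level is denied unless a rule explicitly allows it (first match wins).
POLICY = [
    Rule("external", "dmz", "tcp", 443, "allow"),     # Internet -> public web tier
    Rule("dmz", "dept_a", "tcp", 5432, "allow"),      # web tier -> database in Dept A
    Rule("dept_a", "external", "tcp", 443, "allow"),  # internal users browsing out
    Rule("dept_b", "external", "tcp", 443, "allow"),
    Rule("dept_a", "dept_b", "any", None, "deny"),    # explicit internal segmentation
]

def zone_of(ip: str) -> str:
    """Map an address to its segment; unknown addresses are treated as external."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"

def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the Firewall's verdict for one flow, or 'allow' if it never crosses the Firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # traffic inside one segment is not an enforcement point
    for rule in POLICY:
        if (rule.src, rule.dst) == (src, dst) and rule.proto in ("any", proto) \
                and rule.dport in (None, dport):
            return rule.action
    return "deny"  # nothing matched: default deny between segments
```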

In a multi-layer deployment, a Firewall can have both layer 2 physical interfaces and layer 3 physical interfaces. Layer 2 interfaces on Firewalls allow the engine to provide the same kind of traffic inspection that is supported on IPS engines and Layer 2 Firewalls.

Figure: The Firewall in a multi-layer deployment



  1. Traffic inspection only
  2. Routed traffic and traffic inspection
  3. Layer 3 physical interface. These interfaces can route traffic.
  4. Layer 2 physical interface of the inline IPS interface or inline Layer 2 Firewall interface type. These interfaces cannot route traffic. They can only provide traffic inspection.
  5. Layer 2 physical interface of the capture interface type. These interfaces cannot route traffic. They can only provide traffic inspection.
  6. DMZ network
  7. Department A internal network
  8. Department B internal network
  9. Internal network
  10. External networks