Using firewalls to separate internal and external networks

The most common and most important use for a firewall is to separate internal networks from the public Internet.

Table 1. External network considerations for firewalls

| | Description | Implications on Firewalls |
|---|---|---|
| Main purpose | Connectivity between the protected and public networks. | The Firewall selects which traffic is permitted into and out of the internal networks and translates addresses between internal IP addresses and public IP addresses. The Firewall is typically also a VPN endpoint. |
| Hosts | Only equipment directly connected to the public network, such as routers and the Firewall. | The communicating hosts in external networks are unknown in many cases. IP address spoofing is a possibility. External hosts can be trusted if they are identified using VPN authentication mechanisms. |
| Users | Access to this network is open, but local access to the hosts is restricted to the administrative staff only. | Internal users are known and trusted. Users in public networks are unknown and untrusted. VPN authentication and encryption can be used to allow specific users access from external networks to internal resources. |
| Traffic volume | Varies from low to high, generally the full bandwidth of all Internet links combined. | Hardware requirements vary depending on the environment. Clustering allows flexible firewall throughput adjustments. Multi-Link allows High Availability and load balancing for outbound connections. QoS Policies can control the bandwidth use. |
| Traffic type | Any type of traffic can be encountered, especially in incoming traffic. Some filtering is done by the Internet service provider. | The Firewall controls which traffic is allowed into your networks. It is beyond the Firewall’s control what and how much traffic it receives from the public networks. Advanced inspection checks can be activated on the Firewall and on an external content inspection server depending on the protocol. |
| Network security | Little or no access controls to pre-filter traffic arriving from the Internet. | Ensure that the hosts in this network are security-hardened and actively patched against known vulnerabilities. Ensure the Firewall’s policy is as restrictive as possible. Generally, new connections are not allowed from the external to the internal networks (servers for external services are placed in DMZs). After use, disable SSH access to the Firewall’s command line from external networks. |
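The policy principles in Table 1 (deny new connections from the external network into the internal network, publish services only from a DMZ, treat external packets with internal source addresses as spoofed, and keep SSH access to the Firewall off the external interface) can be checked against concrete connections with a small first-match policy evaluator. The block below is an added example written for this page; it is not the Firewall's own policy format, and the address plan, interface names and published services are constructed assumptions.

```python
"""Toy first-match firewall policy evaluator (added example, not the vendor's
policy language). It models the external-network considerations in Table 1:
anti-spoofing on the external interface, published services reachable only
in the DMZ, Firewall management (SSH) only from the internal network, and a
default deny for every new connection no rule explicitly allows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Constructed, hypothetical address plan (assumption, not taken from the page).
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
FIREWALL_ADDRS = {ip_address("10.0.0.1"), ip_address("192.0.2.1"),
                  ip_address("198.51.100.1")}
# Services published from the DMZ to the public network: (address, port).
PUBLISHED = {(ip_address("192.0.2.10"), 443), (ip_address("192.0.2.20"), 25)}


@dataclass(frozen=True)
class Conn:
    """First packet of a new connection as seen by the Firewall. Reply packets
    of an accepted connection are handled by connection tracking, not here."""
    iface: str   # ingress interface: "ext", "int" or "dmz"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    match: Callable[[Conn], bool]


def _src(c: Conn):
    return ip_address(c.src)


def _dst(c: Conn):
    return ip_address(c.dst)


def is_spoofed(c: Conn) -> bool:
    """A packet arriving on the external interface must not carry an internal
    or DMZ source address; such packets are the IP spoofing case in Table 1."""
    return c.iface == "ext" and (_src(c) in INTERNAL or _src(c) in DMZ)


# Ordered first-match policy. Everything not matched falls through to deny.
POLICY: List[Rule] = [
    Rule("anti-spoofing", "deny", is_spoofed),
    Rule("mgmt-ssh-from-internal", "allow",
         lambda c: c.iface == "int" and _dst(c) in FIREWALL_ADDRS and c.dport == 22),
    Rule("no-ssh-to-firewall-from-external", "deny",
         lambda c: c.iface == "ext" and _dst(c) in FIREWALL_ADDRS and c.dport == 22),
    Rule("published-dmz-services", "allow",
         lambda c: c.iface == "ext" and (_dst(c), c.dport) in PUBLISHED),
    Rule("internal-outbound", "allow",  # NAT to the public address happens here
         lambda c: c.iface == "int" and _dst(c) not in INTERNAL
         and _dst(c) not in FIREWALL_ADDRS),
    Rule("dmz-no-new-connections-inbound", "deny",
         lambda c: c.iface == "dmz" and _dst(c) in INTERNAL),
]


def evaluate(c: Conn) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default deny."""
    for rule in POLICY:
        if rule.match(c):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed sample connections illustrating each row of the policy.
SAMPLE = [
    Conn("ext", "203.0.113.5", "192.0.2.10", 443),    # public client to DMZ web server
    Conn("ext", "203.0.113.5", "10.0.0.50", 445),     # public client straight to an internal host
    Conn("ext", "10.0.0.7", "10.0.0.50", 445),        # external packet claiming an internal source
    Conn("ext", "203.0.113.5", "198.51.100.1", 22),   # SSH to the Firewall from the public network
    Conn("int", "10.0.0.7", "10.0.0.1", 22),          # SSH to the Firewall from the internal network
    Conn("int", "10.0.0.7", "203.0.113.80", 443),     # internal user browsing out
    Conn("dmz", "192.0.2.10", "10.0.0.50", 1433),     # DMZ host opening a connection inward
]


def run_samples() -> Dict[Conn, Tuple[str, str]]:
    return {c: evaluate(c) for c in SAMPLE}


if __name__ == "__main__":
    for conn, (action, rule) in run_samples().items():
        print(f"{conn.iface:>3} {conn.src:>15} -> {conn.dst:>15}:{conn.dport:<5} {action:5} ({rule})")
```

The ordering matters: the anti-spoofing rule sits first so that a forged internal source address never reaches the allow rules, and the explicit SSH deny on the external interface is redundant with the default deny but gives that event its own rule name for logging and review.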