
The internet provides more opportunity than ever before; with that opportunity, however, comes risk. ICS helps you manage and minimize that risk with integrated firewall and router solutions. Firewalls can play two roles. First, they minimize network intrusions (or hackers) by verifying all traffic passing through them using methods such as “stateful inspection.” Secondly, they can prevent your network’s users from accessing websites or resources that are “inappropriate” for the workplace or educational environment.
Designing a firewall requires that you understand and identify the boundaries between security domains in your network. A network security domain is a contiguous region of a network that operates under a single, uniform security policy. Wherever these domains intersect, there is a potential need for a policy conflict resolution mechanism at that boundary. This is where firewall technology can help.
The most common boundary where firewalls are applied today is between an organization’s internal networks and the Internet. When establishing an Internet firewall, the first thing you must decide is its basic architecture. There are two classes of firewall architectures, which we refer to as the single layer and the multiple layer architectures.
Single Layer Architecture
- One network host is allocated all firewall functions and is connected to each network for which it is to control access. This approach is usually chosen when containing cost is a primary factor or when there are only two networks to interconnect. It has the advantage that everything there is to know about the firewall resides on that one host. In cases where the policy to be implemented is simple and there are few networks being interconnected, this approach can also be very cost-effective to operate and maintain over time. The greatest disadvantage of the single layer approach is its susceptibility to implementation flaws or configuration errors — depending on the type, a single flaw or error might allow firewall penetration.
Multiple Layer Architecture
- The firewall functions are distributed among a small number of hosts, typically connected in series, with DMZ networks between them. This approach is more difficult to design and operate, but can provide substantially greater security by diversifying the defenses you are implementing. Although more costly, we advise using different technology in each of these firewall hosts. This reduces the risk that the same implementation flaws or configuration errors will exist in every layer. The most common design approach for this type of architecture is an Internet firewall composed of two hosts interconnected with one DMZ network.
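The following toy model is an added illustration of the two points made above: stateful inspection (only segments of a connection a firewall has seen opened are forwarded) and the way a second, independently configured layer limits the damage of one misconfigured host. It is not ICS product code or configuration; the security domains, the RFC 5737 documentation addresses, the zone-pair policies and the flows are all constructed for the example, and the single/double-layer path logic is a simplification of the two-host, one-DMZ design described on the page.

```python
"""Toy model of stateful inspection and of the single- vs multiple-layer
firewall architectures. Added example; not ICS code. Every address, zone
and policy below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed address plan (RFC 5737 documentation ranges for the public side).
ZONES = {"203.0.113.": "internet", "192.0.2.": "dmz", "10.": "internal"}


def zone_of(ip: str) -> str:
    """Map an address to the security domain it belongs to (assumed prefixes)."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    raise ValueError(f"address {ip} is outside every known security domain")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True = attempt to open a new connection; False = mid-connection segment


@dataclass
class StatefulFirewall:
    """One firewall host: per-boundary policy for NEW connections plus a state table."""
    name: str
    # (from_zone, to_zone) -> destination ports allowed to open a connection; "*" = any
    policy: dict
    conntrack: set = field(default_factory=set)

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:
            # Stateful inspection: forward only segments of a connection this host
            # has seen opened (in either direction); unsolicited segments drop.
            return key in self.conntrack or reply in self.conntrack
        allowed = self.policy.get((zone_of(pkt.src), zone_of(pkt.dst)), set())
        if allowed == "*" or pkt.dport in allowed:
            self.conntrack.add(key)
            return True
        return False


def path(layers: list, pkt: Packet) -> list:
    """Which firewall hosts a packet crosses. A single layer sees every boundary
    crossing; with two hosts in series, internet<->dmz crosses only the outer
    host, dmz<->internal only the inner host, internet<->internal crosses both."""
    zones = {zone_of(pkt.src), zone_of(pkt.dst)}
    if len(zones) == 1:
        return []  # same security domain: no boundary is crossed
    if len(layers) == 1:
        return layers
    outer, inner = layers
    if zones == {"internet", "dmz"}:
        return [outer]
    if zones == {"dmz", "internal"}:
        return [inner]
    return [outer, inner]


def permitted(layers: list, pkt: Packet) -> bool:
    """A packet gets through only if every firewall on its path forwards it."""
    return all(fw.forward(pkt) for fw in path(layers, pkt))


# Constructed policies: the outer host exposes only HTTPS on the DMZ to the
# Internet and lets internal users browse out; the inner host admits nothing
# from the Internet or the DMZ into the internal network.
OUTER_POLICY = {("internet", "dmz"): {443}, ("internal", "internet"): {80, 443}}
INNER_POLICY = {("internal", "dmz"): {443}, ("internal", "internet"): {80, 443}}
SINGLE_POLICY = {**OUTER_POLICY, **INNER_POLICY}  # one host carries the whole policy

CLIENT, WEB, FILESERVER = "203.0.113.10", "192.0.2.80", "10.0.0.5"


def run_scenarios(outer_flaw: bool = False) -> dict:
    """Evaluate a few flows against both architectures. With outer_flaw=True the
    single host (or the outer of the two) is misconfigured to accept any new
    connection from the Internet, the kind of error the text warns about."""
    flaw = {("internet", "dmz"): "*", ("internet", "internal"): "*"} if outer_flaw else {}
    single = [StatefulFirewall("single", {**SINGLE_POLICY, **flaw})]
    double = [StatefulFirewall("outer", {**OUTER_POLICY, **flaw}),
              StatefulFirewall("inner", INNER_POLICY)]
    flows = {  # evaluated in order, so the reply follows the connection it belongs to
        "client opens HTTPS to DMZ web": Packet(CLIENT, 51000, WEB, 443, syn=True),
        "web replies to client": Packet(WEB, 443, CLIENT, 51000, syn=False),
        "unsolicited ACK to DMZ web": Packet(CLIENT, 51001, WEB, 443, syn=False),
        "client opens SSH to internal file server": Packet(CLIENT, 51002, FILESERVER, 22, syn=True),
    }
    return {name: {"single": permitted(single, p), "double": permitted(double, p)}
            for name, p in flows.items()}


if __name__ == "__main__":
    for label, result in run_scenarios(outer_flaw=True).items():
        print(f"{label:45} single={result['single']!s:5} double={result['double']!s:5}")
```

With correct policies both architectures behave identically. With the outer host misconfigured to accept any inbound connection, the single-layer design lets the Internet client open a connection to the internal file server, while the two-layer design still drops it at the inner host, which is why the text recommends distinct technology (and therefore distinct failure modes) in each layer.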