At a high level, firewalls are positioned to create a protective barrier between external, potentially dangerous traffic sources and internal networks as well as within the enterprise perimeter, between segmented parts of a network. Firewalls should be placed throughout these segmented networks to ensure comprehensive protection across large enterprise networks.
Firewalls control traffic between:
- External networks (the internet) and internal networks.
- External networks (the internet) and DMZ (demilitarized zone) networks.
- Between internal networks.
Firewalls apply predetermined rules to control network access and can vary greatly in their ability to manage specific network threats. Most enterprise networks will include a mix of firewall types, including basic and multilayer firewall systems with built-in redundancies and advanced security features.
Firewall Placement and Network Segmentation
Complex networks are typically considered in terms of network segments, smaller physical or logical components of a larger network. This allows security teams to quickly close off sections of a network if a threat arises and streamlines the management of sprawling enterprise network architecture.
For communication to flow between segments, traffic flows through routers or firewalls so that it can be inspected before passing through to other network segments. This strategy adds security redundancies throughout the system and strengthens overall network security.
Firewall Placement for Different Network Segments
These guidelines cover the main types of network segments; most networks will include multiple instances of each of these network connection types.
External networks (the internet) and internal networks
It is highly important to place strong controls on firewalls protecting the internal network from external connections. Not only can malicious attacks occur from outside sources, but data leakage is a significant concern.
As a general rule, connections should not be allowed directly from external networks into internal networks; servers that must be reachable from outside should reside in DMZs.
External networks (the internet) and DMZ networks
DMZs, or “perimeter networks,” are isolated from other network endpoints and typically contain servers that offer services primarily for external access. Here, firewalls control traffic in and out of each DMZ from both external and internal networks (typically, only a few, specified services must be allowed).
Servers in DMZs are frequently targeted for attacks, so connections between DMZs and internal networks must be strictly managed.
Between internal networks
While internal networks do handle confidential data, connections between internal networks can be more permissive than connections between internal and external networks. Still, there are unique network threats to consider because sensitive data is transmitted between users frequently. Within each network segment, security teams can create a variety of boundaries with varying degrees of security protection.
Multi-layer firewall placement
As the cyberthreat landscape has become more complex, it’s important for organizations to take a multi-layer firewall approach. This proactive, layered security strategy helps to bridge gaps between network segments so that threats like malware are caught as they are delivered, rather than responded to reactively after an attack has already landed.
Multilayer firewalls can add protection from attacks launched through email attachments, adware, links, apps, and file attachments, including malware that frequently changes identifiable characteristics like file name and type. Multilayer firewalls also typically include DNS-level security that protects against network-level threats.
Multilayer firewalls rely on dynamic packet filtering, which tracks a network’s active connections and examines incoming data in the context of those connections. This is a step up from simple packet-scanning firewall protection. Note that some firewalls within a multilayer firewall structure may be simple packet-scanning firewalls, but the multilayer firewall as a whole is focused on dynamic packet filtering.
A multilayer firewall approach is a convenient, efficient approach that brings multiple firewall technologies together.
Firewall Placement Best Practices
Within a segmented network structure, SOCs identify various security zones, groups of servers and systems with similar security requirements. Organizations typically have a secure internal network zone and an external (untrusted) network zone and intermediate security zones in between.
Firewalls control traffic to and from hosts and these security zones at the IP, port, or application levels. As all organizations require their own unique network architecture, there is no single configuration that would apply to all businesses and networks, but there are best practices that can be applied generally to help guide firewall placement within a segmented network:
- Keep internet-facing servers in separate zones (for example, web servers and email servers) – this can help minimize damage if an internet-facing server is compromised.
- Maintain only one-way traffic between internal zones and demilitarized zones (DMZ) (for example, DMZs used for proxy, email, and web servers).
- Keep web servers and database servers on separate machines – ideally, place them in different DMZs.
- Enable direct internet access for users on the internal network through an HTTP proxy server located in the primary DMZ.
- Disallow direct traffic to the internal zone from the internet.
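The segment guidelines and the best-practices list above translate naturally into a zone-based rule set. The following is an added example, not code from the original article: a small Python model of a stateful (dynamic packet filtering) zone firewall whose ordered rules encode the practices above (only published services from the internet into the DMZ, one-way traffic from internal to DMZ, internal users reaching the web through a proxy in the DMZ, and no direct internet-to-internal traffic). The zone addresses, port numbers and hostnames are constructed for illustration and are not from the article.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map (illustrative RFC 1918 ranges, not any real network).
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("172.16.0.0/24")],
}

def zone_of(addr):
    """Map an address to its security zone; anything not in a known zone is the internet."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in n for n in nets):
            return name
    return "internet"

# Ordered rule set: (source zone, destination zone, allowed TCP ports or None for any).
# First match wins; any flow that matches nothing is dropped (default deny).
RULES = [
    ("internet", "dmz", {80, 443, 25}),    # only the few published DMZ services are reachable
    ("internal", "dmz", {3128, 25, 443}),  # one-way: internal hosts initiate to proxy/mail/web
    ("dmz", "internet", {80, 443, 25}),    # proxy and mail egress from the DMZ
    ("internal", "internal", None),        # more permissive between internal segments
    # No "internet -> internal" and no "dmz -> internal" rule: those flows are dropped.
]

class StatefulFirewall:
    """Zone firewall that also tracks accepted connections (dynamic packet filtering)."""

    def __init__(self):
        self.conns = set()  # accepted flows as (src, sport, dst, dport)

    def check(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one TCP segment."""
        # Replies to an already-accepted connection pass without a matching rule;
        # a stateless filter would need an explicit (and risky) dmz -> internal rule.
        if (dst, dport, src, sport) in self.conns:
            return "accept"
        sz, dz = zone_of(src), zone_of(dst)
        for rule_src, rule_dst, ports in RULES:
            if rule_src == sz and rule_dst == dz and (ports is None or dport in ports):
                self.conns.add((src, sport, dst, dport))
                return "accept"
        return "drop"

if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.check("203.0.113.5", 40000, "172.16.0.10", 443))  # internet -> DMZ web: accept
    print(fw.check("172.16.0.10", 50000, "10.1.1.30", 5432))   # DMZ -> internal DB: drop
```

Because the rule table is ordered and defaults to deny, adding a zone or a published service is a one-line change, and the connection table shows why a compromised DMZ host still cannot open new connections inward.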
Security teams will also need to establish best practices around firewall maintenance, which can become quite complex and vulnerable to neglect. Every firewall connection should be routinely checked for up-to-date settings and effectiveness. If certain network segments experience unexpected spikes in traffic, it may become necessary to upgrade firewalls protecting those segments to handle the traffic spike while maintaining system performance.
Bottom Line: Firewall Placement
Network segmentation is a fundamental security approach to network infrastructure design that adds layered protection throughout large enterprise network environments. Most organizations will install firewalls throughout these segments to handle various connection types (internal communications, internal-to-external traffic, and DMZ traffic).
This comprehensive multi-layered approach adds system-wide protection against a wide range of network threats, including external cyber threats.
As firewalls are placed throughout a segmented network, security teams should follow a standard set of best practices to ensure uniformity. While these practices will vary by organization, each organization should apply standards that define how every firewall fits into the overall security architecture.
Firewalls are one tool in the network security toolbox, and in some ways, these are relatively simple, fundamental elements of a larger network security approach. They are, however, integral and have outsized roles to play even within network security environments that include advanced tech features like AI and network traffic monitoring services. A large percentage of network security vulnerabilities can be stopped at the firewall level.