The most common use of firewalls today... is to enforce a security policy between an organization and the Internet. Most companies appreciate the need for such protection. The primary objective of Internet firewall policies is to protect the organization’s internal networks from unauthorized access by outsiders, and to restrict outsider access to specific hosts and services. A secondary purpose is to control which Internet sites and services may be accessed by internal users.
Organizations may use a firewall to separate a workgroup that processes personnel and financial information from all other employees. When employees and servers are in the same location, the workgroup would be connected to the Trusted interface. The External interface would be connected to the portion of the corporate network all other employees access, and configured suitably: the policies applied to the External network interface keep unwanted parties out, and keep traffic containing sensitive information in.
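As an added illustration (not from the original article), here is an nftables ruleset for such an interdepartmental firewall. The interface names, subnets and hosts are assumptions: the workgroup sits behind the Trusted interface, only named outside hosts may reach one application server on HTTPS, and the workgroup itself may only send to corporate DNS and mail, with everything else logged and dropped so sensitive data stays in.

```nftables
#!/usr/sbin/nft -f
# Added example, not the article's own configuration. All addresses and
# interface names below are assumed values for a finance/HR workgroup.
flush ruleset

define TRUSTED_IF  = "eth1"                 # workgroup side (Trusted interface)
define EXTERNAL_IF = "eth0"                 # rest of the corporate network (External)
define WORKGROUP   = 10.10.50.0/24          # assumed workgroup subnet
define HR_APP      = 10.10.50.20            # assumed HR application server in the workgroup
define PAYROLL_CLIENTS = { 10.20.0.0/24, 10.20.1.0/24 }  # assumed outside hosts allowed in
define CORP_DNS    = { 10.1.1.10, 10.1.1.11 }            # assumed corporate resolvers
define CORP_MAIL   = 10.1.2.25                            # assumed corporate mail relay

table inet interdept {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows already permitted below; malformed state is dropped outright
        ct state established,related accept
        ct state invalid drop

        # External -> Trusted: keep unwanted parties out. Only the named outside
        # hosts may reach the HR application, and only on HTTPS.
        iifname $EXTERNAL_IF oifname $TRUSTED_IF \
            ip saddr $PAYROLL_CLIENTS ip daddr $HR_APP tcp dport 443 accept

        # Trusted -> External: restrict where the workgroup may send data
        iifname $TRUSTED_IF oifname $EXTERNAL_IF \
            ip saddr $WORKGROUP ip daddr $CORP_DNS udp dport 53 accept
        iifname $TRUSTED_IF oifname $EXTERNAL_IF \
            ip saddr $WORKGROUP ip daddr $CORP_MAIL tcp dport 587 accept

        # Keep sensitive traffic in: anything else the workgroup sends out is
        # logged (for detection of exfiltration attempts or misconfiguration) and dropped
        iifname $TRUSTED_IF oifname $EXTERNAL_IF log prefix "interdept-egress-drop: " drop

        # Unsolicited inbound traffic from the rest of the company is logged and dropped
        iifname $EXTERNAL_IF oifname $TRUSTED_IF log prefix "interdept-ingress-drop: " drop
    }
}
```

Load it with `nft -f` and review the logged drops after a few days: legitimate services the workgroup needs will show up there and can be added as explicit accept rules rather than by loosening the default.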
In addition to enforcing policy, interdepartmental firewalls can also help with IP addressing problems. This practice scales very well for an organization that makes many acquisitions or sees a practical benefit in architecting its internal networks so that individual business units and subsidiaries are insulated from addressing and networking changes caused by acquisitions and divestitures. The resulting topology has many interdepartmental firewalls as spokes around the Internet firewall(s), which serve as the hub(s). A unique and finely-tuned security policy can be asserted at each spoke of the hub, beyond the general “Internet” policy asserted at the Internet firewall. It’s actually very cool.
Ideally, VPN technologies like IPsec could be used to create private, authenticated tunnels “end-to-end” between a user and a server he is authorized to access. IPsec, however, imposes a considerable processing overhead that today can only be mitigated by using hardware encryption. By placing an IPsec-capable firewall directly in front of a server farm, organizations can provide secure communications as close to the servers as possible, at a lower cost and with no additional processing or administrative overhead on the servers themselves.
Using interdepartmental firewalls to support IPsec tunnels isn’t limited to secure remote access for individual employees or business partners. An interdepartmental firewall placed in front of an entire workgroup of authorized users can tunnel securely using IPsec to the firewall protecting the server farm. Firewalls used in this manner allow an organization to concentrate servers in data centers, and even outsource data centers to application or managed service providers without conceding an inch from its security policy.