Different Types of Office Requirements
Although every firewall implementation is truly unique, there are a couple of fundamental designs
from which virtually all firewall designs are created. The first question to ask when
implementing a firewall is whether the firewall is going to be located at a central location or
a remote location. When you have answered that question, you need to examine the
resources that need to be protected. With that in mind, the next step is to determine how
many demilitarized zones (DMZs), if any, need to be implemented.
Although most of these design questions are based on protecting internal resources, they
should be equally applied to the question of how the firewall will screen Internet access
for your internal resources, essentially protecting the Internet from your systems, while at
the same time enabling you to restrict and filter the kinds of Internet-based traffic that
will be allowed from your internal resources.
Although referred to as a central office implementation, the key to this implementation is
not necessarily that it exists at the central office. Rather, the central office
implementation refers to an implementation that has a number of common elements:
• A concentration of resources must be protected by the firewall.
• A significant number of internal users need access to external resources through
the firewall (for example, if the firewall handles the majority of the company's
• Technical personnel can actively monitor and manage the firewall because they
are physically located at the same location.
As a result, the central office implementation is applicable in any environment that
matches these elements. For example, many large companies have multiple locations that
would all warrant the central office design, because there may be two or more "hub"
locations with a high concentration of users, resources, and administrators.
The central office implementation is characterized by a design that tends to be
more complex than the remote office implementation and tends to utilize higher-end
hardware and software to achieve the objective of protecting resources. For example, the
central office may utilize multiple firewalls in a dual-firewall implementation to protect
resources and may have multiple firewalls implemented in a task-specific fashion. You
might have a separate Internet-screening firewall, web-application firewall, and e-mail-
Central office implementations are also frequently underpinned by more advanced
firewalls, such as Cisco Secure PIX Firewalls, NetScreen, Check Point, or Microsoft ISA
Server, as opposed to smaller Network Address Translation (NAT) routers or small
office/home office (SOHO) firewall products.
As a general rule, the central office implementation tends to provide for the most
hardened and secure firewall implementation.
The remote office implementation tends to revolve around a simpler, point-solution
design. As opposed to the central office, remote offices typically have few technical
resources at the location with the expertise required to effectively manage and maintain a
firewall. Remote offices also rarely have internal resources that must be accessed by
remote sources, which means that often the firewall implementation is little more than an
Internet-screening firewall, keeping all Internet sources from accessing internal resources
and restricting Internet access by internal resources.
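The remote office Internet-screening policy described above, written as an added example in Linux nftables syntax rather than for any product the text names (it is not part of the original text). The interface names wan0 and lan0, the LAN range 192.168.10.0/24, the SSH management port, and the list of permitted outbound services are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: remote-office Internet-screening firewall.
# Assumed names (not from the original text):
#   wan0 = Internet-facing interface, lan0 = office LAN interface,
#   192.168.10.0/24 = constructed LAN address range.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define LAN_NET = 192.168.10.0/24

table inet screen {
    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Management from the LAN only; nothing is offered to the Internet.
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        iifname $LAN ip saddr $LAN_NET icmp type echo-request accept
    }

    # Traffic passing through the firewall.
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to sessions that internal hosts opened.
        ct state established,related accept
        ct state invalid drop
        # Restrict Internet access by internal resources to an allow-list.
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 53, 80, 443 } accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET udp dport { 53, 123 } accept
        # Everything else, including every new Internet-to-LAN connection,
        # falls through to the drop policy; log a sample for review.
        limit rate 10/minute log prefix "screen-drop "
    }
}

table ip nat {
    # Hide the internal range behind the firewall's Internet address.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Because both filter chains default to drop and no rule accepts new connections arriving on the Internet-facing interface, the only inbound packets that pass are replies to sessions internal hosts initiated.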
Although the central office implementation lends itself to protecting literally thousands of
users and resources, the remote office implementation is really only effective at
protecting a relatively small number of users and resources, generally fewer than 100
users and resources. Consequently, the remote office implementation lends itself to the
use of SOHO firewall solutions ranging from lower-end firewalls such as the Cisco PIX
506E, NetScreen 5, or NetScreen 25 all the way down to the basic NAT filtering routers
such as some of the Linksys or D-Link product lines.