Please enable JavaScript.

Coggle requires JavaScript to display documents.

Firewall Advanced (Network Segmentation (Network are very permeable…

- - - - Users
        
        Local Users
        
        VLAN dep/ VoIP VLAN
        
        Wireless users
        
        Employee VLAN
        
        Guest VLAN
        
        Remote users
      - Services
        
        Public-faced servers (DMZ)
        
        Private servers
        
        Front-end servers
        
        Back-end servers
    - - VPN Access to different services and servers
- - - - IP Routing:Static routing, RIP, OSPF, BGP
    - - VRRP for Active-backup FW
      - Load balancer, OSPF or DNS Round-Robin for Active-Active FW
  - - - Becoming Spanning Tree Low priority/root bridge A-B FW
      - Multiple Spanning Tree Protocol (MSTP) A-A FW
- - - - FW public (Dyn) IP address/LAN requires private address -> Source NAT
      - User port forwarding (Dest NAT) to access internal server in DMZ/Double NAT
  - - - FW has single public (Static) IP address
      - Branch LAN is a subnet of company private LAN
      - FW acts as VPN tunnel endpoint over internet (ISP MPLS VPN)
      - Static FW drops al Internet traffic but VPN one
  - - - Protect DMZ
      - DMZ Servers have public IP address/No NAT
      - DMZ Can be further segmented for load balancing and isolate public servers
    - - Separates DMZ from Corporate LAN and isolates different VLANs
      - Dedicate or integrated VPN concentrator for branch Offices
    - - Internal and external firewalls may be different vendors
      - Additional FW (Sec GW, Antivirus)
  - - - Static L2 FW
    - - SSL Accelerators + Load balancing proxies and servers
      - Inverse Proxies L7 content analysis
        
        WAF / Proxies in VM
    - - Physical servers with Vos
      - Virtual Switch with ACL for intra-server VM Comms