CISSP® Official Study Guide, Eighth Edition (Mike Chapple, James Michael Stewart, Darril Gibson; Sybex, 2018)

Firewall Deployment Architectures

There are three commonly recognized firewall deployment architectures: single tier, two tier, and three tier (also known as multitier).

As you can see in Figure 11.8, a single-tier deployment places the private network behind a firewall, which is then connected through a router to the internet (or some other untrusted network). Single-tier deployments are useful against generic attacks only. This architecture offers only minimal protection.

A two-tier deployment architecture may be one of two different designs. One uses a firewall with three or more interfaces. The other uses two firewalls in a series. This allows for a DMZ or a publicly accessible extranet. In the first design, the DMZ is located off one of the interfaces of the primary firewall, while in the second design the DMZ is located between the two serial firewalls. The DMZ is used to host information server systems to which external users should have access. The firewall routes traffic to the DMZ or the trusted network according to its strict filtering rules. This architecture introduces a moderate level of routing and filtering complexity.


[Figure 11.8 (Secure Network Components, p. 491): Single-, two-, and three-tier firewall deployment architectures. Five panels: Single-tier, Two-tier I, Two-tier II, Three-tier I, Three-tier II. Elements shown: Internet, Router, Firewall, DMZ, Transaction Subnet, Private Network.]

A three-tier deployment architecture is the deployment of multiple subnets between the 
private network and the internet separated by firewalls. Each subsequent firewall has more 
stringent filtering rules to restrict traffic to only trusted sources. The outermost subnet is 
usually a DMZ. A middle subnet can serve as a transaction subnet where systems needed to 
support complex web applications in the DMZ reside. The third, or back-end, subnet can 
support the private network. This architecture is the most secure of these options; however, 
it is also the most complex to design, implement, and manage.
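The following model is an added example, not code from the study guide: it represents each of the deployment architectures above as a tree of network segments joined by firewalls, and evaluates whether a given flow (source segment, destination segment, port) survives every firewall on the path. All rule sets, segment names and ports below are hypothetical and constructed for illustration. Running it shows the property the text describes: the single-tier design must admit internet traffic straight into the private network, the two-tier designs confine inbound traffic to the DMZ, and in the three-tier design each deeper firewall admits strictly less.

```python
"""Toy model of single-, two- and three-tier firewall deployments.

Segments are nodes, firewalls are edges; a flow is allowed only if every
firewall between source and destination permits it (implicit deny).
Hypothetical rule sets, constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

INTERNET, DMZ, TXN, PRIVATE = "internet", "dmz", "transaction", "private"
ANY = "*"  # wildcard for a zone or a port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: object  # int or ANY
    allow: bool = True


class Firewall:
    def __init__(self, name, rules):
        self.name = name
        self.rules = list(rules)

    def permits(self, src, dst, port):
        # First matching rule wins; no match means implicit deny.
        for r in self.rules:
            if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
                return r.allow
        return False


class Topology:
    """Tree of segments; an edge carries the firewall that filters it (or None
    for a plain router hop such as the border router in every design)."""

    def __init__(self, name):
        self.name = name
        self.links = {}  # segment -> [(neighbour, firewall-or-None), ...]

    def connect(self, a, b, fw=None):
        self.links.setdefault(a, []).append((b, fw))
        self.links.setdefault(b, []).append((a, fw))
        return self

    def firewalls_between(self, src, dst):
        # Breadth-first search; the topologies are trees, so the path is unique.
        prev = {src: None}
        queue = deque([src])
        while queue and dst not in prev:
            cur = queue.popleft()
            for nxt, fw in self.links.get(cur, []):
                if nxt not in prev:
                    prev[nxt] = (cur, fw)
                    queue.append(nxt)
        if dst not in prev:
            raise ValueError(f"{dst} unreachable from {src} in {self.name}")
        path, cur = [], dst
        while prev[cur] is not None:
            cur, fw = prev[cur]
            # A multi-interface firewall appears on several edges; count it once.
            if fw is not None and fw not in path:
                path.append(fw)
        return path[::-1]  # ordered from src towards dst

    def allows(self, src, dst, port):
        return all(fw.permits(src, dst, port) for fw in self.firewalls_between(src, dst))


OUTBOUND = Rule(PRIVATE, ANY, ANY)  # internal users may initiate anywhere
WEB_IN = Rule(INTERNET, DMZ, 443)   # only HTTPS, and only into the DMZ


def single_tier():
    # No DMZ: a public web server has to live on the private network, so the
    # single firewall must admit internet traffic into the trusted segment.
    fw = Firewall("fw", [Rule(INTERNET, PRIVATE, 443), OUTBOUND])
    return Topology("single-tier").connect(INTERNET, PRIVATE, fw)


def two_tier_i():
    # One firewall with three interfaces; the same device filters both edges.
    fw = Firewall("fw", [WEB_IN, OUTBOUND])
    return Topology("two-tier I").connect(INTERNET, DMZ, fw).connect(DMZ, PRIVATE, fw)


def two_tier_ii():
    # Two firewalls in series with the DMZ between them.
    outer, inner = Firewall("outer", [WEB_IN, OUTBOUND]), Firewall("inner", [OUTBOUND])
    return Topology("two-tier II").connect(INTERNET, DMZ, outer).connect(DMZ, PRIVATE, inner)


def three_tier():
    # Each deeper firewall admits less: the middle one only lets DMZ web servers
    # reach the transaction subnet on one port, the inner one admits nothing inbound.
    outer = Firewall("outer", [WEB_IN, OUTBOUND])
    middle = Firewall("middle", [Rule(DMZ, TXN, 8443), OUTBOUND])
    inner = Firewall("inner", [OUTBOUND])
    return (Topology("three-tier").connect(INTERNET, DMZ, outer)
            .connect(DMZ, TXN, middle).connect(TXN, PRIVATE, inner))


FLOWS = [  # constructed sample flows: (src, dst, port)
    (INTERNET, PRIVATE, 443), (INTERNET, DMZ, 443), (INTERNET, TXN, 8443),
    (DMZ, TXN, 8443), (DMZ, PRIVATE, 445), (PRIVATE, INTERNET, 443),
]


def exposure(topo, flows=FLOWS):
    """Map each flow to True/False, or None when the design has no such segment."""
    result = {}
    for f in flows:
        try:
            result[f] = topo.allows(*f)
        except ValueError:
            result[f] = None
    return result


if __name__ == "__main__":
    for build in (single_tier, two_tier_i, two_tier_ii, three_tier):
        topo = build()
        print(topo.name)
        for (src, dst, port), ok in exposure(topo).items():
            verdict = {True: "ALLOW", False: "deny", None: "n/a"}[ok]
            print(f"  {src:>11} -> {dst:<11} :{port:<5} {verdict}")
```

Rules match on the segment a packet's addresses belong to, which is why the serial designs deny an internet-to-private flow at the outer firewall even though that firewall does not guard the private segment directly: it simply has no rule admitting that source/destination pair. Swapping a rule set and re-running `exposure()` is a quick way to see how much a single misconfiguration exposes in each design.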