Network Topology: Placing a Firewall
This guide explains basic network topology concepts and best practices for placing a NetFoundry zLAN firewall within your network.
Why Topology Matters
Proper firewall placement is critical for:
- Securing network boundaries
- Controlling traffic between segments
- Enabling monitoring and policy enforcement
Common Firewall Placement Scenarios
1. Perimeter Firewall (Edge)
Place the firewall between your internal network and the external (Internet or WAN) connection.
```mermaid
graph TD
    A[Internet] --> B[Firewall]
    B --> C[Internal Network]
```
Purpose: Protects the entire network from external threats.
2. Segmentation Firewall (Internal)
Place the firewall between different internal segments (e.g., between user LAN and server LAN).
```mermaid
graph TD
    A[User LAN] --> B[Firewall]
    B --> C[Server LAN]
```
Purpose: Limits lateral movement and enforces policies between segments.
3. DMZ (Demilitarized Zone)
Use firewalls to create a DMZ for public-facing servers.
```mermaid
graph TD
    A[Internet] --> B[Firewall]
    B --> C[DMZ]
    C --> D[Internal Firewall]
    D --> E[Internal Network]
```
Purpose: Isolates public services from the internal network.
4. Host Protection (On-Host Firewall)
Install the firewall directly on the host you want to protect (e.g., server, VM, or workstation).
```mermaid
graph TD
    A[Internet] --> B[Network]
    B --> C[Host]
    C --> D[Firewall]
    D --> E[Applications/Data]
```
Purpose: Provides granular protection for individual hosts, controlling inbound and outbound traffic at the source. Useful for servers, VMs, or endpoints requiring dedicated security.
Best Practices for Firewall Placement
- Place firewalls at network boundaries and between sensitive segments.
- Use multiple firewalls for layered security (e.g., perimeter + internal).
- Ensure all traffic between segments passes through the firewall.
- Document your topology and update it as the network evolves.
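One way to check a documented topology against the "all traffic between segments passes through the firewall" practice is to search the link list for any segment-to-segment path that avoids every firewall node. The script below is an added example, not NetFoundry code; the node names, the link list and the `backup-switch` bypass are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (undirected links), modelled on the DMZ
# scenario above: Internet -> Firewall -> DMZ -> Internal Firewall -> Internal.
LINKS = [
    ("internet", "edge-fw"),
    ("edge-fw", "dmz"),
    ("dmz", "internal-fw"),
    ("internal-fw", "internal"),
]
FIREWALLS = {"edge-fw", "internal-fw"}
# Same topology plus an undocumented switch that links the DMZ to the LAN.
BYPASS = LINKS + [("dmz", "backup-switch"), ("backup-switch", "internal")]


def bypass_path(links, firewalls, src, dst):
    """Return a src -> dst path that crosses no firewall node, or None."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:  # walk back to src via parent links
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            # Firewall nodes are never expanded, so any path found avoids them.
            if nxt not in parent and nxt not in firewalls:
                parent[nxt] = node
                queue.append(nxt)
    return None


def audit(links, firewalls, segments):
    """Check every pair of segments; return {(a, b): unfiltered path}."""
    findings = {}
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            path = bypass_path(links, firewalls, a, b)
            if path:
                findings[(a, b)] = path
    return findings
```

An empty result means every segment pair is separated by at least one firewall; any entry names the exact hops of an unfiltered path to close or reroute.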