By David Gewirtz
Unless you've been living under a rock, you know about the need for a firewall to safeguard your computer and your network. But while there's been much discussion about personal firewalls for individuals (and anyone behind a Linksys or NETGEAR router has some level of protection), there's been very little discussion about how to accomplish the same thing at the organizational level.
One of the more interesting challenges is how to route IP traffic to the correct machine behind the firewall if you have multiple machines that need to get the same protocol traffic.
Some illustrations will help to clarify this. Figure A shows a network that might be behind a typical home router.
FIGURE A
The network behind a low-end router will do some port forwarding.
Most low-end routers and firewalls will forward traffic for a specific port (like port 80, which carries Web traffic) to one specific IP address inside the protected network. However, many corporate networks have multiple machines using a given protocol, and traffic must be directed to each of them.
ZATZ, for example, has five separate Web servers, each handling a different part of our content management system and all needing to respond to requests on port 80. We also have two separate email servers, our Exchange server and our list server, both needing to respond to requests on port 25.
Figure B shows a simplified version of such a network.
FIGURE B
Multiple IPs route to different machines and different ports.
In this example, we have three separate networks: the red network, the green network, and the orange network. The red network is the connection to the Internet and is unprotected. The green network is completely protected from the Internet, and its clients are never visible from outside. It's used primarily for client machines and intranet machines that never need to be reached from outside.
The orange network is the DMZ (De-Militarized Zone), where the outward-facing servers live. We want to make sure the machines on the orange network receive the traffic meant for them while not receiving undesirable traffic. In the above example, we have one corporate server receiving Web traffic, one list server receiving SMTP mail traffic, and the Exchange server, which needs to receive both Web and SMTP traffic.
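As an added example (not code from the article or from any product it reviews), the POSIX shell script below generates the iptables rules for the Figure B layout: one public address per DMZ server, port 80 and port 25 forwarded only to the machine that should answer them, replies from each server leaving with its own public address, and the DMZ forbidden from opening connections into the green network. Interface names, the documentation-range public addresses (203.0.113.x) and the private addresses are constructed placeholders. The script prints the rules rather than applying them, so they can be reviewed before being run as root on the firewall.

```shell
#!/bin/sh
# Added example: emit iptables rules for a three-zone firewall where several
# DMZ servers share the same ports behind distinct public addresses.
# All addresses and interface names are constructed placeholders.

RED_IF="eth0"                 # unprotected Internet side (red)
ORANGE_IF="eth1"              # DMZ (orange)
GREEN_IF="eth2"               # internal clients (green)
GREEN_NET="192.168.10.0/24"   # constructed

# One line per DMZ host: public_ip  dmz_ip  comma-separated TCP ports.
# The public addresses must also be configured on $RED_IF (e.g. ip addr add).
MAPPINGS="
203.0.113.10 192.168.20.10 80
203.0.113.11 192.168.20.11 25
203.0.113.12 192.168.20.12 80,25
"

# Zone policy: deny forwarding by default, allow reply traffic, let green
# reach anywhere, let the DMZ reach the Internet but never the green network.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -j DROP"
    echo "iptables -A FORWARD -i $GREEN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $ORANGE_IF -o $RED_IF -j ACCEPT"
    # Green clients share the firewall's primary public address when going out.
    echo "iptables -t nat -A POSTROUTING -s $GREEN_NET -o $RED_IF -j MASQUERADE"
}

# Per-server rules: a DNAT plus a FORWARD accept for each (public IP, port)
# pair, and one SNAT so outbound traffic from the server uses its public IP.
dnat_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub dmz ports; do
        [ -n "$pub" ] || continue
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            echo "iptables -t nat -A PREROUTING -i $RED_IF -d $pub -p tcp --dport $p -j DNAT --to-destination $dmz:$p"
            echo "iptables -A FORWARD -i $RED_IF -o $ORANGE_IF -d $dmz -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        echo "iptables -t nat -A POSTROUTING -s $dmz -o $RED_IF -j SNAT --to-source $pub"
    done
}

# Print the full rule set; pipe into sh on the firewall once reviewed.
base_rules
dnat_rules
```

Because each DNAT rule matches on the destination public address as well as the port, two servers can both listen on port 80 without conflict; the list server, which has no port 80 entry, never receives Web traffic at all. The FORWARD chain's default DROP means a port that is not explicitly mapped is unreachable from the red network even if a DMZ host happens to be listening on it.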
Finding a low-cost solution to an expensive problem
We decided to see if we could find a firewall solution that could accomplish this, while handling the load of a typical company, and still remain under $1,000. There are many high-end, standalone firewall appliances that will accomplish this sort of thing, but you'll wind up spending at least $3,000, and often going above $20,000 for something that can handle a real load.