Extra Credits 7: Network Topology Options

The example in the article used a single-segment network topology: every device sits behind the firewall on the same internal network, so any compromised device can reach every other device directly. There are a number of alternatives that offer better security and, in some cases, better performance.

Single Firewall

As outlined in the article, a single firewall provides internet access either to a single segment or to several. With multiple segments, each segment is attached to its own firewall interface (or VLAN), and the firewall rules decide what may cross between them; the sound default is to deny everything between segments and allow only what is needed. This allows, for example, high-value devices (workstations, a file server) to reside on one segment, separated from high-risk devices (IoT devices, guests) residing on another. The trade-off is that the one firewall is a single point of failure and of compromise: a misconfiguration or a compromised firewall exposes every segment at once.
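As an added example (not part of the original article), here is an nftables ruleset for the single-firewall, multi-segment case on a Linux firewall with three interfaces: eth0 to the internet, eth1 for the high-value segment and eth2 for the high-risk segment. The interface names, the services the firewall itself provides, and the decision that the high-value segment may initiate connections into the high-risk one are assumptions made for this illustration.

```nft
#!/usr/sbin/nft -f
# Added example: one firewall, two internal segments.
# Interface names and allowed services are assumptions for this illustration.
flush ruleset

define WAN        = eth0   # uplink to the ISP
define HIGH_VALUE = eth1   # workstations, file server
define HIGH_RISK  = eth2   # IoT devices, guests

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: drop unless listed
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        ct state invalid drop

        # Manage the firewall only from the high-value segment
        iifname $HIGH_VALUE tcp dport 22 accept

        # Both segments may use the DNS and DHCP the firewall provides
        iifname $HIGH_VALUE udp dport { 53, 67 } accept
        iifname $HIGH_RISK  udp dport { 53, 67 } accept
        iifname $HIGH_VALUE tcp dport 53 accept
        iifname $HIGH_RISK  tcp dport 53 accept
    }

    chain forward {
        # Traffic crossing between interfaces: nothing passes by default
        type filter hook forward priority 0; policy drop;
        # Return traffic for connections a rule below allowed
        ct state established,related accept
        ct state invalid drop

        # Every segment may initiate connections to the internet
        iifname $HIGH_VALUE oifname $WAN accept
        iifname $HIGH_RISK  oifname $WAN accept

        # The high-value segment may reach into the high-risk one
        # (e.g. to administer a camera); the reverse is never allowed
        iifname $HIGH_VALUE oifname $HIGH_RISK accept

        # Log attempts from the high-risk segment; the chain policy would
        # drop them anyway, but the log makes a compromised device visible
        iifname $HIGH_RISK oifname $HIGH_VALUE log prefix "high-risk-to-high-value: " drop
    }
}

table inet nat {
    chain postrouting {
        # Hide both segments behind the firewall's internet address
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f segments.nft`; `nft -c -f segments.nft` parses the file without applying it, which is worth doing before touching a firewall you administer remotely. The property that matters is the `policy drop` on the forward chain: a device on the high-risk segment cannot open anything towards the high-value segment, and because the `established,related` rule comes first, connections the high-value segment opens still get their replies back.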

Multi-Firewall

Using multiple small firewalls can completely isolate groups of devices from one another internally. Given how inexpensive a firewall can be, it may be beneficial to give each segment its own firewall instance rather than one big firewall machine: several smaller firewall machines, even Raspberry Pis, can be used instead. The isolation only holds if the segments are physically separate on the inside as well, each firewall with its own switch or VLAN; if the inside interfaces of all the firewalls share one flat switch, devices can still talk to each other directly and the extra firewalls add nothing. The firewalls also still share the upstream connection, so each one must be configured on its own to refuse unsolicited traffic arriving from that side.

This can have a positive impact on several aspects of the firewall: performance improves, since each machine handles only its own segment's traffic; isolation of devices is simpler, since the segments share no rule set; and failures are contained, since a fault or a compromise of one firewall affects only its segment rather than the whole network. Note that this is containment, not redundancy: a segment whose firewall fails loses its connectivity unless a standby firewall is provided for it.

Hybrid

A hybrid approach combines the two: several firewalls, each of which may host multiple segments, arranged so that inner firewalls sit behind an outer one. This is the most robust option and begins to explore the defence in depth strategy of layering firewalls behind other firewalls: traffic from the internet must pass two independently configured firewalls before it reaches a protected segment, so a single misconfiguration or a single compromised firewall no longer exposes that segment. While certainly more complex than what is outlined in this article, a number of large commercial firewall installations employ this strategy to isolate and protect different groups and resources within the organization, while still allowing some level of inter-networking between them.