One way to segment the network without introducing another firewall is to use multiple interfaces on the firewall to create several subnets. A design based on this principle is presented in the figure, in which the firewall splits the network into three subnets, each dedicated to hosting a particular tier of the application. The firewall is multi-homed, which allows administrators to assign a different security policy to each interface.
In this configuration, internet users can directly access only presentation servers, which have access only to middleware servers, which can access only data servers. Juxtapose this design with the architecture of a multitiered application. At the same time, the firewall's rulebase used to implement access restrictions in this scenario is more complicated than one in which all servers lived on the same subnet. This increases the likelihood that the firewall will be misconfigured, introducing its own risks into this design.
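As an added illustration that is not part of the original article, the following Python models a zone-based rulebase for the three-subnet design above (first-match evaluation with an implicit default deny) and audits it against the only flows the tiered design is meant to permit. The zone names, ports and rules are constructed assumptions, including the overly broad troubleshooting rule that the audit catches.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

ZONES = ["internet", "presentation", "middleware", "data"]

# Intended tiering from the design: each tier may talk only to the next one.
# Ports are constructed assumptions (HTTPS, app server, database).
INTENDED = {
    ("internet", "presentation"): {443},
    ("presentation", "middleware"): {8080},
    ("middleware", "data"): {5432},
}

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.port in (None, port))

def decide(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action == "allow"
    return False

def audit(rules: List[Rule], ports=(22, 443, 8080, 5432)) -> List[Tuple[str, str, int]]:
    """Return every inter-zone flow the rulebase allows but the tier design does not."""
    violations = []
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            for port in ports:
                if decide(rules, src, dst, port) and port not in INTENDED.get((src, dst), set()):
                    violations.append((src, dst, port))
    return violations

# Rulebase that implements the design exactly.
GOOD = [
    Rule("internet", "presentation", 443, "allow"),
    Rule("presentation", "middleware", 8080, "allow"),
    Rule("middleware", "data", 5432, "allow"),
]
# Same rulebase plus a constructed "any -> data" rule left over from troubleshooting:
# it silently exposes the most sensitive subnet to every other interface.
BAD = GOOD + [Rule("any", "data", 5432, "allow")]
```

Running `audit` on each change to the rulebase turns the tier diagram into a regression test, so a rule that widens access beyond the adjacent tier is flagged before it is deployed.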
Hosting each tier of an application on a dedicated subnet is a powerful technique because it allows network designers to configure the network in a way that closely matches the application's security requirements, albeit at an added cost of maintaining a more complex firewall rulebase and managing servers located on different subnets. This approach, evident in several designs presented in this article, mimics the design of a large ship split into multiple watertight compartments to resist flooding. If one of the sections is compromised, other areas retain a high chance of maintaining their integrity.
Using a single firewall to segment the network is one of the most affordable ways of separating application tiers, but it is not without limitations. A single logical firewall, even if redundant in hardware, presents a single point of failure for the design, especially when it enforces security policy for subnets that host servers of different risk levels. If the firewall is compromised or misconfigured, an intruder could obtain access to all subnets, including the most sensitive segment that hosts data servers. Moreover, the firewall may become a performance bottleneck because it needs to examine traffic passing between all subnets. Let's take a look at an alternative design that uses multiple firewalls to eliminate some of these deficiencies.