Defining network boundaries is a crucial step when setting up a firewall, as it helps you control how data flows between different parts of your network. Properly defined boundaries create distinct zones of trust within your infrastructure, each with different security needs and rules.
The most common network segments are internal, external, and DMZ (demilitarized zone).
Here’s a breakdown of these zones:

1. Internal Network
- Purpose: The internal network (also known as the private network) is where your organization's critical systems and resources reside. This could include employee devices, databases, internal applications, and servers. It is typically shielded from direct access by external users.
- Example: Office LAN, data centers, or internal company servers.
- Firewall Configuration: You’ll want to apply strict rules for inbound traffic to this network, allowing access only from trusted sources. Outbound traffic can be more permissive, but should still be monitored.
- Goal: Protect sensitive resources from both external and internal threats, ensuring only authorized users or systems have access to these assets.
2. External Network
- Purpose: This refers to the public or untrusted parts of the network, such as the internet. The external network is the least secure because it includes all entities and users that are not part of your organization.
- Example: The internet or a partner’s network with limited trust.
- Firewall Configuration: The firewall should tightly control any inbound traffic from the external network, allowing only authorized requests (e.g., HTTP/HTTPS for web services) into the internal or DMZ networks.
- Goal: Prevent unauthorized external access while enabling services that must be publicly accessible, such as web servers or email systems.
3. DMZ (Demilitarized Zone)
- Purpose: The DMZ is a buffer zone between the internal and external networks. It hosts services that need to be accessible to both internal users and external users (e.g., customers, partners), such as public-facing web servers, email servers, and DNS servers. The DMZ allows external access while limiting the exposure of your internal network.
- Example: Web servers, FTP servers, application gateways, VPN concentrators.
- Firewall Configuration: The DMZ is protected by two firewalls:
  - One firewall (external) controls traffic between the internet and the DMZ, permitting limited inbound access.
  - Another firewall (internal) controls traffic between the DMZ and the internal network, ensuring that if a DMZ system is compromised, it won’t automatically provide access to internal systems.
- Goal: Allow limited, controlled access from the internet while minimizing the risk of an external attack reaching your internal network.
Why Defining Network Boundaries Is Important
- Security Layers: Segregating networks into distinct boundaries (internal, external, DMZ) provides multiple layers of defense, meaning that even if an attacker breaches one zone, it won’t necessarily allow them access to the rest of your systems.
- Tailored Rules: Different parts of your network have different security needs. The internal network should be tightly controlled, while the DMZ might be more accessible. Defining boundaries lets you apply more granular and specific firewall rules for each zone.
- Minimizing Attack Surface: By limiting the exposure of your internal network to the outside world, you reduce the number of entry points attackers can exploit.
Example Scenario
Imagine you are running an e-commerce website:
- Your web server is placed in the DMZ, as it needs to be publicly accessible.
- The database server supporting your website remains in the internal network as it contains sensitive customer and business data.
- Your firewall will allow HTTP/HTTPS traffic from the internet to reach the web server in the DMZ, but not directly to the database.
- Only the web server in the DMZ can communicate with the database server in the internal network, and only over the specific ports the application needs (e.g., MySQL over port 3306).
- External traffic is blocked from accessing the internal network directly, reducing the risk of attacks.
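As an added illustration (not code from the original article), the following Python model evaluates the scenario's policy against constructed addresses: 10.1.0.0/24 for the DMZ, 10.2.0.0/24 for the internal network, the web server at 10.1.0.10 and the database at 10.2.0.20, with 203.0.113.5 standing in for an internet client. It shows how first-match rules plus an implicit default deny produce each of the five outcomes listed above, including that a second, unlisted DMZ host cannot reach the database.

```python
"""Zone-based firewall policy model for the e-commerce scenario.

Added example, not from the original article. All addresses and subnets
are constructed for illustration. Rules are evaluated first-match with an
implicit default deny for anything no rule permits.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed zone definitions; any address outside these is "external".
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "internal": ipaddress.ip_network("10.2.0.0/24"),
}
WEB_SERVER = "10.1.0.10"  # public-facing web server in the DMZ (constructed)
DB_SERVER = "10.2.0.20"   # database server in the internal network (constructed)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known subnets is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone the connection originates from
    src_host: Optional[str]  # pin to one host, or None for any host in the zone
    dst_host: str
    ports: FrozenSet[int]
    action: str              # "allow" or "deny"


# The scenario's policy: internet -> web server on 80/443, and only the
# web server -> database on 3306. Everything else falls through to deny.
RULES = [
    Rule("external", None, WEB_SERVER, frozenset({80, 443}), "allow"),
    Rule("dmz", WEB_SERVER, DB_SERVER, frozenset({3306}), "allow"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a TCP connection attempt (first match wins)."""
    src_zone = zone_of(src_ip)
    for rule in RULES:
        if rule.src_zone != src_zone:
            continue
        if rule.src_host is not None and rule.src_host != src_ip:
            continue
        if rule.dst_host == dst_ip and dst_port in rule.ports:
            return rule.action
    return "deny"  # default deny: blocks internet -> internal and DMZ -> DB for other hosts
```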
In short, by defining and protecting network boundaries, you create a safer, more structured network where each segment has tailored security controls to meet its specific needs.