Firewall – How are a firewall and DMZ positioned in a network

firewall

How are a firewall and DMZ positioned in a network?

From Computer Networks by Tanenbaum


  • What is the device (let me call it "A") between the DMZ and the internet? Is it the main router of the LAN for the organization?

  • What is the device (let me call it "B") between device "A" I just asked about and the firewall? In other words, what is the device that the web server and email server connect to?
    Is it the same kind of device that the two computers in the internal network connect to? Is it a hub?

  • Is the firewall not directly connected to device "A", but indirectly via device "B"?

Thanks.

Best Answer

"A" is a router, judging by the symbol. For the DMZ to be effective it should be a firewall.

By symbol, "B" is a cabinet which doesn't tell us anything here. Network-wise it should be a switch. (Repeater) hubs are obsolete. I guess Andy wanted to point out the position of the LAN-protecting firewall here, the rest isn't that important at that point.

Today, all physical links are point-to-point. There must be a concentrator (switch or hub) between the firewall and the edge router for the DMZ servers to attach.

Historically, a firewall only connected your internal network and the Internet. In the meantime the distinction between "internal", "DMZ" and "external" has grown into security zones that are all protected against each other. For instance, you can have clients, servers, VoIP, device management, security, IoT, guests, and so on. Usually the zones are mapped to VLANs on a common physical infrastructure.

Since you can't have a dedicated firewall between each zone pair, often just a single firewall (cluster) is used. Note that current firewalls are much more powerful than even Tanenbaum could imagine in the early 1980s.
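As an added example (not part of the original answer), the zone model described above written as a small default-deny policy evaluator: every zone is protected from every other zone, and a compromised DMZ server still cannot initiate connections into the internal LAN. The zone names, subnets and rules are constructed assumptions, not from the book.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: security zones mapped to VLAN subnets.
# Anything outside a known subnet is treated as "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None  # None means any port

# Explicit inter-zone allows; everything not listed is denied.
POLICY = [
    Rule("internet", "dmz", 443),   # public web server
    Rule("internet", "dmz", 25),    # inbound mail to the DMZ mail server
    Rule("internal", "dmz"),        # staff may manage/use DMZ servers
    Rule("internal", "internet"),   # outbound browsing
    Rule("dmz", "internet", 25),    # DMZ mail server relays outbound
]

def zone_of(addr: str) -> str:
    """Map an address to its security zone (default: internet)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def allowed(src: str, dst: str, dst_port: int) -> bool:
    """Decide whether a new connection src -> dst:dst_port is permitted."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # intra-zone traffic is switched, not firewalled
    return any(r.src_zone == s and r.dst_zone == d
               and r.dst_port in (None, dst_port) for r in POLICY)

def dmz_isolated(policy) -> bool:
    """Sanity check: no rule lets the DMZ initiate into the internal zone."""
    return not any(r.src_zone == "dmz" and r.dst_zone == "internal"
                   for r in policy)
```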
