A final idea and concept that we wanted to present to you about firewalls is if the politics don't allow you to move the firewall simply to protect your servers but you have things that need better access to the internet than you can run through your firewall there's a concept called the science dmz the notion of a science dmz is to remove devices in the path from end users to the internet that interferes with the flow of packets and in this case we have directly off the border router that's connected to your enron uh a switch or possibly another router where you attach either servers or even end users to the border router that has direct access to the internet without going through the firewall i know many of you are somewhat horrified by that that you would put devices on public ips well i will tell you that on my desk at the university of oregon is a computer that's connected at one gigabit to a switch and it has a public ip and there is very little filtering and i've never had that computer broken into let's talk for a minute about your border router for many of you the border router will perform more simplistic functions but the border router is mandatory if you're a dual home if you have two internet connections the only way to properly make that work right is to have a border router that provides functions to move traffic to the two outside connections many campuses and emerging regions will do nat on this border router and this nat function actually somewhat acts as a firewall simply by the fact that unless there's a static nat translation on the border router nobody from the outside world can deliver traffic to any part of your campus network without that device on your campus network first initiating an outbound connection so they cannot attack anything inside your campus network without that machine on the campus initiating outbound connection to the attacker so let's put this all together so you can see we have a border router that connects with isp and you're in we have a science dmz that border router connects is probably performing that functions it connects to your core router the core router serves a firewall that addressing your servers and the core router also drives fiber optic cabling to each of your buildings now some of you might find that you can't really afford fiber to some locations or that it's very difficult because some of your campus is on the other side of a very busy street that you don't own in that case we will serve those remote buildings with wireless it's very important however that you serve those remote buildings as if it were fiber each remote building needs a separate interface on the core router and you simply build a single point-to-point link on the end of that interface out to the remote building a different remote building is a different interface on the core router different ip subnet and a different point-to-point link.

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.