You want to use a packet firewall to protect the Hospital network but you are hesitant to choose the right location among the following: putting it on the web server at DMZ, putting it along with the IDS server, putting it on the screened subnet with DMZ, or putting it on the domain boundary. Recommend the right answer with justification as to why or why not.
A packet firewall is a type of firewall which restricts or allows packets at the network layer. It means that the packet firewall will check the IP address before allowing or disallowing the packet inside the network. The packet firewall should be kept at a position outside of the network boundary, where it will initially filter all the unwanted packets, and the remaining packets then move towards the network boundary. Installing the firewall on the web server will protect the web server only, and it will not protect against unauthorised traffic towards other services such as the file server, email server, or other network devices such as switches and routers inside the network. A packet firewall can be put on the DMZ boundary containing the web server to isolate the web server and filter traffic towards the DMZ and the internal secured LAN.
Placing the firewall beside the DMZ:
Therefore, the best position to place the firewall is on the domain boundary. A secondary firewall may be put beside the DMZ to protect against malicious access to the internal router or file server. This way, most of the attacks are mitigated at the DMZ and the external firewall only.
Therefore, the primary firewall can be put on the domain boundary, and a secondary firewall, if required, can be put beside the DMZ for an extra layer of security.
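An added example, not part of the original answer: a small Python model of a stateless first-match packet filter that shows which of the placements discussed above actually sits in the path of a given packet. The addresses, ports, rule sets and placement names are constructed assumptions, and return traffic is ignored.

```python
import ipaddress

# Constructed addressing plan and rules (assumptions, not from the page)
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.10.0.0/16")
WEB, FILESRV, OUTSIDE = "192.0.2.10", "10.10.5.20", "203.0.113.7"
ANY = "0.0.0.0/0"
HTTPS_TO_WEB = [("allow", ANY, WEB + "/32", 443)]  # inbound HTTPS only
LAN_OUTBOUND = [("allow", str(LAN), ANY, None)]    # nothing may enter the LAN

def match(rules, src, dst, dport):
    """First-match filter on source IP, destination IP and port; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and port in (None, dport)):
            return action
    return "deny"

def inside(ip, net):
    return ipaddress.ip_address(ip) in net

def internal(ip):
    return inside(ip, DMZ) or inside(ip, LAN)

# placement -> (does a packet src->dst cross this filter?, its rule set)
FIREWALLS = {
    "web_host": (lambda s, d: d == WEB, HTTPS_TO_WEB),
    "boundary": (lambda s, d: internal(s) != internal(d), HTTPS_TO_WEB),
    "dmz_lan": (lambda s, d: inside(s, LAN) != inside(d, LAN), LAN_OUTBOUND),
}

def delivered(placements, src, dst, dport):
    """True if every filter on the packet's path allows it."""
    for name in placements:
        crosses, rules = FIREWALLS[name]
        if crosses(src, dst) and match(rules, src, dst, dport) != "allow":
            return False
    return True

if __name__ == "__main__":
    flows = [(OUTSIDE, WEB, 443), (OUTSIDE, FILESRV, 445), (WEB, FILESRV, 445)]
    for layout in (["web_host"], ["boundary"], ["boundary", "dmz_lan"]):
        for src, dst, port in flows:
            verdict = "delivered" if delivered(layout, src, dst, port) else "dropped"
            print(f"{'+'.join(layout):17} {src} -> {dst}:{port} {verdict}")
```

In this model the filter on the web server never sees traffic addressed to the file server, the boundary filter drops it, and only the secondary filter stops traffic that originates from the DMZ itself.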