Firewall Overview; Figure 13-1 Typical Firewall Configuration Before Fwlb - Nortel Web OS Switch Software Application Manual

Web OS 10.0 Application Guide

Firewall Overview

Firewall devices have become indispensable for protecting network resources from unautho-
rized access. Prior to FWLB, however, firewalls could become critical bottlenecks or single
points-of-failure for your network.
As an example, consider the following network:
"Dirty" Public Network

Figure 13-1 Typical Firewall Configuration Before FWLB

One network interface card on the firewall is connected to the public side of the network, often
to an Internet router. This is known as the dirty or untrusted side of the firewall. Another net-
work interface card on the firewall is connected to the side of the network with the resources
that must be protected. This is known as the clean or trusted side of the firewall.
In this simple example, all traffic passing between the dirty, clean, and DMZ networks must
traverse the firewall, which examines each individual packet. The firewall is configured with a
detailed set of rules that determine which types of traffic are allowed and which types are
denied. Heavy traffic can turn the firewall into a serious bottleneck. The firewall is also a sin-
gle point-of-failure device. If it goes out of service, external clients can no longer reach your
services and internal clients can no longer reach the Internet.
Sometimes, a Demilitarized Zone (DMZ) is attached to the firewall or between the Internet and
the firewall. Typically, a DMZ contains its own servers that provide dirty-side clients with
access to services, making it unnecessary for dirty-side traffic to use clean-side resources.
FWLB with Alteon Web switches provides a variety of options that enhance firewall perfor-
mance and resolve typical firewall problems.
n
314 Chapter 13: Firewall Load Balancing
Internet
Firewall "Clean" Private Network
DMZ
Private
Network
212777-A, February 2002