Companies that extend their network outward to include Internet connectivity often face the question of where to place their firewall. The two most common locations are in-house, where security is presumably tightest, and at the Internet service provider (ISP), where the firewall can protect a point-to-point connection between the provider and the company. The question is, which is the better solution for your company?
There are reasons to advocate placement in either position, so ultimately the best solution is to place a firewall at each location: one firewall at the ISP, and another at the boundary between your Internet services network and your enterprise network. Not all ISPs will manage a firewall for a client, so make sure your ISP agrees to monitor and manage that firewall for you. You may find that the firewall used by the ISP for general traffic is a good first line of defense.
A second firewall between your enterprise network and your ISP gives you a higher level of control over network traffic while off-loading the basics to the ISP. By checking your own firewall's monitor logs, you also gain added assurance that the ISP firewall is performing. The convenience of writing and instantly testing policy rules on your firewall before having your ISP implement them on the second firewall creates a level of confidence that will help eliminate potential sleepless nights spent wondering if you made the
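One way to carry out the log check described above, as an added example that is not part of the original article: it scans your own firewall's drop log for packets that arrived from the ISP side but match rules the ISP firewall is supposed to enforce. The netfilter-style key=value log format, the policy set, the interface name and the `INNER-DROP` prefix are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumption: rules the ISP has agreed to enforce on its firewall (hypothetical policy).
ISP_SHOULD_BLOCK = {("TCP", 23), ("TCP", 445), ("UDP", 161)}
WAN_IFACE = "eth0"  # assumption: interface of your firewall that faces the ISP

# Constructed sample lines in netfilter LOG key=value style; not real traffic.
SAMPLE_LOG = """\
Jun 12 03:14:07 fw kernel: INNER-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=23
Jun 12 03:14:09 fw kernel: INNER-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=23
Jun 12 03:15:40 fw kernel: INNER-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=8080
Jun 12 03:16:02 fw kernel: INNER-DROP IN=eth1 OUT= SRC=10.0.0.5 DST=198.51.100.10 PROTO=UDP SPT=161 DPT=161
Jun 12 03:17:30 fw kernel: INNER-DROP IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.11 PROTO=UDP SPT=5353 DPT=161
Jun 12 03:18:00 fw kernel: INNER-DROP IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.11 PROTO=ICMP TYPE=8 CODE=0
garbled line without fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the key=value fields of one log line as a dict (empty if none)."""
    return dict(FIELD.findall(line))

def find_leaks(log_text, policy=ISP_SHOULD_BLOCK, wan_iface=WAN_IFACE):
    """Packets that reached our firewall from the ISP side although the
    ISP firewall was supposed to drop them first."""
    leaks = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != wan_iface or not f.get("DPT", "").isdigit():
            continue  # internal traffic, portless protocol, or unparsable line
        rule = (f.get("PROTO"), int(f["DPT"]))
        if rule in policy:
            leaks.append({"rule": rule, "src": f.get("SRC"), "dst": f.get("DST")})
    return leaks

def leaks_per_rule(leaks):
    """Count leaked packets per upstream rule, for the report sent to the ISP."""
    return Counter(leak["rule"] for leak in leaks)

if __name__ == "__main__":
    for (proto, port), n in leaks_per_rule(find_leaks(SAMPLE_LOG)).items():
        print(f"ISP firewall passed {n} packet(s) it should block: {proto}/{port}")
```

An empty result over a period in which your firewall did log other inbound drops is the evidence that the upstream rules are being enforced; any hit is a concrete packet to raise with the ISP.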
Barrie Sosinsky (firstname.lastname@example.org) is president of consulting company Sosinsky and Associates (Medfield, MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web-related), training and technical documentation.
This was first published in June 2000