Using a Single Firewall Configuration

The least expensive option in a small site configuration is to have one firewall separate Internet browsers, your site, and your internal network. This is possible if the firewall contains three network adapters, each connected to one of the three environments.

One place you might want to use just one firewall is in your development environment. For a figure showing a single firewall configuration, see Small Site Development Environment.

Advantages of the single firewall solution include the following:

  • The ISP network (containing Web servers and database servers) is separated physically from the other networks, thereby limiting intrusions into the site. If someone is able to exploit any server that is accessible publicly, they do not have direct access to the internal network.

  • There is only one firewall to purchase and manage.

  • The internal network is not dependent upon the Web site environment to function. If the site has network problems, the internal network does not necessarily lose connectivity.

  • This design is implemented easily in an existing architecture where a firewall is already serving to separate the internal network from the Internet. You might only need to add a third network adapter to the existing firewall.

Disadvantages of the single firewall solution include the following:

  • The database servers are not separated from the Web servers. Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) are the only protocols allowed from the Internet to the Web site.

  • An intruder who gains access to a server in the ISP network might gain access to other servers on the site. Additional security is necessary to protect these servers.

  • Communication between Web servers and database servers travels unprotected within the ISP network.

  • Because Commerce Server Business Desk computers share network traffic with Web servers, you need to run HTTPS on the Business Desk computers to ensure the security of data.

  • Some firewall vendors may not support three interfaces.
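To make the zone boundaries above concrete, here is an added policy model (not part of the original documentation) of what a three-interface firewall does and does not see: only traffic crossing between its legs is filtered, so the Web-to-database traffic listed as a disadvantage passes unfiltered. The address plan, ports and rule set are constructed assumptions.

```python
"""Policy model of the three-interface firewall described on this page.
Only traffic crossing between legs ('internet', 'site', 'internal') is
filtered; hosts on the same leg talk directly. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
SITE_NET = ip_network("192.0.2.0/24")    # ISP network: Web + database servers
INTERNAL_NET = ip_network("10.0.0.0/8")  # corporate LAN, Business Desk clients

def zone_of(addr: str) -> str:
    """Map an address to the firewall leg it sits behind."""
    ip = ip_address(addr)
    if ip in SITE_NET:
        return "site"
    return "internal" if ip in INTERNAL_NET else "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

# Default-deny rule set; first matching rule wins.
RULES = [
    Rule("internet", "site", 80, "allow"),        # HTTP to the Web servers
    Rule("internet", "site", 443, "allow"),       # HTTPS to the Web servers
    Rule("internal", "site", 443, "allow"),       # Business Desk over HTTPS only
    Rule("internal", "internet", None, "allow"),  # staff browsing
    Rule("site", "internal", None, "deny"),       # compromised site host is contained
]
def evaluate(src: str, dst: str, dst_port: int) -> str:
    """Return 'allow', 'deny' or 'unfiltered' for one TCP flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "unfiltered"  # same leg: the firewall never sees this packet
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) \
                and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"

if __name__ == "__main__":
    flows = [("203.0.113.7", "192.0.2.10", 443),  # shopper -> Web server
             ("203.0.113.7", "192.0.2.20", 1433), # Internet -> SQL Server port
             ("192.0.2.10", "192.0.2.20", 1433),  # Web -> database, same leg
             ("192.0.2.10", "10.1.2.3", 445),     # site host -> internal LAN
             ("10.1.2.3", "192.0.2.10", 443)]     # Business Desk -> site, HTTPS
    for src, dst, port in flows:
        print(f"{src:>12} -> {dst:<11}:{port:<5} {evaluate(src, dst, port)}")
```

The "unfiltered" result for the Web-to-database flow is the exposure the third disadvantage describes; protecting it requires controls on the servers themselves (or a second firewall), not a rule on this one.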

