Before you begin to think about installing a firewall, or any other security device for that matter, you should document what your network looks like. This means generating a map of the network, which illustrates all of the major points of interest, and diagramming how they all logically connect together. Although it is not necessary to document individual workstations, you should document:
Important servers (either individually or as a group)
There are a few automated tools that may be able to help with this. For example, Microsoft Visio provides some automatic mapping functionality. Lumeta seems to be one of the most promising. Their maps of the Internet (available at http://www.lumeta.com/mapping.html) have appeared in magazines such as Wired. There are others, but even if you use one of these tools to generate your map, you'll still need to do some additional manual work to identify all of the points of interest.
Because a firewall is a perimeter-based security device, it is most effective when the number of entry and exit points is limited. The process of documenting these entry points into the network may prompt you to reorganize your network in such a way as to limit the number of entry or exit points. This is not entirely a bad thing.
In a multisite company (i.e., a company that occupies more than one physical location), getting a complete network topology may be difficult or impossible. Someone at each physical location should be responsible for maintaining a local network map. A cloud, or a similar symbol, can represent a remote network. This is what is typically used to represent the Internet.
Once you have a clear understanding of the components in your network, you can begin to determine where the different zones of trust are. Many people tend to think of only two zones: everything outside the firewall and everything inside the firewall. Although this is certainly a start, it is a bit more complicated than that. If you have servers that are externally accessible from the Internet, you could consider creating a demilitarized zone (DMZ) or service network. Servers in the DMZ are typically accessible from any network, so they should be secured at the host and application levels to protect against possible compromise. The purpose of a DMZ is to isolate all servers that are accessible from untrusted sources, like the Internet, so that if someone compromises one of those servers, the intruder will have only limited access to externally accessible servers. Servers in the DMZ should be fortified and secured as much as possible and should have a limited ability to initiate connections to internal systems, if any.
In many networks, there are several levels of trust. For instance, sensitive human resources or accounting functions may take place in a separate part of the network that is inaccessible to all but authorized users. There may be parts of the network that contain users who cannot be trusted, or they may contain machines of unknown danger. For example, there may be experimental sections of the network where it is important to set up servers and machines quickly as well as training labs where "guest" access to parts of the network is provided.
Each network and each situation are different. You may need to interview managers and even individual users to determine where these zones of trust should be. Once you have determined what the zones of trust are, the most effective locations of firewalls will become self-evident.
Keep in mind that a firewall is a device similar to a router in that traffic is passed from one interface to another. Like any router, each interface must be connected to a logically different network. This means that if you want to insert a firewall into an existing network, you must make sure that each physical interface of the firewall is on a unique subnet. There are two notable exceptions to this.
The Nokia IP51, a device no longer sold, supports a bridging mode that allows the same subnet to be on the WAN and LAN interfaces.
IPSO 3.7, used on Nokia platforms, has a transparent mode where two or more interfaces can be connected to the same logical network segment. It does layer 2 forwarding and MAC address learning like an Ethernet bridge would do, but it does not do loop detection or spanning tree. Refer to Resolution 15992 in Nokia's Knowledge Base for more details.
Depending on your existing network, this may mean subnetting existing network space, adding address space, or employing Network Address Translation (NAT). (See Chapter 10 for more information.) For network segments that are accessible only inside the firewall, RFC-1918 address space can be added easily. NAT is only necessary if those segments access a public network like the Internet.
Each zone of trust should also be on a separate physical network. Physically different and unconnected switches or hubs are preferred to virtual LANs (VLANs) on a switch, which are VLAN segments created by software in a switch. The problem with the VLAN approach is that if the switch is misconfigured or somehow compromised, traffic can get from one zone to another without going through the firewall. There is nothing wrong with VLANs?just make sure that a physical switch does not occupy more than one zone of trust.