Where to Place a Firewall in the Network & Why It’s Important

Enterprise Storage Forum content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Firewalls are an essential component of networks and their placement matters. Logically, a firewall is placed between the internet service provider (ISP) and the local area network (LAN) devices. As traffic passes through the firewall monitors that traffic against a set of predetermined rules and controls the access to the network. A firewall functionalities help business networks to prevent hackers from stealing data and also stop the spread of malware and denial-of-service (DoS) attacks.

See below to learn all about popular firewall placements and the importance of selecting the best location for them. 

Popular Firewall Placements

Traditionally, firewalls are inserted inline across a network connection and monitor incoming or outgoing traffic. They help to separate the different networks based on a set of predefined rules, which ensure access control between the networks. Firewalls perform at several network segments of the organization networks. As a perimeter defense, a firewall is positioned between networks with different security levels and generally controls traffic between the external networks and internal networks or external networks and demilitarized zone (DMZ) networks, or even between internal networks.

Popular firewall placements infographics.
Al Mahmud Al Mamun

According to the organization’s network environment and security requirements, a single firewall can cover all enforcement points simultaneously. Multiple firewalls can be used in multi-layer deployment for both physical interfaces (layer 2) and physical interfaces (layer 3). The most basic configuration is a wide area network (WAN) connected to a router, then a firewall filters each traffic and distributes it into the network.

Some firewall placements for a large enterprise to personal use are given below.

Enterprise Networks

Enterprise firewall configurations are a bit more complicated compared to consumer-grade firewalls. The firewalls run on a dedicated machine in the network and placement of a business firewall within network topology is more important. The firewall should be connected to the WAN, DMZ, and company network. To ensure more security they may use a configuration with two firewalls. Where the first firewall is placed after the outermost device that connects to the WAN and passes traffic to the DMZ network, and then, a second firewall receives internal traffic pass through the DMZ into the internal network. Larger businesses implement multiple firewalls in their network that allows the creation of a variety of “zones” of varying access levels.

Enterprise networks infographics.
Al Mahmud Al Mamun

Routed Networks

The firewall resides on the network’s locations just before the traffic enters the router, which is known as the ingress point. Sometimes the firewall co-resides with the router, but placing the firewall after the router is rare for a multipath node because the firewall device must follow each of the multiple egress paths. Most hardware firewall devices contain router capabilities. In switched networks,  a firewall is often part of the switch to enable protection of the switched segments. The onboard firewall features of a router can perform an additional security operation before sending it to the firewall. Companies may deploy a router with firewall features (router with firewall capability), or they can deploy a firewall device connected to the network (or a firewall device).

Routed networks infographics.
Al Mahmud Al Mamun

Parallel Placement

Parallel firewall placement helps to provide greater performance improvements for large networks. If enterprises host their website on their own network, a firewall will enable outside traffic to and from the website servers but will block unauthorized incoming or outgoing traffic through the internal computers based on the basis of security rules. The systems with parallel firewalls may consist of a load balancer and a firewall array, where each firewall in the array is identical. When a data packet arrives it will be sent to one of the firewalls in the array and the load balancer maintains short packet queues.

Parallel firewall placement infographics.
Al Mahmud Al Mamun

Read more: 7 Different Types of Firewalls & Deployment Options Explained

Importance of Selecting Firewall Positioning

The right placement and proper configuration of the firewall are directly related to its performance, resource utilization, and threat prevention. 

Performance Improvement

To ensure the complete cybersecurity of a system it is important to maximize the performance of the firewall for incoming and outgoing traffic. Firewall performance depends on the position where it is placed. By adjusting settings and mitigating the impact of DoS attacks, firewalls can help business continuity to ensure security even during a major cyberattack. Companies can create a DMZ, or a zone with the right setup within the business network; the DMZ may contain public-facing services such as mail, FTP, VoIP servers, as well as the business website. The right configurations of the firewall deliver complete protection by monitoring the trends and patterns in traffic.

Proper Utilization of Resources

At the network-level gateways, the firewalls inspect the headers of each network packet to determine where the packet is coming from and its destination. They have excellent performance and consume few resources. At the application-level gateways, more complex firewalls analyze each content of packets with the header and effectively filter packets and control access to resources by analyzing the protocols. Stateful inspection firewalls analyze traffic at multiple levels of the network and can prevent a wider array of threats but they’re also resource-intensive. The firewall should be placed in the right positions, otherwise, some of the resources can be wasted or the system can be flooded by DoS attacks.

Prevention of DoS Attacks

Generally, a firewall is not designed to scale to the huge number of connections per second (CPS), and it deals with every unique flow according to zone, IP, protocol, and application. So firewall placement plays a critical role to avoid the flooding of counters for DoS attacks. To ensure the best protection against DoS attacks should place the firewalls as close to the resources as possible, which will reduce the session numbers the firewall may handle. Do not place the firewalls in front of dedicated devices and allow those high-volume devices at the first line of defense to mitigate the flood of DoS attacks.

Bottom Line: Where to Place a Firewall in the Network

Firewalls are a necessary part of network security, helping to prevent harmful access to data and resources. Placing a firewall in the right position in the network ensures the safe and efficient use of the system’s resources. 

Many cybersecurity vendors are offering different types of firewalls with state-of-the-art technology and rich functionality. These firewalls provide a deeper level of protection with easy placement and setup. Different types of firewalls are used for different purposes, it is important to place the firewall as per your system requirements so it can run very efficiently. The system with proper firewall configuration and placement has greater control over the network traffic and delivers complete protection of business data against today’s advanced security threats.

Learn more about firewalls in this guide.

Al Mahmud Al Mamun
Al Mahmud Al Mamun
Al Mahmud Al Mamun is a writer for TechnologyAdvice. He earned his B.S. in computer science and engineering from Prime University, Bangladesh. He attained more than 25 diploma courses and 100 certificate courses. His expertise and research interests include artificial intelligence (AI), artificial neural networks, and convolutional neural networks.

Get the Free Newsletter!

Subscribe to Cloud Insider for top news, trends, and analysis.

Latest Articles

15 Software Defined Storage Best Practices

Software Defined Storage (SDS) enables the use of commodity storage hardware. Learn 15 best practices for SDS implementation.

What is Fibre Channel over Ethernet (FCoE)?

Fibre Channel Over Ethernet (FCoE) is the encapsulation and transmission of Fibre Channel (FC) frames over enhanced Ethernet networks, combining the advantages of Ethernet...

9 Types of Computer Memory Defined (With Use Cases)

Computer memory is a term for all of the types of data storage technology that a computer may use. Learn more about the X types of computer memory.