This blueprint provides design guidance for firewall and proxy/cache services in an enterprise-class organization, including detailed information about how these services operate. The guidance in this blueprint was used in the test labs to implement the Windows Server System Reference Architecture (WSSRA) test scenarios, which are outlined in the Introduction to Windows Server System Reference Architecture document in this documentation. Additional information about firewalls can be found in the Network Architecture Blueprint and the Security Architecture Blueprint. More detailed information about the design for firewall and proxy/cache services is provided in the Implementation Guides.

Note: The mechanisms described in this blueprint may be delivered either by a physical hardware device (that is, a single- or limited-purpose appliance) or by a general-purpose server running firewall software. Firewalls are often deployed as hardware devices; however, a firewall can also be implemented as a server and software solution. Similarly, although proxy functionality is often implemented in software, hardware devices are also available for the same purpose.
Who Should Read This Blueprint

This blueprint is written for information technology (IT) professionals responsible for the design and deployment of security and network infrastructure in enterprise environments. The reader is expected to understand the technical details provided in this service-level guidance; however, a reader need not be a service-level expert to follow the enterprise-level discussions and decisions that are made.

Knowledge Prerequisites

Before reading this blueprint, the reader is expected to be familiar with the basic concepts of the following technologies:
In addition, knowledge of intrusion methods would be useful, especially if you have been the unfortunate victim of a hacker attack. The “References” section at the end of this blueprint contains addresses of Web sites that provide further information on hacking, security, and intrusion detection. For detailed information on all aspects of security, refer to the following URL: http://www.microsoft.com/technet/security/

Business Need

A reliable firewall and proxy solution is critical to the security of any organization. This section establishes the need for each of these services.

Need for Firewall Services

Every organization maintains certain sensitive information that can harm the organization if it falls into the wrong hands. The potential for such harm becomes even higher, and its impact greater, if an organization actively uses the Internet to host applications and services such as:
To provide even the most common of such services, for example e-mail, organizations must connect their internal systems to the Internet. In doing so, these systems become reachable from external networks and, therefore, exposed to attack. Organizations also bear the costs that such connections require, including payments to an Internet service provider (ISP) and investments in technologies that protect their information systems. Clearly, it is important to prevent attacks on information systems, to legally prosecute those who perpetrate them, and to be as knowledgeable as possible about the risks posed by different kinds of attacks.

Need for Proxy Services

Many organizations have employees who need fast and regular access to Web content; however, as the amount of Web content grows and the number of these employees increases, the pressure on the IT infrastructure's Internet connectivity can become overwhelming. One possible solution, albeit an expensive one, is to add more bandwidth. Another is to bring the content closer to the employees. In a Web cache or proxy system, frequently accessed Web content is stored on a cache or proxy server within the organization’s internal network. This server maintains a cache of Web objects and, whenever possible, fulfills subsequent client requests from the cache. Client response times improve because objects are retrieved from a local server rather than from a remote Internet-based source, and each cache hit saves the bandwidth that a fresh retrieval would have consumed. Caching can be used to distribute content around an internal network, or at multiple points of presence (POPs) around the Internet, to bring popular content closer to users while saving bandwidth and speeding content delivery.
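The caching behaviour described above, together with the scheduled (active) prefetch mode that the next paragraph describes, as an added example that is not part of the WSSRA blueprint or of any Microsoft product. The origin servers, URLs, response bodies and Cache-Control headers are constructed for the example so that it runs offline; the point it adds to the text is the decision a shared organizational cache must make on every response it sees: store the object for its max-age lifetime, or refuse to store it when the origin marks it no-store or private, because serving such an object to a second employee would disclose one user's data to another.

```python
"""Model of an organization's Web cache: reactive caching plus scheduled prefetch.

Added example, not code from the WSSRA blueprint. Origin servers are simulated
with a constructed table so that the example runs offline.
"""
import time
from dataclasses import dataclass, field

# Constructed sample origin content: URL -> (body, Cache-Control header).
ORIGIN = {
    "http://news.example/today.html": (b"daily news bulletin", "max-age=300"),
    "http://news.example/logo.png": (b"\x89PNG logo bytes", "max-age=86400"),
    "http://hr.example/payslip": (b"private payslip", "private, max-age=300"),
    "http://bank.example/balance": (b"account balance", "no-store"),
}


@dataclass
class Entry:
    body: bytes
    expires: float  # absolute time after which the object is stale


@dataclass
class WebCache:
    entries: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0
    origin_bytes: int = 0  # bytes pulled over the Internet link

    @staticmethod
    def freshness_lifetime(cache_control):
        """Seconds a shared cache may reuse the response, or None if it must not store it."""
        directives = [d.strip().lower() for d in cache_control.split(",")]
        # A shared cache must never hold per-user or no-store responses:
        # serving them to a second client would disclose one user's data to another.
        if "no-store" in directives or "private" in directives:
            return None
        for d in directives:
            if d.startswith("max-age="):
                try:
                    return int(d[len("max-age="):])
                except ValueError:
                    return None
        return None  # no explicit freshness: be conservative and do not cache

    def fetch_from_origin(self, url, now):
        """Retrieve over the Internet link and store the object if it is cacheable."""
        body, cache_control = ORIGIN[url]
        self.origin_bytes += len(body)
        ttl = self.freshness_lifetime(cache_control)
        if ttl is not None:
            self.entries[url] = Entry(body, now + ttl)
        return body

    def get(self, url, now=None):
        """Reactive mode: serve from cache when fresh, otherwise go to the origin."""
        now = time.time() if now is None else now
        entry = self.entries.get(url)
        if entry is not None and entry.expires > now:
            self.hits += 1
            return entry.body
        self.misses += 1
        return self.fetch_from_origin(url, now)

    def prefetch(self, urls, now):
        """Active mode: refresh a scheduled list of objects ahead of client demand."""
        for url in urls:
            self.fetch_from_origin(url, now)


def run_scenario():
    """Replay a constructed day of requests; times are seconds on a simulated clock."""
    cache = WebCache()
    news, logo = "http://news.example/today.html", "http://news.example/logo.png"
    cache.get(news, now=0)                            # miss: first request
    cache.get(news, now=10)                           # hit: fresh for 300 s
    cache.get("http://hr.example/payslip", now=20)    # miss: private, never stored
    cache.get("http://hr.example/payslip", now=30)    # miss again, by design
    cache.get(news, now=400)                          # miss: max-age expired
    cache.prefetch([news, logo], now=650)             # off-peak scheduled refresh
    cache.get(news, now=700)                          # hit: prefetched copy
    cache.get(logo, now=710)                          # hit: prefetched copy
    return {"hits": cache.hits, "misses": cache.misses,
            "origin_bytes": cache.origin_bytes, "cached": sorted(cache.entries)}


if __name__ == "__main__":
    print(run_scenario())
```

The prefetch list and the off-peak time are assumptions of the example; in a deployment they come from the proxy product's scheduled content-download feature and from the organization's observed traffic profile. The scenario deliberately requests the payslip twice to show that the second request still goes to the origin: a cache that ignored the private directive would shave a few bytes off the link and hand one employee's payslip to the next.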
The next logical step for this approach is to move the solution from a reactive mode of operation (that is, the server caches an object only after a client first requests it) to an active mode in which content is scheduled to be retrieved some time before employees request it; most modern proxy servers can operate in this mode. The server cache can thus be updated at times of low network utilization with content that clients in the organization are expected to request. Having this content available directly from the server cache rather than from the Internet saves bandwidth and improves the user experience.

References

Further information about the design and deployment of both firewall and proxy services may be found at the following URLs: