Once you decide to place firewalls between your Internet connection and your local systems, there are three rules you should follow. Coincidentally, they are the same rules that apply to buying real estate: location, location, and location. Let's take a look at some firewall strategies.
Obviously, the safest approach is to use a dedicated system with a built-in firewall for all your Internet server services and not to attach that system to your business LAN (see Figure A). Although this approach is very safe, it is also extremely limited because no system on the LAN has any Internet access at all.
An alternate approach is to place the server/firewall on the same LAN as your business systems but restrict the flow of traffic through the server (see Figure B). In this case, local systems can go through the server/firewall to access Internet services, but no one can come in from the Internet to the local LAN (unless, of course, someone hacks into your server/firewall and reconfigures it to support two-way traffic).
So what happens if you need to have more than one server involved in Internet services? Putting other Internet servers on the same physical network as the local business systems would be a formula for disaster (see Figure C). Clever hackers can take advantage of the path to your LAN and potentially reach your business systems as well as your servers.
If you do need multiple Internet servers, you should physically separate them from your local business systems (see Figure D). Then you can set up your Internet server/firewall to handle the routing for the local business systems and the local Internet servers differently. Local business systems should have one-way access to the Internet (connections they initiate, plus the replies to those connections), while the local Internet servers need two-way access. You do, however, run the risk of someone penetrating your firewall and altering its routing tables to get access to your LAN.
For greater security, a second firewall can be added to the picture (see Figure E). This provides a backup to the first firewall in the event its routing tables are compromised. In other words, even though a hacker may get through the first firewall, the second one will stop--or at least dramatically slow--the intrusion.
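The two layouts above (Figure D's split between business systems and Internet servers, and Figure E's second firewall) can be expressed as a small zone-based policy model. The following is an added example written for this page, not code from the original article; it assumes three zones named `lan` (business systems), `dmz` (the separated Internet servers) and `internet`, assumes Figure E is laid out as Internet, outer firewall, servers, inner firewall, LAN, and uses constructed service ports (25 and 80 published, 22 not). The point it demonstrates is the one the text makes: even when the outer firewall is reconfigured to pass everything, the inner firewall still refuses any connection that the Internet tries to open toward the LAN, while the Internet servers in front of it are exposed.

```python
"""Zone-based stateful firewall model (constructed example, not the article's code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY: Optional[Set[int]] = None  # wildcard meaning "any port" in a rule
Rule = Tuple[str, str, Optional[Set[int]]]  # (src_zone, dst_zone, allowed ports)


@dataclass(frozen=True)
class Packet:
    src_zone: str      # "internet", "dmz" (Internet servers) or "lan" (business systems)
    dst_zone: str
    port: int          # service port of the connection this packet belongs to
    new: bool = True   # True: tries to open a connection; False: reply inside an existing one


class StatefulFirewall:
    """Rules list what may be OPENED across this firewall; anything unlisted is dropped.
    Reply traffic is accepted only for a connection this firewall already saw opened."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)
        self.sessions: Set[Tuple[str, str, int]] = set()  # (initiator, responder, port)

    def allows(self, pkt: Packet) -> bool:
        if not pkt.new:
            # A reply flows responder -> initiator, so look the session up reversed.
            return (pkt.dst_zone, pkt.src_zone, pkt.port) in self.sessions
        for src, dst, ports in self.rules:
            if (src in (pkt.src_zone, "*") and dst in (pkt.dst_zone, "*")
                    and (ports is ANY or pkt.port in ports)):
                self.sessions.add((pkt.src_zone, pkt.dst_zone, pkt.port))
                return True
        return False


def outer_rules() -> List[Rule]:
    """Figure D policy on the Internet-facing firewall (ports are constructed values)."""
    return [
        ("lan", "internet", ANY),        # business systems: one-way (outbound) access
        ("dmz", "internet", ANY),        # Internet servers may also initiate outbound
        ("internet", "dmz", {25, 80}),   # inbound only to the published server ports
    ]


def inner_rules() -> List[Rule]:
    """Figure E's second firewall: the LAN may open connections out; nothing opens in."""
    return [("lan", "*", ANY)]


# Which firewalls each path crosses in the assumed Figure E topology:
# Internet -- outer -- servers (dmz) -- inner -- LAN
PATH = {
    frozenset({"internet", "dmz"}): ("outer",),
    frozenset({"dmz", "lan"}): ("inner",),
    frozenset({"internet", "lan"}): ("outer", "inner"),
}


class Network:
    def __init__(self, outer: List[Rule], inner: List[Rule]):
        self.fw = {"outer": StatefulFirewall("outer", outer),
                   "inner": StatefulFirewall("inner", inner)}

    def forward(self, pkt: Packet) -> bool:
        """A packet gets through only if every firewall on its path accepts it."""
        hops = PATH[frozenset({pkt.src_zone, pkt.dst_zone})]
        return all(self.fw[h].allows(pkt) for h in hops)


def demo() -> dict:
    """Run the constructed scenarios; keys name the case, values say whether it passed."""
    r = {}
    net = Network(outer_rules(), inner_rules())
    r["lan_opens_web"] = net.forward(Packet("lan", "internet", 443))                  # True
    r["web_reply_to_lan"] = net.forward(Packet("internet", "lan", 443, new=False))    # True
    r["spoofed_reply_to_lan"] = net.forward(Packet("internet", "lan", 22, new=False))  # False
    r["internet_opens_lan"] = net.forward(Packet("internet", "lan", 445))             # False
    r["internet_to_mail_server"] = net.forward(Packet("internet", "dmz", 25))         # True
    r["internet_to_server_ssh"] = net.forward(Packet("internet", "dmz", 22))          # False

    # Figure E's case: outer firewall compromised and reconfigured to pass everything.
    broken = Network([("*", "*", ANY)], inner_rules())
    r["compromised_outer_internet_opens_lan"] = broken.forward(Packet("internet", "lan", 445))  # False
    r["compromised_outer_internet_to_server_ssh"] = broken.forward(Packet("internet", "dmz", 22))  # True
    return r


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:45s} {'ALLOWED' if passed else 'DROPPED'}")
```

The model treats "one-way access" the way a stateful filter does: the LAN may open connections, and only replies to connections a firewall actually saw opened are let back in, which is why the spoofed "reply" on port 22 is dropped. The last two cases are the text's argument for the second firewall: with the outer rules replaced by allow-all, the servers become reachable on any port, but the inner firewall still drops every connection the Internet tries to open toward the business systems.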
As you can see, there are lots of things to consider when you position firewalls in a network. Furthermore, as networks grow larger and more complex, so do the firewall requirements. But regardless of the size and complexity of your network, you should take a hard look at how firewalls can better protect your business information.