Hi everybody, Ed Amoroso here. So the building blocks of a demilitarized zone or perimeter network consist basically of a packet filter and an application proxy. Those are the two main components that comprise this thing we sort of call a perimeter network. And we're going to look at a few different ways that it can be arranged. There are some architectures that make sense that you ought to be considering as a security engineer when you're trying to protect one network from another, which, as we said earlier, is essentially the definition of a firewall.

So, the first option, the cheapest, simplest option, is you get a router that implements packet filtering natively. And I think that's true of just about every router. It's funny, when I first started looking at routers in the late 80s, early 90s, Cisco was a company that was becoming very popular at the time. When they'd come calling to make a sales call, it was always about the speed of the router, the efficiency of the router, the capacity of the router; never security. And then as we started to see some internet security problems pop up, little by little the salespeople would start to mention security, they'd see you perk up, and after about five or so years, when we got into the 2000s, when the router companies and vendors would come to visit you, the first thing that they'd talk about is security and then later on talk about capacity and other stuff. So kind of funny, for me very vindicating. But, so, the first architecture involves the internet, your LAN, and a router essentially providing packet filtering as the firewall, as the network. So you can have a device, a routing device, as your DMZ. Advantage: cheap, simple, easy. Disadvantage: not much functionality there, right. Not too much you can do to sort of drop or allow packets, but it has its advantage. So that's sort of option one.

Option 2 is you can put a packet filter in place and you can hang an application proxy off of it. So routers have multiple interfaces. And the way routers work is they steer traffic, right. So one possibility is you steer the traffic through the router to the LAN or from the LAN depending on which direction the packet's headed. Another is the router can make the decision to forward to a proxy to do something at the application level. So that's a second option. What are the advantages? Well, it gives you more capabilities certainly than just a router, but it's a little more expensive. And then as you probably have seen, the industry, this firewall industry, has packaged that together into basically a product that's done pretty well for a whole bunch of years, either as a piece of hardware that would sit in a rack at a data center or as a virtual appliance that would sit in a cloud operating system as a piece of software, where the interfaces are application programming interfaces, APIs, rather than network connections accepting a packet. So that's a second option.

Third option is probably the way almost every big business, every government agency, every military, even more substantive organization would do it. And that's to build something we would call a demilitarized zone or a perimeter network. And the way we do that is we put one router in place facing, say, the untrusted side of the ecosystem, the internet; you call that your exterior router. And then put another router facing your LAN, facing the stuff that you're trying to protect. We call that an interior router. So you have an exterior, interior. And those two routers share an interface, and that interface, that network, is where you can expand and put all kinds of interesting components. You put application proxies. In fact, you can put application firewalls for all kinds of different protocols. You can decide I want to load balance all of the HTTP traffic to this device, I want to load balance email traffic to this device, or whatever. It's kind of fun designing these things. You look at the components, snap things together into the network, you can put other things, like an auditing mechanism. We can have like management of log files and audit trails and so on right there on the DMZ with data leakage protection. There's a lot of interesting things you can do. You can get very creative with that perimeter network.

So really fundamentally you have these three options: a router, a firewall which potentially includes routing capability, or a network. And I think most companies today realize routers are pretty cheap, and if you're into virtualization, they're not only cheap, they can be software also sitting in a cloud operating system; it's kind of fun. So you put all that together and you come to the conclusion that certainly the pros of a perimeter network are that it is the most flexible, the most powerful, gives you the most options. The disadvantage: it's also going to cost the most money and it will be a little bit of time and effort to manage. So I doubt you would do that for your home, but if you're running a little business or a medium-sized business or a big one, then you probably want to think a little bit about a perimeter network.

Now to test our understanding of this material, a little quiz here. It turns out that C is probably the best answer. I know all of them you can kind of make a little bit of a case for. You know, certainly application-level protocols may not be handled at a router, so I'll give you some credit if you maybe picked one of the other ones. But for the most part, the ability to handle more complex attack scenarios is the reason we build demilitarized zones. That's why we have perimeter networks in the first place. So I hope you enjoy this. I hope you learned something about really the three stages of perimeter network design. We'll dig into this more in some subsequent videos and hopefully you'll stick with us. So I'll see you in the next one.
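The screened-subnet design from option three, as an added example that is not from the lecture: a small Python model of the exterior and interior routers' packet-filter rules (the address plan, ports and the proxy host are all constructed), showing that the untrusted side can reach only the application proxy, while the LAN is reachable only from that proxy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the three-zone design (not from the lecture):
INTERNET = ip_network("0.0.0.0/0")      # untrusted side, behind the exterior router
DMZ = ip_network("192.0.2.0/24")        # the network the two routers share
LAN = ip_network("10.10.0.0/16")        # the stuff we are trying to protect
PROXY_IP = "192.0.2.10"                 # hypothetical application proxy in the DMZ
PROXY = ip_network(PROXY_IP + "/32")
WEB_TIER = "10.10.1.20"                 # hypothetical internal web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def filter_packet(rules, pkt):
    """Packet-filter semantics: the first matching (src, dst, ports, action)
    rule wins; anything unmatched is dropped (default deny)."""
    for src_net, dst_net, ports, action in rules:
        if (ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net
                and (ports is None or pkt.dport in ports)):
            return action
    return "drop"


# Exterior router: the untrusted side may only reach the proxy, on web ports.
EXTERIOR_RULES = [
    (INTERNET, PROXY, {80, 443}, "accept"),
    (DMZ, INTERNET, None, "accept"),    # traffic originated inside the DMZ
]

# Interior router: only the proxy may enter the LAN, and only on the app port.
INTERIOR_RULES = [
    (PROXY, LAN, {8080}, "accept"),
    (LAN, DMZ, None, "accept"),         # LAN hosts may reach DMZ services
]


def web_request_path(client_ip):
    """Trace a client's web request through both routers. The proxy terminates
    the inbound connection and opens a fresh one to the LAN web tier, so the
    interior router only ever sees proxy-sourced traffic."""
    inbound = Packet(client_ip, PROXY_IP, 443)
    hops = [("exterior", filter_packet(EXTERIOR_RULES, inbound))]
    if hops[-1][1] == "accept":
        relayed = Packet(PROXY_IP, WEB_TIER, 8080)
        hops.append(("interior", filter_packet(INTERIOR_RULES, relayed)))
    return hops
```

A packet from the internet addressed straight at a LAN host never matches an exterior rule and is dropped at the first router, which is the whole point of the two-router arrangement.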