Firewall placement

Where you place a firewall in your network determines what it can protect and what policies it can enforce. This page explains the most common placement scenarios for a NetFoundry zLAN firewall and the trade-offs of each.

Why placement matters

A firewall only enforces policy on traffic that actually passes through it, so it is only effective when every path between two zones crosses it, including redundant links, backup routes, and tunnels that terminate inside the zone. Poor placement creates blind spots: traffic that bypasses the firewall is unmonitored and uncontrolled, and the policy you wrote for it never runs. The right placement depends on what you're protecting and which threats you're most concerned about.

Placement scenarios

Perimeter (edge)

The firewall sits at the boundary between your internal network and an external connection such as the internet or a WAN link. All inbound and outbound traffic crosses the firewall, giving you a single enforcement point for north-south traffic.

This is the most common starting point. It protects the entire internal network from external threats but provides no visibility into traffic between internal segments.

Internal segmentation

The firewall sits between two internal segments, such as a user LAN and a server LAN. Traffic moving laterally between segments crosses the firewall; traffic within a single segment does not.

This limits lateral movement in the event of a compromise. An attacker who gains access to the user LAN can reach the server LAN only through the firewall, and only over the flows its policy explicitly permits. The protection holds only while the firewall is the sole path between the segments; a dual-homed host, an unmanaged switch link, or a VPN that lands directly in the server LAN reintroduces a bypass.

DMZ (demilitarized zone)

Two firewalls create an intermediate zone for public-facing services. External traffic reaches the DMZ but is blocked from the internal network by a second firewall. Internal users can reach both zones.

Public services (web servers, APIs) run in the DMZ. A breach of a DMZ host does not expose the internal network directly. Because DMZ hosts are the ones most likely to be compromised, the second firewall's policy should also restrict connections that originate in the DMZ and head inward, allowing only the specific backend flows a service needs (for example, a web tier reaching one database port) rather than treating DMZ-to-internal traffic as trusted.

On-host (host-based)

The firewall runs on the host itself, filtering in the host's own network stack rather than on a device in the path. The network delivers packets to the host's interface; the host firewall decides which of them reach the listening application, and many host firewalls can apply rules per process as well as per port and address.

This provides granular per-host policy and is useful for servers or VMs that need dedicated protection independent of the surrounding network topology. It shares the host's fate, though: an attacker who gains administrative control of the host can disable or rewrite its firewall, so host-based rules complement network placements rather than replace them.

Combining placements

Most production networks use more than one placement. A common pattern is a perimeter firewall for north-south traffic combined with internal segmentation firewalls between sensitive zones such as finance, engineering, and operations. The placements are additive: each layer handles a different class of threat.
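The points above about blind spots, internal segmentation, the two-firewall DMZ, and combining placements can be checked mechanically: model the zones as a graph, put each firewall on the link it guards, and ask which firewalls a given flow crosses. The following is an added example written for this page, not NetFoundry or zLAN code; the zone names, firewall names, links, and allow lists are constructed for illustration and do not describe any real deployment. One link (core to engineering) is deliberately left without a firewall to show how a blind spot surfaces.

```python
"""Which firewalls does a flow cross, and which zone pairs cross none?

Added example for this page; not NetFoundry or zLAN code. All zone and
firewall names, links and allow lists below are constructed for illustration.
"""
from collections import deque
from itertools import permutations

# Each link joins two zones; the third field names the firewall on that link,
# or None when the zones are joined with no enforcement point between them.
LINKS = [
    ("internet", "dmz", "edge-fw"),     # perimeter: first DMZ firewall
    ("dmz", "core", "dmz-fw"),          # second DMZ firewall, shields the inside
    ("core", "user-lan", None),         # core and user LAN: plain routing
    ("core", "server-lan", "seg-fw"),   # internal segmentation firewall
    ("core", "finance", "finance-fw"),  # segmentation around a sensitive zone
    ("core", "engineering", None),      # deliberately left unguarded
]

# Allow list per firewall, keyed by (src_zone, dst_zone, proto, dport).
# Anything not listed is denied (default deny).
POLICY = {
    "edge-fw":    {("internet", "dmz", "tcp", 443)},
    "dmz-fw":     {("user-lan", "dmz", "tcp", 443),
                   ("dmz", "server-lan", "tcp", 5432)},
    "seg-fw":     {("dmz", "server-lan", "tcp", 5432),
                   ("user-lan", "server-lan", "tcp", 443)},
    "finance-fw": {("user-lan", "finance", "tcp", 443)},
}


def adjacency(links):
    graph = {}
    for a, b, fw in links:
        graph.setdefault(a, []).append((b, fw))
        graph.setdefault(b, []).append((a, fw))
    return graph


def firewalls_on_path(links, src, dst):
    """Firewall names crossed on the shortest src->dst path, in order, or None
    if dst is unreachable. The topology is treated as single-path (tree-shaped);
    with redundant links every path would have to be checked, not just one."""
    if src == dst:
        return []                      # intra-zone traffic crosses nothing
    graph = adjacency(links)
    parent = {src: (None, None)}       # zone -> (previous zone, firewall on link)
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            break
        for neighbor, fw in graph.get(zone, []):
            if neighbor not in parent:
                parent[neighbor] = (zone, fw)
                queue.append(neighbor)
    if dst not in parent:
        return None
    crossed, zone = [], dst
    while parent[zone][0] is not None:
        prev, fw = parent[zone]
        if fw is not None:
            crossed.append(fw)
        zone = prev
    crossed.reverse()
    return crossed


def blind_spots(links):
    """Ordered zone pairs that can reach each other without crossing any firewall."""
    zones = sorted({z for a, b, _ in links for z in (a, b)})
    return [(s, d) for s, d in permutations(zones, 2)
            if firewalls_on_path(links, s, d) == []]


def evaluate(links, policy, src, dst, proto, dport):
    """Walk the flow through every firewall on its path; the first firewall
    whose allow list lacks the tuple drops it. Each layer must permit it."""
    crossed = firewalls_on_path(links, src, dst)
    if crossed is None:
        return {"verdict": "unreachable", "crossed": [], "blocked_by": None}
    for fw in crossed:
        if (src, dst, proto, dport) not in policy.get(fw, set()):
            return {"verdict": "deny", "crossed": crossed, "blocked_by": fw}
    return {"verdict": "allow", "crossed": crossed, "blocked_by": None}


if __name__ == "__main__":
    for flow in [("internet", "dmz", "tcp", 443),
                 ("internet", "server-lan", "tcp", 5432),
                 ("dmz", "server-lan", "tcp", 5432),
                 ("user-lan", "engineering", "tcp", 22)]:
        print(flow, evaluate(LINKS, POLICY, *flow))
    print("blind spots:", blind_spots(LINKS))
```

Run as a script, the internet-to-server-lan flow is dropped at edge-fw before the inner layers ever see it, the DMZ-to-database flow is allowed only because both dmz-fw and seg-fw list it, and the user-lan-to-engineering flow is allowed without crossing any firewall at all; blind_spots reports that pair, along with every pair touching the unguarded core links. The same model extends to a real design by replacing the constructed links with the zones and enforcement points you actually have.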