The proposed network has three parts (each part could have sub-parts), joined by an authentication gateway.

- Internet zone. This consists of machines connected directly to the internet with only the router in between. The router should have access rules to ensure that packets carrying local IP addresses really come from the local side (anti-spoofing)! This zone contains the DNS slave servers, the mail exchangers and the web accelerator.

- The Server Zone. This zone consists of the primary servers for the domain: the DNS primary server, the mail spool and the "real" web server(s). We also have the NFS/NIS servers and clients here.

- The Client Zone. This zone consists of the clients for the internet and the intranet (server zone).

- The authentication gateway. This machine serves multiple purposes and needs careful configuration. It is connected to all three zones.
  - It decides what connections are permitted from the client zone to the intranet and the internet.
  - It decides what connections are permitted from the internet zone to the intranet. Usually only "RELATED,ESTABLISHED" is permitted!
  - It decides what connections are permitted from the internet to the client zone. Again, usually only "RELATED,ESTABLISHED".
  - It may grant additional access if the machine making the connection is "authenticated" in some way (SSH, SSL, ...).
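The gateway policy above, written out as iptables rules, is shown below as an added example; it is not part of the original text. The script defaults to IPT=echo so that it prints the rule set instead of loading it (run it as root with IPT=iptables to apply). The interface names, the placeholder subnets, the service list and the AUTH_HOSTS chain are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: FORWARD-chain policy for the authentication gateway.
# IPT defaults to "echo" so the rules are printed, not loaded;
# run as root with IPT=iptables to apply them.
IPT="${IPT:-echo}"

INET_IF="${INET_IF:-eth0}"   # assumed: interface towards the internet zone
SRV_IF="${SRV_IF:-eth1}"     # assumed: interface towards the server zone (intranet)
CLI_IF="${CLI_IF:-eth2}"     # assumed: interface towards the client zone

SRV_NET="${SRV_NET:-10.0.1.0/24}"   # constructed placeholder for the server zone
CLI_NET="${CLI_NET:-10.0.2.0/24}"   # constructed placeholder for the client zone

CLIENT_TO_INTRANET_TCP="53 25 143 80"   # assumed services clients may open to the intranet
CLIENT_TO_INTERNET_TCP="80 443"         # assumed services clients may open to the internet

gateway_rules() {
    # Nothing is forwarded unless a rule below permits it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies and related packets of connections already accepted are allowed in
    # every direction. For internet -> intranet and internet -> client zone this
    # is the only rule that matches: no NEW connections are opened from there.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Anti-spoofing: a packet arriving on a zone interface must carry a source
    # address of that zone, and nothing arriving from the internet side may
    # claim a local address.
    $IPT -A FORWARD -i "$SRV_IF" ! -s "$SRV_NET" -j DROP
    $IPT -A FORWARD -i "$CLI_IF" ! -s "$CLI_NET" -j DROP
    $IPT -A FORWARD -i "$INET_IF" -s "$SRV_NET" -j DROP
    $IPT -A FORWARD -i "$INET_IF" -s "$CLI_NET" -j DROP

    # Hosts that have authenticated to the gateway get extra access to the
    # intranet through this chain; grant_authenticated_host populates it.
    # (Assumed mechanism; creating the chain fails harmlessly if it exists.)
    $IPT -N AUTH_HOSTS
    $IPT -A FORWARD -i "$CLI_IF" -o "$SRV_IF" -m state --state NEW -j AUTH_HOSTS

    # Client zone -> intranet: only the listed services may be opened.
    for p in $CLIENT_TO_INTRANET_TCP; do
        $IPT -A FORWARD -i "$CLI_IF" -o "$SRV_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Client zone -> internet: only the listed services may be opened.
    for p in $CLIENT_TO_INTERNET_TCP; do
        $IPT -A FORWARD -i "$CLI_IF" -o "$INET_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Anything that reaches the end of the chain is logged (rate limited) and
    # then dropped by the chain policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "GW-DROP: "
}

# Grant one authenticated host (e.g. after it logged in over SSH) the right to
# open NEW connections to the intranet. Argument: the host's IP address.
grant_authenticated_host() {
    $IPT -A AUTH_HOSTS -s "$1" -j ACCEPT
}

# Sanity check helper: how many rules let a given interface open NEW connections?
count_new_rules_from() {
    gateway_rules | grep -c -- "-i $1 .* --state NEW -j ACCEPT" || true
}

gateway_rules
```

With the defaults, `count_new_rules_from eth0` prints 0: the internet-facing interface can never open a connection into either local zone, which is exactly the "only RELATED,ESTABLISHED" requirement stated above, and the check is a cheap way to confirm the property after editing the service lists.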