Look at C2 inside the internal Fredsco network. The figure shows lines from the client to almost every server. C2 needs to use POP3 to retrieve mail and SMTP to send mail, both to mail.fredsco.com. C2 needs to browse the internal and external Fredsco web servers, and you also want to allow C2 to get to all Internet websites.
Of course, the traffic flows from C2 don't go over the Internet. What about flows that pass through the Internet? A couple of types of flows are allowed in this case. C3, which is simply a user somewhere in the Internet, is allowed to get to the Fredsco website that's appropriate for external users (www.fredsco.com). Also, the two mail servers are sending packets to each other so that they can exchange mail.
The lines shown between hosts represent flows, but they also imply who initiates the flow. The lines mean that packets can go in either direction between the hosts; otherwise, no useful work could happen. However, a line with an arrow on only one end means that the host at the end without the arrow initiated the flow. For instance, C2 only has lines without an arrow on the end near C2, meaning that C2 initiates all the flows shown. The line between the two mail servers shows arrows on both ends, which means that you want to allow either mail server to initiate a flow.
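To make the "who initiates" idea concrete, here is an added example (not code from the book) of a toy stateful filter that encodes the Figure 18-2 flows as rules of the form "initiator may open a flow to responder on this port". A packet is accepted either because it opens a flow the initiator is permitted to start (the arrow-less end of a line) or because it belongs to a flow that was already opened; a reply from a server that nobody asked for is dropped. The host names www-internal.fredsco.com and mail.partner.example are assumed placeholders for the internal web server and the remote mail server, which the text does not name, and the sample packets are constructed for the example.

```python
"""Toy stateful packet filter for the Figure 18-2 flow diagram.

Added example, not from the book. Only TCP is modelled; hosts are
referred to by name rather than address to keep the mapping to the
figure obvious.
"""
from dataclasses import dataclass

ANY = "*"  # wildcard responder: "all Internet websites"


@dataclass(frozen=True)
class Packet:
    src: str    # sending host
    dst: str    # receiving host
    dport: int  # destination TCP port
    sport: int  # source TCP port (ephemeral on the client side)


# (initiator, responder, responder_port, bidirectional)
# bidirectional=False: line with an arrow on only one end (initiator at the arrow-less end)
# bidirectional=True:  line with arrows on both ends (either host may initiate)
FIGURE_18_2_FLOWS = [
    ("C2", "mail.fredsco.com", 110, False),             # POP3: C2 retrieves mail
    ("C2", "mail.fredsco.com", 25, False),              # SMTP: C2 sends mail
    ("C2", "www.fredsco.com", 80, False),               # external Fredsco web server
    ("C2", "www-internal.fredsco.com", 80, False),      # assumed name for the internal web server
    ("C2", ANY, 80, False),                             # any Internet website
    ("C3", "www.fredsco.com", 80, False),               # Internet user to the public site
    ("mail.fredsco.com", "mail.partner.example", 25, True),  # assumed name for the peer mail server
]


class StatefulFilter:
    """Keeps a table of open flows keyed by (initiator, responder, iport, rport)."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def _may_initiate(self, pkt: Packet) -> bool:
        # Does some rule let pkt.src open a flow to pkt.dst:pkt.dport?
        for initiator, responder, rport, bidir in self.rules:
            pairs = [(initiator, responder)]
            if bidir:
                pairs.append((responder, initiator))  # two-arrow line
            for a, b in pairs:
                if pkt.src == a and (b == ANY or pkt.dst == b) and pkt.dport == rport:
                    return True
        return False

    def check(self, pkt: Packet) -> str:
        """Return 'allow-new', 'allow-established' or 'deny' for one packet."""
        forward = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # Packets in either direction of an already-open flow are fine:
        # the line means traffic goes both ways once the flow exists.
        if forward in self.flows or reverse in self.flows:
            return "allow-established"
        # Otherwise only the host at the arrow-less end may open a flow.
        if self._may_initiate(pkt):
            self.flows.add(forward)
            return "allow-new"
        return "deny"


def run_scenario():
    """Constructed packet sequence; returns the filter's decision for each."""
    fw = StatefulFilter(FIGURE_18_2_FLOWS)
    sequence = [
        ("C2 opens POP3 to mail server", Packet("C2", "mail.fredsco.com", 110, 40001)),
        ("mail server replies on that flow", Packet("mail.fredsco.com", "C2", 40001, 110)),
        ("mail server connects to C2 unasked", Packet("mail.fredsco.com", "C2", 40002, 110)),
        ("C3 browses the public site", Packet("C3", "www.fredsco.com", 80, 50001)),
        ("C3 tries the internal site", Packet("C3", "www-internal.fredsco.com", 80, 50002)),
        ("partner mail server opens SMTP inbound", Packet("mail.partner.example", "mail.fredsco.com", 25, 60001)),
    ]
    return [(label, fw.check(p)) for label, p in sequence]


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:40s} -> {decision}")
```

The point the table makes is that direction of packets and direction of initiation are different questions: the reply from mail.fredsco.com is accepted only because C2 opened the flow first, and the same server sending an unsolicited packet to C2 is dropped. The wildcard rule for "all Internet websites" is deliberately loose; a real policy would scope it to public address ranges so it cannot double as a rule for internal hosts.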
Figure 18-2 shows what's allowed. Now let's consider what's not allowed, in Figure 18-3.