=========================
Network Topology Overview
=========================

The following diagram depicts a vastly simplified overview of a single site's reference network topology architecture.

.. graphviz::

    digraph {
        splines = true;
        overlap = prism;

        edge [color=gray50, fontname=Calibri, fontsize=11];
        node [style=filled, shape=record, fontname=Calibri, fontsize=11];

        "Outer Perimeter Firewalls" [href="../glossary.html#term-outer-perimeter-firewall", target="_top"];
        "Perimeter Networks 1..n" [href="../glossary.html#term-perimeter-network", target="_top"];
        "Inner Perimeter Firewalls" [href="../glossary.html#term-inner-perimeter-firewall", target="_top"];
        "Internal Firewalls" [href="../glossary.html#term-internal-firewall", target="_top"];
        "Load-Balancer (Internal)" [label="Load-Balancer", href="../glossary.html#term-load-balancer", target="_top"];
        "Internal Networks" [href="../glossary.html#term-internal-network", target="_top"];
        "Service Endpoint" [href="../glossary.html#term-service-endpoint", target="_top"];

        "Internet" -> "Outer Perimeter Firewalls" -> "Perimeter Networks 1..n" -> "Inner Perimeter Firewalls" -> "Internal Firewalls" -> "Load-Balancer (Internal)" -> "Internal Networks" -> "Service Endpoint";
    }

.. TODO::

    This graphic only expresses inbound traffic. It isn't structured properly. Outbound traffic should be taken into account. Discretionary, non-transparent proxies should be used for selected systems. Mandatory transparent proxies should be used for all :term:`nodes `.

.. _infra-network-perimeter-firewalls:

Firewalls
=========

Without a differentiation between the function of the :term:`outer ` and :term:`inner ` perimeter firewalls, there is also no functional definition of a :term:`perimeter network`.

General recommendations include:

* Use physical hardware, not virtualized guests, for the :term:`outer ` and :term:`inner ` perimeter firewalls.
* Use a physically different network interface for failover and redundancy traffic, on a completely separate and dedicated VLAN.
* If switching is required for the external interfaces of the :term:`outer perimeter firewalls `, use physically separate hardware to switch internet traffic, failover and redundancy traffic [#]_, and :term:`perimeter network` traffic.
* Use physically different network interfaces for each :term:`perimeter network`, each of them on completely separate and dedicated VLANs.
* Use different network interfaces on the :term:`perimeter networks' ` :term:`nodes `, each of them on completely separate and dedicated VLANs.
* Set the default route for the :term:`perimeter networks' ` nodes toward the :term:`outer perimeter gateway `.
* Provide each of the perimeter networks with its own DNS horizon, through :ref:`app-split-dns-horizon`.
* Provide each perimeter network with documented security assessments.
* Use PAT, and let the perimeter networks use private IP spaces.
* Implement :term:`Load-Balancing` for :term:`Service Endpoints ` as late as possible.

With the :term:`outer ` and :term:`inner ` perimeter firewalls on physical hardware, but without the function of an :term:`internal firewall`, there is no policy enforcement point for the :term:`nodes ` in any of the :term:`internal networks ` that can be reached over links with as much bandwidth as those available to the :term:`internal firewalls `.

.. _infra-network-perimeter-networks:

Perimeter Networks 1..n
=======================

Perimeter networks include:

**External Hidden Master Internet-Authoritative DNS Servers**

**External Inbound Mail Exchangers**

* Should include only domain-level validation using a static, generated table, so that no recipient-level information is available. Hint: use ``relay_domains``.
* Should apply Anti-Virus.
* Should apply Anti-Spam.
* Relays on to Internal Mail Exchangers.
* Is included with ``mynetworks`` on Internal Mail Exchangers.
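As an added example, not configuration taken from this document or from any project it describes, the following Postfix ``main.cf`` fragments show one way to implement the inbound exchanger rules above, together with the matching ``mynetworks`` entry on the internal mail exchanger. The addresses ``10.10.1.25`` (perimeter inbound MX) and ``10.20.1.25`` (internal MX), the domains in the relay table and the file paths are assumed placeholders.

```ini
# --- External inbound MX (perimeter network): /etc/postfix/main.cf ---
# Added example with assumed addresses and paths; not the page's own configuration.

# Accept mail only for domains listed in a static, generated lookup table.
# The table maps "domain -> OK" and carries no recipient addresses at all.
relay_domains = hash:/etc/postfix/relay_domains

# Deliberately empty: the perimeter host performs no recipient validation,
# so it holds no recipient-level information that could be probed.
relay_recipient_maps =

# Hand every accepted message to the internal mail exchanger (assumed address).
relay_transport = smtp:[10.20.1.25]

# The perimeter host is neither a final destination nor a trusted origin.
mydestination =
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# Contents of /etc/postfix/relay_domains (generated; rebuild with "postmap"):
#   example.org   OK
#   example.net   OK

# --- Internal MX: /etc/postfix/main.cf ---
# Trust the perimeter inbound MX (assumed 10.10.1.25) as a relay source.
mynetworks = 127.0.0.0/8, [::1]/128, 10.10.1.25/32

# Recipient-level validation happens here, where the directory is reachable,
# so unknown recipients are rejected by the internal exchanger, not the perimeter.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
```

With ``relay_recipient_maps`` left empty on the perimeter host, a probe against it reveals only which domains are served; per-recipient acceptance or rejection happens one hop inward on the internal exchanger. Run ``postmap /etc/postfix/relay_domains`` whenever the generated table changes so the hash file stays current.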
**External Outbound Mail Exchangers**

* Includes Internal Mail Exchangers in ``mynetworks``.

**External Submission Mail Exchangers**

* Used for submission of new messages by users located outside the perimeter.

**Reverse IMAP Proxies**

* Intelligent reverse proxy for IMAP -- Guam.

**Reverse HTTP Proxies**

* Responsible for redirecting unencrypted web traffic to encrypted web traffic.
* Responsible for filtering traffic using access control, OWASP, ``mod_clamav``.

.. rubric:: Footnotes

.. [#] A separate cable, cross-over for interfaces not capable of auto-MDIX, or a regular cable for interfaces capable of auto-MDIX, may suffice.