Perimeter networks

How perimeter networks can help

A perimeter network is the network closest to a router that is not under your control. Usually a perimeter network is the final step a packet takes through one of your networks on its way to the Internet, and conversely the first network encountered by incoming traffic from the Internet. Most administrators create perimeter networks in order to place their firewall between the perimeter and the outside world so that they can filter packet traffic. Where perimeter networks exist at all, most of them are part of the DMZ (Demilitarized Zone). However, perimeter networks have some additional uses that you might want to consider when deciding where to place systems and services.

Any small LAN separated from your other LANs by an internal router and from outside LANs by your border router is a perimeter network. A perimeter LAN is the best place to put any service that can improve the reliability and trustworthiness of incoming data. For example, if you wanted to detect intrusion attempts, your perimeter network might include a honeypot server meant to absorb and report on network probing. Another use of a perimeter network is to separate one type of network traffic from another. You might want to give your networks a director capability, perhaps sending HTTP traffic to one server (or set of servers) and mail traffic to another. Furthermore, any site receiving heavy traffic could benefit from a perimeter network that has load-balancing attributes as well as directional capability. A device like F5 Networks' BIG-IP provides application traffic management of this latter type.

So a perimeter network lets you control security more tightly, grant more granular access to resources, and substantially reduce traffic on your main LANs, making all of your other network services work better. For the price of an extra router, establishing this type of architectural element is good practice.
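To make the filtering, director and honeypot roles concrete, here is a small added illustration (not code from the original article or from any vendor product) that models a border router's inbound policy for the three-zone layout described above. The addresses, the published service address, the server-to-port mapping and the honeypot host are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port

# Constructed sample addressing: an internal LAN and a perimeter LAN (DMZ).
# 192.0.2.0/24 is a documentation range, used here purely as an example.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "perimeter": ip_network("192.0.2.0/24"),
}
PUBLISHED_ADDR = "192.0.2.1"      # the address the outside world connects to
# Director table: which perimeter host serves which inbound service.
SERVICE_HOSTS = {80: "192.0.2.10", 443: "192.0.2.10", 25: "192.0.2.20"}
HONEYPOT = "192.0.2.99"           # absorbs and reports anything unexpected

def zone_of(addr: str) -> str:
    """Classify an address as internal, perimeter, or internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def border_decision(pkt: Packet):
    """Inbound policy at the border router. Returns (verdict, next_hop)."""
    if zone_of(pkt.src) != "internet":
        return ("pass", pkt.dst)          # not inbound; other rules apply
    if zone_of(pkt.dst) == "internal":
        return ("drop", None)             # Internet never reaches the LAN directly
    if pkt.dst == PUBLISHED_ADDR and pkt.dport in SERVICE_HOSTS:
        return ("forward", SERVICE_HOSTS[pkt.dport])   # director capability
    return ("honeypot", HONEYPOT)         # unsolicited probe: absorb and log

def run(packets):
    """Apply the policy to a batch; return decisions and a probe report."""
    decisions, probes = [], []
    for p in packets:
        verdict, hop = border_decision(p)
        decisions.append((p, verdict, hop))
        if verdict == "honeypot":
            probes.append(f"probe from {p.src} to {p.dst}:{p.dport} steered to {hop}")
    return decisions, probes
```

The probe report is the honeypot's output; in practice it would feed a monitoring system rather than a list.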

If you want to read more about perimeter networks, the book "Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems" by Northcutt et al. may be very useful. For several reader reviews and one place to find this book, go to Amazon.com.

Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.

This was last published in May 2004
