Firewall Architecture: NGFW, UTM, Micro-Segmentation, Zone-Based Policy, IPS/IDS and Firewall Design
Firewall architecture is the heart of network security. An NGFW (Next-Generation Firewall) inspects traffic up to the application layer; UTM (Unified Threat Management) bundles several security functions in one device; micro-segmentation divides the network into fine-grained segments; zone-based policy groups interfaces into security zones; IPS/IDS detect and prevent intrusions; and firewall design is about planning a deployment that enforces all of this correctly.

A firewall is the first and most important line of network defense. Every organization has one, but the problem is that most firewall breaches come from misconfigured rules rather than from flaws in the firewall itself (Gartner's widely cited prediction was that through 2023, 99% of firewall breaches would be caused by misconfiguration, not firewall flaws). Firewalls evolved from packet filters (L3/L4) → stateful inspection → application-aware (NGFW) → cloud-delivered (FWaaS). A modern NGFW does far more than allow/deny: application identification, user identity, SSL/TLS decryption, IPS, malware sandboxing and URL filtering, all in a single device.
Firewall Evolution

| Generation | Capability | Limitation |
|---|---|---|
| Packet Filter (1988) | Filter by source/destination IP, port and protocol (L3/L4) | No state tracking: cannot distinguish new from established connections, so return traffic needs its own rule |
| Stateful Inspection (1994) | Tracks connection state; return traffic of an allowed connection is admitted automatically | Cannot see inside encrypted traffic or identify applications running on non-standard ports |
| Application Firewall (2004) | Deep packet inspection; identifies applications regardless of port | Limited threat intelligence, no user awareness |
| NGFW (2009) | App-ID + User-ID + Content-ID + SSL decrypt + IPS + URL filter | Performance impact with all features enabled, complex management |
| FWaaS/Cloud (2018) | Cloud-delivered firewall; scales on demand, global coverage | Latency (depends on PoP proximity), vendor lock-in |
NGFW vs UTM

| Feature | NGFW | UTM |
|---|---|---|
| Target | Enterprise/large networks | SMB/branch offices |
| Performance | High throughput with features enabled | Lower throughput; all-in-one compromise |
| Features | App-ID, User-ID, IPS, SSL decrypt, advanced threat protection | Firewall + VPN + antivirus + anti-spam + URL filter + IPS |
| Management | Separate management platform, policy-driven | Simplified single console; easier for small teams |
| Scalability | High: modular, clustering, virtual contexts | Limited: typically a single appliance |
| Cost | Higher (enterprise pricing) | Lower (bundle pricing for SMB) |
Zone-Based Firewall Design

| Zone | Purpose | Trust Level |
|---|---|---|
| Inside (Trust) | Internal corporate network: employees, workstations | High trust; most permissive outbound |
| Outside (Untrust) | Internet, untrusted external network | Untrusted; deny all inbound by default, allow only to published services in the DMZ |
| DMZ | Publicly accessible servers (web, email, DNS) | Medium trust; inbound from Outside only on the published ports, and DMZ hosts may reach Inside/Server only on the specific ports they need (a compromised DMZ host must not get a broad path inward) |
| Guest | Guest Wi-Fi, BYOD devices | Low trust; internet access only, no access to any internal zone |
| Server | Internal servers (DB, app, file servers) | High trust but restricted; only specific traffic from the user and DMZ zones, never "any" |
| Management | Network management, monitoring, admin access | Highest trust; very restricted access, admin hosts only, no inbound from other zones |

Traffic between any two zones is denied unless a rule explicitly allows it; the trust level only describes how permissive the rules in each direction are expected to be.
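The zone table above, as a runnable policy model. This is an added example, not code from the original page or from any firewall vendor: the zone address plan, rule names and test flows are all constructed for illustration. It shows the three behaviours the page relies on together: zones derived from addresses, first-match inter-zone rules with an implicit deny-all (and logging of what was denied), and a connection table so that replies to an allowed flow pass without a rule while an unsolicited non-SYN packet from Outside does not.

```python
"""Zone-based, stateful, default-deny policy model (added example, constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan: anything not listed here is the Outside zone.
ZONES = {
    "inside": [ip_network("10.1.0.0/16")],
    "server": [ip_network("10.2.0.0/16")],
    "management": [ip_network("10.99.0.0/24")],
    "dmz": [ip_network("192.0.2.0/24")],
    "guest": [ip_network("172.16.0.0/16")],
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unmatched addresses are the untrusted 'outside'."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "outside"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dports: frozenset     # destination ports; empty means any port
    action: str           # "allow" or "deny"


def rule(name, src, dst, proto, ports, action="allow"):
    return Rule(name, src, dst, proto, frozenset(ports), action)


# First-match rule base (constructed). Specific entries first. There is
# deliberately no rule into "management" from any other zone and none from
# "guest" to anything internal: the implicit deny at the end covers both.
POLICY = [
    rule("public-web", "outside", "dmz", "tcp", {80, 443}),
    rule("public-dns", "outside", "dmz", "udp", {53}),
    rule("web-to-db", "dmz", "server", "tcp", {5432}),
    rule("users-to-apps", "inside", "server", "tcp", {443, 445}),
    rule("users-to-internet", "inside", "outside", "any", set()),
    rule("guest-web-only", "guest", "outside", "tcp", {80, 443}),
    rule("admin-ssh", "management", "dmz", "tcp", {22}),
    rule("admin-ssh-servers", "management", "server", "tcp", {22}),
]


@dataclass
class Firewall:
    policy: list
    established: set = field(default_factory=set)   # allowed 5-tuples
    log: list = field(default_factory=list)          # denied packets

    def lookup(self, src_zone, dst_zone, proto, dport):
        """Return the first rule matching the flow, or None (implicit deny)."""
        for r in self.policy:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.proto in ("any", proto)
                    and (not r.dports or dport in r.dports)):
                return r
        return None

    def packet(self, src, sport, dst, dport, proto, syn=True):
        """Decide 'allow' or 'deny' for one packet and update connection state."""
        flow = (src, sport, dst, dport, proto)
        if not syn and (dst, dport, src, sport, proto) in self.established:
            return "allow"           # reply to a flow we already allowed
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            return "allow"           # intra-zone traffic is not policed here
        r = self.lookup(src_zone, dst_zone, proto, dport)
        if r is not None and r.action == "allow":
            self.established.add(flow)
            return "allow"
        self.log.append(f"DENY {src_zone}->{dst_zone} {src}:{sport} -> {dst}:{dport}/{proto} "
                        f"rule={r.name if r else 'implicit-deny'}")
        return "deny"


def demo():
    """Walk constructed flows through the policy; returns the verdicts."""
    fw = Firewall(POLICY)
    return {
        "internet->dmz web": fw.packet("203.0.113.5", 40000, "192.0.2.10", 443, "tcp"),
        "dmz web reply": fw.packet("192.0.2.10", 443, "203.0.113.5", 40000, "tcp", syn=False),
        "internet->inside smb": fw.packet("203.0.113.5", 40001, "10.1.5.5", 445, "tcp"),
        "non-syn internet->inside": fw.packet("203.0.113.5", 40002, "10.1.5.5", 445, "tcp", syn=False),
        "dmz->db postgres": fw.packet("192.0.2.10", 50001, "10.2.1.1", 5432, "tcp"),
        "dmz->db ssh": fw.packet("192.0.2.10", 50002, "10.2.1.1", 22, "tcp"),
        "guest->server": fw.packet("172.16.3.3", 50003, "10.2.1.1", 5432, "tcp"),
        "inside->management": fw.packet("10.1.5.5", 50004, "10.99.0.5", 443, "tcp"),
        "management->server ssh": fw.packet("10.99.0.5", 50005, "10.2.1.1", 22, "tcp"),
        "denied-count": len(fw.log),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The denied entries in `fw.log` are exactly what the Logging practice further down wants shipped to a SIEM: a deny that names the zone pair and the rule (or the implicit deny) that produced it.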
Micro-Segmentation

| Feature | Detail |
|---|---|
| What | Divide the network into the smallest practical segments and enforce policy between every workload, VM or container |
| Why | A perimeter-only firewall sees nothing once an attacker is inside, so lateral movement is easy; micro-segmentation puts a policy decision on every internal hop |
| East-West | Enforces security for internal (server-to-server) traffic, not just north-south (in/out) |
| Identity-Based | Policy is written against workload identity (tags, labels), not IP addresses, so it survives rescheduling and scaling in dynamic cloud environments |
| Tools | VMware NSX, Cisco ACI, Illumio, Guardicore (Akamai), cloud security groups (AWS SG, Azure NSG) |
| Zero Trust | Micro-segmentation is the foundation of Zero Trust: every connection must be explicitly authorized |
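The "identity-based" row is the part that is hard to picture without code, so here is an added example (not from the original page or any of the products listed) of how a micro-segmentation controller turns label-based policy into per-workload allow entries. Workload names, addresses, labels and the three policies are constructed. The scenario runs two inventory generations: in the second, the database is rescheduled to a new address and a third web instance appears, and the policy set is not edited at all.

```python
"""Label-based micro-segmentation policy compiled to per-workload rules (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset          # e.g. {"app=shop", "tier=web", "env=prod"}


@dataclass(frozen=True)
class Policy:
    src_sel: frozenset         # source must carry all of these labels
    dst_sel: frozenset         # destination must carry all of these labels
    dport: int
    proto: str = "tcp"


def lbl(*kv):
    return frozenset(kv)


# Constructed policy: only what the application needs, nothing by address.
POLICIES = [
    Policy(lbl("app=shop", "tier=web"), lbl("app=shop", "tier=db"), 5432),
    Policy(lbl("app=shop", "tier=web"), lbl("app=shop", "tier=cache"), 6379),
    Policy(lbl("role=bastion"), lbl("env=prod"), 22),
]


def compile_rules(workloads, policies):
    """Expand label selectors into per-destination allow sets.

    Returns {dst_name: {(src_ip, proto, dport), ...}}; anything not in a set is
    denied (east-west default deny). This is the step a controller performs
    before pushing host-firewall or security-group rules. The source is still
    identified by address at the enforcement point, so anti-spoofing has to be
    guaranteed by the fabric or the host agent, not by this table.
    """
    allow = {w.name: set() for w in workloads}
    for p in policies:
        sources = [w for w in workloads if p.src_sel <= w.labels]
        targets = [w for w in workloads if p.dst_sel <= w.labels]
        for s in sources:
            for d in targets:
                if s is not d:
                    allow[d.name].add((s.ip, p.proto, p.dport))
    return allow


def is_allowed(allow, src, dst, proto, dport):
    return (src.ip, proto, dport) in allow[dst.name]


def scenario():
    """Two inventory generations under one unchanged policy set; returns verdicts."""
    prod = lbl("env=prod")
    gen1 = [
        Workload("web1", "10.0.1.10", lbl("app=shop", "tier=web") | prod),
        Workload("web2", "10.0.1.11", lbl("app=shop", "tier=web") | prod),
        Workload("db1", "10.0.2.50", lbl("app=shop", "tier=db") | prod),
        Workload("batch1", "10.0.3.7", lbl("app=reports", "tier=batch") | prod),
        Workload("bastion", "10.0.9.1", lbl("role=bastion") | prod),
    ]
    by = {w.name: w for w in gen1}
    rules = compile_rules(gen1, POLICIES)
    out = {
        "web1->db1:5432": is_allowed(rules, by["web1"], by["db1"], "tcp", 5432),
        "web1->db1:22": is_allowed(rules, by["web1"], by["db1"], "tcp", 22),
        "web1->web2:22": is_allowed(rules, by["web1"], by["web2"], "tcp", 22),   # lateral move
        "batch1->db1:5432": is_allowed(rules, by["batch1"], by["db1"], "tcp", 5432),
        "bastion->db1:22": is_allowed(rules, by["bastion"], by["db1"], "tcp", 22),
    }
    # Generation 2: db1 is rescheduled to a new address and web3 is added.
    gen2 = [w for w in gen1 if w.name != "db1"] + [
        Workload("db1", "10.0.7.9", by["db1"].labels),
        Workload("web3", "10.0.1.12", by["web1"].labels),
    ]
    by2 = {w.name: w for w in gen2}
    rules2 = compile_rules(gen2, POLICIES)
    out["gen2 web3->db1:5432"] = is_allowed(rules2, by2["web3"], by2["db1"], "tcp", 5432)
    out["gen2 batch1->db1:5432"] = is_allowed(rules2, by2["batch1"], by2["db1"], "tcp", 5432)
    out["gen2 db1 allow entries"] = len(rules2["db1"])
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:24} {verdict}")
```

An address-based rule base would have needed two edits for generation 2 (retire 10.0.2.50, add 10.0.1.12); the label policy needed none, and a compromised web1 still cannot reach web2 over SSH or the database on anything but 5432.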
IPS/IDS

| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Mode | Passive: monitor and alert only (out-of-band) | Inline: detect AND block malicious traffic |
| Deployment | TAP/SPAN port, works on a copy of the traffic | Inline between firewall zones; all traffic passes through it |
| Action | Alert and log; a human must investigate and act | Alert, log, drop, reset connection; automatic prevention |
| Risk | No impact on traffic (passive), but detection only: the attack still lands until someone acts on the alert | A false positive blocks legitimate traffic, so signatures and thresholds must be tuned carefully (exempt known scanners, stage new signatures in alert-only mode first) |
| Detection Methods | Signature-based (known attacks), anomaly-based (deviation from a baseline), protocol analysis | Same engines; the difference is only whether the verdict can block |
| Modern NGFW | IPS is built into the NGFW: a single-pass architecture inspects traffic once for all features | Same |
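The detection methods and the IDS/IPS distinction, as an added example (not from the original page or any IDS product). The flow records, the two signatures and the port-scan threshold are constructed; a real sensor decodes protocols rather than regex-matching a payload string. The same `Sensor` runs as an IDS (flags but passes) or an IPS (drops), and the `suppress` map is the tuning hook from the Risk row: it stops the authorized vulnerability scanner from being blocked as a port scan.

```python
"""Signature and anomaly detection over a constructed sample, in IDS and IPS mode (added example)."""
import re
from collections import defaultdict

WEB = "192.0.2.10"
SCANNER = "198.51.100.4"          # constructed: the internal vulnerability scanner

# (timestamp_s, src, dst, dport, decoded request) -- constructed sample records
SAMPLE = [
    (0, "10.1.5.5", WEB, 443, "GET /index.html"),
    (1, "203.0.113.9", WEB, 443, "GET /../../etc/passwd"),
] + [
    (t, SCANNER, WEB, port, "")
    for t, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389], start=2)
] + [
    (12, "10.1.5.6", WEB, 443, "POST /login user=admin' OR '1'='1"),
    (13, "10.1.5.7", WEB, 443, "GET /search?q=cats"),
]

# Signature-based: patterns for known attack techniques.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]
# Anomaly-based: one source touching many distinct ports in a short window.
SCAN_PORTS, SCAN_WINDOW_S = 8, 10


class Sensor:
    def __init__(self, mode, suppress=None):
        assert mode in ("ids", "ips")
        self.mode = mode
        # Tuning: {src: {reason, ...}} alerts to suppress for that source.
        self.suppress = suppress or {}
        self.history = defaultdict(list)     # src -> [(ts, dport), ...]
        self.alerts = []

    def port_scan(self, ts, src, dport):
        """Sliding-window count of distinct destination ports per source."""
        hist = [(t, p) for t, p in self.history[src] if ts - t <= SCAN_WINDOW_S]
        hist.append((ts, dport))
        self.history[src] = hist
        return len({p for _, p in hist}) >= SCAN_PORTS

    def inspect(self, rec):
        """Return 'pass', 'alert' (IDS: traffic still passes) or 'drop' (IPS)."""
        ts, src, dst, dport, payload = rec
        reasons = [name for name, rx in SIGNATURES if rx.search(payload)]
        if self.port_scan(ts, src, dport):
            reasons.append("port-scan")
        reasons = [r for r in reasons if r not in self.suppress.get(src, ())]
        if not reasons:
            return "pass"
        self.alerts.append((ts, src, dport, tuple(reasons)))
        return "drop" if self.mode == "ips" else "alert"


def run(mode, records=SAMPLE, suppress=None):
    """Feed records through a sensor; returns ({verdict: count}, alerts)."""
    sensor = Sensor(mode, suppress)
    counts = defaultdict(int)
    for rec in records:
        counts[sensor.inspect(rec)] += 1
    return dict(counts), sensor.alerts


if __name__ == "__main__":
    print("IDS:", run("ids")[0])
    print("IPS:", run("ips")[0])
    print("IPS, scanner exempted:", run("ips", suppress={SCANNER: {"port-scan"}})[0])
```

Note that the scanner trips the threshold three times (on its 8th, 9th and 10th distinct port), so without the exemption an inline IPS would drop three of its probes and the vulnerability scan would come back incomplete rather than failed, which is exactly the kind of silent false positive that makes tuning necessary.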
Firewall Design Best Practices

| Practice | Detail |
|---|---|
| Default Deny | Block everything by default and allow only explicitly permitted traffic (allowlist approach); the last rule is an explicit deny-all so the policy is visible and logged |
| Least Privilege | Allow the minimum required access: specific source, destination, port and application, never "any" on more than one dimension |
| Rule Order | Most specific rules first, general rules later, deny-all at the bottom; on a first-match firewall a broad rule placed early shadows every narrower rule below it |
| Rule Review | Review firewall rules at least every 6 months (the interval PCI DSS requires): remove unused and shadowed rules, tighten overly broad ones |
| Logging | Log all denied traffic plus critical allowed traffic and send it to a SIEM for analysis |
| HA (High Availability) | Active/passive or active/active cluster with state synchronization, so failover does not drop established sessions; no single point of failure |
| SSL Decryption | Decrypt and inspect SSL/TLS traffic; 80%+ of traffic is encrypted and threats hide in it (exempt categories such as banking and health where inspection is not appropriate) |
| Change Management | All firewall changes go through a change process: review, approve, test, document |
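The Rule Order and Rule Review rows describe checks that are mechanical enough to automate, so here is an added example (not from the original page or any vendor's analysis tool) that audits a constructed rule base, with hit counters of the kind a firewall exports, for the four findings a six-monthly review is meant to catch: shadowed rules that can never fire because an earlier rule already covers them, overly broad allows, rules with no hits, and rules whose last hit is older than the review period. Rule names, addresses and counters are constructed.

```python
"""Rule-base review: shadowed, overly broad, unused and stale rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"
STALE_DAYS = 180             # the six-month review period


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: tuple             # () means any port
    action: str
    hits: int
    last_hit_days: int       # days since last hit; -1 if never


# Constructed rule base, in evaluation order (first match wins).
RULES = [
    Rule("allow-web-dmz",      ANY,              "192.0.2.0/24",  "tcp", (80, 443), "allow", 1_200_000, 0),
    Rule("temp-vendor-any",    "203.0.113.0/24", ANY,             "any", (),        "allow", 0,         -1),
    Rule("allow-web-dmz-443",  ANY,              "192.0.2.10/32", "tcp", (443,),    "allow", 0,         -1),
    Rule("db-from-web",        "192.0.2.0/24",   "10.2.0.0/16",   "tcp", (5432,),   "allow", 900_000,   0),
    Rule("legacy-ftp",         "10.1.0.0/16",    "10.2.0.0/16",   "tcp", (21,),     "allow", 3,         400),
    Rule("deny-all",           ANY,              ANY,             "any", (),        "deny",  30_000,    0),
    Rule("after-deny-mistake", ANY,              ANY,             "tcp", (22,),     "allow", 0,         -1),
]


def covers(a: Rule, b: Rule) -> bool:
    """True when every flow matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and (not a.ports or (bool(b.ports) and set(b.ports) <= set(a.ports))))


def review(rules):
    """Return {rule name: [findings]} for rules that need attention."""
    findings = {}
    for i, r in enumerate(rules):
        notes = []
        # Shadowed: an earlier rule already matches everything this one would,
        # so it can never fire; the earlier rule's action does not matter.
        for earlier in rules[:i]:
            if covers(earlier, r):
                notes.append(f"shadowed by {earlier.name}")
                break
        # Overly broad: an allow with "any" on two or more of source,
        # destination and service is not least privilege.
        wide = sum([r.src == ANY, r.dst == ANY, r.proto == "any" and not r.ports])
        if r.action == "allow" and wide >= 2:
            notes.append("overly broad")
        if r.hits == 0:
            notes.append("unused")
        elif r.last_hit_days > STALE_DAYS:
            notes.append(f"stale (last hit {r.last_hit_days} days ago)")
        if notes:
            findings[r.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in review(RULES).items():
        print(f"{name:20} {', '.join(notes)}")
```

Two of the findings are ordering errors rather than stale entries: `allow-web-dmz-443` was added below a broader rule that already permits it, and `after-deny-mistake` sits below the deny-all, so the SSH access somebody thought they opened never existed. A hit counter of zero on its own does not tell you which of those cases you are looking at; the shadowing check does.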
Closing: the firewall is the first line of defense, but only if it is configured right

Firewall architecture evolution: packet filter → stateful → NGFW (App-ID + User-ID + IPS + SSL decrypt) → FWaaS in the cloud.
NGFW vs UTM: NGFW for the enterprise (performance and features), UTM for SMB (all-in-one simplicity).
Zones: inside (trust), outside (untrust), DMZ (public servers), guest, server, management; deny between zones by default.
Micro-segmentation: east-west security, identity-based policy, every workload isolated; the foundation of Zero Trust.
IPS/IDS: IDS = detect only (passive), IPS = detect and block (inline); built into the modern NGFW.
Best practices: default deny, least privilege, rule review every 6 months, SSL decryption, HA cluster, SIEM logging.
Key point: the large majority of firewall breaches come from misconfiguration, not from the firewall itself, so invest in proper design, regular review and automation.

Read more about Network Security Architecture, Defense in Depth, Segmentation and Zero Trust Network, Identity-Based Access, ZTNA and SASE at siamlancard.com, or from icafeforex.com and siam2r.com.