(Joel Snyder, Security Operations and Strategies) When you look at your firewalls and security policy, it's helpful to learn two new terms: "client-protecting" and "server-protecting." The reason we need these terms is that you configure your firewall very differently depending on whether you are protecting clients or servers. In fact, the configurations and requirements are so different, that you should consider having different firewalls for your servers and for your clients. That's not always the right answer, but it can simplify things dramatically, because you can focus on what you are protecting and where the vulnerabilities are.

When a firewall sits between the Internet and users browsing the Web, that constitutes "client-protecting." For example, if a user tries to go to a malware site, and the firewall blocks the malware from being downloaded, that's client-protecting behavior.

At the other end of the spectrum is "server-protecting," which means that the firewall is protecting your servers from attack or infection. For example, if someone tries a known SQL injection attack on your web server - whether it is vulnerable or not - and the firewall IPS blocks it, that's server protection.

The problem comes in when you are trying to mix client-protecting and server-protecting configurations in the same box. Some firewalls don't let you apply protections in different ways to different types of traffic. Sometimes it's just very confusing to keep straight whether the firewall is protecting clients or servers, because documentation and configuration tools are very commonly ambiguous about which direction things are flowing. And sometimes it's a cost question: when you pay subscription fees for services such as antivirus and intrusion prevention, it may be less expensive to pay for just what you want to protect on two smaller systems, rather than a single larger one that has to have every protection turned on for every user.