This firewall topology does not provide any flexibility should you later decide to offer a public service. Adding a public service at a later date without changing the topology leaves only two alternatives:
a. Place your public server outside the firewall, on the public side. That server will then be extremely vulnerable to attack from anywhere on the Internet, while your other network assets remain secure.
b. Place your public server inside the trusted security zone. This puts your other network assets at severe risk should your public service be successfully attacked or compromised.
If your organisation does not plan any public service, then this topology will be just fine.
Probably the best topology for organisations planning any kind of public service, such as a website, is to provide a DMZ (De-Militarized Zone) using a firewall with three ports or interfaces. This is a cost-effective solution, since it requires only a single firewall. Just like the first topology we discussed, one connection from the firewall goes to our private security zone, which we refer to as our trusted network; all our workstations and local servers are contained within it. A second connection goes directly to the Internet. A third port or interface on the firewall appliance provides access only to our public servers, such as web servers, DNS servers or email servers. We are effectively screening our trusted subnet from the Internet and ensuring that a compromise of our public services will not compromise our main local network assets.
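The three-interface topology just described, written out as an nftables ruleset; this is an added illustration, not a configuration from the article or any course material, and the interface names, addresses, published ports and the choice to let DMZ hosts initiate only DNS outbound are assumptions:

```nft
#!/usr/sbin/nft -f
# Added example: three-zone DMZ policy on a single firewall.
# Assumed (not from the article): eth0 = Internet, eth1 = trusted LAN, eth2 = DMZ;
# trusted LAN 192.168.10.0/24, DMZ 192.168.20.0/24,
# public web server 192.168.20.10, public DNS server 192.168.20.53.
flush ruleset

table inet dmz_fw {
    chain forward {
        # Default deny for all traffic crossing zones; each permitted flow is listed explicitly
        type filter hook forward priority 0; policy drop;

        ct state established,related accept   # replies to sessions already permitted below
        ct state invalid drop

        # Trusted LAN may initiate sessions to the Internet and to the public servers in the DMZ
        iifname "eth1" oifname { "eth0", "eth2" } accept

        # Internet may reach only the published services, on the specific DMZ hosts that offer them
        iifname "eth0" oifname "eth2" ip daddr 192.168.20.10 tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth2" ip daddr 192.168.20.53 udp dport 53 accept
        iifname "eth0" oifname "eth2" ip daddr 192.168.20.53 tcp dport 53 accept

        # DMZ hosts may initiate only DNS lookups towards the Internet (assumed policy choice)
        iifname "eth2" oifname "eth0" udp dport 53 accept
        iifname "eth2" oifname "eth0" tcp dport 53 accept

        # The screening that matters: a compromised public server cannot open sessions
        # into the trusted LAN. Logged so that such attempts show up in monitoring.
        iifname "eth2" oifname "eth1" log prefix "dmz-to-lan-blocked: " drop

        # Internet -> trusted LAN and anything else not listed falls through to the drop policy
    }
}
```

Source NAT for the private address ranges and the firewall's own input chain are deliberately left out, as the article's point is the zone-to-zone policy rather than address translation.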
Another, potentially more secure topology uses two firewalls, with the DMZ placed between them. This adds a second layer of defence for your trusted assets and isolates them from any public assets such as web servers. With this topology your public assets can be afforded a good degree of protection from the public network, while your trusted assets have double the protection, as traffic to and from the Internet has to traverse two firewalls. If budget is available, this solution is the most flexible: a single firewall can be taken offline for upgrades or maintenance, and either firewall can be used to isolate a zone when attempting to recover from any suspected compromise.
Firewalls are discussed on some of our instructor-led training courses, and we are currently developing two new Firewall and VPN courses aimed at basic firewall configuration for small to medium sized businesses.