If you've got some kind of server that's facing the internet, you need to protect it. Now, we covered things like firewalls in other episodes, and firewalls are a critical, if not the first, thing we need to do to protect our servers. But since that's well covered in other episodes, I want to talk about some of the other denizens that we install within our DMZ to protect our servers. Now, to start this process up, let's go ahead and take a look at a typical network. So what we have here is a DMZ. So we have the router that's connected to the internet.
And then between that and our second router, these are our public-facing servers. So we've got a little switch here. These guys are all connected to it. This is going to be on its own network ID, and that's very, very separate from the rest of the network, which is behind that second router. In fact, let's just fade that out and concentrate on the DMZ itself.
So these are the machines we're protecting. These could be file servers, they could be web servers, they could be VPN, they could be all kinds of stuff. The bottom line is these are boxes that have a public presence on the internet itself. Now, you'll see I've got the router here between that and the internet. So there's certainly going to be a good firewall on there. But let's go ahead and take it a step further, starting with something called an SSL accelerator.
If you're using a lot of asymmetric encryption, you're going to be doing a lot of SSL/TLS. And asymmetric encryption can really burden CPUs. So what is a very common thing to do? Let's go back to our diagram. Now here, all four of these are going to be web servers in this case, and what we're going to do is install a special card into each one of these boxes. These cards only have one real job, and that is to handle the asymmetric encryption and decryption on the fly. Now, putting in individual cards is a great idea.
However, for larger, more enterprise-type situations where you have a lot of these systems, having individual cards in each one of your web servers can become onerous. So what we often see instead is an appliance that sits directly behind our gateway router and is between the internet and our switches. So this box right here is a dedicated SSL accelerator. It only has one job, and that is to handle all the SSL/TLS encryption and decryption going across the network. Now, an SSL accelerator isn't going to protect your network so much as it's going to make it run more efficiently. But in a way, running more efficiently is a protection too. So let's go ahead and take a look at the next one, called a load balancer. Now, let's say I've got four different web servers.
Now, the problem with these web servers is that they can all be working on the same website. So what we'd like to do is put a box between our web servers and the internet called a load balancer. Now, this load balancer is actually a proxy, because he takes all the incoming requests for the website and then distributes them around to the four basically identical web servers. Now, a load balancer works in a lot of different ways. He can do this by DNS names. He can go by the workload: if there's one web server that's a lot busier, then we'll put it on another web server.
And he can also keep track of sessions. A lot of times somebody will connect to a particular web server, and they're in the middle of buying something or something like that. And maybe they walk away, they disconnect, then they reestablish a session; a load balancer will remember those things and always get us right back to the correct web server. Now, the last one's kind of an interesting beast, and it's called a distributed denial of service mitigator, or a DDoS mitigator. Distributed denial of service is the biggest problem that we have on the internet today. There's no question mark about that.
So there have been a number of interesting tool sets to help us. While we can't stop denial of service, we can hopefully mitigate it, reduce its effect. So a DDoS mitigator works kind of like this. So, if we take a look at this diagram, what we've done is we've put a box here, again between the router and our servers, and this is a DDoS mitigator. Now, this box can detect when denial of service attacks are coming through, so it's well updated.
It knows about denial of service attacks. And what it will do is that if it detects one, it will basically yell help. And we have companies with names like CloudFlare, for example, who then have servers all over the internet. Now, what these servers will do once this kicks in, once our mitigator yells help, is that these different boxes will act as proxies for a particular website. And what will happen is that these boxes, I've only got a few drawn here, but there's hundreds and hundreds and hundreds of these. So anytime anybody tries to get to www.whateverisintrouble.com, they can.
Instead they're actually going through these proxy servers. And since there's so many of them, they can filter out bad data, they can filter out denial of service attacks, and at the same time let the good people who want to get to that particular URL all the way back to the site. And that's pretty much how a distributed denial of service mitigator works. Now, keep in mind that when we talk about protecting our servers, there are all kinds of boxes that we can put in. Now, it sounds expensive, but what's interesting for many people today is that since we use virtualization and cloud-based services, all of the devices I talked to you about, you don't have to actually buy hardware. They can manifest as software sitting in the cloud, along with all of your virtual servers.
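The three boxes walked through above (the SSL accelerator, the session-aware load balancer, and the on-box side of the DDoS mitigator) can be one software appliance in front of the four web servers. This is an added example written as an HAProxy configuration, not anything from the lecture; the backend addresses, the /healthz path, the certificate path and the rate thresholds are placeholders I picked.

```haproxy
# Added example, not from the lecture. One HAProxy instance in the DMZ
# playing the roles of the three appliances described above.
# All addresses, paths and thresholds below are placeholders.
global
    log stdout format raw local0
    maxconn 20000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_https
    # SSL accelerator role: TLS is terminated here, so the web servers
    # behind it only see plain HTTP and spend no CPU on asymmetric crypto.
    bind *:443 ssl crt /etc/haproxy/certs/PLACEHOLDER-site.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # DDoS-mitigator role (the on-box part): track each source address,
    # and turn away clients whose request rate or open connections exceed
    # what a real browser would ever do, before they reach the web pool.
    stick-table type ip size 100k expire 60s store http_req_rate(10s),conn_cur
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 200 }
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 50 }

    default_backend web_pool

backend web_pool
    # Load-balancer role: send new visitors to the least busy server
    # ("go by the workload"), but pin an existing session to the server
    # that already holds it, so the shopper who walks away and comes back
    # lands on the same box. The SRV cookie is how the balancer remembers.
    balance leastconn
    cookie SRV insert indirect nocache httponly secure
    option httpchk GET /healthz
    server web1 10.0.10.11:80 check cookie w1
    server web2 10.0.10.12:80 check cookie w2
    server web3 10.0.10.13:80 check cookie w3
    server web4 10.0.10.14:80 check cookie w4
```

The stick-table rules only cover what this one box can see on its own link; the hand-off to a provider's worldwide proxy network, as described above, is a service arrangement outside this file.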