Let's begin by analyzing our network design:
We can see that our environment consists of four separate interfaces:
- Wide Area Network (WAN): Directly connects to our cable modem, which in turn provides access to the internet.
- Local Area Network (LAN): Our primary internal network.
- Demilitarized Zone (DMZ): Our internal network, on which we allow external access. Our web servers belong to this interface.
- Wireless guest network (GUEST WIFI): We've created this network for the convenience of guests. They can all connect with an easy-to-remember password (or perhaps no password at all) and surf the web. We consider this interface insecure and treat it as such. We will define rules so that it has no access to any other network, not even the DMZ, which is also insecure.
We could have also accomplished this result with two NICs (WAN and LAN) and two VLANs (DMZ and GUEST WIFI).
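The four-interface policy described above, written out as an ordered first-match rule table with a default deny at the end. This is an added example, not configuration from the original text: the subnets, the documentation addresses used for "internet" hosts, and the rule that DMZ hosts may not initiate connections to the LAN are all assumptions chosen to match the design (guest Wi-Fi reaches only the WAN; the outside world reaches only the DMZ web ports).

```python
"""Constructed model of a four-interface firewall policy (WAN, LAN, DMZ, GUEST_WIFI).

Assumptions (the page names no addresses or ports):
  LAN        192.168.1.0/24   trusted internal network
  DMZ        192.168.2.0/24   web servers, reachable from the internet on 80/443
  GUEST_WIFI 192.168.3.0/24   untrusted, may reach the internet only
  WAN        anything not in one of the internal subnets
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

INTERNAL_SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
    "GUEST_WIFI": ipaddress.ip_network("192.168.3.0/24"),
}


def interface_for(ip: str) -> str:
    """Map an address to the interface whose subnet contains it; anything else is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERNAL_SUBNETS.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src_if: Optional[str]             # None matches any source interface
    dst_if: Optional[str]             # None matches any destination interface
    dst_ports: Optional[FrozenSet[int]]  # None matches any destination port


# Ordered rule table: the first matching rule decides, the last rule is the default deny.
RULES: List[Rule] = [
    # Guest Wi-Fi is isolated from every internal network, including the DMZ.
    Rule("block", "GUEST_WIFI", "LAN", None),
    Rule("block", "GUEST_WIFI", "DMZ", None),
    Rule("pass", "GUEST_WIFI", "WAN", None),
    # The internet may reach the DMZ web servers on HTTP/HTTPS only (assumed ports).
    Rule("pass", "WAN", "DMZ", frozenset({80, 443})),
    # The LAN is trusted and may reach anything.
    Rule("pass", "LAN", None, None),
    # DMZ hosts may reach the internet but never the LAN (assumption, since the DMZ is insecure).
    Rule("pass", "DMZ", "WAN", None),
    # Everything not explicitly allowed above is dropped.
    Rule("block", None, None, None),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Return (action, index of the rule that matched) for a new connection."""
    src_if, dst_if = interface_for(src_ip), interface_for(dst_ip)
    for idx, rule in enumerate(RULES):
        if rule.src_if is not None and rule.src_if != src_if:
            continue
        if rule.dst_if is not None and rule.dst_if != dst_if:
            continue
        if rule.dst_ports is not None and dst_port not in rule.dst_ports:
            continue
        return rule.action, idx
    raise RuntimeError("unreachable: the final rule matches every flow")


# Constructed sample flows (203.0.113.x and 198.51.100.x are documentation ranges).
SAMPLE_FLOWS = [
    ("192.168.3.10", "192.168.1.5", 445),    # guest -> LAN file share
    ("192.168.3.10", "192.168.2.20", 80),    # guest -> DMZ web server
    ("192.168.3.10", "198.51.100.9", 443),   # guest -> internet
    ("203.0.113.7", "192.168.2.20", 443),    # internet -> DMZ HTTPS
    ("203.0.113.7", "192.168.2.20", 22),     # internet -> DMZ SSH
    ("192.168.1.5", "192.168.2.20", 22),     # LAN admin -> DMZ SSH
    ("192.168.2.20", "192.168.1.5", 3306),   # DMZ web server -> LAN database
    ("203.0.113.7", "192.168.1.5", 80),      # internet -> LAN host
]


def audit() -> List[Tuple[str, str, int, str, int]]:
    """Evaluate every sample flow; handy for eyeballing the table before deploying it."""
    return [(s, d, p, *evaluate(s, d, p)) for s, d, p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for src, dst, port, action, idx in audit():
        print(f"{interface_for(src):>10} -> {interface_for(dst):<10} {src}:{dst}:{port:<5} {action:5} (rule {idx})")
```

The order matters: if the `pass GUEST_WIFI -> WAN` rule were written as `pass GUEST_WIFI -> any`, the two block rules above it would be the only thing keeping guests off the LAN and DMZ, which is why the isolation rules come first and the default deny comes last. Running the audit before changing a rule set is the cheapest way to catch a flow that was silently allowed by a later, broader rule.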
A firewall requires a separate NIC for every interface it hopes to support. This ensures a physical separation of network traffic. All inter-network traffic is forced to pass through the firewall where our rules will be applied and enforced. For that reason, a firewall requires a minimum of two NICs to function properly, one for internal traffic and one for external traffic (LAN and WAN). Each subsequent optional interface will require yet another NIC, which can be added at any time (unless, of course, we use VLANs).
Typically, a NIC will have a single Ethernet port. However, some NICs may have two, four, or even more Ethernet ports on a single card. Our firewall in the preceding scenario could have had four single-port NICs, or a single four-port network interface card.
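To show what "unless, of course, we use VLANs" means at the wire level, here is an added example (not code from the original text) that builds and parses IEEE 802.1Q-tagged Ethernet frames. With VLANs the physical separation of two NICs is replaced by a 12-bit VLAN ID carried in each frame on one shared cable, and the firewall sorts frames into logical interfaces by that ID. The VLAN IDs 20 and 30 and their mapping to DMZ and GUEST WIFI are assumptions; the page assigns no IDs.

```python
"""Constructed 802.1Q frame builder/parser showing how one NIC carries several interfaces."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN plan for the two extra interfaces riding on the LAN NIC.
VLAN_TO_INTERFACE: Dict[int, str] = {20: "DMZ", 30: "GUEST_WIFI"}


def build_frame(dst_mac: bytes, src_mac: bytes, vid: Optional[int],
                ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst_mac + src_mac
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
        if not 0 <= pcp <= 7:
            raise ValueError("priority code point must be 0..7")
        tci = (pcp << 13) | vid            # DEI bit (bit 12) left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Extract the VLAN ID (if any) and decide which logical interface the frame belongs to."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # No tag: a trunk port should not deliver these to a tagged interface.
        return {"dst": dst_mac, "src": src_mac, "vid": None, "interface": "UNTAGGED",
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {"dst": dst_mac, "src": src_mac, "vid": vid, "pcp": tci >> 13,
            "interface": VLAN_TO_INTERFACE.get(vid, "UNASSIGNED"),
            "ethertype": inner_type, "payload": frame[18:]}


if __name__ == "__main__":
    # Constructed sample: a DMZ frame and a guest frame share the same physical link.
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    for vid in (20, 30, 99, None):
        info = parse_frame(build_frame(dst, src, vid, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19))
        print(f"vid={info['vid']!s:>4} -> interface {info['interface']}")
```

The parser returns UNASSIGNED for a tag the firewall does not know and UNTAGGED for a frame with no tag at all; both cases deserve a drop rule on a trunk port, because a frame that lands on no defined interface is exactly the kind of traffic the rule set never got a chance to inspect.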