DMZ design question

Nov 5th, 2009

I once read somewhere in the old Cisco SAFE that it is better to design a DMZ with a PIX/ASA on the outside and then on the inside of the DMZ address space, vs. simply using an interface on one PIX/ASA as the DMZ, but for the life of me cannot remember what the justification for this was.

I designed a DMZ for a customer in the two ASA design. I have an outside Perimeter ASA that faces the internet. On the inside interface is the DMZ. The 2nd ASA guards the DMZ space from the inside networks. His outside interface is the DMZ address space while his inside interface is the inside network(s).

Can someone explain why this is a better design?

Farrukh Haroon Mon, 11/23/2009 - 00:43

Hello Kevin

The sandwich DMZ deployment does not add any real security benefit, and is usually used when you have a two-tier firewall architecture (mostly from two different vendors). The one-arm DMZ deployment model is more commonly used and is simpler to manage and troubleshoot. What happens when a server connected in the DMZ sandwich model misbehaves (e.g. L2 loop/broadcast spike)? It affects even your Inside >> Outside communication, as it has to pass through the DMZ sandwich (two firewalls). For some highly critical environments, it might make sense. E.g. a 'human error' on the Tier-1 Firewall would not affect the internal network, as the Tier-2 Firewall would still be correctly configured.

Btw, there is a new SAFE blueprint which can help you further:

Please rate if helpful.



Kevin Melton Mon, 11/23/2009 - 11:51

Thanks for your response, Farrukh, and also thanks for the link to the new SAFE.


Jon Marshall Mon, 11/23/2009 - 07:08


I would take a slightly different view than Farrukh. It really depends on the size of your organisation and the complexity of your setup.

For a very simple setup with perhaps a web/e-mail server then I would agree with Farrukh in that a 2 tier system really doesn't provide any benefits and in fact is just overkill.

However for a complex setup having a 2 tier system can make a lot of sense. As Farrukh mentions, a mistake on one of the firewalls doesn't automatically open up a hole into your network. In a complex environment this is actually quite an important point. With a 2 tier system you can logically split your rule bases, i.e.:

outside facing firewall(s) has a rule base for external access to publicly available servers

inside facing firewall(s) has a rule base for DMZ server access to internal resources

By splitting up the rule bases it makes it a lot more manageable and less prone to error in my opinion.

It's important to note that in a 2 tier system generally servers in the DMZ are dual homed to 2 DMZs, one external facing DMZ and one internal facing DMZ. Again this helps organise and clarify your rule bases.

Another argument that is often used is that if you have a 2 tier system then you can deploy 2 different vendor firewalls so if there is a bug in one it will not affect the other one. In principle a sound idea but I have often found that a lot of companies that do deploy 2 tier systems actually deploy the same firewall at both tiers simply for ease of administration.

Finally, don't forget throughput needs. An internal 2 tier system within the data centre to protect application and database servers will need a lot more throughput/performance from the firewalls. In a single tier system if you had 2 DMZs, one for application servers, one for database servers, for traffic to go to the application servers from outside it needs to go through the firewall. For traffic to go from the apps servers to the database servers again needs to go through the same firewall etc. This can lead to performance issues on the firewall. With a 2 tier system traffic to apps servers from outside goes through one firewall and traffic from the apps servers to database servers goes through a different firewall.
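The split rule bases Jon describes, written out as an added ASA configuration example (not from the thread or from Cisco's SAFE material). Hostnames, interface numbers and the RFC 5737/RFC 1918 addresses are constructed, and NAT for the internal range is omitted; the perimeter ASA's inside interface is the sandwich DMZ, and the inside ASA's outside interface sits on the same segment.

```cisco
! ---- Perimeter ASA: Internet <-> sandwich DMZ (constructed example) ----
! Rule base 1: only what the Internet may reach in the DMZ.
hostname PERIMETER-ASA
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
! Internal networks sit behind the inside ASA at 198.51.100.2
route inside 10.10.0.0 255.255.0.0 198.51.100.2
! 198.51.100.10 = front-end mail relay, 198.51.100.20 = 3rd-party interface host
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.10 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.20 eq https
access-group OUTSIDE-IN in interface outside
! Restrict what leaves the DMZ towards the Internet; without this ACL the
! security levels would allow any outbound connection from the DMZ.
access-list DMZ-OUT extended permit tcp host 198.51.100.10 any eq smtp
access-list DMZ-OUT extended permit udp host 198.51.100.10 any eq domain
access-list DMZ-OUT extended permit ip 10.10.0.0 255.255.0.0 any
access-group DMZ-OUT in interface inside

! ---- Inside ASA: sandwich DMZ <-> internal networks (constructed example) ----
! Rule base 2: only what DMZ servers may reach internally.
hostname INSIDE-ASA
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! The mail relay may hand mail to the internal mail server (10.10.0.25);
! everything else arriving from the DMZ segment hits the implicit deny.
access-list DMZ-IN extended permit tcp host 198.51.100.10 host 10.10.0.25 eq smtp
access-group DMZ-IN in interface outside
! If an administrator mistakenly widened OUTSIDE-IN on the perimeter ASA
! (e.g. "permit ip any any"), DMZ-IN here would still limit what reaches
! 10.10.0.0/16 to SMTP from the relay, which is the "one mistake does not
! open a hole" property of the two-tier design.
```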


Kevin Melton Mon, 11/23/2009 - 12:00

Thanks for your reply, Jon. As soon as I figure out how to rate the post in the new system (CSC vs. Netpro) I will do so.

As for the discussion, I believe the reason I went forward with the design was the justification that if one of the Firewalls were hacked, there would still be the second one for the potential attacker to have to compromise.

The customer only has a front end mail server and a front end 3rd party interface in the DMZ. The address space on the outside interface of the inside firewall and the inside interface of the outside firewall is where this DMZ network resides. The two rule sets on each independent Firewall are configured exactly as you have described.


Jon Marshall Mon, 11/23/2009 - 12:28


No worries about the rating, think it's going to take all of us a bit of time to get used to the new site.

For future reference, within the actual post you want to rate there are 2 sets of stars bottom left. You use the left hand set to rate.


