Is a DMZ using two firewalls better?

NInja Black
Level 1

Hi,

As per the title, I just want to know if creating a DMZ with two firewalls is better than having just one firewall. If yes, in what way?

Accepted Solution

There are some who advocate this approach in the literal sense - two physical firewalls (perhaps even from different vendors). That is less and less often seen and has its roots back in the 90s when firewalls were less trusted than today - mostly stemming from some vulnerabilities found in some early firewall code.

Another way to interpret the diagram is logically - the flow comes in via an Internet-DMZ zone pair and then goes via a DMZ-Inside zone pair to reach the internal backend servers. That's not at all uncommon as it's just a separate set of rules on one physical firewall (or cluster).

It is also sometimes implemented via the second "firewall" being a proxy server like a load balancer, perhaps with an application layer firewall function residing on it. In such a case, traffic comes in via, say, an ASA outside interface where it is checked against an ACL and un-NATted to a load balancer VIP residing in the DMZ. The load balancer perhaps decrypts SSL and runs the HTTP content through an application firewall before handing it off via separate interfaces to the backend internal servers. This is often done in things like e-commerce applications where much of the content may be encrypted and we don't want to (or are unable to) put the load of SSL decryption on the Internet-facing firewall.

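The logical reading in the accepted answer, as an added example that is not from the original post: one ASA (assumed ASA 8.3+ object NAT syntax) with outside, dmz and inside interfaces, where an Internet-to-backend flow must clear both the outside-to-DMZ rule set and the DMZ-to-inside rule set before it reaches a backend server. The addresses, object names and the backend port 8080 are constructed for illustration.

```cisco
! Three zones on one physical firewall: the "two firewalls" are two rule sets.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
! Load balancer VIP in the DMZ, published on a public address.
! Inbound traffic to 203.0.113.10 is un-NATted to 10.10.20.10 (constructed values).
object network LB_VIP
 host 10.10.20.10
 nat (dmz,outside) static 203.0.113.10
!
! Backend servers the load balancer forwards to (constructed addresses).
object-group network BACKEND_WEB
 network-object host 10.10.30.21
 network-object host 10.10.30.22
!
! Rule set 1 (Internet -> DMZ): only HTTPS to the VIP; everything else is dropped and logged.
! ACLs on 8.3+ reference the real (DMZ) address, so the object is used here as well.
access-list OUTSIDE_IN extended permit tcp any object LB_VIP eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Rule set 2 (DMZ -> inside): only the load balancer, only to the backends, only on 8080.
! Once an ACL is applied, only the permitted flows pass, so a compromised DMZ host
! has no path to the inside network other than this one, and the denies are logged.
access-list DMZ_IN extended permit tcp object LB_VIP object-group BACKEND_WEB eq 8080
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The SSL decryption and application-layer inspection the answer mentions happen on the load balancer, not on this configuration; the ASA only enforces that the load balancer is the sole hop between the two zone pairs.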

6 Replies

david-swope
Level 1

My initial answer would be a resounding no. Why? Cost, Design, Management

You can easily have separate DMZs within one firewall and permit/deny traffic as you see fit based on rules etc.

It's not economical to have another firewall just for another DMZ. 

I thought so too. But these diagrams on the net keep throwing me off. Are there scenarios where this is preferable?

Ok, well this is something entirely different than simply asking about creating a DMZ with two firewalls.

Having two firewalls as in the diagram is not uncommon, but again it all depends on what the business needs are. Designs should take place around the business needs, not the configuration skills of the engineer (which happens 90% of the time).

A basic look at it would be something like this:

Internal Zone - FW1

External Zone - FW2

Since DMZs are typically external facing you could hang them off FW2, or you could hang them off FW1 ensuring all connections pass through both firewalls. Again, it "depends" on what is needed.

This is an elegant explanation and 100% rooted in the correct! 

So how common is it anymore? I can say I have not come across this approach myself in production. Again, an "old" line of thinking it may very well be and isn't Checkpoint the reasoning for the multi vendor approach as well? lol


NInja Black
Level 1

Thanks again Marvin! Very informative.
