06-30-2014 10:40 AM - edited 03-11-2019 09:24 PM
Hi,
As per the title just want to know if creating a DMZ with two firewalls is better than having just one firewall. If yes, in what way?
06-30-2014 12:09 PM
There are some who advocate this approach in the literal sense - two physical firewalls (perhaps even from different vendors). That is less and less often seen and has its roots back in the 90s when firewalls were less trusted than today - mostly stemming from some vulnerabilities found in some early firewall code.
Another way to interpret the diagram is logically - the flow comes in via an Internet-DMZ zone pair and then goes via a DMZ-Inside zone pair to reach the internal backend servers. That's not at all uncommon as it's just a separate set of rules on one physical firewall (or cluster).
It is also sometimes implemented via the second "firewall" being a proxy server like a load balancer, perhaps with an application layer firewall function residing on it. In such a case, traffic comes in via, say, an ASA outside interface where it is checked against an ACL and un-NATted to a load balancer VIP residing in the DMZ. The load balancer perhaps decrypts SSL and runs the HTTP content through an application firewall before handing it off via separate interfaces to the backend internal servers. This is often done in things like e-commerce applications where much of the content may be encrypted and we don't want to (or are unable to) put the load of SSL decryption on the Internet-facing firewall.
06-30-2014 10:58 AM
My initial answer would be a resounding no. Why? Cost, Design, Management
You can easily have separate DMZs within one firewall and permit/deny traffic as you see fit based on rules etc.
It's not economical to have another firewall just for another DMZ.
06-30-2014 11:43 AM
06-30-2014 11:59 AM
Ok, well this is something entirely different than simply asking about creating a DMZ with two firewalls.
Having two firewalls as in the diagram is not uncommon but again it all depends on what the business needs are. Designs should take place around the business needs, not the configuration skills of the Engineer (which happens 90% of the time).
A basic look at it would be something like this
Internal Zone - FW1
External Zone - FW2
Since DMZs are typically external facing you could hang them off FW2 or you could hang them off FW1 ensuring all connections pass through both firewalls. Again, it "depends" on what is needed.
06-30-2014 12:09 PM
This is an elegant explanation and 100% rooted in the correct!
So how common is it anymore? I can say I have not come across this approach myself in production. Again, an "old" line of thinking it may very well be and isn't Checkpoint the reasoning for the multi vendor approach as well? lol
06-30-2014 01:49 PM
Thanks again Marvin! Very informative.