
New Member

Is a DMZ using two firewalls better?

Hi,

As per the title, just want to know if creating a DMZ with two firewalls is better than having just one firewall. If yes, in what way?

ACCEPTED SOLUTION
Hall of Fame Super Silver

There are some who advocate this approach in the literal sense - two physical firewalls (perhaps even from different vendors). That is less and less often seen and has its roots back in the 90s when firewalls were less trusted than today - mostly stemming from some vulnerabilities found in some early firewall code.

Another way to interpret the diagram is logically - the flow comes in via an Internet-DMZ zone pair and then goes via a DMZ-Inside zone pair to reach the internal backend servers. That's not at all uncommon as it's just a separate set of rules on one physical firewall (or cluster).

It is also sometimes implemented via the second "firewall" being a proxy server like a load balancer, perhaps with an application layer firewall function residing on it. In such a case, traffic comes in via, say, an ASA outside interface where it is checked against an ACL and un-NATted to a load balancer VIP residing in the DMZ. The load balancer perhaps decrypts SSL and runs the HTTP content through an application firewall before handing it off via separate interfaces to the backend internal servers. This is often done in things like e-commerce applications where much of the content may be encrypted and we don't want to (or are unable to) put the load of SSL decryption on the Internet-facing firewall.
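The ASA-plus-load-balancer pattern described in the accepted solution, as an added example that is not from the original thread or from Cisco: one ASA with three interfaces enforces both logical hops. The outside ACL admits only HTTPS to the public (static NAT) address of a load balancer VIP in the DMZ, and a second ACL on the DMZ interface admits only that VIP to the backend web tier on the port it fronts. Interface names, object names, addresses (RFC 5737 documentation ranges) and the backend port 8080 are all assumed for illustration; the syntax is ASA 8.3+ object NAT, where ACLs reference real (pre-NAT) addresses.

```cisco
! Added example (not from the thread): a single ASA enforcing the two logical hops
! Internet -> DMZ (load balancer VIP) and DMZ -> Inside (backend web tier).
! All addresses and names are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Load balancer VIP living in the DMZ, published on a public address.
! Inbound packets to 203.0.113.10 are un-NATted to 192.0.2.10 before the ACL check.
object network LB-VIP
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10
!
! Backend web server on the inside network (assumed address).
object network BACKEND-WEB
 host 10.0.0.20
!
! Hop 1: outside -> dmz. Only HTTPS to the VIP; everything else is dropped and logged.
access-list OUTSIDE-IN extended permit tcp any object LB-VIP eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Hop 2: dmz -> inside. Only the load balancer may reach the backend, and only on
! the application port it fronts (8080 assumed). Nothing else in the DMZ gets inside.
access-list DMZ-IN extended permit tcp object LB-VIP object BACKEND-WEB eq 8080
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

Two things worth noticing. No rule anywhere permits outside to inside, so a client can only reach the backend by first terminating at the load balancer, which is exactly the "two firewalls" picture collapsed onto one box. And because the DMZ-side ACL names the VIP host explicitly with a logged deny behind it, a compromised DMZ host other than the load balancer produces log entries rather than a path to the inside, which gives the SOC something to alert on.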

6 REPLIES
New Member

My initial answer would be a resounding no. Why? Cost, Design, Management

You can easily have separate DMZ's within one firewall and permit/deny traffic as you see fit based on rules etc.

It's not economical to have another firewall just for another DMZ. 

New Member

I thought so too. But these diagrams on the net keep throwing me off. Are there scenarios where this is preferable?

New Member

Ok, well this is something entirely different than simply asking about creating a DMZ with two firewalls.

Having two firewalls as in the diagram is not uncommon, but again it all depends on what the business needs are. Designs should take place around the business needs, not the configuration skills of the engineer (which happens 90% of the time).

A basic look at it would be something like this

Internal Zone - FW1

External Zone - FW2

Since DMZ's are typically external facing, you could hang them off FW2, or you could hang them off FW1 ensuring all connections pass through both firewalls. Again, it "depends" on what is needed.

New Member

This is an elegant explanation and 100% rooted in the correct! 

So how common is it anymore? I can say I have not come across this approach myself in production. Again, an "old" line of thinking it may very well be, and isn't Checkpoint the reasoning for the multi-vendor approach as well? lol

New Member

Thanks again Marvin! Very informative.

2321 Views, 0 Helpful, 6 Replies