Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

2 Tier Firewalling

Hi folks,

I've seen 2 tier firewalling getting very common these days, i.e customers implementing 2 firewalls, usually PIX for DMZ and Checkpoint as 2nd layer for Internal LAN.

What addition benefits does this kind of design really bring? And what are the issues to look out ofr?

New Member

Re: 2 Tier Firewalling


it brings HEADACHE :) and confusion during troubleshooting.

besides, it will be a burden for a company's budget to hire individuals who know both pix and checkpoint, not accounting for hardware prices

Adv: none,

Honestly, i don't see a reason to use to different vendors in this case (pix and checkpoint). if one is better than the other, then why use it in the first place? And if both of them are good then company has to make up their mind which one to use. Unless this company is doing some security testing/research for the product line, i would understand that. Otherwise, they would have to spend big $$$ and time for this solution.

Good luck.


New Member

Re: 2 Tier Firewalling

one advantage of using differant vendors on each tier is that if intruder manages to break in at the first line of defence using some sort of vendor specific hardware/software weakness, they wouldnt be able to compromise the second firewall using the same technique...

New Member

Re: 2 Tier Firewalling

I'd have to go along with Yuri. You can put together

a multi level security setting with a larger pix.

the checkpoint has the GUI, but look at the 6.0 release

of Pix software.

New Member

Re: 2 Tier Firewalling

I disagree with the comments of the first responses that you have recieved.

Two-tier(or even Ntier)firewalling can provide "depth and diversity" of security. Many products excel in one area or another, and it is prudent to remember that a "firewall" is not a single "system", but normally a series of thoughtful processes and products working in conjunction/parallel to provide an acceptable end-result.

In many instances, I have found it mandatory to implement multi-tiered security mechanisims to achieve a particular (elegant) end-result.

If it is complexity that troubles certain individuals, then perhaps security management and engineering is not an area they should endeavor to pursue. Security always has been, and will continue to be a complex and time-intensive proposition.


New Member

Re: 2 Tier Firewalling

It's interesting to consider which firewall to put where in such design, eg PIX is normally the one closest to the Internet since it's less feature rich and faster, where else Checkpoint is placed behind for the opposite reasons ... but it's strange since the traffic transit between DMZ and internal requires better performance ... any comment ?

New Member

Re: 2 Tier Firewalling


I totally agree with ur opinion.

I would also like to add that having 2 diferent f/w technology such as application proxy with strict authentication at the second tier will give u max security.

If u have more bastion hosts such as WEB,FTP services where public are allowed to access, appropriate security can be applied at the first tier without copromising speed.


CreatePlease login to create content