Cisco Support Community

Why connect two firewalls back to back?

I have recently looked at a firewall topology where there were 2 firewalls connected back to back in a serial fashion. The configuration was as follows: the LAN was connected to a router which performed all the NAT operations, that router was connected to a non-Cisco firewall product, that firewall was connected to a web server which in turn was connected to a PIX firewall that connected the entire network to the internet (or ISP).

The admin says that was done to make it harder for hackers to compromise the network, but I am doubtful of that (that was the same reason given to me when I asked why have 2 firewall products from different vendors). Why would anyone want to connect 2 firewalls in that way? Was the explanation given to me valid?



Re: Why connect two firewalls back to back?

It sounds like they didn't plan ahead and buy a firewall with >= 3 interfaces. While you can make a theoretical argument that having a divergent base of hardware minimizes your risk, I feel that increasing the number of products you need to understand, and the chance that multiple vendors' gear will not work well together, makes a one-vendor approach more attractive. Increasing the raw number of devices also increases complexity.

Therefore, I would be against 2 different firewalls at the same site, be they from different or the same vendor.


Re: Why connect two firewalls back to back?

Having a setup like this has some advantages though. The first advantage is that if the protected server has a vulnerability at ports which are accessible from the outside interface, there is still no traffic possible to the inside. This first advantage also counts when you have one firewall with a so-called DMZ (having a third interface, as mostiguy already stated).

The second advantage would be that having two vendors does indeed increase the knowledge you need to have, but having two different vendors also increases the security. If a vulnerability exists in the first vendor's firewall, it is likely not to exist in the second vendor's firewall, thus making it quite difficult to break in and making your site less vulnerable.

In fact, having two different vendor firewalls is quite a common setup, but I always recommend in this case to have the servers on a DMZ on the PIXes, and the PIXes having the inside interface connected to a second vendor (sorry Cisco) firewall.

In this setup you can create a large, but very scalable hosting solution with one (other vendor) which connects to your inside network (this one could also be used for browsing via a proxy). The DMZ interface on this second vendor firewall is then connected to a switch (or switches) which connect all PIX inside interfaces (could be several PIXes) for maintenance purposes. This way the setup is very secure and very scalable, because another customer for web hosting is quite easy to add by just putting in another PIX.

Concluding: that they maybe forgot to have three interfaces at the PIX is not likely the case in my humble opinion (otherwise they would have just ordered a third interface instead of setting up a second firewall).

Most likely they did some good thinking and they want it to be really secure, because setting up an environment with a protected host subnet (as this setup is sometimes referred to) needs planning of IP subnets et cetera.

Hope this helps.
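
Added example, not part of the thread or any poster's configuration: a small Python model of the two layouts compared above (PIX and a second-vendor firewall back to back, versus one firewall with three interfaces). It computes which zones an outside attacker can send traffic to when the web server or a firewall has a vulnerability. The zone names, firewall labels and permitted flows are assumptions made for illustration.

```python
# Constructed model (zone names, firewall labels and rules are assumptions).
# "path" lists the firewalls a flow crosses; "permit" lists flows each one allows.
BACK_TO_BACK = {
    "path": {("internet", "dmz"): ["pix"],
             ("dmz", "lan"): ["fw2"],
             ("internet", "lan"): ["pix", "fw2"]},
    "permit": {"pix": {("internet", "dmz")}, "fw2": set()},
}
THREE_LEGGED = {
    "path": {("internet", "dmz"): ["fw"],
             ("dmz", "lan"): ["fw"],
             ("internet", "lan"): ["fw"]},
    "permit": {"fw": {("internet", "dmz")}},
}


def flow_allowed(design, src, dst, bypassed):
    """A flow passes only if every firewall on its path permits it or is bypassed."""
    return all(fw in bypassed or (src, dst) in design["permit"][fw]
               for fw in design["path"][(src, dst)])


def attacker_reach(design, vulnerable=frozenset(), bypassed=frozenset()):
    """Zones an outside attacker can send traffic to.

    vulnerable: zones whose exposed host can be taken over and used as a pivot.
    bypassed:   firewalls assumed to have a flaw that defeats their rule set.
    """
    footholds, reached = {"internet"}, {"internet"}
    pending = ["internet"]
    while pending:
        src = pending.pop()
        for (s, dst) in design["path"]:
            if s != src or not flow_allowed(design, s, dst, bypassed):
                continue
            reached.add(dst)
            if dst in vulnerable and dst not in footholds:
                footholds.add(dst)      # compromised host becomes a new source
                pending.append(dst)
    return reached


if __name__ == "__main__":
    cases = [("web server flaw only", {"dmz"}, set()),
             ("outer firewall flaw", {"dmz"}, {"pix", "fw"}),
             ("both firewalls flawed", {"dmz"}, {"pix", "fw", "fw2"})]
    for label, vuln, byp in cases:
        for name, d in (("back-to-back", BACK_TO_BACK), ("three-legged", THREE_LEGGED)):
            print(f"{label:22} {name:13} -> {sorted(attacker_reach(d, vuln, byp))}")
```
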

