OSEC

 
From: Chris Wilkes (cwilkes@ladro.com)
Date: Thu Oct 04 2001 - 18:54:30 CDT


    On Thu, 4 Oct 2001, Rob Collins wrote:

    > Just to be clear, the two different architectures are:
    > Basic firewall with DMZ network architecture;
    > INTERNET
    > |
    > LAN---o---DMZ
    > Dual firewall with DMZ network architecture;
    > INTERNET
    > |
    > o
    > |___DMZ
    > |
    > o
    > |
    > LAN
    >
    > In both architectures, traffic from any one segment to
    > another must first pass a firewall. The difference,
    > so far as I see, is entirely in the shape of the rules
    > the firewall(s) use.
    >
    > Maybe I'm not understanding 'layering'. What benefit
    > does putting the second firewall in provide? I see
    > complications (like an extra firewall), but no benefit
    > in making traffic destined for the intranet traverse
    > the DMZ.

    It doesn't traverse the DMZ, inasmuch as the 2nd firewall is probably
    connected to the same switch that the 1st one is.

    The benefit is that you can provide some firewalling to your DMZ (web,
    mail, etc) servers and then some for your internal machines with the 2nd
    box. With the 1st setup it is somewhat unclear (usually the DMZ is before
    the firewall) if the DMZ has any firewall protection.

    Also it helps you out if the 1st firewall is cracked -- they still have
    another one to go through.

    This approach is also called a "firewall sandwich".

    Chris
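The two designs discussed above, modelled as an added example (this is not code from the original post or from any firewall product): each design is a set of firewalls plus a table of which firewalls a packet crosses for each pair of zones, a firewall is first-match with a default deny, and "cracking" a firewall is simulated by replacing its ruleset with allow-everything. The zone names, services (web and mail on the DMZ, a database on the LAN reachable from the DMZ on tcp/3306) and the test packets are constructed for illustration and are assumptions, not anything stated in the thread.

```python
"""Single-firewall DMZ versus firewall sandwich: which packets get through
when every firewall is intact, and when the Internet-facing one is cracked.
Zones, ports and rules are constructed for illustration (assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # zone: "INTERNET", "DMZ" or "LAN"
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                # zone name or "*"
    dst: str
    proto: str              # "tcp", "udp" or "*"
    dport: Optional[int]    # None matches any destination port
    action: str             # "ACCEPT" or "DROP"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto)
                and self.dport in (None, p.dport))


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    default: str = "DROP"   # first matching rule wins, otherwise the default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


Path = Dict[Tuple[str, str], List[str]]   # (src zone, dst zone) -> firewalls crossed


@dataclass
class Design:
    firewalls: Dict[str, Firewall]
    path: Path

    def permits(self, p: Packet) -> bool:
        # A packet gets through only if every firewall on its path accepts it.
        return all(self.firewalls[n].decide(p) == "ACCEPT"
                   for n in self.path[(p.src, p.dst)])

    def cracked(self, name: str) -> "Design":
        # Attacker owns this firewall: it now forwards everything it sees.
        owned = dict(self.firewalls)
        owned[name] = Firewall(name + "(cracked)", [], default="ACCEPT")
        return Design(owned, self.path)


# Constructed policy: web and mail exposed on the DMZ; DMZ apps may reach a
# LAN database on tcp/3306; the LAN may go anywhere. Everything else is dropped.
A = "ACCEPT"
EDGE_RULES = [Rule("INTERNET", "DMZ", "tcp", 80, A),
              Rule("INTERNET", "DMZ", "tcp", 25, A),
              Rule("DMZ", "INTERNET", "tcp", 25, A),       # outbound mail
              Rule("LAN", "INTERNET", "*", None, A)]
INSIDE_RULES = [Rule("DMZ", "LAN", "tcp", 3306, A),       # only the DB port inward
                Rule("LAN", "*", "*", None, A)]

ZONE_PAIRS = [("INTERNET", "DMZ"), ("INTERNET", "LAN"), ("DMZ", "LAN"),
              ("DMZ", "INTERNET"), ("LAN", "DMZ"), ("LAN", "INTERNET")]

# Basic design: one three-legged firewall carries the whole policy.
SINGLE = Design({"fw": Firewall("fw", EDGE_RULES + INSIDE_RULES)},
                {pair: ["fw"] for pair in ZONE_PAIRS})

# Sandwich: the DMZ sits between an outer and an inner firewall, so Internet-to-LAN
# traffic must satisfy both rulesets, and DMZ-to-LAN traffic is judged by the inner one.
DUAL = Design({"outer": Firewall("outer", EDGE_RULES),
               "inner": Firewall("inner", INSIDE_RULES)},
              {("INTERNET", "DMZ"): ["outer"], ("INTERNET", "LAN"): ["outer", "inner"],
               ("DMZ", "LAN"): ["inner"], ("DMZ", "INTERNET"): ["outer"],
               ("LAN", "DMZ"): ["inner"], ("LAN", "INTERNET"): ["inner", "outer"]})

# Constructed test packets.
WEB = Packet("INTERNET", "DMZ", "tcp", 80)
SMB_FROM_INTERNET = Packet("INTERNET", "LAN", "tcp", 445)
SMB_FROM_DMZ = Packet("DMZ", "LAN", "tcp", 445)      # a cracked DMZ host probing the LAN
DB_FROM_DMZ = Packet("DMZ", "LAN", "tcp", 3306)


def compare(pkt: Packet) -> Dict[str, bool]:
    """Verdict for one packet under both intact designs and with the edge firewall cracked."""
    return {"single": SINGLE.permits(pkt),
            "single_cracked": SINGLE.cracked("fw").permits(pkt),
            "dual": DUAL.permits(pkt),
            "dual_outer_cracked": DUAL.cracked("outer").permits(pkt)}


if __name__ == "__main__":
    for p in (WEB, SMB_FROM_INTERNET, SMB_FROM_DMZ, DB_FROM_DMZ):
        print(f"{p.src:>8} -> {p.dst:<3} {p.proto}/{p.dport:<5} {compare(p)}")
```

With both designs intact the verdicts are identical, which is the point made in the quoted question: the policy is the same, only its shape differs. The difference shows up once the Internet-facing firewall is cracked: in the single design every packet, including Internet-to-LAN tcp/445, is now forwarded, while in the sandwich the inner firewall still drops it and still confines DMZ hosts to the one database port.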