DMZ and Firewalls

Hey, just had a questions about the DMZ.

From what I have read, the DMZ sits outside a company Intranet.

My question is, do you need 2 firewalls to have a DMZ?

My confusion comes from some of the diagrams I looked up; the DMZ is actually between firewalls.

Is it possible to have:

Intranet----Firewall---DMZ---Internet

Or must you have:

Intranet----Firewall----DMZ----Firewall---Internet

I am not quite sure why 2 firewalls would be necessary. Considering they are both the same model, wouldn't having just 1 do the same as both?

Thank you.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

If you're using a single one, it would have three network connections, so it wouldn't look like your diagram (it would have the DMZ jetting off the firewall in its own direction). It's not necessary to have two firewalls; there are pros and cons to each approach.

blackninja

If you used a PIX firewalll then you'd use port 1 for inside, port2 for outside and port 3 for DMZ.

But then if using linux boxes you could setup outside - firewall - dmz - firewall - inside.

JBrown

Don't forget that sometimes if not quite often internal threat is more dangerous than external one. Also, DMZ and Intranet are on 2 different networks, most of the time, and that is why there are 2 firewalls.

gojericho0

Just think of it as three separate networks with buffers of protection in between each layer. Sort of like a router with three interfaces, but with the added protection of the firewall. You don't necessarily need two firewall as one would do just fine depending on needs.

Two firewalls may be required if you notice however that you need to create more dmzs than ports that a single firewall can handle. Or you want additional security, redundancy or load balancing

up2thetime

Thank you for the replies.

The more I think about it, I don't understand the need for a firewall in front of the public facing servers.

If we have a webserver in between 2 firewalls, then the outermost firewall would have the job of protecting the public facing servers So I would assume it will only allow port 80 request in.

What happens if an employee in trying to VPN into the intranet?

The outermost firewall wont allow it in.

Unless we allow exceptions (but then what is the point of having a firewall if we are opening up ports beyond what it is supposed to protect?)

Sorry, I know this must be basic to many of you out there.

Thanks again.

gojericho0

up2thetime wrote: »

Thank you for the replies.

What happens if an employee in trying to VPN into the intranet?

The outermost firewall wont allow it in.

Thanks again.

Thats a good question. Another thing to think about is what good will a firewall do if the ports and data are encrypted because of the VPN?

Going back to the original scenerio with one firewall that has three interfaces (one for the internet, one for the intranet, and one for the web dmz), we could have the VPN terminate at the internet interface of the firewall. The firewall would then be able to do the unencryption, assign resources, and appropretly route the traffic to the intranet segment to access resources. That way everything stays protected

Neeko

gojericho0 wrote: »

Thats a good question. Another thing to think about is what good will a firewall do if the ports and data are encrypted because of the VPN?

Going back to the original scenerio with one firewall that has three interfaces (one for the internet, one for the intranet, and one for the web dmz), we could have the VPN terminate at the internet interface of the firewall. The firewall would then be able to do the unencryption, assign resources, and appropretly route the traffic to the intranet segment to access resources. That way everything stays protected

If there was two firewalls you could do the same, terminate the VPN at the first firewall and route that traffic to the second firewall.

kriscamaro68

We have a cisco ASA 5510 here at work that I manage and the way I see it is you have 3 connections going into the router on a single router. Connection 1 is lets say your intranet which the firewall covers. Then connection 2 is say your DMZ which is basically left open to whatever. Then connection 3 is your internet connection which is again covered by the firewall. So on a diagram it may look like 2 firewalls but in reality its the same firewall covering 2 connections and leaving the DMZ open.