External/DMZ/Internal with two firewalls?

This is the first time I have seen this and I was curious about the feedback on this configuration...

I'm at a new gig and they have their network set up with two external firewalls (active/passive) for redundancy, then their DMZ, then another pair of firewalls before getting into the Internal network.

I have always just seen one set of firewalls, not two. It has made troubleshooting a complete nightmare, because they do double NAT'ing.

I have read a thing or two that "maybe" this might be something you would do if you used two different vendors to protect against a 0-day exploit, but it seems a little odd to me.

I just thought I would ask the experts.


You have as many layers of firewall as you determine you need. While a 1:X NAT can have issues, they could implement 1:1 NAT on the first firewall, or maybe you should just ask the Network admins why they did it that way.

It's a common setup.

That's another common setup.

I fail to see the problem.

Exactly. It's very unlikely that two different firewalls (preferably running on different hardware platforms as well) are vulnerable to the same 0-day exploit, thus raising the bar for an attacker who tries to get into the LAN.

I fail to see why.

Ansgar -59cobalt- Wiechers
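To make the two points in this thread concrete (1:1 NAT on the outer firewall keeps addresses traceable, and the inner firewall limits what a DMZ host can reach), here is a small Python model of a two-tier DMZ. This is an added example, not code from any of the posters; the addresses, the NAT table and the two policies are constructed for the illustration, using RFC 5737 and RFC 1918 ranges.

```python
"""Toy model of the two-firewall (traditional) DMZ discussed in the thread.

Constructed example: the outer firewall does 1:1 static NAT from public
addresses to DMZ hosts and only admits the published services; the inner
firewall only admits specific DMZ-to-internal flows. All addresses,
hosts and ports below are made up for this illustration.
"""
from dataclasses import dataclass

# Outer firewall: 1:1 (static) NAT, public -> DMZ. Each DMZ host owns exactly
# one public address, so the mapping can be inverted when reading logs.
OUTER_NAT_1TO1 = {
    "203.0.113.10": "172.16.1.10",  # web server (assumed)
    "203.0.113.11": "172.16.1.11",  # mail relay (assumed)
}

# Outer firewall policy: which DMZ services the Internet may reach.
OUTER_ALLOW = {
    ("172.16.1.10", 443),
    ("172.16.1.11", 25),
}

# Inner firewall policy: named DMZ host -> named internal service only.
INNER_ALLOW = {
    ("172.16.1.10", "10.0.0.20", 5432),  # web -> database
    ("172.16.1.11", "10.0.0.30", 389),   # mail relay -> directory
}

DMZ_PREFIX = "172.16.1."
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def outer_firewall(pkt):
    """Translate and filter a packet arriving from the Internet.

    Returns (verdict, translated_packet); the packet is None when dropped.
    """
    dmz_dst = OUTER_NAT_1TO1.get(pkt.dst)
    if dmz_dst is None:
        # No public address maps here: internal hosts are simply unreachable.
        return "DROP no-nat-mapping", None
    if (dmz_dst, pkt.dport) not in OUTER_ALLOW:
        return "DROP outer-policy", None
    return "ACCEPT", Packet(pkt.src, dmz_dst, pkt.dport)


def inner_firewall(pkt):
    """Filter a packet a DMZ host sends toward the internal network."""
    if not (pkt.src.startswith(DMZ_PREFIX) and pkt.dst.startswith(INTERNAL_PREFIX)):
        return "DROP not-dmz-to-internal"
    if (pkt.src, pkt.dst, pkt.dport) not in INNER_ALLOW:
        return "DROP inner-policy"
    return "ACCEPT"


def reverse_lookup(dmz_ip):
    """Recover the public address behind a DMZ address seen in logs.

    Unambiguous with 1:1 NAT; with 1:X (many-to-one) NAT this is exactly
    the lookup that makes troubleshooting painful.
    """
    publics = [pub for pub, dmz in OUTER_NAT_1TO1.items() if dmz == dmz_ip]
    return publics[0] if len(publics) == 1 else None


def reachable_internal_services(dmz_host):
    """Blast radius check: internal services a given DMZ host could reach
    if it were fully compromised, as permitted by the inner policy."""
    return {(dst, port) for src, dst, port in INNER_ALLOW if src == dmz_host}


if __name__ == "__main__":
    client = "198.51.100.5"  # constructed Internet client
    verdict, inside = outer_firewall(Packet(client, "203.0.113.10", 443))
    print("outer:", verdict, inside)
    print("inner web->db:", inner_firewall(Packet("172.16.1.10", "10.0.0.20", 5432)))
    print("inner web->file:", inner_firewall(Packet("172.16.1.10", "10.0.0.30", 445)))
    print("public for 172.16.1.11:", reverse_lookup("172.16.1.11"))
    print("web server blast radius:", reachable_internal_services("172.16.1.10"))
```

The model shows why the double-NAT complaint and the "ask for 1:1 NAT" answer fit together: with a static mapping, `reverse_lookup` turns any DMZ-side log entry straight back into the public address, and `reachable_internal_services` is the review a defender runs on the inner rule set to confirm that a compromised DMZ host gets only its one database port and nothing else on the LAN.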

It may offend some, but in my experience I've come to know a single firewall supporting multiple interfaces as a 'Modern DMZ' whereas having two or more firewalls inline with each other is what is/was referred to as a 'Traditional DMZ' with the network in between known as the perimeter network.

Don Kelloway