10-31-2012 06:22 AM - edited 03-11-2019 05:16 PM
Hi All
What are people's thoughts on a 2-tier firewall design for a large enterprise? Is it normal and recommended practice to have 2 layers of firewall, and of different vendors?
Also, would the rulebase normally be duplicated on each firewall?
cheers
10-31-2012 06:35 AM
I've used 2-tier many times. It has advantages & disadvantages, you just need to compare them. Different vendors is suggested and for some entities it may be required. The rule base would be completely different. The servers in the DMZ are usually reverse proxies and outside access to them is significantly different than what the proxies need to the inside.
10-31-2012 06:37 AM
Hi,
The most common situations where I've seen this used is when a customer has an office network and an automation network. So mostly in factories/mills where it's important to separate the 2 networks from each other.
In these cases the firewall pair between office and automation are usually doing NAT Exemption for all traffic. Any NAT is handled on the firewall equipment on the edge of the whole network.
In these types of setups you can basically leave the inner ASA without any NAT configurations and you will mostly be configuring ACLs while the bulk of the firewall configurations are done at the edge devices.
- Jouni
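As an added example of the inner-ASA arrangement described above (not Jouni's own configuration or anything posted in the thread): ASA 8.3+ syntax, with the interface names, subnets, the historian host and the TCP port all assumed for illustration.

```cisco
! Added example, not from the thread: inner ASA between the office and
! automation networks. Identity ("exemption") NAT keeps real addresses, the
! edge firewall does all real NAT, and the policy lives entirely in ACLs.
! Interface names, subnets, the HISTORIAN host and port 1433 are assumed.
interface GigabitEthernet0/0
 nameif office
 security-level 50
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1
 nameif automation
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
object network OFFICE-NET
 subnet 10.10.0.0 255.255.255.0
object network AUTOMATION-NET
 subnet 10.20.0.0 255.255.255.0
object network HISTORIAN
 host 10.20.0.50
!
! Identity (twice) NAT: traffic between the two networks keeps its real
! source and destination addresses in both directions. On 8.3+ traffic that
! matches no nat rule already passes untranslated, so this line is optional;
! it is kept so the exemption stays explicit if other NAT rules are added later.
nat (office,automation) source static OFFICE-NET OFFICE-NET destination static AUTOMATION-NET AUTOMATION-NET no-proxy-arp route-lookup
!
! Office side: only the historian, only on the assumed port; log everything else.
access-list OFFICE-IN extended permit tcp object OFFICE-NET object HISTORIAN eq 1433
access-list OFFICE-IN extended deny ip any any log
access-group OFFICE-IN in interface office
!
! Automation side: the higher security level would otherwise let automation
! hosts initiate connections toward the office, so deny that explicitly.
! Return traffic for office-initiated sessions is still allowed statefully.
access-list AUTO-IN extended deny ip any any log
access-group AUTO-IN in interface automation
```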
10-31-2012 06:59 AM
To be honest, it was more about the design being on the internet edge not inside the network.