cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

379
Views
15
Helpful
3
Replies
Highlighted
Participant

3 tier firewall architecture

Hi,

I am confuse in everybody say 3 tier firewall Architecture.

Let me know what is it.If i divided 3 zone and applied to three different subnet and applied to three different interface with each network,can we call 3 tier architecture?

OR it must have each physical firewalls for every web tier,app tier and database tier(total 3 firewall)?

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Guru

Re: 3 tier firewall architecture

There's no one correct answer as the term "3 tier" is not a standards-based term but rather a generally used description. Originally it was used as you allude - to describe an application delivery architecture divided among web, application and database servers or "tiers". Commonly we put security controls between those tiers as well as controls in front of the web tier. So you could call that a "3 tier firewall". But it's not a prescriptive standards-based design.

Some things are best done with routers and other things are better suited for firewalls. An Internet connection for a data center hosting application such as you describe will most often have a router at the outermost "edge". It will primarily route and, to an extent provide some security (such as filtering bogons, IP address spoofing protection with uRPF, rate limiting etc.). It then connects (via a layer 2 switch) to perimeter firewall(s) or potentially directly to an application delivery controller (ADC or "load balancer") which has/have further security controls - classic 5-tuple ACLs, protocol inspection, potentially intrusion prevention (L7 inspection), etc.

Further into the tiers you may have additional firewalls, ADCs or security controls.

In all cases these can be physical or virtual machines. Arguably, none is inherently more or less secure than another. It all has to be part of a coherent design that takes into account the necessary level of protection that should be applied to the assets being protected in the context of the risk profile.

View solution in original post

3 REPLIES 3
Highlighted
VIP Mentor

Re: 3 tier firewall architecture

Its all depends how you much security you want to put in place.

 

Some organisation deploy :

 

Internet Edge FW

Inernal FW

DC FW.

 

Some people also sploy DC FW also multi context FW, between Application,. database, Others  depends on requirement.

 

BB
*** Rate All Helpful Responses ***
Highlighted
Participant

Re: 3 tier firewall architecture

Hi ,

If i deploy :

1. Internet Edge FW

2. Inernal Fw deploy multi as context FW between Application and database

Can i call 3 tier ?

If we have remote users need to connect our DC,

In security point of view, internet facing device should router or firewall ?

 

 

Everyone's tags (1)
Highlighted
Hall of Fame Guru

Re: 3 tier firewall architecture

There's no one correct answer as the term "3 tier" is not a standards-based term but rather a generally used description. Originally it was used as you allude - to describe an application delivery architecture divided among web, application and database servers or "tiers". Commonly we put security controls between those tiers as well as controls in front of the web tier. So you could call that a "3 tier firewall". But it's not a prescriptive standards-based design.

Some things are best done with routers and other things are better suited for firewalls. An Internet connection for a data center hosting application such as you describe will most often have a router at the outermost "edge". It will primarily route and, to an extent provide some security (such as filtering bogons, IP address spoofing protection with uRPF, rate limiting etc.). It then connects (via a layer 2 switch) to perimeter firewall(s) or potentially directly to an application delivery controller (ADC or "load balancer") which has/have further security controls - classic 5-tuple ACLs, protocol inspection, potentially intrusion prevention (L7 inspection), etc.

Further into the tiers you may have additional firewalls, ADCs or security controls.

In all cases these can be physical or virtual machines. Arguably, none is inherently more or less secure than another. It all has to be part of a coherent design that takes into account the necessary level of protection that should be applied to the assets being protected in the context of the risk profile.

View solution in original post