3 tier firewall architecture

MrBeginner
Spotlight

Hi,

I am confused: everybody talks about a "3 tier firewall architecture".

Let me know what it is. If I divide the network into 3 zones, applied to three different subnets and three different interfaces, each with its own network, can we call that a 3 tier architecture?

OR must it have a separate physical firewall for each of the web tier, app tier and database tier (3 firewalls in total)?

 


3 Replies

balaji.bandi
Hall of Fame

It all depends on how much security you want to put in place.

Some organisations deploy:

Internet Edge FW

Internal FW

DC FW.

Some people also deploy the DC FW as a multi-context FW between the application, database and other tiers, depending on requirements.

 

BB


Hi,

If I deploy:

1. Internet Edge FW

2. Internal FW deployed as a multi-context FW between application and database

Can I call that 3 tier?

If we have remote users who need to connect to our DC,

from a security point of view, should the internet-facing device be a router or a firewall?

 

 

There's no one correct answer as the term "3 tier" is not a standards-based term but rather a generally used description. Originally it was used as you allude - to describe an application delivery architecture divided among web, application and database servers or "tiers". Commonly we put security controls between those tiers as well as controls in front of the web tier. So you could call that a "3 tier firewall". But it's not a prescriptive standards-based design.

Some things are best done with routers and other things are better suited for firewalls. An Internet connection for a data center hosting application such as you describe will most often have a router at the outermost "edge". It will primarily route and, to an extent provide some security (such as filtering bogons, IP address spoofing protection with uRPF, rate limiting etc.). It then connects (via a layer 2 switch) to perimeter firewall(s) or potentially directly to an application delivery controller (ADC or "load balancer") which has/have further security controls - classic 5-tuple ACLs, protocol inspection, potentially intrusion prevention (L7 inspection), etc.

Further into the tiers you may have additional firewalls, ADCs or security controls.

In all cases these can be physical or virtual machines. Arguably, none is inherently more or less secure than another. It all has to be part of a coherent design that takes into account the necessary level of protection that should be applied to the assets being protected in the context of the risk profile.
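The layered design described in the reply above (an edge router doing bogon filtering and strict uRPF, a perimeter firewall applying a 5-tuple ACL in front of the web tier, and firewall zones between the web, app and database tiers) can be modelled as a packet walk that shows which control drops which kind of traffic. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any product. The addressing (10.1/10.2/10.3 per tier, 203.0.113.0/24 as the DC's public range), the edge FIB, the partial bogon list and every ACL entry are constructed assumptions chosen to illustrate the checks, and the Python tuples stand in for what an IOS access-list or ASA/FTD interface policy would express.

```python
"""Packet walk through a layered "3 tier" design: edge router (bogon filter +
strict uRPF), perimeter firewall (5-tuple ACL in front of the web tier), and an
inter-tier firewall that only lets adjacent tiers talk.  Constructed example;
all addresses, routes and ACL entries are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    ingress: str    # "Gi0/0" = arrived from the Internet, "inside" = originated in the DC


# Assumed security zones behind the perimeter (RFC 1918 space, one /24 per tier).
ZONES = {"web": net("10.1.0.0/24"), "app": net("10.2.0.0/24"), "db": net("10.3.0.0/24")}

# Assumed edge-router FIB: prefix -> egress interface.  Gi0/0 faces the upstream,
# Gi0/1 faces the DC.  203.0.113.0/24 stands in for the DC's public (NAT) range.
EDGE_FIB = {
    net("0.0.0.0/0"): "Gi0/0",
    net("10.0.0.0/8"): "Gi0/1",
    net("203.0.113.0/24"): "Gi0/1",
}

# Sources that must never arrive from the Internet (partial bogon list, assumed).
BOGONS = [net(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Perimeter ACL: (src zone, dst zone, proto, dport) tuples that are permitted.
PERIMETER_ACL = {("outside", "web", "tcp", 443), ("outside", "web", "tcp", 80)}
# Inter-tier ACL: web may only reach app, app may only reach db; db initiates nothing.
TIER_ACL = {("web", "app", "tcp", 8443), ("app", "db", "tcp", 5432)}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, prefix in ZONES.items():
        if addr in prefix:
            return name
    return "outside"


def best_route(ip: str) -> str:
    """Longest-prefix match in EDGE_FIB; returns the egress interface."""
    addr = ipaddress.ip_address(ip)
    return max((p.prefixlen, iface) for p, iface in EDGE_FIB.items() if addr in p)[1]


def edge_router(pkt: Packet) -> Optional[str]:
    """Edge-router checks on Internet-facing traffic; returns a drop reason or None."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in b for b in BOGONS):
        return "edge: bogon source"
    # Strict uRPF: the best route back to the source must leave via the ingress
    # interface, otherwise the source address is spoofed.
    if best_route(pkt.src) != pkt.ingress:
        return "edge: uRPF failed (spoofed source)"
    return None


def acl_permits(acl, pkt: Packet) -> bool:
    return (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport) in acl


def walk(pkt: Packet) -> str:
    """Walks a flow-initiating packet through each control in order.
    Returns "permit" or the control that dropped it and why."""
    if pkt.ingress == "Gi0/0":
        reason = edge_router(pkt)
        if reason:
            return reason
        return "permit" if acl_permits(PERIMETER_ACL, pkt) else "perimeter: denied by ACL"
    # Traffic originating inside the DC never touches the edge; only tier policy applies.
    return "permit" if acl_permits(TIER_ACL, pkt) else "tier: denied between zones"


# Constructed sample flows.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.1.0.10", "tcp", 443, "Gi0/0"),   # client -> web
    Packet("198.51.100.7", "10.2.0.10", "tcp", 8443, "Gi0/0"),  # client -> app directly
    Packet("10.1.0.5", "10.1.0.10", "tcp", 443, "Gi0/0"),       # RFC 1918 source from Internet
    Packet("203.0.113.9", "10.1.0.10", "tcp", 443, "Gi0/0"),    # our own public range, spoofed
    Packet("10.1.0.10", "10.2.0.10", "tcp", 8443, "inside"),    # web -> app
    Packet("10.1.0.10", "10.3.0.10", "tcp", 5432, "inside"),    # web -> db, skipping app
    Packet("10.2.0.10", "10.3.0.10", "tcp", 5432, "inside"),    # app -> db
    Packet("10.3.0.10", "10.2.0.10", "tcp", 8443, "inside"),    # db initiating outbound
]


def run_samples() -> list:
    return [walk(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto} [{pkt.ingress}] {verdict}")
```

The model only evaluates the packet that opens a flow; a stateful firewall admits the return traffic itself, so no reverse entries are needed. The point it makes is the one from the reply: the controls are complementary, not redundant. The edge router catches spoofed sources (including a packet claiming the DC's own public address) before the perimeter firewall ever sees them, the perimeter ACL keeps the Internet off the app and database tiers entirely, and the inter-tier policy means a compromised web server still cannot open a connection to the database without going through the application tier, whether those zones are interfaces on one firewall, separate contexts, or separate boxes.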
