The dual-firewall architecture is more complex than the single-firewall architecture, but it is also a more secure overall design and provides for a much more granular level of control over traffic traversing the firewalls. This is because the architecture uses two firewalls, ideally of different vendors and models, to act as exterior and interior firewalls providing a DMZ segment between the two firewalls, as shown in Figure 9-3. Like previous designs, traffic is permitted into the DMZ segment as well as from the internal network to the external network, but no traffic from the external network is permitted directly to the internal network.

Figure 9-3. Dual-Firewall Architecture

The granular control in a dual-firewall architecture comes from the fact that each firewall controls a subset of all the traffic entering and exiting a network. Because untrusted (that is, external) traffic should never be allowed to directly access a trusted (that is, internal) network, the exterior firewall can be configured specifically to grant access to and from the DMZ segment and external systems. Similarly, the interior firewall can be configured to grant access to and from the DMZ segment and internal resources. This allows for the creation of two distinct and independent points of control of all traffic into and out of all corporate network segments, whether they are DMZ segments or internal network segments. When a dual-firewall architecture is implemented with different firewall models (for example, a Cisco PIX Firewall and a Microsoft ISA Server firewall), you also gain additional security because an attacker would need to compromise two separate firewalls (which will likely not be susceptible to the same attack methods) to gain access to protected resources. In addition, an attacker also needs to be knowledgeable in the workings of two different types of firewalls to tamper with the configurations.
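As an added example, not from the book, the following Python models the two firewalls of Figure 9-3 as zone-based, first-match policies and checks the property the design depends on: a flow from the external network to the internal network must be permitted by both firewalls, so a mistaken permit on one of them does not by itself open the path. The zone names, address ranges and rules are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (not from the book): RFC 5737 test range for the
# DMZ, RFC 1918 space inside; anything else is treated as external.
ZONES = {"internal": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}

def zone_of(addr):
    """Map an address to its zone; addresses outside both ranges are external."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def firewalls_on_path(src_zone, dst_zone):
    """Exterior firewall faces the external network, interior faces the internal
    network; a flow crosses each firewall whose zone it touches."""
    path = []
    if "external" in (src_zone, dst_zone):
        path.append("exterior")
    if "internal" in (src_zone, dst_zone):
        path.append("interior")
    return path  # external<->internal crosses both; same-zone traffic crosses none

def permitted(rules, src_zone, dst_zone, port):
    """First-match evaluation with an implicit deny. Rule: (action, src, dst, port)."""
    for action, src, dst, rule_port in rules:
        if src == src_zone and dst == dst_zone and rule_port in ("any", port):
            return action == "permit"
    return False

def flow_allowed(policy, src_ip, dst_ip, port):
    """A flow is allowed only if every firewall on its path permits it."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    return all(permitted(policy[fw], sz, dz, port) for fw in firewalls_on_path(sz, dz))

def audit_policy(policy):
    """Flag any rule on either firewall that grants external->internal directly,
    which the dual-firewall design says should never appear."""
    return [(fw, rule) for fw, rules in policy.items() for rule in rules
            if rule[0] == "permit" and rule[1:3] == ("external", "internal")]

# Constructed policy: the exterior firewall admits HTTPS to the DMZ and lets DMZ
# and internal hosts out; the interior firewall lets the DMZ reach only the
# internal database port and lets internal users reach the DMZ and the outside.
POLICY = {
    "exterior": [("permit", "external", "dmz", 443), ("permit", "dmz", "external", "any"),
                 ("permit", "internal", "external", "any")],
    "interior": [("permit", "dmz", "internal", 5432), ("permit", "internal", "dmz", "any"),
                 ("permit", "internal", "external", "any")],
}
```

Adding a stray external-to-internal permit to one firewall is caught by `audit_policy`, and `flow_allowed` still denies the flow because the other firewall never permitted it.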
The downsides of a dual-firewall architecture relate to implementation complexity and cost. With regard to complexity, a dual-firewall architecture frequently requires that some form of routing be implemented in the DMZ segment so that resources in the DMZ segment can send external-destined traffic to the exterior firewall and internal-destined traffic to the interior firewall. Although many companies just use static routing statements on the servers themselves, the larger the number of servers in the DMZ, the more difficult it becomes to manage and maintain so many routing statements. Routers can be used instead, so that the administrator only has to update the router with new routes, but routing protocols should be avoided on the DMZ segment, because an attacker can potentially use the information exchanged by the routing protocol to gain insight into the internal network topology and structure. Aside from the obvious costs related to implementing and maintaining multiple firewalls, it is also more expensive to implement and manage a dual-firewall architecture because you need people who understand multiple firewall technologies. Because of the cost and complexity of the dual-firewall architecture, it is typically implemented in environments with critical security requirements such as banking, government, finance, and larger medical organizations.