Dual Firewall Setup [ FW > DMZ > FW > LAN ]

Hi Samuel,

I don't understand why you would want the complexity of a second device since everything you've described can be done more easily with a single UTM.

Cheers - Bob

Hi Bob,

Its a govt standard for certain organisation to have dual firewall.

Your configuration makes sense. On than general encouragement, I am not sure what information you were seeking.

I would use UTM for the internal firewall and something else for the external firewall.  This allows you to use normal access control lists (rather than DNAT-to-DeadEnd) when you need to block a source-destination pair.

The reason for dual firewalls is that even if the bad guys own your DMZ servers, and use them to own your external firewall, they will not own your network because there will be very limited, if any, incoming connections allowed through the internal firewall. 

There is also an incentive to use two different devices, so that a fatal flaw in the external firewall cannot be exploited equally easily on the internal firewall.

Doug, I don't understand why the same level of security can't be provided with a DMZ and the internal LAN connected to the UTM on different interfaces.  The only factor I can see is that having two separate devices managed by two different people ensures that one person cannot create a security hole alone.  If someone leaves their firewall open to be owned by a device in the DMZ, the organization hired the wrong person and the wrong supervisor.

That said, a government regulation is a good reason.  Just because I'm skeptical of the justification for the regulation doesn't mean it can be ignored!

Cheers - Bob

Doug, I don't understand why the same level of security can't be provided with a DMZ and the internal LAN connected to the UTM on different interfaces.  The only factor I can see is that having two separate devices managed by two different people ensures that one person cannot create a security hole alone.  If someone leaves their firewall open to be owned by a device in the DMZ, the organization hired the wrong person and the wrong supervisor.

That said, a government regulation is a good reason.  Just because I'm skeptical of the justification for the regulation doesn't mean it can be ignored!

Cheers - Bob

This question brought back memories of the first time that I heard the term "DMZ".   It described a DMZ architecture as some internet-accessible servers between two firewalls.   The article was actually pointing out ways that even a dual-firewall configuration can be defeated, but the concept made sense.

These are the perceived problems with a single firewall:

1. (Most difficult) A critical bug exploit in the firewall allows the attacker to seize control of the firewall directly.   If you only have one firewall with three interfaces, a successful capture of the firewall gives the attacker an unrestricted opportunity to attack the internal network.
   
   
2. (Somewhat less difficult):   The attacker penetrates a DMZ server, and then uses the victim server to attack the firewall.   The firewall will be softer on the DMZ side than on the internet side, so the opportunities for attack escalation are proportionately higher.  Once the only firewall is penetrated, the internal network is exposed.

With two firewalls:

If attack 1 is used successfully on the first phase, that attack method is likely to fail if the second firewall is a different model.

Whichever attack is used in phase 1, it provides little or no help for phase 2 because the second firewall treats inbound connections from the DMZ as untrusted.   Minimizing the number of open ports from DMZ to internal is essential to any defense architecture.  

I don't like the DNAT-to-DeadEnd workaround, so if you are buying two different firewall models, I think UTM is better suited as the interior device.

I was not saying that the two-firewall method is the only valid one, but I understand why the government thinks it is important. 

Yes, agreed that I understand why the two-firewall method might be required.  I suspect that that is an old requirement, not a recently-enacted one.

I don't agree that the DMZ interface should be "softer" than the WAN interface - there should be no ports open to the LAN from there.  I bet you can find a different, more-secure solution for any "need" for an open port.

Interesting discussion!

Cheers - Bob

Hello,

There are various way i can connect with dual setup. I can do a dual nic DMZ server and have them do static route to INT firewall as gate way, I can do it by per VLAN by servers and have firewall control every single port and rules or by NAT to access internal servers. Im trying to find the most secure way. The most secure means less flaw. I understand there are always risk whenever routed subnet exist. Im trying to minimize the risk. We are also running a decent brocade L3 switches. Question is, ppl tend to challenge whatever came in min. Example 

1. What is someone hack DMZ server and DMZ server always have a NAT rules to backend server, means hacker can access backend server from the DMZ server

2. What if someone have access to DMZ subnet, means they can do an ip scan on NAT ip to access backend server

3. IF DMZ server has a static route to backend servers, what is the point of firewall and using dual layer if someone gain access to DMZ server?

There are more question challenging the infra and network security. Im not a network security guys but im trying to do it right and minimize the risk.