Dual Firewall Setup [ FW DMZ FW LAN ]

Question

Hello All,

I am currently building dual firewall network. Seeking for some advise. Am not sure if im doing it wrong. Below is my current network topology. 
 
 1.1.x.x 192.168.1.1 192.168.1.10 
 Internet > EXT Firewall > DMZ Switch > DMZ Servers 
 | 
 192.168.1.2 ( WAN interface ) 
 INT Firewall 
 10.0.0.1 ( LAN interface ) 
 | 
 LAN Switch > DB Server ( 10.0.0.10) (192.168.1.20 DMZ IP ) 
 
 For example, For DMZ server to access the DB from DMZ, it has to be NATted from 192.168.1.20 to 10.0.0.10 to access DB server. Am i doing it right? Or is there any better and proper way to do so?

DouglasFoster · Answer

Your configuration makes sense. On than general encouragement, I am not sure what information you were seeking. 
 I would use UTM for the internal firewall and something else for the external firewall. This allows you to use normal access control lists (rather than DNAT-to-DeadEnd) when you need to block a source-destination pair. 
 The reason for dual firewalls is that even if the bad guys own your DMZ servers, and use them to own your external firewall, they will not own your network because there will be very limited, if any, incoming connections allowed through the internal firewall. 
 There is also an incentive to use two different devices, so that a fatal flaw in the external firewall cannot be exploited equally easily on the internal firewall.

Dual Firewall Setup [ FW > DMZ > FW > LAN ]