
I am wondering how many of you who work for LARGE companies have a network architecture that enforces the use of three separate firewalls to get at the data. In other words:

  • Separation of external (internet) parties and a presentation tier by a firewall
  • Separation of presentation and application tier by a firewall
  • Separation of application and data tier by a firewall

In short: Public->Presentation->Application->Data (where each arrow is a firewall)

Here is my problem: I work for a very large US company (75K+ employees) where each environment seems to have a different number of segmentation firewalls. We wanted to standardize our firewall architecture, but:

  1. We can't find any real material to justify the need for three firewalls (as opposed to, say, just a single perimeter firewall).
  2. We can't qualify the value-add of three layers of firewalls.
  3. We can't sort out if this should be an architecture for just internet facing apps, or for ALL applications/appliances/gear.

Any advice?

Dennis Williamson

1 Answer

It depends on what sort of services you're offering outside of your network as well as how much security you need in front of key services. If you've got an e-commerce site that ties into a database backend and handles credit cards, I could easily see three levels of firewalls being required (to meet PCI requirements if nothing else). However, if you're offering simple static content via locked down web servers, it could be as simple as a single set of firewalls that have an outside, inside, and DMZ interface.

Perhaps some more details on your setup? http://www.sans.org has some excellent documents explaining defense-in-depth.

Greeblesnort