What is the benefit of having a DMZ setup with two firewalls?
If we have a DMZ setup with two firewalls (I don't know if this design is valid and an adopted design, I found it on the net).
If this is a valid design, from the local LAN how does the traffic flow to outside (10.0.10.0/24 to internet) and from outside to the local LAN 10.0.10.0/24?
One thing is the amount of load on the firewall. With two you're splitting some of the traffic off and the outer one is taking the brunt of the external attacks. In the modern world with next-gen firewalls that are sized appropriately, either design will work. I don't see a problem with the collapsed DMZ model, e.g. one firewall with the DMZ branched off.
As long as they are configured correctly :).
Just my thoughts,
That's a bit difficult, as it depends on what you are using the DMZ for and what type of services are contained within it.
In a basic setup, traffic from outside is only allowed access to the DMZ. More modern designs use the DMZ for such devices as reverse proxies, FTP servers, RDS and VDI gateways, etc.
If you are twin firewalling for added intrusion prevention as @Otakar.Klier suggested, then the DMZ just becomes a stub network.
In the twin firewalling case, how does the local LAN network traffic flow to outside?
Sorry, I really don't understand the twin firewalling case.
If I am going for twin firewalling, how does the traffic flow from inside to outside and to the DMZ?
Once again there are many variations, but in your picture 1, traffic from the LAN will go through both firewalls to the internet.
LAN traffic to the DMZ will only traverse firewall B.
Traffic from the internet to the DMZ will only traverse firewall A.
Traffic from the internet to the LAN (not recommended) will first traverse firewall A and then firewall B.
If you don't understand it then you probably won't need it.
To add to my previous post...
For LAN traffic to the internet:
Firewall B will need to be the default gateway for the LAN.
Firewall A will need to be the default gateway for firewall B.
Firewall B will be aware of the DMZ so will not use the default gateway for it.
My explanation is very, very basic, but you will need to add various routes and NAT for this to perform correctly/securely.
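As an added illustration (not part of the thread), here is a small Python model of the flows described in the two posts above: next-hop tables for the Internet - firewall A - DMZ - firewall B - LAN layout, plus a zone-pair policy on each firewall. The node names, routes and policy sets are constructed for the example and NAT is left out.

```python
"""Twin-firewall DMZ model: Internet - fwA - DMZ - fwB - LAN (constructed example)."""

# Next-hop table per node. fwB is the LAN's default gateway, fwA is fwB's
# default gateway, and both firewalls have the DMZ directly attached, so
# fwB reaches the DMZ without using its default route.
NEXT_HOP = {
    "lan":      {"default": "fwB"},
    "fwB":      {"lan": "lan", "dmz": "dmz", "default": "fwA"},
    "fwA":      {"dmz": "dmz", "lan": "fwB", "default": "internet"},
    "internet": {"default": "fwA"},
    "dmz":      {"lan": "fwB", "default": "fwA"},
}

# Stateful policy per firewall: (source zone, destination zone) pairs that may
# initiate a session. Constructed values; real rules would also carry NAT.
POLICY = {
    "fwA": {("lan", "internet"), ("dmz", "internet"), ("internet", "dmz")},
    "fwB": {("lan", "internet"), ("lan", "dmz")},
}


def path(src, dst):
    """Walk next-hop tables from src until dst is reached; return the node list."""
    hops, node = [src], src
    while node != dst:
        table = NEXT_HOP[node]
        node = table.get(dst, table["default"])
        if node in hops:
            raise RuntimeError(f"routing loop between {src} and {dst}")
        hops.append(node)
    return hops


def firewalls_on_path(src, dst):
    """Which firewalls a session from src to dst must traverse."""
    return [n for n in path(src, dst) if n.startswith("fw")]


def allowed(src, dst):
    """A session is permitted only if every firewall on its path permits it."""
    return all((src, dst) in POLICY[fw] for fw in firewalls_on_path(src, dst))


if __name__ == "__main__":
    for flow in [("lan", "internet"), ("lan", "dmz"), ("internet", "dmz"),
                 ("internet", "lan"), ("dmz", "lan")]:
        print(flow, "via", firewalls_on_path(*flow), "allowed:", allowed(*flow))
```

The last two flows show the point made later in the thread: internet-to-LAN is dropped by firewall A and DMZ-to-LAN by firewall B, so a session can reach the DMZ but go no further.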
Yes, in your diagram 1 the LAN traffic will route across the DMZ to the internet, and your incoming traffic from the internet to the LAN will take the same route.
We do not allow this on our network for security reasons, but it's up to you.
For your drawing 1 I would do as below.
This way the DMZ is independent of your outgoing traffic flow.
The objective of a DMZ is to allow sessions to it but no further.
You do not need the DMZ on both firewalls; you could have it on just one as per drawing 2, but this option will eliminate the trombone effect on the DMZ interface.
Please excuse my doodle, it's an iPad.