No, you are not wrong regarding your security concerns. No matter how many firewalls you have and what flavour they are, you cannot guarantee with your life that something cannot penetrate your defenses. You can throw all the security scans in the world at it, but they will not test for unknown, yet-to-be-developed threats. Who knows what's around the corner? But you can do your best, nothing else.

In your example of a web server in the DMZ, it is very unlikely that a hacker can get onto the server via HTTPS and then jump to the private network. However, your private users have access to the server, and an attacker on a compromised DMZ server could piggyback on, or inject pages into, your private users' return traffic, as this is how stateful firewalls work. The above is a wild, over-imaginative view of what may happen, but it is an overview of what could happen. We do not allow web servers in the DMZ because of the possibility of the above.

As in my previous post, we only have reverse proxies, RDP gateways and load balancers, plus some FTP stuff, in our DMZ. We do have different brand firewalls, but this is not for security, more budget. Our private net to DMZ only does IP and port and a bit of NAT.

I have gone on a bit, but if you are using web servers in the DMZ then there is no major security advantage in twin firewalls; if you have tens of thousands of sessions then perhaps yes. It all depends on your setup.
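The kind of inner-firewall policy the post describes (reverse proxy in the DMZ, private net to DMZ only filtered by IP and port, plus a bit of NAT), written out as an nftables ruleset. This is an added example, not the poster's configuration; the addresses, interface names and the backend port 8443 are assumptions chosen for illustration (RFC 5737 documentation ranges for the public and DMZ sides, 10.0.0.0/8 for the private side). The `ct state established,related accept` line is the stateful behaviour the post refers to: once a private user opens a session to the DMZ host, that host's replies flow back through the firewall unfiltered, so a compromised proxy can answer those sessions however it likes. What the ruleset can do is stop the DMZ host from initiating anything else towards the private net, which is why the DMZ-to-private rule names exactly one source, one destination and one port.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post). Hypothetical layout:
#   eth0 = outside (public IP 203.0.113.5)
#   eth1 = DMZ 192.0.2.0/24, reverse proxy at 192.0.2.10, RDP gateway at 192.0.2.20
#   eth2 = private 10.0.0.0/8, internal web backend at 10.10.0.20:8443
flush ruleset

table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful part: replies on sessions already permitted below pass in
        # either direction. This is what lets a compromised DMZ host talk back
        # to private users inside the sessions those users opened to it.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ reverse proxy: HTTPS only.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 accept

        # DMZ -> private: a single source, a single destination, a single port.
        # Nothing else from the DMZ may open a connection inwards.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 \
            ip daddr 10.10.0.20 tcp dport 8443 accept

        # Private users -> DMZ: HTTPS to the proxy and RDP to the gateway.
        iifname "eth2" oifname "eth1" ip saddr 10.0.0.0/8 \
            ip daddr 192.0.2.10 tcp dport 443 accept
        iifname "eth2" oifname "eth1" ip saddr 10.0.0.0/8 \
            ip daddr 192.0.2.20 tcp dport 3389 accept

        # Everything else, including any new connection a DMZ host tries to
        # start towards the private net, is logged and dropped by policy.
        counter log prefix "fw-drop: " drop
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # "A bit of NAT": publish the reverse proxy on the public address.
        iifname "eth0" ip daddr 203.0.113.5 tcp dport 443 dnat ip to 192.0.2.10
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide DMZ and private sources behind the public address on the way out.
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and check the counter on the final drop rule after a few minutes of traffic; anything from eth1 towards eth2 that is not the proxy-to-backend flow showing up in the `fw-drop:` log lines is exactly the lateral movement the two-firewall debate is about.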