Are two firewalls better than one?

  • Let's say that our first firewall has some vulnerability and a malicious person is able to exploit it. If there's a second firewall after it, he/she should be able to stop the attack, right?

    Also, what will be the side-effects? I mean, would this slow the traffic or not? What are other possible effects like this one?

    Here is what I mean for configuration:

    • Firewall 1 → Firewall 2 → Network
    • Firewall 1 is different from Firewall 2

    @naught101 Better use socks with holes in different places as a metaphor, since condoms are known for tearing from friction against each other. I suppose two firewalls could also have trouble working together.

It would be nice to know of a concrete instance where two firewalls in series actually saved the day or conversely were of no help whatsoever against a well-crafted attack. Due to the nature of the beast, the first case is likely to be rare and undocumented, the second case is likely to have occurred quite a few times (e.g. via successful drive-by download attack).

    @user1306322, Why will two firewalls have trouble working together? Isn't the encapsulation supposed to be transparent?

  • DMZ

    There are both advantages and disadvantages having two firewalls. While firewalls are not commonly exploited, they are prone to denial of service attacks.

    In a topology with a single firewall serving both internal and external users (LAN and WAN), it acts as a shared resource for these two zones. Due to limited computing power, a denial of service attack on the firewall from WAN can disrupt services on the LAN.

    In a topology with two firewalls, you protect internal services on the LAN from denial of service attacks on the perimeter firewall.

    Of course, having two firewalls will also increase administrative complexity - you need to maintain two different firewall policies + backup and patching.

Some administrators prefer to only filter ingress traffic - this simplifies the firewall policy. The other practice is to maintain two separate rulesets with both outbound and inbound filtering. If you need an opening from LAN to WAN, you will have to implement the rule on both firewalls. The rationale behind this is that a single error will not expose the whole network, only the parts the firewall is serving directly. The same error has to be done twice.

The main disadvantage is cost and maintenance, but in my opinion the advantages outweigh these.

    No, the main disadvantage is that you've added another single point of failure in your network.

    Also, point of note, but almost all industry-grade firewalls in the market nowadays can handle a DMZ setup with only a single firewall box by maintaining different networks on different ethernet ports.

If you worry about single points of failure, redundancy is the option. In this case, single points of failure are not "random", as they are initiated by malicious intent. What is worse? A denial of service disrupting the whole network, or just the external network?
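To make the answer's point concrete (two independent rulesets mean a LAN-to-WAN opening has to be added on both firewalls, and a single mistaken rule only exposes what that firewall serves directly), here is an added Python model. It is not from the original post and does not reproduce any real firewall product; the addresses, rulesets and the "mistake" rule are constructed for illustration. It models first-match-wins filtering with a default-deny policy, and follows the question's topology (Firewall 1 → Firewall 2 → Network) with the DMZ between the two firewalls, so DMZ traffic crosses only the perimeter firewall while LAN traffic must pass both.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing: 10.0.0.0/24 is the LAN, 192.0.2.0/24 the DMZ
# (RFC 5737 documentation range); everything else counts as "the WAN".
LAN = "10.0.0.0/24"
DMZ = "192.0.2.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str        # "in" = towards the inside, "out" = towards the WAN


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """First matching rule wins; with no match the default policy (deny) applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def in_series(path: List[List[Rule]], p: Packet) -> str:
    """A packet reaches its destination only if every firewall on its path accepts it."""
    return "ACCEPT" if all(evaluate(rules, p) == "ACCEPT" for rules in path) else "DROP"


# Perimeter firewall (FW1): publishes the DMZ web server, lets the LAN out on 443 only.
PERIMETER = [
    Rule("in", ANY, "192.0.2.10/32", 443, "ACCEPT"),
    Rule("out", LAN, ANY, 443, "ACCEPT"),
]
# Inner firewall (FW2), maintained as a separate ruleset: nothing inbound, LAN out on 443.
INNER = [
    Rule("out", LAN, ANY, 443, "ACCEPT"),
]
# Constructed operator mistake: an inbound allow towards the LAN that ended up on the
# perimeter firewall (for example a rule that was meant for a DMZ host).
MISTAKE = Rule("in", ANY, LAN, 8080, "ACCEPT")


def outcomes() -> Dict[str, str]:
    """Decisions for a few constructed packets, with one and with two firewalls."""
    wan_to_lan = Packet("203.0.113.7", "10.0.0.5", 8080, "in")
    wan_to_dmz = Packet("203.0.113.7", "192.0.2.10", 443, "in")
    lan_https = Packet("10.0.0.5", "198.51.100.1", 443, "out")
    lan_http = Packet("10.0.0.5", "198.51.100.1", 80, "out")
    fw1_bad = [MISTAKE] + PERIMETER
    # A new LAN->WAN opening added on FW1 only, i.e. not repeated on FW2.
    fw1_http = PERIMETER + [Rule("out", LAN, ANY, 80, "ACCEPT")]
    return {
        "dmz_web_published": in_series([PERIMETER], wan_to_dmz),
        "mistake_single_firewall": in_series([fw1_bad], wan_to_lan),
        "mistake_with_inner_fw": in_series([fw1_bad, INNER], wan_to_lan),
        "lan_https_both_firewalls": in_series([PERIMETER, INNER], lan_https),
        "lan_http_rule_on_fw1_only": in_series([fw1_http, INNER], lan_http),
    }


if __name__ == "__main__":
    for name, decision in outcomes().items():
        print(f"{name:28s} {decision}")
```

With a single firewall the mistaken rule exposes the LAN host (`mistake_single_firewall` is `ACCEPT`); with the inner firewall in place the same packet is still dropped, because the error would have to be repeated on the second ruleset. The flip side is the administrative cost the answer mentions: the port 80 opening added only on FW1 does not work until the matching rule is added on FW2 as well.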

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
