Multiple firewall installations

By dravensc
In the UK Financial Services and government environment it seems that companies are installing two firewalls from different vendors. I can't understand the logic of putting in, for example, a Pix firewall in front of Firewall One when the differences are so few. Can anyone justify why anyone would go this route?


by JamesRL In reply to Multiple firewall install ...

You don't put one over the other; you have two internet connections and two different firewalls (primary and secondary). In the case that you get a denial of service attack or are exposed because of a vulnerability on your primary, you shut it down and use your secondary until you have resolved the issue.

At one of my previous employers we had this situation: general internet access was through one router, and email and EDI through another. If need be we could reroute everything through one.



by afram In reply to Easy

Checkpoint has some firewall-like devices that are meant to be installed between switches. This is so damage by hackers/viruses/etc. does not get past the one switch.

Some companies use 2 firewalls as failover. If one is being updated or is down for maintenance, the other one still protects the network.

And it has happened to me

by JamesRL In reply to outbreak

That one firewall experiences an issue with, say, email transfers, gets hung up, and if not for the "other" firewall, there is no way to reroute traffic out.

Behind Each Other

by walesman In reply to And it has happened to me

The purpose of putting a firewall behind a firewall is the fact that none of them are absolutely secure. Most banks will have, say, a Symantec VelociRaptor behind a Checkpoint NG system. This gives good protection against any vulnerabilities found in the main internet-facing firewall.


by ssgduff In reply to Easy

If you are needing to overlap firewalls, such as Checkpoint and Pix, or Netscreen and VR, sure, go ahead. You can also have firewalls on different routes on different ISPs, and you can overlap them as well.

Just make sure when and if you overlap that it is not the same type of firewall, and when you update one with a rule change, make sure both layers have the changes. Nothing like opening FTP on the internal firewall and no FTP is working because the outer firewall is still not allowing it.

The reason for overlapping is in case a vulnerability is found in the outer. But do you really want to spend the money on VR or any major firewall when your outer firewall is NG, PIX or whatever your flavor may be? There are some incredibly low cost, very secure firewall companies who do nothing but make and market secondary firewalls just for such purposes. Think about budget vs. security: 30,000 for a firewall deployment, times 2 for two major OS-independent firewall solutions, when you can buy a secondary firewall solution in an HA pair with rack mount hardware, license, even the cables for 1500 out the door.
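The rule-mirroring problem above (a port opened on the inner firewall that the outer firewall still blocks) is mechanical enough to check automatically. The script below is an added example, not code from this thread or from any of the vendors named in it: it models each layer as a vendor-neutral, first-match, default-deny rule list (an assumption; real products differ in evaluation order and implicit rules), walks a set of constructed sample flows through both layers, and reports flows the inner layer allows but the outer layer never lets through. Addresses, rules and flows are all made up.

```python
"""Audit two layered firewall policies (outer and inner) for rule changes
that were applied to one layer but not mirrored on the other.

Constructed, vendor-neutral model: rules are evaluated top to bottom,
first match wins, and an unmatched flow hits an implicit default deny.
All rule sets and sample flows below are made up for this example."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Rule: (action, proto, src_cidr, dst_cidr, port_low, port_high)
Rule = Tuple[str, str, str, str, int, int]
# Flow: (proto, src_ip, dst_ip, dst_port)
Flow = Tuple[str, str, str, int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's protocol, addresses and port range."""
    _, proto, src, dst, lo, hi = rule
    fproto, fsrc, fdst, fport = flow
    return ((proto == "any" or proto == fproto)
            and ip_address(fsrc) in ip_network(src)
            and ip_address(fdst) in ip_network(dst)
            and lo <= fport <= hi)


def decide(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit trailing deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule[0]
    return "deny"


def audit(outer: List[Rule], inner: List[Rule], flows: List[Flow]) -> Dict[Flow, str]:
    """Classify each flow by how the two layers treat it."""
    verdicts: Dict[Flow, str] = {}
    for flow in flows:
        o, i = decide(outer, flow), decide(inner, flow)
        if o == "allow" and i == "allow":
            verdicts[flow] = "allowed end to end"
        elif o == "deny" and i == "allow":
            # The case from the thread: opened on the inner box, still
            # blocked on the outer one, so the change has no effect.
            verdicts[flow] = "inner allows but outer blocks: change not mirrored"
        elif o == "allow" and i == "deny":
            verdicts[flow] = "outer allows but inner blocks: inner layer stricter"
        else:
            verdicts[flow] = "blocked at both layers"
    return verdicts


def unmirrored(outer: List[Rule], inner: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the inner layer opened that the outer layer never lets through."""
    return [f for f, v in audit(outer, inner, flows).items()
            if v.startswith("inner allows")]


# Constructed sample policies. The DMZ is 192.0.2.0/24 (documentation range).
OUTER: List[Rule] = [
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 80, 80),
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443, 443),
    ("allow", "udp", "0.0.0.0/0", "192.0.2.53/32", 53, 53),
]
INNER: List[Rule] = [
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 80, 80),
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443, 443),
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.20/32", 21, 21),  # FTP opened here only
    ("deny", "udp", "0.0.0.0/0", "192.0.2.0/24", 53, 53),    # inner refuses DNS
]
FLOWS: List[Flow] = [
    ("tcp", "198.51.100.7", "192.0.2.10", 443),
    ("tcp", "198.51.100.7", "192.0.2.20", 21),
    ("udp", "198.51.100.7", "192.0.2.53", 53),
    ("tcp", "198.51.100.7", "192.0.2.10", 22),
]

if __name__ == "__main__":
    for flow, verdict in audit(OUTER, INNER, FLOWS).items():
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}: {verdict}")
```

Running it flags the FTP flow to 192.0.2.20 as opened on the inner layer but still dropped by the outer one, which is exactly the symptom described above. The reverse case (outer allows, inner denies) is reported separately because it is the intended shape of a layered design, not a mistake; the inner box being stricter is the whole point of having it.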

by ayotunde In reply to Easy

Whatever happened to firewall with failover? In any case, I have two firewalls on my network, one a Pix with failover and another a software (Unix) firewall. I think it all boils down to how much important data you have and what you're willing to do to secure it.

Two routers in line for extra protection

by jdclyde In reply to Multiple firewall install ...

Every product has an exploit, even firewalls.

Once someone knows what your firewall is, it isn't that hard to get around it.

If you have a second firewall from a different vendor, it will have different exploits than the first one.

Layered security.
