General discussion


two routers

By davide

I've read several articles that suggest having 2 firewalls before entering your network with a DMZ between the two.

I have a couple questions about that.

1) I assume the 2 firewalls must assume different roles and filter different information, otherwise they would just be unnecessary overhead.

2) What should the roles be?

3) What do I do if I don't have anything to use as a DMZ? Do I simply point all traffic from firewall1 to firewall2?

4) Is it worth it to implement this scenario with only SOHO grade equipment?



by CG IT In reply to two routers

An example of 2 firewalls would be a perimeter such as a router with a firewall and then the Windows firewall on workstations.

A DMZ is an area between the perimeter firewall and the network where public services are available. Best Practice is no external [public] inbound traffic gets to the network, so the DMZ serves that purpose.

Remember what the perimeter network blocks is intrusions or probing. Connection based traffic is always allowed, e.g. a workstation with internet access browses to a web page. The firewall allows the inbound web page because the outbound requested it. The Firewall does not filter or block inbound traffic that was originated by an outbound request.

For SOHO, put a perimeter firewall up and have the Windows firewall on all workstations. That way you have 2 layers of defense as you would with 2 routers.

Routers are used to create networks; they break up large networks into small ones. So unless you need to break up your SOHO into different networks, there's no reason for 2.


by Greybeard770 In reply to two routers

1) You are exactly right. If the firewalls are doing the same thing it is just extra financial and time cost. A good firewall appliance can cost $500 to several thousand dollars.

2) An example would be you have an e-mail gateway server in the DMZ which is only accessible from the WAN side for SMTP (port 25) from the Internet. Another firewall on the LAN side would allow only SMTP traffic to your Exchange server inside - thus protecting your Exchange server. If the e-mail gateway gets compromised it is less likely to hurt anybody else.

3) If you don't have anything to put in the DMZ - don't create a DMZ.

4) Unless you are doing things your SOHO ISP probably doesn't want you doing (web and e-mail services on broadband) you are doing things because you can, not because you need to. But that can still have research value.


by davide In reply to two routers

Here is the scenario.

I have a server that needs to be able to accept connections from the Internet. I have an Internet Backup Server running that clients need to be able to connect to. It uses port 308 and currently is the only port needed (might need to install IIS later on).
I also have a handful of servers, workstations and printers.
If I understand correctly what you are suggesting, I would put this server in the DMZ, blocking all traffic from the WAN except for port 308, and put all the other servers, workstations and printers behind the second firewall, blocking ALL incoming requests from the WAN.

Is this worth the extra money, or should I just remove the second firewall?


by mshavrov In reply to two routers

First of all, you have to draw the picture and decide what, and from what, you want to protect. For example, you want to give access to the "DMZ server". That's OK. But if the "DMZ-Server" is compromised, you don't want the intruder to gain access to your internal resources. So, that's the point of creating a DMZ instead of putting the "Public Server" inside your LAN.

Many "commercial-grade" firewalls have three or more interfaces, which allow you to create DMZ networks. You create separate sets of rules, for example, Outside->DMZ, DMZ->Outside, DMZ->Inside, Inside->DMZ, etc. This will define granular access between these networks.

You can make the same things with "SOHO-grade" firewalls. Just connect the WAN interface to your WAN, the DMZ-server and the WAN interface of the second firewall to the LAN ports, and your PCs to the LAN ports on the second firewall. You may either configure the DHCP on your first firewall to give different IP addresses, or configure your DMZ with static IP addresses.

Then, at the first firewall, you configure whatever access you need to give to your DMZ-Server. Usually "LAN->WAN" access on these firewalls is transparent, and you don't need to do anything. That's how your users will be accessing the Internet.

Good luck,

Michael Shavrov
CCNP, CCDP, CCSP, Security+, MCSE W2K, Solaris, etc.
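The zone-pair rule sets mshavrov describes (Outside->DMZ, DMZ->Inside, and so on), Greybeard770's mail-gateway example, davide's port 308 backup server and CG IT's point that replies to outbound connections pass without their own rule can all be checked against one small policy model. The following is an added example written for this thread, not code from any poster or vendor product: a Python simulator that classifies a packet by source and destination zone, applies first-match rules with an implicit deny, and keeps a state table so reply traffic of permitted connections is allowed. All addresses, host names and port 40001-40007 source ports are constructed for the example; the only port taken from the thread is tcp/308 (and tcp/25 for the SMTP relay).

```python
"""Zone-based stateful firewall policy simulator (constructed example)."""
from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the thread gives no real addresses or hosts.
ZONES = {
    "DMZ": ip_network("192.168.10.0/24"),     # public-facing hosts
    "Inside": ip_network("192.168.20.0/24"),  # servers, workstations, printers
}
BACKUP_SERVER = "192.168.10.5"  # hypothetical DMZ host listening on tcp/308
MAIL_GATEWAY = "192.168.10.6"   # hypothetical DMZ SMTP relay
EXCHANGE = "192.168.20.10"      # hypothetical internal mail server
WORKSTATION = "192.168.20.50"   # hypothetical internal PC


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything not in a known range is Outside."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Outside"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The 5-tuple that reply packets of this connection carry."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port
    src_host: Optional[str] = None  # None matches any host in src_zone
    dst_host: Optional[str] = None  # None matches any host in dst_zone

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == zone_of(f.src)
                and self.dst_zone == zone_of(f.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport)
                and self.src_host in (None, f.src)
                and self.dst_host in (None, f.dst))


# One rule set per zone pair, first match wins; anything unmatched is denied.
# There is deliberately no Outside->Inside rule at all.
POLICY = [
    Rule("Outside", "DMZ", "allow", "tcp", 308, dst_host=BACKUP_SERVER),
    Rule("Outside", "DMZ", "allow", "tcp", 25, dst_host=MAIL_GATEWAY),
    Rule("DMZ", "Inside", "allow", "tcp", 25, src_host=MAIL_GATEWAY, dst_host=EXCHANGE),
    Rule("DMZ", "Outside", "allow", "tcp", 25, src_host=MAIL_GATEWAY),
    Rule("Inside", "DMZ", "allow"),
    Rule("Inside", "Outside", "allow"),
]


class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.state: set[Flow] = set()  # connections already permitted (forward tuple)

    def decide(self, f: Flow):
        """Return (allowed, reason) for one packet and record new connections."""
        # Replies to a connection we allowed earlier pass without a rule lookup.
        # Real stateful firewalls also track TCP flags and timeouts; this model
        # only matches the reversed 5-tuple.
        if f in self.state or f.reverse() in self.state:
            return True, "established"
        for rule in self.policy:
            if rule.matches(f):
                if rule.action == "allow":
                    self.state.add(f)
                return rule.action == "allow", f"rule {rule.src_zone}->{rule.dst_zone}"
        return False, "implicit deny"


def run_scenarios():
    """Evaluate the flows discussed in the thread against the policy."""
    fw = Firewall(POLICY)
    internet_client, web_server = "203.0.113.7", "198.51.100.80"  # constructed
    scenarios = {
        "client -> backup server tcp/308": Flow(internet_client, 40001, BACKUP_SERVER, 308),
        "client -> backup server tcp/80": Flow(internet_client, 40002, BACKUP_SERVER, 80),
        "client -> Exchange tcp/25 directly": Flow(internet_client, 40003, EXCHANGE, 25),
        "compromised backup server -> workstation tcp/445": Flow(BACKUP_SERVER, 40004, WORKSTATION, 445),
        "mail gateway -> Exchange tcp/25": Flow(MAIL_GATEWAY, 40005, EXCHANGE, 25),
        "workstation -> web server tcp/80": Flow(WORKSTATION, 40006, web_server, 80),
        "web server reply -> workstation": Flow(web_server, 80, WORKSTATION, 40006),
        "web server unsolicited -> workstation tcp/3389": Flow(web_server, 40007, WORKSTATION, 3389),
    }
    return {name: fw.decide(flow) for name, flow in scenarios.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name:50} ({reason})")
```

Run it and the two decisions worth staring at are the DMZ->Inside ones: the mail gateway reaches Exchange on tcp/25 because that exact host-to-host rule exists, while a compromised backup server gets an implicit deny towards a workstation, which is the whole reason for putting the public server in a separate zone. The web-server reply is allowed as "established" although there is no Outside->Inside rule; the unsolicited connection from the same web server is not.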


by wlbowers In reply to two routers

Any firewall worth its salt will have the capability of having a DMZ assigned port.

We did what you are planning with a Pix 520. Multiple ports, multiple zones. Tons of configuration possibilities.

Additionally you should have firewalls on each machine inside the LAN.
