How many firewalls do you need




















The easy answer is the number of firewalls required to protect your perimeter. The right answer is the number of firewalls required for all entry points — perimeter and internal. Internal threats are often more dangerous than external. Now you must protect multiple segments of your enterprise network. The perimeter is just the start.

I suppose two firewalls could also have trouble working together. It would be nice to know of a concrete instance where two firewalls in series actually saved the day or conversely were of no help whatsoever against a well-crafted attack.

Due to the nature of the beast, the first case is likely to be rare and undocumented, the second case is likely to have occurred quite a few times e. Isn't the encapsulation supposed to be transparent?

The main disadvantage is cost and maintenance, but in my opinion the advantages outweigh these.

Dog eat cat world

No, the main disadvantage is that you've added another single point of failure in your network. Also, point of note, but almost all industry-grade firewalls in the market nowadays can handle a DMZ setup with only a single firewall box by maintaining different networks on different Ethernet ports.

If you worry about single points of failure, redundancy is the option. In this case, single points of failure are not "random", as it is initiated by malicious intent.

What is worse? A denial of service disrupting the whole network, or just the external network?

As a rule, no. This is why I give a specific situation in my question. Let's say that an attacker has some exploit for this firewall and he is able to bypass it. In this case I think that the second FW will be able to prevent the attack.

As a rule, you don't exploit a firewall. There's no code you can download that will defeat Juniper firewalls or Cisco firewalls. You bypass a firewall by tunneling your traffic over connections that the firewall is already configured to allow.

Kiwy you will find that you attack a connection that already accepts you. For a giggle, see strangecharmed.

Tylerl I think the NSA would disagree, it's entirely possible to download software to the firewall that'd compromise it.

Ali Ahmad

Although a valid point, the question stipulates firewalls "after" each other, and not in a HA setup.

Well, it mainly depends on what you secure. If I must secure a server with highly confidential data, in this case it will be better to use two.

If the data is so highly confidential as to be disastrous if it leaked, you'd be looking at more than just "putting in a firewall"; right up to formal verification of the server software, for instance.

Steffen Ullrich

Firewalls are one of the oldest computer security defenses that continue to remain a crucial foundation of network protection today. A firewall must be correctly installed, updated, and maintained. Firewall rules must also be reviewed semiannually.

There is some validity to this question. Look at it from this perspective: Would you rather have to learn two different interfaces to manage two firewalls or use just one interface to manage two firewalls? Look at the vulnerabilities reported by the vendor and the security community on the firewall you're currently using. Compare this against the other firewalls you consider.

See which has had the most problems and how quickly they were resolved. One way to see what it is like to manage a dual-firewall situation is to ask your current vendor to loan you one to test this configuration. Most should, it's a reasonable request. Another option is to look at one of the bootable Linux firewall distributions that run from CD and use a floppy to store the configuration.


