Can you use two hardware firewalls?

Question

There's a common saying that you should not run more than one software firewalls on the same computer at the same time, for example don't use Comodo and Zonealarm firewall on a single computer because both can cause conflicts with each other.

But, I heard you can use two firewalls if the first one is a software firewall and the second is a hardware firewall, so by that clearly we can use a hardware and a software firewall together. But can you use two hardware firewalls on one network?

Let's say a router is acting as a hardware firewall, can I buy a third party hardware firewall, and hook it up to the router and use the router firewall together with the hardware firewall?

Answer 1

Yes and there are several reasons to do so.

Firewalls like other computing devices occasionally have security flaws which need to be patched. If you were to think of two firewalls or firewall pairs (one behind the other) as two layers of defense if the first layer had an issue and was able to be bypassed the second firewall would be able to prevent outsiders from gaining access to your network.

Likewise different types of firewalls can process different types of attacks at different speeds. Hardware-only style devices tend to process packets at a much faster rate than software firewalls but they don't process or block packets as deeply whereas other types of firewalls can block a much larger number of types of attacks because they do inspection either for more items or cover more of the communications that are being filtered. If a client were to deploy both of these they would want the hardware firewall internet-facing to block the largest number of attacks and then have the software firewall behind it blocking attacks at a deeper layer.

Take this a step further and we have specialized Firewall devices such as Web Application Firewalls (WAFs) which only do filtering on http and https. These are almost always used in conjunction with more traditional firewalls in front of them.

Likewise in a cloud environment it is not uncommon to use a primary firewall in front and also run firewall software on each of the computers in what's known as a Zero-Trust model of firewalling which is also effectively two layers (or more).

Note: Zero-Trust firewalling does not have to have a separate firewall in front this is simply a common deployment pattern I see especially in AWS environments.

Finally to dispel said "rule": You can use two software firewalls like IPTables and mod_security (essentially a WAF) on one computer or even have IPTables forward incoming traffic to a second software firewall for further inspection for things like Data Loss Prevention (DLP) or for advanced malware or application filtering. The use of the second software firewall as a WAF is actually very common for people who run software WAF's.

That said having two software firewalls is not common in traditional computing but it's a very legitimate way to add good security controls to a system and as long as you are adding unique security controls into each layer and not negatively impacting your applications I would say it's very wise to do so.

In regards to having a hardware firewall behind the router. This is very similar to how all businesses have their own firewall behind their router and have access-lists on the router. All companies need to secure that external router so effectively almost all companies effectively do have two layers of firewalling even if one is more actively used than the other. I do this myself because the ISP has access to the network router in my house and I don't trust the ISP to secure it. This is very common in business and semi-common for home routers amongst people in the know about security.

You don't get Defense in Depth from a single layer so having a second layer is always wise and I think it would be wise to question this "rule" you mention about one firewall.

BTW: I once saw a bank that used three different pairs of firewalls in a row for it's Internet-facing banking application.

Useful links for comparison:

https://en.wikipedia.org/wiki/Comparison_of_firewalls

https://en.wikipedia.org/wiki/Application_firewall

https://www.modsecurity.org/

Answer 2

Yes, you can use more that one firewall appliance, and that is not at all uncommon. For example, there may be an external firewall in an organization's connection to the Internet and an internal firewall that protects a particularly sensitive subnet, e.g. the R&D or finance subnet.

You can, and generally should, run a software firewall even on a network protected by a firewall appliance.

Answer 3

There is a rule that says "don't use more than one firewall" (software firewalls to be exact).

I'm not aware of any such rule. In fact there are security models which explicitly propagate to put a packet filter firewall first, than an application level gateway and then another packet filter from a different vendor. Combining firewalls from different vendors can increase security if these have different strength.

first one is a software firewall and the second is a hardware firewall,

There is no such thing as a hardware firewall. From the context of your question it looks more that your are talking about dedicated firewall appliances ("hardware firewalls") vs. software on your own system. But such dedicated appliances still have the firewall implemented in software even if sometimes accelerated with software defined hardware like FPGA.

To get to the possible source of your claims (which miss any kind of source): if you have multiple firewall and antivirus software on the same computer they might interact badly with each other because they are not designed to work together with other firewalls or antivirus. But this does not mean that combining firewalls or antivirus is generally bad, it is only the problem if you try to run these on the same computer at the same time.

Answer 4

Your rule of thumb is based on the incompatibility by default of putting one or more traffic modifying filters in the same network stack as any other filters unless the stack enforces a consistent (onion-like) ordering of filter modules.

A common example was relying on separate implementations to perform NAT and VPN tunnel encapsulation.

• If you perform NAT before unencapsulating on incoming packets then you must perform the same NAT policy after encapsulating on outgoing packets and your NAT policy is applying to your external network.

• Doing unencapsulation before NAT on incoming packets is also fine and may be what you need if you need NAT to remap your internal network for differences with the remote site's internal network.

• Applying policies in the same order on both incoming and outgoing traffic will require an impossible policy; it applies to your internal addresses in one direction and external addresses in the other.

So generally, to mix and match modules within a node requires a monolithically designed system or one that has a clear API with ordering guarantees and some obligations not to optimize a module by short-cutting the separation of incoming and outgoing tasks on forwarded packets.

In cases where no guarantee is possible, one uses multiple gateways where each applies its rules consistently such that each intermediate network has a self consistent layout. The combination of gateways and networks provides exactly the same onion like layout between filters so that each is consistent with two momentary views of your traffic.

Some designs of hardware firewalls are embedded in a network interface or rely on virtualization to present normal interfaces to the target OS. These firewalls could coexist with an OS firewall with no issues. In other instances hardware can just be accelerating expensive operations for a firewall that injects hooks throughout the Operating System. Firewalls that rely on such hooks are unlikely to coexist cleanly with any other firewall that does the same thing unless the hooks are part of a carefully designed API.