
We have a webservice border gateway in the DMZ that handles incoming and outgoing webservice requests in terms of authentication and security.

We have two network interfaces in place: one is called 'dirty' and is used for traffic to and from the internet, the other one is called 'clean' and is used for traffic to and from the intranet. However, the dirty interface still has an internal IP address. There is a public IP address configured on the firewall, which performs NAT to forward requests to the dirty interface.

I'm wondering now what the benefit of such an architecture is. Is there really an advantage in having a dirty and a clean interface? I could see the security advantage if the dirty interface had a public IP address directly, but in our scenario I don't get the benefit of splitting clean and dirty traffic...

Rory Alsop
pfust75

2 Answers

The two-interface (aka two-tiered firewall) architecture is all about defense in depth for your internal network. The dirty and clean scenario makes traffic go through 2 different sets of firewalls. The internet-facing firewalls protect your DMZ against external threats, while your internal firewalls protect your internal network from potentially compromised DMZ systems.

The thought behind having two sets of firewalls is that if the Internet-facing firewalls become compromised, or if somebody accidentally opens up too much access, the inner set of firewalls will still protect your core network. Quite often the 2 sets of firewalls will be from different manufacturers so that no single exploit will compromise both sets of firewalls. With one set of firewalls you are putting all your eggs in one basket.

You don't have to have two interfaces, but there are advantages:

  1. Measurements: keeping the dirty and clean traffic separate means you can measure the quantity of the two types of traffic.
  2. Network simplicity: it's somewhat easier to keep routing straight with two interfaces.
  3. Minimize the mixing of dirty and clean traffic: the goal is to reduce the traffic that directly transits between the external and internal firewalls, and to force all traffic through a device in order to transit between the tiers. Ideally no traffic will travel directly between the internal and external firewalls; web traffic will go through a proxy, for example. The thought is that the more devices traffic has to travel through, the more chances there are to stop malicious traffic.

The downside to it is increased complexity and management overhead. It also rarely makes a difference to a company's IT security, so it often seems like it's a lot of work for no benefit.

However, it makes a difference often enough that it's generally worth doing. It also makes auditors happy; you'd need a lot of justification to show that having a single tier is sufficient for your organization, especially since somebody thought that your organization needs two sets of firewalls to begin with.

GdD
  • Thanks. But why do I need two different network interfaces for a two-tiered scenario? I could imagine a scenario with only one internal IP on the gateway and a NAT rule on the external firewall which forwards requests originally targeting the external public IP address to the internal IP address on the gateway... And obviously, the internal IP address is known by clients from the intranet. – pfust75 Oct 08 '12 at 09:18
  • @pfust75, see my edit. – GdD Oct 08 '12 at 09:28

Since your DMZ host is basically a firewall, the design you described does not make sense; you are completely right. This is no better than a one-interface firewall (which is the weakest possible architecture).

When using a 2-interface firewall, the two interfaces have to be on different networks, e.g. "internet" and the DMZ, or the DMZ and the intranet.

At the same time, this confused design does not really do any harm; perhaps this is a historical architecture mishap of some kind.

Vitaly Osipov
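As an added example (not from the question or either answer), here is what GdD's point 3 ("force all traffic through a device") and Vitaly Osipov's requirement that the two interfaces sit on different networks look like on the gateway host itself: an nftables ruleset plus one sysctl. Everything concrete in it is assumed for illustration: the interface names `dirty` and `clean` come from the question, but the subnets 10.1.0.0/24 (dirty side, reached through the outer firewall's NAT) and 10.2.0.0/24 (clean side, reached directly by intranet clients), the listener ports 443 and 8443, and the internal backend 10.2.0.50:8080 are made up. The outer firewall's DNAT from the public IP to 10.1.0.10 stays as it is; the point is that with this host's forwarding disabled, nothing can cross from the dirty subnet to the clean subnet without terminating on the gateway application first.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original thread.
# Assumed addressing: "dirty" = 10.1.0.10/24 (behind the outer firewall's NAT),
#                     "clean" = 10.2.0.10/24 (a different subnet, facing the intranet).
# Also run once: sysctl -w net.ipv4.ip_forward=0
# (the forward chain below is an independent second guard against routing between the two sides)

flush ruleset

table inet wsgw {
    # Named counters give the per-direction volumes GdD's point 1 talks about:
    # read them with `nft list counters`.
    counter dirty_in  { packets 0 bytes 0 }
    counter dirty_out { packets 0 bytes 0 }
    counter clean_in  { packets 0 bytes 0 }
    counter clean_out { packets 0 bytes 0 }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # internet side: only the NATed gateway listener is reachable, nothing else on the host
        iifname "dirty" ip daddr 10.1.0.10 tcp dport 443 counter name "dirty_in" accept
        # intranet side: the internal listener, plus admin SSH only from the clean subnet
        iifname "clean" ip daddr 10.2.0.10 tcp dport 8443 counter name "clean_in" accept
        iifname "clean" ip saddr 10.2.0.0/24 tcp dport 22 accept
    }

    chain forward {
        # No packet is ever routed from one interface to the other. The only way from the dirty
        # side to the clean side is a new connection that the gateway process opens itself,
        # after it has authenticated and inspected the request.
        type filter hook forward priority 0; policy drop;
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # gateway -> internal backend (assumed 10.2.0.50:8080)
        oifname "clean" ip daddr 10.2.0.50 tcp dport 8080 counter name "clean_out" accept
        # gateway -> internet for outgoing webservice calls, via the outer firewall's default route
        oifname "dirty" tcp dport 443 counter name "dirty_out" accept
        # DNS, NTP, logging etc. would be added here explicitly; anything not listed is dropped
    }
}
```

Load it with `nft -f gateway.nft`. Compare this with the single-interface variant from the question's comment: if the gateway has one internal address and the outer firewall simply DNATs to it, the intranet and the internet share one subnet on that host, and whether internet-originated packets can reach intranet systems is decided by the outer firewall's rules alone. With two interfaces on two subnets, the `forward` chain and `ip_forward=0` make that decision on the gateway as well, which is the second tier of defense GdD describes, and the named counters show at a glance how much of each kind of traffic the box is actually carrying.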