A Single Firewall and One Subnet
The idea of resource separation is based on the understanding that network resources differ in the extent of acceptable risk. Risk, in this context, consists of two factors: the likelihood that a resource will be compromised and the sensitivity of the resource itself. For instance, a well-configured Web server that hosts CGI scripts is more likely to be compromised than one serving only static HTML pages. Deploying a firewall in front of the server tends to decrease the likelihood that it will be compromised, thus decreasing its overall risk exposure. Similarly, a database server that stores login credentials may warrant additional layers of protection because it is generally more sensitive than the Web server that generates the application's front end.
Figure 2 illustrates a common network architecture that uses a single firewall to protect the components of a multitier application. Here, all servers are hosted on a single subnet located directly behind the firewall. The firewall, in conjunction with the border router, is responsible for thwarting network-based attacks coming from the Internet. Servers are hardened and monitored using network- and host-based intrusion-detection systems. This helps protect the application against attacks that use protocols not blocked at the network's border, or that do not come from the Internet at all. Such defense-in-depth elements are common to all solid designs and are not explicitly shown in the diagram.
Figure 2 A single firewall and one subnet.
In this design, all servers are hosted on the same subnet and receive equal protection from the firewall that separates them from the Internet. Keep in mind that even though the production servers share a subnet, in this design they are already separated from the corporate network used by the company's employees for internal operations. This, in itself, may be sufficient to achieve the desired extent of resource separation.
Using a single firewall to protect servers is relatively inexpensive and simple to manage, which is a significant advantage of this solution. You may elect to use this architecture if the expense of deploying and maintaining multiple firewalls is not warranted by the risk of hosting servers on the same subnet. For example, having a single subnet may be justified when further separating the servers does not substantially mitigate a significant risk.
Consider a scenario in which the database server listens on only a single port, used by the middleware server to retrieve data. In this case, placing a firewall between the servers improves security only marginally because this port still needs to remain open. Segmenting the internal network into separate subnets will, of course, help to protect against other types of attacks, but you might need to address other, more significant weaknesses before you decide to deploy additional firewalls or subnets. For environments in which additional separation is appropriate, let's consider a somewhat more elaborate network architecture that uses a single firewall but that segments the network into multiple subnets.
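The trade-off described in the last three paragraphs can be made concrete with a small reachability model. The following example is added here and is not part of the original text: it models the single-subnet design from Figure 2 beside a segmented variant of it, using a first-match firewall policy with a default deny, and treats traffic between hosts on the same subnet as never passing through the firewall. All addresses, the role names (`web`, `mw`, `db`) and the database port `1521` are constructed for the illustration. Comparing the two designs shows that the middleware-to-database port is open in both (the marginal gain the text describes), while segmentation does close paths such as Web server to database that the single subnet leaves open.

```python
"""Reachability model: single firewall with one subnet vs. several subnets.

Added example, not from the original text. All addresses, roles and
ports below are constructed for the illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNET = "0.0.0.0/0"      # any source that is not one of our hosts
DB_PORT = 1521              # hypothetical single port used by the middleware


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR or single address
    dst: str                 # CIDR or single address
    dport: Optional[int]     # None means any destination port
    action: str              # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: list[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


@dataclass
class Design:
    name: str
    subnets: list[str]       # subnets behind the firewall
    hosts: dict[str, str]    # role -> address
    rules: list[Rule]        # firewall policy, first match wins

    def same_segment(self, a: str, b: str) -> bool:
        """Hosts on one subnet talk directly; the firewall never sees that traffic."""
        return any(ip_address(a) in ip_network(s) and ip_address(b) in ip_network(s)
                   for s in self.subnets)

    def allowed(self, src: str, dst_role: str, dport: int) -> bool:
        """src may be a role name or a raw address (for Internet/corporate sources)."""
        src_addr = self.hosts.get(src, src)
        dst_addr = self.hosts[dst_role]
        if self.same_segment(src_addr, dst_addr):
            return True      # no firewall in the path, nothing to filter
        return evaluate(self.rules, src_addr, dst_addr, dport) == "allow"


# Design from Figure 2: one production subnet behind one firewall.
single = Design(
    "single firewall, one subnet",
    subnets=["10.2.0.0/24"],
    hosts={"web": "10.2.0.10", "mw": "10.2.0.20", "db": "10.2.0.30"},
    rules=[Rule(INTERNET, "10.2.0.10", 443, "allow"),
           Rule(INTERNET, "10.2.0.10", 80, "allow")],
)

# Same firewall, but each tier on its own subnet so inter-tier traffic is filtered.
segmented = Design(
    "single firewall, three subnets",
    subnets=["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
    hosts={"web": "10.2.1.10", "mw": "10.2.2.20", "db": "10.2.3.30"},
    rules=[Rule(INTERNET, "10.2.1.10", 443, "allow"),
           Rule(INTERNET, "10.2.1.10", 80, "allow"),
           Rule("10.2.1.10", "10.2.2.20", 8080, "allow"),      # web -> middleware
           Rule("10.2.2.20", "10.2.3.30", DB_PORT, "allow")],  # middleware -> db
)

# Flows worth comparing: (source, destination role, port). Sources outside the
# server subnets are raw constructed addresses (TEST-NET-2 and a corporate host).
FLOWS = [
    ("198.51.100.7", "web", 443),    # public users reaching the front end
    ("198.51.100.7", "db", DB_PORT), # Internet straight to the database
    ("10.1.5.5", "db", DB_PORT),     # corporate workstation to the database
    ("mw", "db", DB_PORT),           # the port that must stay open either way
    ("web", "db", DB_PORT),          # a compromised Web server reaching the db
    ("web", "db", 22),               # any other lateral path between tiers
]


def compare(designs: list[Design], flows=FLOWS) -> dict[tuple, tuple]:
    """Map each flow to a tuple of allowed/denied verdicts, one per design."""
    return {flow: tuple(d.allowed(*flow) for d in designs) for flow in flows}


if __name__ == "__main__":
    for flow, verdicts in compare([single, segmented]).items():
        cells = ["allow" if v else "deny " for v in verdicts]
        print(f"{flow[0]:>14} -> {flow[1]}:{flow[2]:<5} single={cells[0]} segmented={cells[1]}")
```

Reading the output row by row: the Internet and the corporate network are kept away from the database in both designs, and the middleware-to-database port is open in both, which is exactly why adding a firewall between those two servers buys little for that flow. The rows that differ are the lateral ones, Web server to database on the database port or on any other port; those are the "other types of attacks" that segmentation mitigates, and the model lets you weigh that gain against the cost of the extra subnets before deciding.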