A Single Firewall and Multiple Subnets
One way to segment the network without introducing another firewall is to use multiple interfaces on the firewall to create several subnets. A design based on this principle is presented in Figure 3, in which the firewall splits the network into three subnets, each dedicated to hosting a particular tier of the application. The firewall is multihomed, which allows administrators to assign a different security policy to each interface.
Figure 3 A single firewall and multiple subnets.
In this configuration, Internet users can directly reach only the presentation servers; the presentation servers can reach only the middleware servers; and the middleware servers can reach only the data servers. Set this design beside the architecture of a multitiered application in Figure 1, and you will see that it closely mirrors the roles and requirements of the application's components and allows fine-grained control over access to the servers in each tier. At the same time, the rulebase the firewall needs to implement these restrictions is more complicated than one in which all servers live on the same subnet, because every permitted flow between tiers must be spelled out explicitly and everything else must fall through to a default deny. This increases the likelihood that the firewall will be misconfigured, introducing its own risks into this design.
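To make the rulebase concrete, and to show how the misconfiguration risk just mentioned can be checked rather than assumed, the following is an added example (it is not code from the original article). It models the firewall as an ordered, first-match rulebase with a default drop, bound to zones that correspond to the firewall's interfaces, and verifies it against the tier-to-tier policy described above. The subnets, service ports, host addresses and rule names are assumptions chosen for illustration.

```python
"""
Policy check for the single-firewall, three-subnet design: the firewall's
rulebase is modelled as an ordered, first-match list (default drop) bound to
zones (interfaces), and verified against the tier-to-tier policy the text
describes. Added example, not from the original article; addresses, ports and
rule names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

# Assumed addressing: one RFC 1918 /24 per tier, each behind its own firewall
# interface. Anything outside these ranges is treated as the Internet zone.
SUBNETS = {
    "presentation": ip_network("10.0.1.0/24"),
    "middleware": ip_network("10.0.2.0/24"),
    "data": ip_network("10.0.3.0/24"),
}

# The intended policy, as the text states it: each tier may reach only the
# next tier, on one service port (assumed ports).
INTENDED = {
    ("internet", "presentation", 443),     # browsers -> web servers
    ("presentation", "middleware", 8080),  # web servers -> application servers
    ("middleware", "data", 5432),          # application servers -> database
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"


def zone_of(addr: str) -> str:
    """Map an address to the zone (firewall interface) it sits behind."""
    a = ip_address(addr)
    for zone, net in SUBNETS.items():
        if a in net:
            return zone
    return "internet"


def evaluate(rulebase, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit default drop."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rulebase:
        if r.src_zone == sz and r.dst_zone == dz and r.dport in (None, dport):
            return r.action
    return "drop"


# One constructed representative host per zone and a handful of ports to probe.
HOSTS = {
    "internet": "203.0.113.10",  # TEST-NET-3 address standing in for a client
    "presentation": "10.0.1.10",
    "middleware": "10.0.2.10",
    "data": "10.0.3.10",
}
PROBE_PORTS = (443, 8080, 5432, 22)


def verify(rulebase):
    """Return every (src_zone, dst_zone, port, decision) that departs from INTENDED."""
    violations = []
    for (sz, src), (dz, dst) in product(HOSTS.items(), repeat=2):
        if sz == dz:
            continue  # intra-subnet traffic never crosses the firewall
        for port in PROBE_PORTS:
            got = evaluate(rulebase, src, dst, port)
            want = "accept" if (sz, dz, port) in INTENDED else "drop"
            if got != want:
                violations.append((sz, dz, port, got))
    return violations


# Rulebase that implements the design exactly; everything else hits default drop.
CORRECT = [
    Rule("web-in", "internet", "presentation", 443, "accept"),
    Rule("web-to-app", "presentation", "middleware", 8080, "accept"),
    Rule("app-to-db", "middleware", "data", 5432, "accept"),
]

# Two plausible slips: a troubleshooting rule left with "any port", and a
# cross-tier management rule that skips the middleware hop entirely.
MISCONFIGURED = [
    Rule("web-in", "internet", "presentation", 443, "accept"),
    Rule("web-to-app", "presentation", "middleware", 8080, "accept"),
    Rule("app-to-db-any", "middleware", "data", None, "accept"),  # too broad
    Rule("web-ssh-db", "presentation", "data", 22, "accept"),     # wrong hop
]

if __name__ == "__main__":
    print("correct rulebase violations:", verify(CORRECT))
    for v in verify(MISCONFIGURED):
        print("misconfigured rulebase allows %s -> %s:%d (%s)" % v)
```

Run against the correct rulebase, `verify()` returns an empty list; run against the misconfigured one, it reports that the middleware subnet can reach the data subnet on every probed port and that the presentation subnet can reach the data subnet directly over SSH, both of which break the one-hop-per-tier property the design is meant to enforce. Checking a real rulebase the same way, against a written statement of the intended tier adjacency, is a cheap defence against the misconfiguration risk that grows with rulebase complexity.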
Hosting each tier of an application on a dedicated subnet is a powerful technique because it allows network designers to configure the network in a way that closely matches the application's security requirements, albeit at the added cost of maintaining a more complex firewall rulebase and managing servers located on different subnets. This approach, evident in several designs presented in this article, mimics the design of a large ship split into multiple watertight compartments to resist flooding: if one compartment is breached, the others have a good chance of remaining intact.
Using a single firewall to segment the network is one of the most affordable ways of separating application tiers, but it is not without limitations. A single logical firewall, even if redundant in hardware, presents a single point of failure for the design, especially when it enforces security policy for subnets that host servers of different risk levels: hardware redundancy protects availability, but both units run the same rulebase and share the same software, so a misconfiguration or a compromise affects them equally. If the firewall is compromised or misconfigured, an intruder could obtain access to all subnets, including the most sensitive segment that hosts the data servers. Moreover, the firewall may become a performance bottleneck because it must examine all traffic passing between the subnets. Let's take a look at an alternative design that uses multiple firewalls to eliminate some of these deficiencies.