Deploying Firewalls in Series
To eliminate the reliance on a single firewall while still retaining fine-grained control over intersubnet communications, you can use multiple firewalls to guard subnet boundaries. One such design is presented in Figure 4, in which three firewalls are deployed in series, one behind another. As the sensitivity level of hosted resources increases, so does the number of firewalls located between the Internet and the potential target. In this configuration, tiers of the application are "sandwiched" between firewalls, and a dedicated firewall moderates communications between adjacent subnets according to the application's architecture and the organization's security policy. A flow is therefore permitted only if every firewall on its path permits it: an attacker who compromises a presentation server still faces the middleware and data firewalls before reaching the data tier, and a rule mistake on one device is not by itself enough to expose the most sensitive subnet.
Figure 4 Firewalls in series and three subnets.
When deploying firewalls in series, each firewall's hardware components may be scaled up or down independently of the other devices, depending on the nature of the network traffic passing through it. You can also deploy different firewall devices according to the requirements of a specific subnet boundary. For example, you may consider implementing the presentation firewall as a reverse proxy to enforce strict control over traffic targeting presentation servers. This works especially well if presentation servers are accessed via HTTP, because HTTP proxying techniques are well understood and can tightly restrict the operations performed by the application's end users (for instance, limiting the permitted methods and URL paths). The thoroughness of a proxy firewall's inspection tends to come at the expense of performance, and you may decide to implement the middleware or data firewalls using faster filtering devices such as stateful firewalls or even static packet filters. Note that a static packet filter cannot track connection state, so its ruleset should be kept to the few flows the application genuinely needs between the adjacent tiers.
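The following is an added example, not code from the original text or from any product it describes. It models the series arrangement from Figure 4 and the mixed-device choice discussed above: four ordered zones, a firewall between each adjacent pair, a reverse proxy on the presentation boundary that also inspects HTTP method and path, and plain packet filters on the inner boundaries. Zone names, port numbers, rules and the sample flows are constructed assumptions for illustration; the point shown is that a flow is allowed only if every firewall on its path permits it, and that the more sensitive the destination, the more devices the flow must cross.

```python
"""Model of three firewalls deployed in series in front of a three-tier application.

Zones are ordered from least to most sensitive; firewall k sits between
ZONES[k] and ZONES[k+1].  All names, ports and rules below are illustrative
assumptions, not taken from the original text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZONES = ["internet", "presentation", "middleware", "data"]


@dataclass(frozen=True)
class Flow:
    src: str                            # originating zone
    dst: str                            # destination zone
    proto: str
    port: int
    http_method: Optional[str] = None   # only meaningful for HTTP flows
    http_path: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


@dataclass
class Firewall:
    name: str
    position: int                       # between ZONES[position] and ZONES[position + 1]
    rules: Tuple[Rule, ...]
    # Layer-7 policy; set only on the reverse-proxy device guarding the presentation tier.
    allowed_methods: Optional[frozenset] = None
    allowed_path_prefix: Optional[str] = None

    def permits(self, flow: Flow) -> bool:
        """Packet-filter semantics first: the initiating packet must match an allow rule."""
        if Rule(flow.src, flow.dst, flow.proto, flow.port) not in self.rules:
            return False
        # The reverse proxy additionally inspects HTTP for traffic into the tier it protects.
        if self.allowed_methods is not None and flow.dst == ZONES[self.position + 1]:
            if flow.http_method not in self.allowed_methods:
                return False
            if self.allowed_path_prefix is not None and (
                flow.http_path is None or not flow.http_path.startswith(self.allowed_path_prefix)
            ):
                return False
        return True


def firewalls_on_path(flow: Flow, firewalls: List[Firewall]) -> List[Firewall]:
    """Firewalls a flow crosses, in the order it meets them (outbound flows walk the chain backwards)."""
    s, d = ZONES.index(flow.src), ZONES.index(flow.dst)
    lo, hi = sorted((s, d))
    by_pos = {fw.position: fw for fw in firewalls}
    crossed = [by_pos[p] for p in range(lo, hi)]
    return crossed if s < d else list(reversed(crossed))


def verdict(flow: Flow, firewalls: List[Firewall]) -> Tuple[bool, Optional[str], int]:
    """Return (allowed, name of the firewall that dropped the flow or None, firewalls crossed)."""
    path = firewalls_on_path(flow, firewalls)
    for fw in path:
        if not fw.permits(flow):
            return False, fw.name, len(path)
    return True, None, len(path)


# Constructed policy: each device permits only the adjacent-tier flow the application needs.
PRESENTATION_FW = Firewall(
    "presentation-fw", 0,
    (Rule("internet", "presentation", "tcp", 443),),
    allowed_methods=frozenset({"GET", "POST"}),   # reverse proxy: restrict what end users may do
    allowed_path_prefix="/app/",
)
MIDDLEWARE_FW = Firewall("middleware-fw", 1, (Rule("presentation", "middleware", "tcp", 8080),))
DATA_FW = Firewall("data-fw", 2, (Rule("middleware", "data", "tcp", 5432),))
SERIES = [PRESENTATION_FW, MIDDLEWARE_FW, DATA_FW]

# Constructed sample flows exercising the policy.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "user_get":         Flow("internet", "presentation", "tcp", 443, "GET", "/app/login"),
    "user_trace":       Flow("internet", "presentation", "tcp", 443, "TRACE", "/app/login"),
    "user_admin_path":  Flow("internet", "presentation", "tcp", 443, "GET", "/admin/"),
    "internet_to_db":   Flow("internet", "data", "tcp", 5432),
    "web_to_db_direct": Flow("presentation", "data", "tcp", 5432),
    "web_to_app":       Flow("presentation", "middleware", "tcp", 8080),
    "app_to_db":        Flow("middleware", "data", "tcp", 5432),
    "db_callback_out":  Flow("data", "internet", "tcp", 443),
}


def evaluate_all(firewalls=SERIES, flows=SAMPLE_FLOWS) -> Dict[str, Tuple[bool, Optional[str], int]]:
    """Evaluate every sample flow against the series of firewalls."""
    return {name: verdict(f, firewalls) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (ok, dropped_by, crossed) in evaluate_all().items():
        status = "ALLOW" if ok else f"DROP by {dropped_by}"
        print(f"{name:18s} crosses {crossed} firewall(s): {status}")
```

Running the script shows the two properties the design relies on: a request from the Internet to the data subnet is dropped at the very first device even though it would have to cross three, and a compromised presentation host that tries to reach the database directly is stopped by the middleware firewall, not by the data firewall alone. The reverse proxy on the outer boundary rejects a TRACE request and a request outside `/app/` that a pure packet filter would have passed on port 443.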
Such flexibility is difficult to achieve when a single firewall is responsible for regulating all traffic that crosses subnet boundaries. However, the added security comes at the expense of manageability: keeping three rulesets, three sets of logs and three patch cycles consistent with one another tends to be a significant cost factor when deploying and maintaining multiple firewalls. A middle ground can be found between single-firewall and multifirewall designs, so let's look at hybrid architectures that attempt to reach a compromise between cost and security.