Hybrid Multifirewall Architectures
One of the ways to retain the flexibility of dedicating a subnet to each application's tier while decreasing the number of firewalls is to deploy only two firewalls. Figure 5 presents one such design: Middleware and data firewalls have been collapsed into a single device, but the application's tiers still reside on dedicated subnets.
Figure 5 Hybrid multifirewall architecture.
As in all of the designs we have examined, firewalls control what communications can take place across subnet boundaries. Yet, unlike the single-firewall solution presented earlier, this architecture separates middleware and data servers from the Internet using two firewalls deployed in series. We still have the option of using one type of firewall, say, a reverse proxy, in front of the presentation servers and deploying a different type of device as the middleware/data firewall, so that a flaw in one product does not by itself expose the inner tiers.
If you prefer to focus the design on isolating data servers from the other tiers, you could instead share a single firewall between the presentation and middleware subnets and dedicate the second firewall to the data subnet. This configuration is illustrated in Figure 6. You still have the opportunity to use one firewall technology in front and another type of device behind it, but now the presentation and middleware tiers are assumed to be similar enough in their security and performance requirements that they can rely on the same firewall for protection.
Figure 6 Alternate hybrid multifirewall architecture.
You can further mix and match these configurations by combining some of the application's tiers into a single subnet, if that best suits your budget and requirements. One such configuration is shown in Figure 7. Here middleware and data servers share a subnet that is separate from the presentation servers, another way of grouping resources according to their sensitivity and their likelihood of compromise. In this design, the presentation subnet most closely resembles a classic DMZ, with middleware and data servers separated from the presentation servers by a dedicated firewall. This design is most appropriate for applications in which the distinction between the data and middleware tiers is not as clear cut as in a traditional multitier architecture; its cost is that a compromised middleware server can reach the data servers without crossing a firewall.
Figure 7 Firewalls in series and two subnets.
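The designs in Figures 5 through 7 all reduce to the same question: which firewalls does a given flow cross, and does every one of them permit it? The following added example (not part of the original article, and not any vendor's rule syntax) models the Figure 5 topology as zones joined by firewalls with default-deny rule sets, then answers that question for individual flows and enumerates what the Internet can reach end to end. The address plan, firewall names, and the ports used are constructed assumptions for this example; editing the `FIREWALLS` map (for instance, attaching `middleware` to the front firewall instead of the back one) turns it into the Figure 6 or Figure 7 design.

```python
"""Policy model for a hybrid multifirewall design (Figure 5 style):
a front firewall between the Internet and the presentation subnet, and
one middleware/data firewall fronting two dedicated inner subnets.
A flow is permitted only when every firewall on its path permits it."""
from collections import deque
from ipaddress import ip_address, ip_network

# Hypothetical address plan, constructed for this example.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "presentation": ip_network("10.1.0.0/24"),
    "middleware": ip_network("10.2.0.0/24"),
    "data": ip_network("10.3.0.0/24"),
}

# Zones attached to each firewall. Traffic between two zones attached to
# the same device crosses that device exactly once; traffic between zones
# on different devices crosses every device in between.
FIREWALLS = {
    "front": {"internet", "presentation"},
    "mw_data": {"presentation", "middleware", "data"},
}

# Permit rules per firewall as (src_zone, dst_zone, proto, dport).
# Anything not listed is dropped: default deny on both devices.
RULES = {
    "front": {
        ("internet", "presentation", "tcp", 443),
    },
    "mw_data": {
        ("presentation", "middleware", "tcp", 8080),
        ("middleware", "data", "tcp", 5432),
    },
}


def zone_of(ip):
    """Longest-prefix match of an address to a zone (0.0.0.0/0 is the
    catch-all 'internet' zone, so every IPv4 address lands somewhere)."""
    addr = ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def firewall_path(src_zone, dst_zone):
    """Ordered list of firewalls crossed from src_zone to dst_zone,
    found by breadth-first search over the zone graph; None if unreachable."""
    queue = deque([(src_zone, [])])
    seen = {src_zone}
    while queue:
        zone, crossed = queue.popleft()
        if zone == dst_zone:
            return crossed
        for fw, attached in FIREWALLS.items():
            if zone not in attached:
                continue
            for nxt in attached:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, crossed + [fw]))
    return None


def zone_allowed(src_zone, dst_zone, proto, dport):
    """True only if every firewall on the path has a matching permit."""
    if src_zone == dst_zone:
        return True  # same subnet: no firewall mediates this traffic
    path = firewall_path(src_zone, dst_zone)
    if path is None:
        return False
    return all((src_zone, dst_zone, proto, dport) in RULES[fw] for fw in path)


def allowed(src_ip, dst_ip, proto, dport):
    """Evaluate a concrete flow by mapping both endpoints to zones."""
    return zone_allowed(zone_of(src_ip), zone_of(dst_ip), proto, dport)


def internet_exposure():
    """Every (zone, proto, port) an Internet host can reach through the
    chain of firewalls, considering only ports some rule mentions."""
    ports = {(p, d) for rules in RULES.values() for (_, _, p, d) in rules}
    exposed = set()
    for zone in ZONES:
        if zone == "internet":
            continue
        for proto, dport in sorted(ports):
            if zone_allowed("internet", zone, proto, dport):
                exposed.add((zone, proto, dport))
    return exposed


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "10.1.0.10", "tcp", 443),   # browser to web tier
        ("203.0.113.5", "10.3.0.10", "tcp", 5432),  # Internet straight to DB
        ("10.1.0.10", "10.2.0.10", "tcp", 8080),    # web tier to middleware
        ("10.1.0.10", "10.3.0.10", "tcp", 5432),    # web tier skipping middleware
        ("10.2.0.10", "10.3.0.10", "tcp", 5432),    # middleware to DB
    ]
    for flow in checks:
        print(f"{flow[0]:>12} -> {flow[1]}:{flow[3]}/{flow[2]}  "
              f"path={firewall_path(zone_of(flow[0]), zone_of(flow[1]))}  "
              f"allowed={allowed(*flow)}")
    print("Internet-reachable services:", sorted(internet_exposure()))
```

The model deliberately keys each rule on the original source and destination zones, which is how a routing or packet-filtering firewall sees the traffic. When the front device is a reverse proxy, the proxy terminates the client's connection and opens its own from the presentation subnet, so the back firewall only ever sees presentation-sourced flows; that is why the `mw_data` rule set permits `presentation -> middleware` and nothing sourced from `internet`. The `internet_exposure` sweep is the check worth re-running whenever a rule is added to either device: in a series deployment, the inner servers are only as isolated as the intersection of both rule sets.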