Select Single firewall DMZ or dual firewall DMZ

You have accepted the idea of using a demilitarized zone (DMZ) to provide more secure and powerful protection for your machine, rather than simply using a traditional firewall in front of your entire network. This is good for you, but there is still a problem: will you use simple routing and set up a quarantine zone outside your single firewall? Or are there two firewalls and a quarantine zone between two firewalls, which adds extra overhead to provide maximum protection?

You can use the traditional quarantine zone to reasonably protect your public-facing servers, and these servers will protect your sensitive internal network from malicious external users. In this case, the firewall monitors all network traffic to determine whether the communication should be transferred to the quarantine network or to a protected internal network. Traditional quarantine checks all communications sent from the internal network to the external network, to determine whether this communication is allowed to pass: 1. Whether to allow internal packets of network and mail services to be sent from the protected internal network to the quarantine network; 2. As a response from an internal request, the communication is allowed to enter a protected internal network from the area of separation; 3. Whether these communications are allowed to enter the Internet. You should know that this structure is a dual-host gateway structure because the firewall has two interfaces, one to the quarantine zone and the other to the internal network.

Further, this dual firewall quarantine structure (sometimes called a subnet firewall) adds another layer of defense and separates the internal network from the large and evil outside world. By setting up a firewall in front of them and adding a firewall to the front of your internal network, you will also provide further protection for the public-facing hosts. With this mechanism, communication between the protected network and the Internet must pass through both firewalls. These firewalls will provide you with the initial first line of defense to the server you are opening up to prevent the intrusion of malicious communications.

So you have to make up your mind. The following communication questions help you make decisions:

• From a performance point of view, can you afford the performance penalty of letting external communications pass through two firewalls instead of a firewall?

• Can you monitor communication over two lines through this network?

• Where should you monitor that communication?

• Do you need to always have the ability to recover from the compromised state immediately to the normal state? This capability includes keeping another firewall running and communicating unimpeded when a firewall system shuts down.

• Do you have an essential number of network ports?

• Does your budget allow you to use two firewalls? or is this expense prohibited?

The bottom line here is that the traditional separation structure provides a layer of extra protection for your public service machine, but this requires additional operational and maintenance work. The choice of double firewall quarantine is the safest, but it is also a double-edged sword, the cost of application and operation are very expensive.