Re: External/DMZ/Internal with two firewalls?


comp.security.firewalls archive

From: Ansgar -59cobalt- Wiechers <usenet-2006@planetcobalt.net>
Date: Wed Mar 22 2006 - 16:30:46 CET

te@ivorypetal.com wrote:
> This is the first time I have seen this and I was curious on the
> feedback on this configuration...
>
> I'm at a new gig and they have their network setup with two external
> firewalls (active/passive) for redundancy, then their DMZ, then
> another pair of firewalls before getting into the Internal network.

It's a common setup.

> I have always just seen one set of firewalls, not two.

That's another common setup.

> It has made troubleshooting a complete nightmare, because they do
> double NAT'ing.

I fail to see the problem.

> I have read a thing or two that "maybe" this might be something you
> would do if you used two different vendors to protect against a 0-day
> exploit,

Exactly. It's very unlikely that two different firewalls (preferably
running on different hardware platforms as well) are vulnerable to the
same 0-day exploit, thus raising the bar for an attacker who tries to
get into the LAN.

> but it seems a little odd to me.

I fail to see why.

cu
59cobalt

-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier
Received on Mon May 1 01:01:13 2006