The difference between a two-tier and a three-tier firewall

The difference between a two-tier and a three-tier firewall

I would like to know the difference between a two-tier and a three-tier firewall. When choosing an ISP to host a business application, what kind of firewall should the ISP have?


    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The terms "two-tier" and "three-tier" firewalls do not have a hard-and-fast definition. They are applied to two different ideas. First off (and in the most widely used terminology), the tiers refer to the number of interfaces the firewall has. A two-tier firewall would have two interfaces: the inside (protected) network and the outside (big, bad, scary) network. A three-tier firewall would have inside and outside as well, but also includes a side interface for a protected Demilitarized Zone (DMZ). On your DMZ, you can put servers that need to be publicly accessible (such as Web servers, mail servers and DNS servers), but also need to be protected.

In its other usage, the tiers don't refer to interfaces, but instead the layers of firewalls you have. I admit, this usage is less common than that above. So, a two-tier firewall would be like a firewall sandwich. There is an external firewall, then a DMZ, then an inside firewall. With this architecture, you could block elements with much more flexibility. A three-tier architecture would include three firewalls: one on the outside and two different layers on the inside.

The ISP should have a firewall that restricts all connections to their protected host except those that are absolutely required. So, if the protected system is a Web server, it should only have TCP port 80 (HTTP) and, if required, TCP port 443 (HTTPS). Nothing else should be open. They could achieve this using packet-filtering firewalls or proxy firewalls. The type isn't particularly important here, just the filtering that is implemented and the performance characteristics of the system. A lot of ISPs use a simple packet filtering firewall, which is acceptable. Some use nothing at all, which concerns me!

For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Role and placement of a DMZ on a network
  • Ask the Expert: How firewalls work
  • News & Analysis: Firewall best practices


    This was first published in February 2003