|
The terms "two-tier" and "three-tier" firewalls do not have a hard-and-fast
definition. They are applied to two different ideas. First off (and in
the most widely used terminology), the tiers refer to the number of
interfaces the firewall has. A two-tier firewall would have two interfaces:
the inside (protected) network and the outside (big, bad, scary) network.
A three-tier firewall would have inside and outside as well, but also includes
a side interface for a protected Demilitarized Zone (DMZ). On your DMZ,
you can put servers that need to be publicly accessible (such as Web
servers, mail servers and DNS servers), but also need to be protected.
In its other usage, the tiers don't refer to interfaces, but instead the
layers of firewalls you have. I admit, this usage is less common than
that above. So, a two-tier firewall would be like a firewall sandwich.
There is an external firewall, then a DMZ, then an inside firewall. With
this architecture, you could block elements with much more flexibility. A
three-tier architecture would include three firewalls: one on the outside
and two different layers on the inside.
The ISP should have a firewall that restricts all connections to their
protected host except those that are absolutely required. So, if the
protected system is a Web server, it should only have TCP port 80 (HTTP)
and, if required, TCP port 443 (HTTPS). Nothing else should be open. They
could achieve this using packet-filtering firewalls or proxy firewalls.
The type isn't particularly important here, just the filtering that is
implemented and the performance characteristics of the system. A lot of
ISPs use a simple packet filtering firewall, which is acceptable. Some
use nothing at all, which concerns me!
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Role and placement of a DMZ on a network
Ask the Expert: How firewalls work
News & Analysis: Firewall best practices
|
