Problem solve Get help with specific problems with your technologies, process and projects.

Front-end/back-end firewalls vs. chassis-based firewalls

Network security expert Mike Chapple explores the different characteristics of devices using a front-end/back-end topology and chassis-based firewalls.

What are the differences between front-end/back-end firewalls and chassis-based firewalls?

There are a couple of different technologies referenced in your question. The use of a front-end/back-end topology doesn't prevent you from using a chassis-based device. Let's explore the different characteristics of a firewall.

The front-end/back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end presentation server, and that server interacts with a back-end one. A scenario where this is commonly seen is in the deployment of email systems, such as Microsoft Exchange. Users often interact with a front-end Web server -- running, for example, Outlook Web Access -- to read and send email. That Web server must interact with the back-end mail server, but Internet users do not need to interact directly with the one dedicated to mail. The front-end/back-end topology dictates that a firewall should be placed between the Internet and the Web server, and also between the Web server and the email server, providing maximum security.

A chassis-based firewall is a piece of hardware that runs the firewall software in a dedicated fashion. Often referred to as a firewall appliance, it is sold as a bundle including both hardware and software. The alternative is to purchase firewall software and install it on your own hardware.

From a security perspective, there isn't much of a difference between the two approaches. I generally tend to prefer appliance products from a support perspective because they make a single vendor responsible for any hardware or software issues with a device, preventing multiple vendors from participating in a "blame game" where they try to pass the buck to each other.

More on this topic


This was last published in January 2009

Dig Deeper on Network device security: Appliances, firewalls and switches