Firewall – The use of DMZ and single firewall design

firewall

Apologies in advance if this is a stupid question. I have just started exploring network designs and firewalls.

I have come across a network design where there is single firewall between internet, DMZ and the internal network.

From my understanding, DMZ works best if at least two firewalls are utilised in a network design; one as the perimeter firewall and the other as internal firewall. Why would someone design the network with DMZ with just one firewall? Is there a significant benefit (or risks) by designing the network as such?

I have also read that the use of DMZ is to make intrusions to the internal network more difficult. So the servers/services sitting in the DMZ zone are not important? Or are they just some kind of bait/honeypot, or are they just supposed to be expendable assets? I am confused with this because I have seen web servers and FTP servers sitting there. Does it mean they are not important servers?

Thanks

Best Answer

While not necessarily the answer you're looking for... (a) simplicity, and (b) cost. One firewall is half the cost of two. With enterprise grade hardware being rather expensive, when one springs for two, they are most often set up in a high availability failover pair.

Having one firewall for internal LANs, and one for DMZ(s) does provide greater isolation between the two. The DMZ(s) can be completely, physically, isolated from the rest of the enterprise. Rarely is that level of security and isolation required (military, banks, etc.). Using one firewall with a DMZ interface -- or VLAN -- is a reasonable compromise. Yes, you run the risk of configuration faux pas exposing your internal network to the DMZ systems.

The reason to have a DMZ -- the purpose to all this isolation -- is to keep the public, internet facing services in a place where their compromise doesn't expose your entire enterprise. The DMZ is where you put the "dirty" systems -- the things people are going to attack. They're kept in their own network with their own set of extremely restrictive access rules where they can be monitored diligently.
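As an added illustration (not part of the original answer), here is a small Python model of the "one firewall, three zones" design the answer describes, with an audit that catches the configuration mistake it warns about: a rule that lets DMZ hosts open connections into the internal LAN. The zone names, the rule layout and the sample policy are all constructed assumptions, not any vendor's syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str             # zone the connection originates from: "WAN", "DMZ" or "LAN"
    dst: str             # zone it is destined for
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None means any destination port
    action: str          # "allow" or "deny"

def first_match(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit deny, as zone firewalls commonly do."""
    for r in rules:
        if r.src == src and r.dst == dst and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"

def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that undo the isolation the DMZ exists to provide."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "DMZ" and r.dst == "LAN":
            findings.append(f"rule {i}: DMZ may open connections into LAN ({r.proto}/{r.dport or 'any'})")
        if r.src == "WAN" and r.dst == "LAN":
            findings.append(f"rule {i}: Internet may reach LAN directly, bypassing the DMZ")
        if r.src == "WAN" and r.dst == "DMZ" and r.dport is None:
            findings.append(f"rule {i}: Internet reaches DMZ on every port, not just the published service")
    return findings

def fix_policy(rules: List[Rule]) -> List[Rule]:
    """Drop every rule the audit flags; the remaining rules keep their order."""
    flagged = {int(f.split()[1].rstrip(":")) for f in audit(rules)}
    return [r for i, r in enumerate(rules) if i not in flagged]

# Constructed sample policy: the intended design plus one mistaken rule (index 3).
SAMPLE_POLICY = [
    Rule("WAN", "DMZ", "tcp", 443, "allow"),   # the published web service
    Rule("LAN", "DMZ", "tcp", 22, "allow"),    # admins manage DMZ hosts from inside
    Rule("LAN", "WAN", "any", None, "allow"),  # users browse out
    Rule("DMZ", "LAN", "tcp", 445, "allow"),   # mistake: an internal file share reachable from the DMZ
    Rule("DMZ", "WAN", "tcp", 443, "allow"),   # DMZ hosts fetch updates
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```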
