Dual firewalls or Zero trust model
-
Hi All,
Currently our network has two firewalls: an ASA as the external firewall and a FortiGate as the internal firewall.
I would like advice on the firewall network topology: should we have just a single firewall (a next-gen firewall), or should we keep the dual firewalls?
-
Do you know why you have two firewalls today?
Is there any equipment between the two firewalls?
This dual firewall setup is one form of DMZ (demilitarized zone) setup. Traditionally you place servers that need to provide access to the outside world in the middle zone between the networks.
Though I'm not sure if this is considered common anymore? I normally see a single router with (at least 3) interfaces:
- internet
- LAN - where your PCs live
- DMZ - where your servers that provide services to the internet and your LAN live.
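To make the three-interface design above concrete, here is an added example (not code from the thread) of the zone rule matrix such a router enforces: the internet reaches only published DMZ services, the LAN may reach the DMZ and the internet, and the DMZ cannot initiate anything toward the LAN. The addressing, ports and sample flows are assumptions constructed for illustration.

```python
# Added example, not from the thread: a minimal zone-policy evaluator for the
# internet / LAN / DMZ design. Addresses, ports and flows are assumptions.
from ipaddress import ip_address, ip_network

# Assumed addressing for the two internal zones (constructed for this example).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not internal is 'internet'."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

# Ordered policy as (src_zone, dst_zone, allowed_ports_or_None, action).
# First match wins; anything unmatched falls through to default deny.
POLICY = [
    ("internet", "dmz", {80, 443}, "allow"),   # published web services only
    ("lan", "dmz", None, "allow"),             # admins manage the servers
    ("lan", "internet", None, "allow"),        # users browse out
    ("dmz", "internet", {443}, "allow"),       # servers fetch updates
    ("dmz", "lan", None, "deny"),              # DMZ may never initiate inward
]

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    s, d = zone_of(src), zone_of(dst)
    for src_zone, dst_zone, ports, action in POLICY:
        if (src_zone, dst_zone) == (s, d) and (ports is None or dport in ports):
            return action
    return "deny"  # default deny for anything not explicitly allowed

if __name__ == "__main__":
    # Constructed sample flows: published service, direct hit on the LAN,
    # a DMZ host reaching for the LAN, an admin SSH session into the DMZ.
    for src, dst, port in [("203.0.113.5", "192.168.100.10", 443),
                           ("203.0.113.5", "10.0.0.7", 445),
                           ("192.168.100.10", "10.0.0.7", 445),
                           ("10.0.0.7", "192.168.100.10", 22)]:
        print(f"{zone_of(src):>8} -> {zone_of(dst):<8} :{port:<4} {evaluate(src, dst, port)}")
```

Whether one box holds all three interfaces or two boxes split them, this rule matrix is what actually separates the zones; the second firewall only adds a second place to keep it consistent.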
-
@Dashrender is right, we need a good understanding of your needs before we can make a recommendation. We don't know your needs right now.
-
Using two firewalls like this is like using two condoms. One of them is gonna break.
This is the kind of thinking that morons who install two AV products "to watch the other one" do.
Simplify yo' shit!
-
@PSX_Defector said:
Using two firewalls like this is like using two condoms. One of them is gonna break.
This is the kind of thinking that morons who install two AV products "to watch the other one" do.
Simplify yo' shit!
I was just thinking the same basic thing. I do not see why you would want to have two firewalls, as that is double management.
However, there was a point in time just a few years ago that I did consider using two firewalls. But it was due to lack of funding and available knowledge. I had the main office network and a computer lab of about 17 computers. I needed to keep the lab separate from the office network.
I learned after some time that a VLAN would do the same thing. It was not implemented, but a VLAN was better suited than dual firewalls.
-
Go with keep it simple. That always helps.
For example, I am forcing my dad to use double NAT at the moment, because I am crashing at his place for another week and I needed my network up like normal.
So I stuck my ERL directly on his fiber connection and then plugged his Netgear into my switch behind the ERL. Since all that they do on it is surf the web and use their tablets they do not even notice what I did and it keeps their network simple and normal while also letting me have my normal network. When I unplug everything next Monday, they will not even know the difference.
edit: On a related note, I am going to miss this when I move to Chicago.
-
@JaredBusch said:
Go with keep it simple. That always helps.
For example, I am forcing my dad to use double NAT at the moment, because I am crashing at his place for another week and I needed my network up like normal.
So I stuck my ERL directly on his fiber connection and then plugged his Netgear into my switch behind the ERL. Since all that they do on it is surf the web and use their tablets they do not even notice what I did and it keeps their network simple and normal while also letting me have my normal network. When I unplug everything next Monday, they will not even know the difference.
I do the exact same thing, also with an ERL, when I crash with my brother in law.
-
It took me a moment to realize: ERL = EdgeRouter Lite
-
Yes... keep it simple.
And @JaredBusch, you'll get your comeuppance, you 'frog'. Though I am a bit envious of that speed...
-
@Dashrender said:
Do you know why you have two firewalls today?
Is there any equipment between the two firewalls?
This dual firewall setup is one form of DMZ (demilitarized zone) setup. Traditionally you place servers that need to provide access to the outside world in the middle zone between the networks.
Though I'm not sure if this is considered common anymore? I normally see a single router with (at least
Still common in data centers, though it's mostly virtual routers these days.
-
@JaredBusch said:
Go with keep it simple. That always helps.
For example, I am forcing my dad to use double NAT at the moment, because I am crashing at his place for another week and I needed my network up like normal.
So I stuck my ERL directly on his fiber connection and then plugged his Netgear into my switch behind the ERL. Since all that they do on it is surf the web and use their tablets they do not even notice what I did and it keeps their network simple and normal while also letting me have my normal network. When I unplug everything next Monday, they will not even know the difference.
edit: On a related note, I am going to miss this when I move to Chicago.
What are you going to miss? That is common here, if not higher. Heck, I can nearly get that on my phone with AT&T.
-
@Dashrender said:
@JaredBusch said:
Go with keep it simple. That always helps.
For example, I am forcing my dad to use double NAT at the moment, because I am crashing at his place for another week and I needed my network up like normal.
So I stuck my ERL directly on his fiber connection and then plugged his Netgear into my switch behind the ERL. Since all that they do on it is surf the web and use their tablets they do not even notice what I did and it keeps their network simple and normal while also letting me have my normal network. When I unplug everything next Monday, they will not even know the difference.
edit: On a related note, I am going to miss this when I move to Chicago.
What are you going to miss? That is common here, if not higher. Heck, I can nearly get that on my phone with AT&T.
The download maybe, but I doubt your upload is symmetrical.
-
And that is pretty good latency too.
-
@thecreativeone91 said:
The download maybe, but I doubt your upload is symmetrical.
That's true, but unless he's uploading tons of stuff, that probably doesn't matter.
And my ping times generally match this, depending on whom I'm testing against.
-
Well, my dad certainly does not even need the speed package he has.
I do upload ISO files quite often from home to remote servers and such. So, while not critical, something like this is very welcome.
-
@JaredBusch said:
Well, my dad certainly does not even need the speed package he has.
I do upload ISO files quite often from home to remote servers and such. So, while not critical, something like this is very welcome.
Do you need to keep those ISOs local to you? If not, you could store them in ODfB or Google Drive, etc., and then copy them through a web browser at those hosted solutions' upload speed, regardless of where you are.
-
@Dashrender said:
Do you need to keep those ISOs local to you? If not, you could store them in ODfB or Google Drive, etc., and then copy them through a web browser at those hosted solutions' upload speed, regardless of where you are.
I could. That would require me to get (and stay) more organized.