How do you handle multiple external network connections (Internet + B2B partners) in a firewall architecture?
B2B partner networks are external but trusted differently from the Internet — they need their own zone with their own rules. Two designs: route partners through the same firewall as the Internet, or use a dedicated separate firewall for partner traffic.
* Two ways to place multiple external connections: one firewall with many zones, or a dedicated partner firewall. *
Design 1 — single FW, many legs: each external network (Internet, Partner X, Partner Y) gets its own "leg" (zone) on the same firewall, which also fronts the DMZ and Intranet. Pros: simpler, one management point. Cons: all partners share the same firewall — a misconfiguration affects all.
Design 2 — dedicated partner FW: a separate firewall (FW₂) sits between the Intranet and the B2B partners, while FW₁ handles the Internet + DMZ. Pros: total separation of policy domains; the partner FW can be run by a different team. Cons: more hardware, more management.
Why B2B traffic deserves special treatment:
| Concern | Solution |
|---|---|
| Partner network security may be weaker than yours | Treat partner zone as semi-trusted, not fully trusted |
| Specific protocols (SAP, EDI, AS2) used | Custom rules different from Internet-facing rules |
| Compliance (e.g., automotive supplier networks) | Dedicated logging and monitoring |
| Regulatory audits | Partner traffic must be auditable separately |
The "mehrere externe Netz" reality:
In a typical large enterprise, you'll see:
- 1 Internet connection (or 2 for redundancy)
- 5-50 B2B partner connections (suppliers, customers, payment processors, banks)
- Multiple cloud connections (AWS Direct Connect, Azure ExpressRoute)
- Multiple branch offices via SD-WAN/MPLS
Each is a "zone" with its own policy.
Tip: Modern FW designs use zone-based policy — rules are written between zones (Internet, DMZ, Intranet, B2B-PartnerX) rather than between specific IPs. New connections from a partner just join the existing zone and inherit its policy. This is far more maintainable than per-IP rules.
Go deeper:
Network segmentation (Wikipedia) — zone-based separation of differently-trusted external networks.