LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does a 3-tier firewall architecture (DMZ → app → DB) compare to a simple zone-based architecture (Outside / DMZ / Inside)?

Both apply the same idea — multiple security tiers with firewall enforcement between them. A 3-zone design (Outside, DMZ, Inside) is a flat horizontal segmentation by trust level; the 3-tier architecture is a vertical application-stack segmentation (web → app → DB). Real production environments often combine both.

The horizontal zones:

[Outside (Internet)]
       ↓
   [Firewall]
   ┌───┼───┐
 [DMZ]  [Inside]
        (server + staff subnets)

Designed by threat trust level — public-facing (DMZ) vs internal (Inside) vs untrusted (Outside).

The 3-tier vertical:

Tier 1 (Web)         Tier 2 (App)         Tier 3 (DB)
│ Public-facing │ → │ Business logic │ → │ Data store │
   exposed              less exposed         most protected

Designed by application architecture — request-flow direction.

Combined in production:

Most enterprise designs use both axes:

Zone (horizontal) Tiers (vertical)
Outside Customer browsers
DMZ-Web Web servers (tier 1)
Inside-App App servers (tier 2)
Inside-DB Database servers (tier 3)
Inside-Staff Employees

A request from Outside hits Web (DMZ) → calls App (Inside-App) → queries DB (Inside-DB). Each transition crosses a firewall boundary with progressively narrower allowed traffic.

A common simplification:

This design keeps all internal hosts in one Inside zone — it doesn't model a true 3-tier app stack because that would require a web app + app server + database, more than an SMB context warrants. But the principle scales: add zones as the architecture demands.

The "blast radius" benefit (universal):

Whether horizontal (zones) or vertical (tiers), each FW boundary contains the damage of a breach to one segment. An attacker compromising the web server can only reach what the FW lets it reach — typically only the app server, on specific ports.

The cost — complexity:

Each additional zone/tier means:

  • More interfaces or VLANs to configure
  • More rules to maintain
  • More potential misconfigurations
  • More monitoring data

The right level of segmentation matches your threat budget vs management budget. SMBs use 3-4 zones; banks use 30+.

Tip: When auditing a firewall, draw the data-flow diagram first. Where does customer data enter? Where does it travel? Where does it rest? Each transition between trust levels should cross a FW boundary. Gaps are likely security holes.

Go deeper:

  • doc DMZ (computing) — Wikipedia — the trust-level segmentation principle behind this DMZ, including the single-firewall ("three-legged") model the PA-440 uses here vs. the dual-firewall design.

From Quiz: INTROL / Firewall Basics Lab (Palo Alto PA-440) | Updated: Jul 14, 2026