What's a high-security architecture (Hoch-Sicherheit) with two firewalls back-to-back, and why is it more secure?
Two firewalls in series — one between Internet and DMZ, another between DMZ and Intranet — give defense in depth. An attacker must compromise both firewalls to reach the Intranet, and using different vendors ensures a single vulnerability doesn't take down both layers.
* Dual-firewall screened subnet, different vendors per layer. *
* Dual-firewall (screened-subnet) DMZ for defense in depth. — Pbroks13, Public domain, via Wikimedia Commons. *
The architecture:
[Internet] ──→ [FW₁ outer] ──→ [DMZ: Web + Email]
↓
[FW₂ inner] ──→ [Intranet]
Why this beats a single multi-leg firewall:
| Aspect | Single FW | Two FWs |
|---|---|---|
| Single point of failure | Yes (if FW compromised, all rules bypassed) | No (need to compromise both) |
| Vendor diversity | All eggs one basket | Use different vendors → different attack surfaces |
| Misconfiguration risk | One mistake exposes everything | Two configs must both be wrong |
| Cost | Lower | ~2x hardware + management |
The "different vendors" practice:
| Outer FW | Inner FW | Logic |
|---|---|---|
| Palo Alto | Fortinet | A Palo zero-day doesn't help against the Fortinet |
| Cisco ASA | Check Point | Different code bases, different exploit researchers |
| Open-source (pfSense) | Commercial (e.g., FortiGate) | Different security models entirely |
Where this is used:
| Environment | Justification |
|---|---|
| Banks | Regulatory requirements (FINMA, BaFin) often mandate dual-firewall DMZ |
| Government | Classification levels need physical and logical separation |
| Healthcare (HIPAA) | Strict patient-data isolation requirements |
| Critical infrastructure | NIS2, KRITIS regulations in EU |
The cost / benefit reality:
For most companies, two firewalls is overkill. As of the 2026 source window, the most common breach vector is phishing — the attacker tricks a user into running malware, which then "phones home" through allowed outbound channels. Both firewalls happily allow that traffic.
Two FWs prevent direct external attacks, which are now a smaller share of breaches. They don't prevent assumed-breach scenarios.
Tip: Modern thinking shifts focus from perimeter defense (more FWs) to assumed breach (segmentation + EDR + identity controls). A single well-tuned FW + strong endpoint security often beats two FWs + weak endpoint security.
Go deeper:
Network segmentation (Wikipedia) — the blast-radius / defense-in-depth rationale behind layering two enforcement points.