LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's a high-security architecture (Hoch-Sicherheit) with two firewalls back-to-back, and why is it more secure?

Two firewalls in series — one between Internet and DMZ, another between DMZ and Intranet — give defense in depth. An attacker must compromise both firewalls to reach the Intranet, and using different vendors ensures a single vulnerability doesn't take down both layers.

Screened subnet: Internet → FW1 (vendor A) → DMZ → FW2 (vendor B) → Intranet.

* Dual-firewall screened subnet, different vendors per layer. *

Two firewalls in series: an outer firewall facing the Internet, a DMZ in the middle, an inner firewall protecting the LAN.

* Dual-firewall (screened-subnet) DMZ for defense in depth. — Pbroks13, Public domain, via Wikimedia Commons. *

The architecture:

[Internet] ──→ [FW₁ outer] ──→ [DMZ: Web + Email] 
                                     ↓
                                  [FW₂ inner] ──→ [Intranet]

Why this beats a single multi-leg firewall:

Aspect Single FW Two FWs
Single point of failure Yes (if FW compromised, all rules bypassed) No (need to compromise both)
Vendor diversity All eggs one basket Use different vendors → different attack surfaces
Misconfiguration risk One mistake exposes everything Two configs must both be wrong
Cost Lower ~2x hardware + management

The "different vendors" practice:

Outer FW Inner FW Logic
Palo Alto Fortinet A Palo zero-day doesn't help against the Fortinet
Cisco ASA Check Point Different code bases, different exploit researchers
Open-source (pfSense) Commercial (e.g., FortiGate) Different security models entirely

Where this is used:

Environment Justification
Banks Regulatory requirements (FINMA, BaFin) often mandate dual-firewall DMZ
Government Classification levels need physical and logical separation
Healthcare (HIPAA) Strict patient-data isolation requirements
Critical infrastructure NIS2, KRITIS regulations in EU

The cost / benefit reality:

For most companies, two firewalls is overkill. As of the 2026 source window, the most common breach vector is phishing — the attacker tricks a user into running malware, which then "phones home" through allowed outbound channels. Both firewalls happily allow that traffic.

Two FWs prevent direct external attacks, which are now a smaller share of breaches. They don't prevent assumed-breach scenarios.

Tip: Modern thinking shifts focus from perimeter defense (more FWs) to assumed breach (segmentation + EDR + identity controls). A single well-tuned FW + strong endpoint security often beats two FWs + weak endpoint security.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026