Three-Legged Firewall


A three-legged firewall approach can be used when it is not feasible to have two physically separate firewall devices separating traffic from the different network segments. Typically, a smaller organization does not have or want a back-to-back firewall, so a single device is used instead to logically construct the same functionality that a back-to-back firewall provides. This single firewall device generally has at least three physical network interfaces, or “legs,” that are each connected to a different network: one to the public Internet, one to the perimeter network, and one to the internal network. In this scenario, the Edge Server has all network adapters connected to the same network segment. Figure 27.5 shows the logical layout of a three-legged firewall design.

Figure 27.5 Three-Legged Firewall


Firewall rules can still be used to control the flow of traffic between each segment like in a back-to-back scenario, but the primary difference here is that all traffic is run through the same physical device. Whether it is external traffic destined for the perimeter network or perimeter traffic destined for the internal network, it all flows through the same device.

The primary advantage of a three-legged firewall is that it is generally less expensive because only a single device is required. The disadvantage is that although a three-legged firewall can be used to simulate a back-to-back configuration, its rules can be more difficult to configure, manage, and troubleshoot, because every rule must name the correct pair of interfaces. It is easy to mistakenly associate a rule with the wrong source or destination interface.

Another downside compared to a back-to-back firewall design is that if an attacker compromises the firewall, access to all network segments is achieved. Instead of having to infiltrate both firewall devices, simply using one exploit grants access to all networks. That said, a three-legged firewall design is popular for small- and medium-sized businesses.
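The interface mix-up described above can be caught before a ruleset is deployed. The following is an added example (not code from the book or from any firewall product) that models the three legs as a first-match rule table and flags any allow rule that lets Internet traffic reach the internal leg directly; the interface names, ports, and the sample ruleset are constructed for illustration.

```python
"""Model a three-legged firewall ruleset and check it for interface mix-ups.

Assumed (constructed) leg names: ext0 = Internet, dmz0 = perimeter, int0 = internal.
"""
from dataclasses import dataclass
from typing import List, Optional

EXTERNAL, PERIMETER, INTERNAL = "ext0", "dmz0", "int0"
LEGS = {EXTERNAL, PERIMETER, INTERNAL}


@dataclass(frozen=True)
class Rule:
    in_if: str            # leg the traffic arrives on
    out_if: str           # leg the traffic is forwarded to
    dst_port: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def evaluate(rules: List[Rule], in_if: str, out_if: str, dst_port: int) -> str:
    """First matching rule wins; traffic between legs is denied by default."""
    for r in rules:
        if r.in_if == in_if and r.out_if == out_if and r.dst_port in (None, dst_port):
            return r.action
    return "deny"


def find_problems(rules: List[Rule]) -> List[str]:
    """Report rules that reference an unknown leg, and allow rules that let the
    Internet leg reach the internal leg without passing through the perimeter."""
    problems = []
    for i, r in enumerate(rules):
        if r.in_if not in LEGS or r.out_if not in LEGS:
            problems.append(f"rule {i}: unknown interface {r.in_if}->{r.out_if}")
        elif r.action == "allow" and r.in_if == EXTERNAL and r.out_if == INTERNAL:
            problems.append(f"rule {i}: Internet->internal allowed on port {r.dst_port}")
    return problems


# Constructed sample: an Edge-style service published on the perimeter leg,
# plus one rule where the operator typed int0 instead of dmz0 as the out leg.
SAMPLE_RULES = [
    Rule(EXTERNAL, PERIMETER, 443, "allow"),   # Internet -> perimeter service
    Rule(PERIMETER, INTERNAL, 8443, "allow"),  # perimeter -> internal back end
    Rule(EXTERNAL, INTERNAL, 443, "allow"),    # mistake: bypasses the perimeter leg
]

if __name__ == "__main__":
    for p in find_problems(SAMPLE_RULES):
        print(p)
```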
