Guidelines on Securing Public Web Servers
Figure 8.2: Two Firewall DMZ
This two-firewall DMZ offers superior protection over a router-based DMZ, since the dedicated
firewalls can have a more complex and powerful security rule set. In addition, a dedicated
firewall is often able to analyze incoming and outgoing HTTP traffic, so it can detect and protect
against application-layer attacks aimed at the Web server. Depending on the configuration of
the firewalls and the level of traffic the DMZ receives, this type of DMZ may result in some
performance issues.
For organizations that desire the security of the two-firewall DMZ but do not have the
resources to purchase two firewalls, there exists another option called the service leg DMZ.
In this configuration, a firewall is constructed with three (or more) network interfaces. One
network interface attaches to the border router, another attaches to the internal
network, and a third connects to the DMZ (see Figure 8.3).
Figure 8.3: Three Interface Firewall DMZ
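The "more complex and powerful security rule set" that distinguishes a firewall-based DMZ from a router ACL is easiest to see written out as a zone policy. The following is an added illustration, not code or configuration from the guideline: it models the three-interface (service leg) firewall as three zones (external, internal, DMZ) and evaluates sample packets against an ordered, default-deny rule list. The interface names, the 192.0.2.0/24 and 10.0.0.0/8 address ranges, the web server address, and the specific allowed ports are constructed assumptions; the point it demonstrates is that the DMZ host is reachable from outside only on its service ports, is manageable only from inside, and is never allowed to initiate connections inward or outward.

```python
"""Zone-based policy model for a three-interface ("service leg") DMZ firewall.

Added illustration only; not code from NIST SP 800-44. Interface names, address
ranges, hosts and the allow rules are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Which zone each firewall interface faces (assumed names).
INTERFACE_ZONE = {"eth0": "external", "eth1": "internal", "eth2": "dmz"}

# Address ranges that define the two inside zones; anything else is external.
ZONE_NET = {
    "internal": ip_network("10.0.0.0/8"),   # constructed
    "dmz": ip_network("192.0.2.0/24"),      # constructed (documentation range)
}
WEB_SERVER = "192.0.2.10"                   # constructed DMZ web server


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dports: frozenset          # empty set means any destination port
    dst_host: Optional[str] = None
    action: str = "allow"


# Ordered list, first match wins; anything unmatched hits the default deny.
RULES: List[Rule] = [
    # The public reaches only the web server, and only on HTTP/HTTPS.
    Rule("external", "dmz", "tcp", frozenset({80, 443}), dst_host=WEB_SERVER),
    # Administrators on the internal network manage the web server over SSH (assumed).
    Rule("internal", "dmz", "tcp", frozenset({22}), dst_host=WEB_SERVER),
    # Internal users browse the site the same way the public does.
    Rule("internal", "dmz", "tcp", frozenset({80, 443}), dst_host=WEB_SERVER),
    # The DMZ never initiates connections inward: a compromised web server
    # must not become a path into the internal network.
    Rule("dmz", "internal", "any", frozenset(), action="deny"),
    # Nor outward: the web server has no need to open outbound sessions.
    Rule("dmz", "external", "any", frozenset(), action="deny"),
]


def zone_of_address(ip: str) -> str:
    """Map an address to the zone whose range contains it, else 'external'."""
    addr = ip_address(ip)
    for zone, net in ZONE_NET.items():
        if addr in net:
            return zone
    return "external"


def evaluate(in_iface: str, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a new connection arriving on in_iface."""
    src_zone = INTERFACE_ZONE[in_iface]
    # Anti-spoofing: a packet arriving on the outside interface must not carry
    # an internal or DMZ source address (and vice versa).
    if zone_of_address(src) != src_zone:
        return ("deny", f"spoofed source {src} on {in_iface}")
    dst_zone = zone_of_address(dst)
    for rule in RULES:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        if rule.dst_host and rule.dst_host != dst:
            continue
        ports = sorted(rule.dports) if rule.dports else "any"
        return (rule.action, f"rule {rule.src_zone}->{rule.dst_zone} {rule.proto} {ports}")
    return ("deny", "default deny")


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, src, dst, proto, dport).
    samples = [
        ("eth0", "203.0.113.5", WEB_SERVER, "tcp", 443),   # public HTTPS: allow
        ("eth0", "203.0.113.5", WEB_SERVER, "tcp", 22),    # public SSH: deny
        ("eth1", "10.1.2.3", WEB_SERVER, "tcp", 22),       # admin SSH: allow
        ("eth2", WEB_SERVER, "10.0.0.5", "tcp", 445),      # DMZ -> internal: deny
        ("eth2", WEB_SERVER, "198.51.100.7", "tcp", 80),   # DMZ -> Internet: deny
        ("eth0", "10.0.0.5", WEB_SERVER, "tcp", 80),       # spoofed internal src: deny
    ]
    for pkt in samples:
        action, reason = evaluate(*pkt)
        print(f"{pkt[0]} {pkt[1]} -> {pkt[2]} {pkt[3]}/{pkt[4]}: {action} ({reason})")
```

The model is deliberately stateless; a real dedicated firewall would additionally track connection state so that replies to the allowed inbound HTTP sessions pass without a separate "dmz to external" allow rule, which is exactly why the outbound deny rules above can be so strict.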
This configuration subjects the firewall to an increased risk of service degradation during a
DoS attack aimed at the Web server. In a standard DMZ network configuration (discussed
above), a DoS attack against the Web server will generally affect only the Web server. In a
66