Inline firewalls vs. Inline firewalls "spaced out"

From: Bartel, Matt (Matt.Bartel@qg.com)
Date: 07/20/01
Message-ID: <FDFB62A695DDD411ACD7000102CCA0306F17DA@sxexch1.qgraph.com>
From: "Bartel, Matt" <Matt.Bartel@qg.com>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Subject: Inline firewalls vs. Inline firewalls "spaced out"
Date: Fri, 20 Jul 2001 08:34:22 -0500
Hello.

After reviewing the long discussion on suggestions for the best way to
network webservers, db servers and an internal network, I have a question:

Many people suggested the following setup (perhaps with slight variations):

Internet <-> Firewall1 <-> Web DMZ <-> Firewall2 <-> DB DMZ <-> Firewall3 <-> Internal Network

Why wouldn't you just do the following?

Internet <-> Firewall1 from Vendor A <-> Firewall2 from Vendor B <-> Firewall3 from Vendor C, just to be psycho <-> Web DMZ, DB DMZ and Internal Network

Most people stated the reason for using two FWs was in the hope that if one
of the FWs is exploited, the other (or the other two) will not fall
prey to the same attack. This setup, with two FWs "inline", provides even
greater security to your web boxes than the first design. Granted, it will
slow your website since all requests must now run through two FWs (or
three). If security was this large of an issue, though, you would probably
go for the much enhanced security over the added marginal delay, no?

You could, in this instance, let the webserver(s) and db server(s) talk
freely, since you are screwed if someone gets back there anyway.

What does everyone think?
-Matt
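The two designs in the post differ in what stands between a given foothold and each zone, so they are easy to compare as small graphs. The following is an added example (not from the original message or its author): it encodes both topologies with the zone and firewall names used above, then reports which firewalls lie on the shortest path from a chosen starting point to each zone. An empty list means the two segments are directly connected with no firewall in between. The adjacency tables are constructed here from the post's two chains; the "inline" variant places the web, DB and internal hosts on one flat segment, as the post proposes letting them talk freely.

```python
"""Firewall-boundary model for the two topologies discussed in the post.

Added illustration, not part of the original message. For each design the
model answers: starting from a given foothold, which firewalls sit between
it and each zone? Zones reachable with no firewall in the path share a
segment with the foothold.
"""
from collections import deque

# "Spaced out" design: one firewall between each pair of adjacent zones.
# (Constructed from the first chain in the post.)
SPACED_OUT = {
    "Internet":  ["Firewall1"],
    "Firewall1": ["Internet", "Web DMZ"],
    "Web DMZ":   ["Firewall1", "Firewall2"],
    "Firewall2": ["Web DMZ", "DB DMZ"],
    "DB DMZ":    ["Firewall2", "Firewall3"],
    "Firewall3": ["DB DMZ", "Internal"],
    "Internal":  ["Firewall3"],
}

# "Inline" design: three firewalls in series, then one flat segment holding
# the web, DB and internal hosts. (Constructed from the second chain.)
INLINE = {
    "Internet":  ["Firewall1"],
    "Firewall1": ["Internet", "Firewall2"],
    "Firewall2": ["Firewall1", "Firewall3"],
    "Firewall3": ["Firewall2", "Web DMZ", "DB DMZ", "Internal"],
    "Web DMZ":   ["Firewall3", "DB DMZ", "Internal"],
    "DB DMZ":    ["Firewall3", "Web DMZ", "Internal"],
    "Internal":  ["Firewall3", "Web DMZ", "DB DMZ"],
}

ZONES = ["Web DMZ", "DB DMZ", "Internal"]


def firewalls_between(topology, source, target):
    """Return the firewalls on the shortest path from source to target,
    in traversal order. Empty list: directly connected. None: unreachable."""
    if source == target:
        return []
    parents = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt in topology[node]:
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    if target not in parents:
        return None
    # Walk back from target to source, then keep only the firewall hops.
    path = []
    node = target
    while node is not None:
        path.append(node)
        node = parents[node]
    path.reverse()
    return [n for n in path if n.startswith("Firewall")]


def exposure_report(topology, foothold):
    """Map each zone (other than the foothold) to the firewalls guarding it."""
    return {z: firewalls_between(topology, foothold, z)
            for z in ZONES if z != foothold}


if __name__ == "__main__":
    for name, topo in (("spaced out", SPACED_OUT), ("inline", INLINE)):
        for foothold in ("Internet", "Web DMZ"):
            print(f"[{name}] from {foothold}:")
            for zone, fws in exposure_report(topo, foothold).items():
                guard = " -> ".join(fws) if fws else "(same segment)"
                print(f"    {zone:9s} {guard}")
```

Running it with the foothold set to "Internet" shows the inline design requiring all three firewalls before any zone is reached, while the spaced-out design requires only Firewall1 to reach the Web DMZ. Setting the foothold to "Web DMZ" (the position an attacker holds after a web application compromise, which passes through the firewalls as ordinary HTTP) shows the difference in blast radius: two firewalls still separate the Web DMZ from the internal network in the spaced-out design, and none in the inline one.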