
Three-Tier Firewall Network Design and Security Rules CSNT304

Added on: 2025-04-26 06:58:26
Order Code: LD527586
Subject Code: CSNT304

  1. Network Layout

Internet → FW1 → Web DMZ → FW2 → App DMZ → FW3 → Internal LAN

  • FW1 sits between the Internet and your web server DMZ.
  • FW2 sits between the web DMZ and the app server DMZ.
  • FW3 sits between the app DMZ and your internal database network.
  2. IP Addresses
  • FW1
    • Outside (to ISP): let's say 203.0.113.10/24
    • Inside (to Web DMZ): 192.168.0.1/24
  • Web Server
    • 192.168.0.10/24, gateway 192.168.0.1
  • FW2
    • Web side: 192.168.0.2/24
    • App side: 192.168.1.1/24
  • App Server
    • 192.168.1.10/24, gateway 192.168.1.1
  • FW3
    • App side: 192.168.1.2/24
    • Internal side: 10.0.0.1/24
  • Database Server
    • 10.0.0.10/24, gateway 10.0.0.1
  3. Simple Firewall Rules
  • FW1 (Internet → Web)
    • Allow HTTP/HTTPS from anywhere to 192.168.0.10
    • Deny everything else headed for 192.168.0.0/24
  • FW2 (Web → App)
    • Allow TCP 8080 from 192.168.0.10 to 192.168.1.10
    • Deny all other traffic between those two subnets
  • FW3 (App → Internal)
    • Allow TCP 1433 (SQL) from 192.168.1.10 to 10.0.0.10
    • Deny all other traffic between those subnets
  4. Ping Test in Packet Tracer
  1. Hook up a PC to the Internet side (through a simulated ISP router).
  2. Give that PC a gateway pointing to the ISP router, and have the router point 192.168.0.0/24 at FW1's 203.0.113.10.
  3. Switch Packet Tracer into Simulation mode.
  4. From the Internet PC, run:
     ping 203.0.113.10

5. P

Pros

  1. Defense-in-Depth:
    With three firewalls arranged in series, an attacker who compromises your web server still faces FW2 before reaching the app server, and then FW3 before the database. This layered approach forces multiple breaches rather than a single point of failure. It also lets you apply tailored inspection and logging at each boundary, making it easier to detect lateral movement.
  2. Granular Access Control and Auditing:
    Each firewall only permits exactly the ports and protocols needed for its tier (HTTP/HTTPS on FW1, app-specific ports on FW2, database ports on FW3) and blocks everything else. This minimizes the exposed attack surface, simplifies rule-set reviews, and generates clear, tier-specific logs you can use for compliance and forensic analysis.

Cons

  1. Higher Cost and Operational Overhead:
    Deploying and maintaining three firewalls (whether physical appliances or virtual instances) requires additional hardware, software licenses, firmware updates, and configuration management. Your team must stay on top of three separate rule-sets, monitor more logs, and ensure consistent patching.
  2. Performance Impact and Complexity:
    Every packet traverses three inspection points, which can introduce noticeable latency, especially under heavy load or if you enable CPU-intensive features like deep packet inspection or VPN encryption. Troubleshooting can also become more complex, as you must trace traffic flows and rule interactions across multiple devices rather than a single firewall.
  • Uploaded By : Nivesh
  • Posted on : April 26th, 2025
