Are two firewalls better than one?

As a rule, No.

Firewalls aren't like barricades that an attacker has to "defeat" to proceed. You bypass a firewall by finding some path through that isn't blocked. It's not so much a matter of how many obstacles you put up but rather how many pathways through you allow. As a rule, anything you can do with two firewalls (in the same spot) you can do with one.

Now, if you're putting the firewalls in different places for different reasons, that's another story. We can't all collectively share a single firewall.


DMZ

There are both advantages and disadvantages to having two firewalls. While firewalls are not commonly exploited, they are prone to denial of service attacks.

In a topology with a single firewall serving both internal and external users (LAN and WAN), it acts as a shared resource for these two zones. Due to limited computing power, a denial of service attack on the firewall from WAN can disrupt services on the LAN.

In a topology with two firewalls, you protect internal services on the LAN from denial of service attacks on the perimeter firewall.

Of course, having two firewalls will also increase administrative complexity - you need to maintain two different firewall policies + backup and patching.

Some administrators prefer to only filter ingress traffic - this simplifies the firewall policy. The other practice is to maintain two separate rulesets with both outbound and inbound filtering. If you need an opening from LAN to WAN, you will have to implement the rule on both firewalls. The rationale behind this is that a single error will not expose the whole network, only the parts the firewall is serving directly. The same error has to be made twice.

The main disadvantage is cost and maintenance, but in my opinion the advantages outweigh these.
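The "same error has to be made twice" point above can be checked mechanically. The following is an added example (not code from the answer or from any firewall product) that evaluates a flow against a chain of first-match, default-deny rulesets and shows that an overly broad allow rule mistakenly added to the perimeter firewall does not by itself expose the LAN while the internal firewall still carries the tight ruleset. All addresses, ports and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(ruleset: List[Rule], src: str, dst: str, dport: int) -> bool:
    """First matching rule decides; no match means deny (default-deny policy)."""
    for rule in ruleset:
        if rule.matches(src, dst, dport):
            return rule.action == "allow"
    return False


def allowed_end_to_end(firewalls: List[List[Rule]], src: str, dst: str, dport: int) -> bool:
    """A flow that crosses every firewall in the chain must be permitted by each of them."""
    return all(evaluate(fw, src, dst, dport) for fw in firewalls)


# Constructed topology: WAN -> perimeter firewall -> internal firewall -> LAN 10.0.0.0/24.
# The only intended opening is HTTPS from anywhere to the web server 10.0.0.10.
INTENDED = [Rule("allow", "0.0.0.0/0", "10.0.0.10/32", 443)]

# Administrative error: someone adds an "allow anything into the LAN" rule at the
# top of the perimeter ruleset. The internal firewall is untouched.
PERIMETER_BROKEN = [Rule("allow", "0.0.0.0/0", "10.0.0.0/24", None)] + INTENDED

CHAIN_OK = [INTENDED, INTENDED]              # both firewalls correct
CHAIN_ONE_ERROR = [PERIMETER_BROKEN, INTENDED]  # error on the perimeter only
CHAIN_TWO_ERRORS = [PERIMETER_BROKEN, PERIMETER_BROKEN]  # same error repeated


def exposed_flows(chain: List[List[Rule]]) -> List[str]:
    """Return which of a few constructed probe flows from the WAN reach the LAN end to end."""
    probes = [("203.0.113.5", "10.0.0.10", 443), ("203.0.113.5", "10.0.0.20", 22)]
    return [f"{s}->{d}:{p}" for s, d, p in probes if allowed_end_to_end(chain, s, d, p)]
```

With one firewall misconfigured, `exposed_flows(CHAIN_ONE_ERROR)` still lists only the intended HTTPS flow; the SSH probe to 10.0.0.20 only gets through in `CHAIN_TWO_ERRORS`.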


Are two firewalls better than one? There are two perspectives on that. From a hacker's point of view it doesn't matter, as they look for open ports for exploitation. From a network administrator's point of view, a firewall does create a single point of failure. Using multiple firewalls can provide redundancy: if an active firewall fails, service traffic is switched to the backup firewall. Depending upon the type of firewall deployed, there must be synchronization between the two firewalls before link switchover. Furthermore, multiple firewalls can be deployed in:

  1. Active-Standby Mode (having a backup firewall in place)
  2. Load Balancing (both firewalls in active mode)

Source: White Paper, Stateful Failover Techniques

