I am currently setting up a dual firewall configuration with a DMZ. I'm putting most of my security tools, such as Suricata, pfBlockerNG, and ntopng, on the frontend (FW1), while the backend (FW2) also has most of these tools installed. Should they be left there or removed? I will be installing other tools for the internal network, but it doesn't quite make sense to have dual IDS/IPS and IP blocking configurations on the backend if they already exist on the frontend.
If a flow would only go through the backend (FW2), I think it is important to have them there.
The frontend (FW1) will be handling multiple public IPs and the DMZ. The backend will just be handling all internal networks. So the flow would be through both, and the backend (FW2) WAN will have the frontend (FW1) private IP from its LAN.
If you want to inspect east/west traffic that goes through FW2, then I would run security services on it similar to FW1.
Yeah, after doing some reading and thinking about it, I would tend to agree with that.
That's the beauty of Tom's forum: we get to learn much from each other.