Enterprise networks often deploy a multi-tier firewall topology, also called a sandwich design. Instead of dedicating interfaces to different subnets, separate firewalls can be dedicated to server roles. In such a design, applications are grouped by role and sandwiched between firewalls, and a dedicated firewall moderates communication between adjacent subnets according to the application's architecture and security policy. The basic idea behind this architecture is to dedicate firewalls to roles, which keeps management simple, and to choose appropriately sized hardware for the amount of traffic expected on the different application segments:
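As an added example (not part of the original text), the following Python audits the allow rules of a three-firewall sandwich and flags any rule that lets traffic skip a tier or that sits on a firewall other than the one between its two tiers. The tier names, subnets, firewall names and rules are all constructed for illustration.

```python
import ipaddress

# Constructed topology: tiers ordered outside-in, one firewall per adjacent pair.
ORDER = ["outside", "web", "app", "db"]
SUBNETS = {"web": "10.10.1.0/24", "app": "10.10.2.0/24", "db": "10.10.3.0/24"}
FIREWALLS = {"fw-edge": ("outside", "web"),
             "fw-mid": ("web", "app"),
             "fw-core": ("app", "db")}

# Constructed allow rules: (firewall, source CIDR, destination CIDR, port).
RULES = [
    ("fw-edge", "0.0.0.0/0", "10.10.1.0/24", 443),      # outside -> web
    ("fw-mid", "10.10.1.0/24", "10.10.2.10/32", 8443),  # web -> app
    ("fw-core", "10.10.2.0/24", "10.10.3.5/32", 5432),  # app -> db
    ("fw-core", "10.10.1.0/24", "10.10.3.5/32", 5432),  # web -> db, bypasses app
    ("fw-mid", "10.10.0.0/16", "10.10.2.0/24", 22),     # source spans several tiers
    ("fw-edge", "10.10.2.0/24", "10.10.3.0/24", 5432),  # adjacent, wrong firewall
]

def tier_of(cidr):
    """Return the tier whose subnet fully contains cidr. Anything broader or
    unknown is treated conservatively as 'outside' (an assumption of this audit)."""
    net = ipaddress.ip_network(cidr)
    for name, subnet in SUBNETS.items():
        if net.subnet_of(ipaddress.ip_network(subnet)):
            return name
    return "outside"

def audit(rules):
    """Return (rule, reason) for every allow rule that breaks the sandwich."""
    findings = []
    for rule in rules:
        fw, src, dst, _port = rule
        s, d = tier_of(src), tier_of(dst)
        gap = abs(ORDER.index(s) - ORDER.index(d))
        if gap > 1:
            # Traffic would jump over at least one intermediate tier.
            findings.append((rule, f"tier skip: {s} -> {d}"))
        elif {s, d} != set(FIREWALLS[fw]):
            # Same-tier traffic, or adjacent tiers configured on another firewall.
            findings.append((rule, f"{s} -> {d} does not belong on {fw}"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(rule, "=>", reason)
```
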