Each server tier communicates with its peer tiers through a firewall. The purpose is to contain a compromised server so that it cannot be used as a stepping stone to the next tier. In practice there will usually be a single physical firewall (or firewall cluster) routing between all the tiers, with the tiers themselves separated by VLANs. Ideally, the only ports open on that firewall are the ones the hosted applications actually need in order to communicate. Unfortunately, many vendor representatives will not readily know which ports those are, or, in the worst case, the application negotiates and dynamically assigns port numbers at run time.
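When the vendor cannot name the ports, the usual defender's fallback is to observe the traffic that crosses the tier boundary and derive the allowlist from it. The following is an added example, not part of the original text: it takes constructed flow records (assumed to come from a collector at the VLAN boundary, already tagged with tier names; the `Flow` type, `EXPECTED_PAIRS`, and the sample data are all assumptions for this illustration), aggregates them per tier pair, proposes per-port allow rules for the tier pairs the design expects, and flags two things a static allowlist cannot express: traffic between tier pairs that should not be talking at all, and clusters of ports in the IANA dynamic range that suggest run-time port negotiation.

```python
"""Derive a per-tier-pair firewall allowlist from observed flow records.

Added example, not from the original page. Assumes each flow record is
already tagged with the source and destination tier (e.g. by mapping the
VLAN or subnet of each address to a tier name).
"""
from collections import defaultdict
from dataclasses import dataclass

EPHEMERAL_START = 49152  # IANA dynamic/private port range: 49152-65535

# Tier pairs the architecture intends to talk to each other (assumption).
EXPECTED_PAIRS = {("web", "app"), ("app", "db")}


@dataclass(frozen=True)
class Flow:
    src_tier: str
    dst_tier: str
    proto: str
    dst_port: int


# Constructed sample: a web -> app -> db stack, where one application on
# the app tier hands the client a high port at run time (RPC-style),
# plus one flow in a direction the design does not allow.
SAMPLE_FLOWS = [
    Flow("web", "app", "tcp", 8443),
    Flow("web", "app", "tcp", 8443),
    Flow("app", "db", "tcp", 1433),
    Flow("app", "db", "tcp", 1433),
    Flow("app", "db", "tcp", 1433),
    Flow("web", "app", "tcp", 135),     # endpoint mapper
    Flow("web", "app", "tcp", 49670),   # negotiated at run time
    Flow("web", "app", "tcp", 51203),   # negotiated at run time
    Flow("web", "app", "tcp", 58811),   # negotiated at run time
    Flow("db", "app", "tcp", 8443),     # reverse direction, unexpected
]


def summarize(flows):
    """Map (src_tier, dst_tier, proto) -> {dst_port: hit_count}."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        table[(f.src_tier, f.dst_tier, f.proto)][f.dst_port] += 1
    return table


def propose_rules(flows, expected_pairs=EXPECTED_PAIRS, ephemeral_threshold=2):
    """Return (rules, findings).

    rules:    list of (src_tier, dst_tier, proto, port) allow entries for
              fixed ports on tier pairs the design expects to communicate.
    findings: problems a static port allowlist cannot express: traffic
              between unexpected tier pairs, and several distinct ports in
              the ephemeral range on one pair (likely run-time negotiation).
    """
    rules, findings = [], []
    for (src, dst, proto), ports in sorted(summarize(flows).items()):
        if (src, dst) not in expected_pairs:
            findings.append(
                f"unexpected traffic {src}->{dst}/{proto} on ports {sorted(ports)}")
            continue
        fixed = sorted(p for p in ports if p < EPHEMERAL_START)
        ephemeral = sorted(p for p in ports if p >= EPHEMERAL_START)
        for p in fixed:
            rules.append((src, dst, proto, p))
        if len(ephemeral) >= ephemeral_threshold:
            findings.append(
                f"{src}->{dst}/{proto}: {len(ephemeral)} distinct ephemeral ports "
                f"{ephemeral}; application likely negotiates ports at run time, "
                "so a per-port allowlist will not cover it")
    return rules, findings


if __name__ == "__main__":
    rules, findings = propose_rules(SAMPLE_FLOWS)
    print("proposed allow rules (src -> dst proto/port):")
    for src, dst, proto, port in rules:
        print(f"  {src} -> {dst} {proto}/{port}")
    print("findings:")
    for line in findings:
        print(f"  {line}")
```

The ephemeral-port heuristic is deliberately simple: a single high destination port may be a fixed but unusual service port, while several distinct ones on the same tier pair almost always mean dynamic assignment. That finding is the cue to ask the vendor whether the application's port range can be pinned to a narrow, fixed block, or whether the firewall has a protocol-aware helper for it, rather than to open the whole dynamic range between tiers.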