Re: [fw-wiz] Network design change



not good from a security point of view.

I would prefer to connect the routers at the internet cloud level, not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] It gives me redundant internet connectivity in case one of the ISPs goes
down (assuming multiple ISPs and routing that can handle one link going
down).
[2] The DMZs should be separate; the more segments you have, the better.
Connecting the 2 at switch level gives you just one DMZ. My way, the
replication connection has to go through firewalls (which might be a problem
if you have low-end firewalls), but so does the attacker (and remember that
the DMZ is there because the attacker is going to get there some day).

sai


On Tue, Nov 10, 2009 at 8:58 PM, shadow floating
<nadengine@xxxxxxxxxxxxxx> wrote:

Hi All,
My company has two sites in 2 different locations that are
connected via a high-speed link at the core layer (I've attached a
link to the diagram,
http://img18.imageshack.us/img18/77/questionhk.jpg, for ease of
explanation).
In each site I have 1 DMZ. The network team wants to connect the DMZ
switches in both sites for better performance and "security" (the
link under investigation is shown in red in the picture) via a high-speed
link without passing through the core network layer at all, as they
say that will aid more in the replication between server A and backup
server A in the DMZs, and also this will help, if either of the 2 firewalls
has a failure, to access both DMZs from either firewall.
Is that better from a security point of view?

Appreciating your great help and advice,
thanks a lot.

Regards,
Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

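A small reachability model of the two designs in this thread, added here as an illustration and not part of either poster's message. It assumes constructed host names, a made-up replication port (3306 stands in for whatever the real replication uses) and a single firewall rule permitting server A to reach backup server A; it shows what a compromised DMZ host can reach when the two DMZs are bridged at switch level versus joined only through the firewalls.

```python
from dataclasses import dataclass
from itertools import product

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str      # source host or segment name
    dst: str      # destination host or segment name
    port: object  # TCP port number, or ANY


@dataclass
class Design:
    name: str
    hosts: dict   # host -> segment it sits in
    bridged: set  # frozenset pairs of segments joined at layer 2 (no firewall in path)
    rules: list   # firewall rules applied between segments that are not bridged

    def allowed(self, src_host, dst_host, port):
        s, d = self.hosts[src_host], self.hosts[dst_host]
        if s == d or frozenset((s, d)) in self.bridged:
            return True  # same switch domain: nothing filters the traffic
        return any(r.src in (src_host, s, ANY) and r.dst in (dst_host, d, ANY)
                   and r.port in (port, ANY) for r in self.rules)


def exposure(design, attacker, ports):
    """(host, port) pairs outside the attacker's own segment it can reach."""
    own = design.hosts[attacker]
    return {(h, p) for h, p in product(design.hosts, ports)
            if design.hosts[h] != own and design.allowed(attacker, h, p)}


# Constructed topology: two hosts per DMZ, one firewalled replication flow.
HOSTS = {"server_a": "dmz_a", "web_a": "dmz_a",
         "backup_a": "dmz_b", "mail_b": "dmz_b"}
PORTS = (22, 443, 3306)  # 3306 is a stand-in for the replication port
REPL = [Rule("server_a", "backup_a", 3306)]

switched = Design("DMZs bridged at switch level", HOSTS,
                  {frozenset(("dmz_a", "dmz_b"))}, REPL)
firewalled = Design("separate DMZs, replication through firewalls", HOSTS,
                    set(), REPL)

if __name__ == "__main__":
    for design in (switched, firewalled):
        print(design.name, "- web_a can reach:", sorted(exposure(design, "web_a", PORTS)))
```

With the bridged design a foothold on web_a reaches every host and port in the other DMZ; with separate DMZs it reaches nothing, and even server_a is limited to the single replication flow the firewall permits.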

