not good from a security point of view.

I would prefer to connect the routers, at the internet cloud level not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the ISPs goes
down (assuming multiple ISPs and routing that can handle one link going
[2] the DMZs should be separate. The more segments you have, the better.
Connecting the 2 at switch level gives you just one DMZ. My way, the
replication connection has to go through firewalls (which might be a problem
if you have low-end firewalls), but so does the attacker (and remember that
the DMZ is there because the attacker is going to get there some day).


On Tue, Nov 10, 2009 at 8:58 PM, shadow floating

Hi All,
My company has two sites in 2 different locations that are
connected via a high speed link at the core layer ( I've attached a
link to the diagram : for ease of
In each site I have 1 DMZ; the network team wants to connect the DMZ
switches in both sites for better performance and "security" - the
link under investigation is shown in red in the picture - via a high
speed link without passing at all through the core network layer, as they
say that will aid more in the replication between server A and backup
server A in the DMZs, and also this will help, if either of the 2 firewalls
has a failure, to access both DMZs from either firewall.
Is that better from a security point of view?

Appreciating your great help and advice.
Thanks a lot.
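To make the trade-off in the two messages above concrete (the question's proposed switch-level DMZ link versus the reply's firewall-mediated path), here is an added reachability model that is not part of either post. It assumes constructed host names (serverA, backupA and two other DMZ hosts), a constructed replication port (873, rsync, as a stand-in for whatever the real replication uses), and treats each cross-site flow in the firewalled design as passing through both site firewalls, which fail closed. It computes what a host compromised in one DMZ can reach under each design, and whether replication still works, including when a firewall is down.

```python
"""Reachability model for two ways of joining the DMZs of two sites.

Constructed example; hosts, segments and ports are assumptions, not
values from the thread. ANY stands for "every port" (pure L2 adjacency).
"""
from collections import deque

ANY = "*"
REPLICATION_PORT = 873  # assumed replication protocol (rsync)

# Constructed sample: which DMZ segment each host sits on.
HOSTS = {
    "serverA": "dmz_site1",   # primary server being replicated
    "webB":    "dmz_site1",   # another exposed host in the site 1 DMZ
    "backupA": "dmz_site2",   # replication target
    "webC":    "dmz_site2",   # another exposed host in the site 2 DMZ
}

# Firewalls that every cross-site flow must traverse in the firewalled design.
CROSS_SITE_FIREWALLS = ("fw_site1", "fw_site2")


def flat_link_design():
    """The red link: DMZ switches of both sites trunked together at L2."""
    return {
        "l2_links": {frozenset({"dmz_site1", "dmz_site2"})},
        "fw_rules": [],   # nothing filters traffic between the two DMZs
    }


def firewalled_design():
    """Sites joined at the internet/core level; only an explicit rule
    lets replication cross, and it goes through both site firewalls."""
    return {
        "l2_links": set(),
        "fw_rules": [("serverA", "backupA", REPLICATION_PORT)],
    }


def reachable_from(design, src, failed_firewalls=frozenset()):
    """Return the set of (host, port) pairs that `src` can open a
    connection to. Same-segment or L2-linked hosts are reachable on
    every port; everything else needs a firewall rule, and a rule is
    unusable while any cross-site firewall is down (fail-closed)."""
    src_seg = HOSTS[src]
    fw_ok = not any(fw in failed_firewalls for fw in CROSS_SITE_FIREWALLS)
    out = set()
    for host, seg in HOSTS.items():
        if host == src:
            continue
        adjacent = seg == src_seg or frozenset({seg, src_seg}) in design["l2_links"]
        if adjacent:
            out.add((host, ANY))
        elif fw_ok:
            for rule_src, rule_dst, port in design["fw_rules"]:
                if rule_src == src and rule_dst == host:
                    out.add((host, port))
    return out


def blast_radius(design, compromised):
    """Hosts an attacker on `compromised` can talk to on arbitrary ports,
    i.e. the hosts that are effectively in the same DMZ as the foothold."""
    return {host for host, port in reachable_from(design, compromised) if port == ANY}


def replication_possible(design, failed_firewalls=frozenset()):
    """True if serverA can reach backupA on the replication port."""
    reach = reachable_from(design, "serverA", failed_firewalls)
    return any(h == "backupA" and p in (ANY, REPLICATION_PORT) for h, p in reach)


if __name__ == "__main__":
    for name, design in (("flat L2 link", flat_link_design()),
                         ("firewalled path", firewalled_design())):
        print(f"{name}:")
        print("  blast radius from webB:", sorted(blast_radius(design, "webB")))
        print("  replication ok:", replication_possible(design))
        print("  replication ok with fw_site2 down:",
              replication_possible(design, {"fw_site2"}))
```

Running it shows the reply's point as data: with the flat link a foothold on webB reaches every host in both DMZs on every port (one DMZ in practice), while the firewalled path confines it to site 1 and exposes only serverA to backupA on the replication port. It also shows the cost the reply admits and the original question raises: with a site firewall down, replication stops in the firewalled design and continues over the flat link.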

