Re: [fw-wiz] Network design change

shadow floating wrote:
> Hi All,
> My company has two sites in 2 different locations that are
> connected via high speed link at the core layer ( I've attached a
> link to the diagram : for ease of
> in each site I've 1 DMZ , the network team wants to connect the DMZ
> switches in both sites for better performance and "security" - the
> link under investigation is shown in red in the picture - via high
> speed link without passing at all by the core network layer, as they
> say that will aid more in the replication between server A and backup
> server A in the DMZs and also this will help if any of the 2 firewalls
> had a failure, to access both DMZs from any firewall.
> Is that better from a security point of view?
If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect the DMZ switches directly, and someone gets access
to your DMZ, they will get access to the other one as well, as there won't
be any filtering between the DMZs.

Do the DMZs share the same network addresses?

If not, just use an unused interface on each firewall, connect both via a
link, then create some routes to allow traffic between the DMZs.

Performance can also be an issue; it basically depends on the replication
traffic.

If you can replicate when there is less traffic, the existing firewall
can be enough. If you can't, it's perhaps time to upgrade the firewalls.

> appreciating your great help and advice
> thanks a lot
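One way to implement the suggestion above (a dedicated link between the two firewalls instead of a direct switch-to-switch link), as an added example that is not part of the original thread: an nftables ruleset for the site-1 firewall that lets only the server A to backup server A replication flow cross the link and drops and logs everything else. Interface names, addresses, the replication port and the next-hop address are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Site-1 firewall. All names and addresses below are assumed placeholders:
#   eth1 = site-1 DMZ interface (10.1.10.0/24)
#   eth2 = dedicated link to the site-2 firewall (10.255.0.0/30, peer 10.255.0.2)
#   10.1.10.5 = server A        10.2.10.5 = backup server A (site-2 DMZ)
#   replication assumed to be TCP/5432; replace with the real protocol/port.
# Route for the remote DMZ, added outside this file:
#   ip route add 10.2.10.0/24 via 10.255.0.2 dev eth2
# The site-2 firewall carries the mirror image of this policy.

table inet dmz_link {
    chain forward {
        # policy accept: traffic between core and DMZ is governed by the
        # existing firewall policy; only link traffic is handled here
        type filter hook forward priority 0; policy accept;
        iifname "eth1" oifname "eth2" jump dmz1_to_link
        iifname "eth2" oifname "eth1" jump link_to_dmz1
    }

    chain dmz1_to_link {
        # Replies to already permitted sessions; drop malformed state
        ct state established,related accept
        ct state invalid drop
        # The only new flow allowed toward the other DMZ: A -> backup A
        ip saddr 10.1.10.5 ip daddr 10.2.10.5 tcp dport 5432 ct state new accept
        log prefix "dmz-link deny out: " drop
    }

    chain link_to_dmz1 {
        # Replication is initiated from site 1, so nothing new comes back in;
        # a compromise of DMZ 2 therefore stops at this firewall
        ct state established,related accept
        ct state invalid drop
        log prefix "dmz-link deny in: " drop
    }
}
```

The failover case from the question (reaching both DMZs from either firewall when one fails) has to be added as explicit rules here rather than appearing for free, which is exactly the filtering a direct switch link would not give you.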

firewall-wizards mailing list