Re: [fw-wiz] Network design change



shadow floating wrote:
Hi All,
My company has two sites in 2 different locations that are
connected via a high speed link at the core layer (I've attached a
link to the diagram:
http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
explanation).
In each site I have 1 DMZ. The network team wants to connect the DMZ
switches in both sites for better performance and "security" - the
link under investigation is shown in red in the picture - via a high
speed link without passing through the core network layer at all, as they
say that will aid more in the replication between server A and backup
server A in the DMZs, and also this will help, if any of the 2 firewalls
had a failure, to access both DMZs from any firewall.
Is that better from a security point of view?
If it's possible, I'd rather use a link between both firewalls
to connect the DMZs.

If you connect the DMZ switches directly, and if someone can get access
to your DMZ, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

Do the DMZs share the same network addresses?

If not, just use an unused interface on each firewall, connect both via a
link, then create some routes to allow traffic between the DMZs.

Performance can also be an issue, so it depends on the replication
traffic basically.

If you can replicate when there is less traffic, the existing firewall
can be enough. If you can't, it's perhaps time to upgrade the firewalls.


Appreciating your great help and advice,
thanks a lot

Regards,
Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
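To make the point of the reply above concrete, here is a small Python model of the two interconnect options it contrasts. This is an added example, not code or configuration from the thread or from either poster; the DMZ prefixes, host addresses, replication port and rule sets are constructed assumptions. It evaluates constructed flows against each design with first-match semantics and also checks the responder's prerequisite that the two DMZs use distinct prefixes, which routing between them through the firewalls requires.

```python
"""Model of the two DMZ interconnect options discussed in the thread.

Constructed example: all addresses, ports and rules below are assumptions,
not taken from the original design or the diagram.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed (constructed) addressing for the two sites' DMZs.
DMZ_SITE_A = ipaddress.ip_network("10.1.10.0/24")
DMZ_SITE_B = ipaddress.ip_network("10.2.10.0/24")
SERVER_A = ipaddress.ip_address("10.1.10.20")         # primary server in DMZ A
BACKUP_SERVER_A = ipaddress.ip_address("10.2.10.20")  # its replica in DMZ B
REPLICATION_PORT = 3306                               # assumed replication port


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def evaluate(rules, flow, default="deny"):
    """First-match evaluation, as most firewalls do, with an implicit default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


def dmz_prefixes_distinct(a, b):
    """Routing between the DMZs via the firewalls needs non-overlapping prefixes."""
    return not a.overlaps(b)


# Option 1: DMZ switches cabled together directly. There is no policy
# enforcement point on that path, so any host in one DMZ reaches any host
# in the other. Modelled as an any/any allow between the two prefixes.
DIRECT_LINK = [
    Rule(DMZ_SITE_A, DMZ_SITE_B, "any", None, "allow"),
    Rule(DMZ_SITE_B, DMZ_SITE_A, "any", None, "allow"),
]

# Option 2: a dedicated link between a spare interface on each firewall,
# a route for the remote DMZ prefix, and a policy that permits only the
# replication traffic between the two DMZs.
FIREWALL_LINK = [
    Rule(ipaddress.ip_network(str(SERVER_A)), ipaddress.ip_network(str(BACKUP_SERVER_A)),
         "tcp", REPLICATION_PORT, "allow"),
    Rule(DMZ_SITE_A, DMZ_SITE_B, "any", None, "deny"),
    Rule(DMZ_SITE_B, DMZ_SITE_A, "any", None, "deny"),
]

# Constructed sample flows: the legitimate replication, and a lateral
# connection from some other DMZ A host that should not cross to DMZ B.
REPLICATION = Flow(SERVER_A, BACKUP_SERVER_A, "tcp", REPLICATION_PORT)
LATERAL = Flow(ipaddress.ip_address("10.1.10.50"), BACKUP_SERVER_A, "tcp", 22)


def compare_designs():
    """Verdict for each sample flow under each interconnect option."""
    return {
        "direct": {"replication": evaluate(DIRECT_LINK, REPLICATION),
                   "lateral": evaluate(DIRECT_LINK, LATERAL)},
        "firewall": {"replication": evaluate(FIREWALL_LINK, REPLICATION),
                     "lateral": evaluate(FIREWALL_LINK, LATERAL)},
    }


if __name__ == "__main__":
    print("distinct DMZ prefixes:", dmz_prefixes_distinct(DMZ_SITE_A, DMZ_SITE_B))
    for design, verdicts in compare_designs().items():
        print(design, verdicts)
```

Both designs carry the replication flow; only the firewall-mediated link stops the lateral flow, which is the filtering the reply says the direct switch link gives up. The prefix check is where the "same network addresses" question bites: overlapping DMZ prefixes cannot be routed across the firewall link without readdressing or NAT.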




