Re: [fw-wiz] Network design change



shadow floating wrote:
> Hi All,
> My company has two sites in 2 different locations that are
> connected via a high speed link at the core layer (I've attached a
> link to the diagram:
> http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
> explanation).
> In each site I have 1 DMZ. The network team wants to connect the DMZ
> switches in both sites for better performance and "security" - the
> link under investigation is shown in red in the picture - via a high
> speed link without passing at all by the core network layer, as they
> say that will aid more in the replication between server A and backup
> server A in the DMZs and also this will help if any of the 2 firewalls
> had a failure to access both DMZs from any firewall.
> Is that better from a security point of view?
If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect the DMZ switches directly, and if someone can get access
to your DMZ, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

Do the DMZs share the same network addresses?

If not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow traffic between the DMZs.

Performance can also be an issue, so it basically depends on the
replication traffic.

If you can replicate when there is less traffic, the existing firewalls
can be enough. If you can't, it's perhaps time to upgrade the firewalls.


> Appreciating your great help and advice.
> Thanks a lot
>
> Regards,
> Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
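
The trade-off discussed in the reply above can be checked on a small model of the two sites. This is an added example, not part of the thread: the node names and link list are constructed from the description in the post, not taken from the poster's diagram.

```python
from collections import deque

# Constructed topology; all node names are hypothetical labels.
BASE_LINKS = [
    ("server_A", "dmz_sw_1"), ("dmz_sw_1", "fw_1"), ("fw_1", "core_1"),
    ("core_1", "core_2"), ("core_2", "fw_2"),
    ("fw_2", "dmz_sw_2"), ("dmz_sw_2", "backup_A"),
]
FIREWALLS = {"fw_1", "fw_2"}
CORE = {"core_1", "core_2"}
DESIGNS = {
    "current": [],
    "switch_to_switch": [("dmz_sw_1", "dmz_sw_2")],      # the red link
    "firewall_to_firewall": [("fw_1", "fw_2")],          # the reply's proposal
}

def neighbours(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def shortest_path(links, src, dst, blocked=frozenset()):
    """BFS shortest path that never enters a node in `blocked`; None if none."""
    adj = neighbours(links)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev and nxt not in blocked:
                prev[nxt] = node
                queue.append(nxt)
    return None

def assess(design):
    """A path that avoids every firewall means no filtering between the DMZs."""
    links = BASE_LINKS + DESIGNS[design]
    path = shortest_path(links, "server_A", "backup_A")
    unfiltered = shortest_path(links, "server_A", "backup_A", FIREWALLS)
    return {"replication_path": path,
            "uses_core": bool(CORE & set(path)),
            "unfiltered_path_exists": unfiltered is not None}
```

Both added links take replication off the core, but only the switch-to-switch link creates a DMZ-to-DMZ path that crosses no firewall.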

