Hi Steve,
Well, if it were ME I would probably go with your approach, with the
exception being that I would consider (if not strongly advocate) running the
end-station clients through a proxy server farm and not give them direct
Internet access, period.
I would then parcel out direct Internet access using VLANs and extended DMZs
on an as needed basis using 1 to 1 translation. Of course the primary DMZ
could (and probably should) have live Internet IP addresses. Depending on
your needs, you might not even need anything beyond the primary DMZ,
possibly moving away from NAT altogether.
BTW, I understand where your security manager is going (see Brian's
response); I think the key issue is where you want to draw the line between
security and performance. I tend to be more of a security hound, your
security manager is being more liberal and performance-minded, and you seem
to be in-between.
Just my .02...
Casey
>From: Steve Smith <[EMAIL PROTECTED]>
>Reply-To: Steve Smith <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'"[EMAIL PROTECTED]
>Subject: security
>Date: Tue, 22 Aug 2000 20:34:54 +0000
>
>Hey gang, a little OT but here it goes. I need a few "expert" opinions on a
>sore subject.
>
>If you have a big WAN, ATM DS3 connecting 6 cities, with a single internet
>access point. Our "security" manager feels that we should have public IPs
>running in our DMZ and our WAN from city to city. Then NAT/PAT into each
>location. The other way would be to have a DMZ at the internet access point,
>leave them public for web servers and such, then NAT/PAT through the
>firewall for the rest of the WAN.
>
>Any feelings?
>
>Thanks in advance.
>Steve
>
><< SteveSmith.vcf >>
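Added example (not from Casey's or Steve's posts, and not anyone's production config): what Casey's layout looks like on a single IOS border router at the Internet access point. End-station clients across the WAN can reach only the proxy farm; the proxy VLAN is the only inside network that gets PAT'd out; the primary DMZ carries live public addresses with no NAT; one host on an extended DMZ VLAN gets a 1:1 static translation. Everything specific is assumed: interface names, the RFC 1918 / RFC 5737 addresses, the proxy port (3128), the published services (HTTP/HTTPS on the DMZ server, SSH on the 1:1 host), and the IOS Firewall feature set for `ip inspect` (CBAC).

```cisco
! Assumptions: proxies listen on TCP 3128; ISP routes 203.0.113.0/24 to Serial0/0;
! IOS Firewall feature set is installed (needed for ip inspect / CBAC).
! Addresses are documentation and private ranges, not the poster's.
!
ip inspect name FW tcp
ip inspect name FW udp
!
interface Serial0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface FastEthernet0/0
 description WAN core / end-station clients (no direct Internet access)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface FastEthernet0/1
 description Proxy farm VLAN, the only inside network that is PAT'd out
 ip address 10.0.1.1 255.255.255.240
 ip nat inside
 ip access-group PROXY-IN in
!
interface FastEthernet0/2
 description Extended DMZ VLAN, hosts get 1:1 static NAT as needed
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip access-group EXTDMZ-IN in
!
interface FastEthernet0/3
 description Primary DMZ, live public addresses, no NAT
 ip address 203.0.113.1 255.255.255.192
 ip access-group DMZ-IN in
!
! PAT for the proxy farm only; 1:1 static for one extended-DMZ host
ip nat inside source list PROXY-NAT interface Serial0/0 overload
ip nat inside source static 10.0.2.10 203.0.113.100
!
ip access-list extended PROXY-NAT
 permit ip 10.0.1.0 0.0.0.15 any
!
ip access-list extended INSIDE-IN
 remark clients may only reach the proxies; everything else is dropped and logged
 permit tcp 10.0.0.0 0.255.255.255 10.0.1.0 0.0.0.15 eq 3128
 deny   ip any any log
!
ip access-list extended PROXY-IN
 remark proxies answer clients and fetch on their behalf (assumed: DNS, HTTP, HTTPS)
 permit tcp 10.0.1.0 0.0.0.15 eq 3128 10.0.0.0 0.255.255.255 established
 permit udp 10.0.1.0 0.0.0.15 any eq domain
 permit tcp 10.0.1.0 0.0.0.15 any eq www
 permit tcp 10.0.1.0 0.0.0.15 any eq 443
 deny   ip any any log
!
ip access-list extended EXTDMZ-IN
 remark the 1:1 translated host gets direct Internet access, but never into the WAN
 deny   ip host 10.0.2.10 10.0.0.0 0.255.255.255 log
 permit ip host 10.0.2.10 any
 deny   ip any any log
!
ip access-list extended DMZ-IN
 remark public servers reply to clients and resolve names; they never open sessions inward
 permit tcp 203.0.113.0 0.0.0.63 any established
 permit udp 203.0.113.0 0.0.0.63 any eq domain
 deny   ip any any log
!
ip access-list extended OUTSIDE-IN
 remark anti-spoofing first, then only the published services;
 remark return traffic for proxy and DMZ sessions is opened dynamically by CBAC
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.100 eq 22
 deny   ip any any log
```

Two things to check before trusting a layout like this. First, the inbound ACL on Serial0/0 is evaluated against the global (post-translation) addresses, so the permits name 203.0.113.10 and 203.0.113.100, not the 10.x hosts behind them; get that backwards and the 1:1 host is unreachable. Second, `established` only matches TCP segments with ACK or RST set and is no substitute for stateful inspection, which is why the example leans on CBAC for sessions crossing the Internet interface and keeps `established` only on interfaces where the router sees both directions anyway. Under the security manager's alternative (public addresses carried city to city and NAT at each site), the anti-spoofing and service ACLs above would have to be repeated at every city's edge rather than living at one choke point, which is the performance-versus-security trade Casey is pointing at.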
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]