Patrick,

First, I'm generally not a fan of the interface-to-interface design for
firewalls for one simple reason: IDS.  If you wanted to deploy any kind of
IDS, and I highly recommend that you do, you would not be able to place a
sensor between the Internet and Intranet firewalls.  Switches are cheap and
add no amount of latency that will be noticeable.  I wouldn't do it this way.

As to the second question, it's best to keep servers on protected DMZs.  I
would place the servers in question on the Internet firewall's DMZ for
consistency and simplicity of design.

HTH,
Kent
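To make the two recommendations above concrete, here is a PIX 6.x configuration for the Internet firewall in the design Kent describes: the public servers sit on a dedicated DMZ interface of the Internet PIX, and the Internet PIX's inside interface reaches the Intranet PIX's outside interface over a switched transit segment (where an IDS sensor can be attached to a SPAN port) rather than by a direct interface-to-interface link. This is an added example written for this thread, not configuration from either poster; all addresses (203.0.113.0/24 as the public range, 192.0.2.0/24 as the DMZ, 10.1.1.0/24 as the transit segment, 10.0.0.0/8 as the intranet side, the web server 192.0.2.10 and the database host 10.2.5.20 behind the Intranet PIX) are constructed placeholders, and the TCP/1433 rule is an assumed example of the one service the DMZ servers need from the intranet firewall's DMZ.

```cisco
: Internet PIX (constructed example, PIX 6.x syntax)
: Three interfaces: outside (Internet), inside (transit switch to the
: Intranet PIX), dmz (public servers). Security levels decide the default
: direction of trust; ACLs below narrow it further.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.0.2.1 255.255.255.0

: Default route to the ISP; everything in 10.0.0.0/8 lives behind the
: Intranet PIX, whose outside interface is 10.1.1.2 on the transit segment.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1

: Outbound PAT for intranet and DMZ hosts reaching the Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

: Publish the DMZ web server on a public address; only HTTP is allowed in.
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: Present the intranet-side networks to the DMZ untranslated so a DMZ host
: can initiate the one permitted connection toward the intranet side.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

: DMZ hosts may reach exactly one intranet-side service (the database the
: web server needs, itself on the Intranet PIX's own DMZ) and nothing else
: in 10.0.0.0/8. Anything not listed is dropped by the implicit deny, so a
: compromised DMZ host cannot browse the transit segment or the intranet.
access-list dmz_in permit tcp host 192.0.2.10 host 10.2.5.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-group dmz_in in interface dmz

logging on
logging trap informational
logging host inside 10.1.1.50
```

The point of the layout is that every path between the Internet and the intranet crosses the transit switch, so a single sensor on a SPAN port of that switch sees both the DMZ-to-intranet flow and intranet-originated traffic; with a direct interface-to-interface cable between the two PIXes there is nowhere to tap. The `dmz_in` list is what keeps a server that is reachable from the Internet from becoming a stepping stone: the Intranet PIX still applies its own rules on top, and the `logging host` (a constructed syslog collector on the transit segment) records every denied attempt from the DMZ.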

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Patrick Donlon
Sent: Wednesday, August 22, 2001 6:56 AM
To: [EMAIL PROTECTED]
Subject: PIX design question [7:16801]


We are in the middle of migrating to a new network; this includes replacing
Checkpoint firewalls with PIX. My question concerns the proposed design of
the Internet and IntrAnet PIX firewalls and in particular a connection
between the two firewalls. It has been suggested that we connect the
IntrAnet firewall's outside interface to one of the Internet firewall's DMZs.
I can see that this may reduce latency for traffic passing to the Internet
from our IntrAnet, but I'd like to hear anyone's thoughts on this one,
routing or security issues perhaps.

Another design issue which was raised was the placement of some servers on
the same outside interface of the IntrAnet firewall. These servers would
require access to one of the IntrAnet firewall's DMZs and be accessible from
another DMZ on the Internet firewall, which is in turn accessible from
the Internet. This seems a bit of a complicated design and could be a
security loophole (??). Thoughts and experiences please.

Regards,
Pat

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17255&t=16801
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]