Thanks for the comments. Just to clarify things, the inside interfaces will
be connected to 6k Cats, and the connection between the two firewalls (if it
does happen) will have a Cat 2924.

cheers


"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> Patrick,
>
> First, I'm generally not a fan of the interface-to-interface design for
> firewalls for one simple reason: IDS. If you wanted to deploy any kind of
> IDS, and I highly recommend that you do, you would not be able to place a
> sensor between the Internet and Intranet firewalls. Switches are cheap and
> add no amount of latency that will be noticeable. I wouldn't do it this
> way.
>
> As to the second question, it's best to keep servers on protected DMZs. I
> would place the servers in question on the Internet firewall's DMZ for
> consistency and simplicity of design.
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Patrick Donlon
> Sent: Wednesday, August 22, 2001 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: PIX design question [7:16801]
>
>
> We are in the middle of migrating to a new network; this includes replacing
> Checkpoint firewalls with PIX. My question concerns the proposed design of
> the Internet and IntrAnet PIX firewalls and in particular a connection
> between the two firewalls. It has been suggested that we connect the
> IntrAnet firewall's outside interface to one of the Internet firewall's DMZs.
> I can see that this may reduce latency for traffic passing to the Internet
> from our IntrAnet, but I'd like to hear anyone's thoughts on this one,
> routing or security issues perhaps.
>
> Another design issue which was raised was the placement of some servers on
> the same outside interface of the IntrAnet firewall. These servers would
> require access to one of the IntrAnet firewall's DMZs and be accessible from
> another DMZ on the Internet firewall, which in turn is accessible from
> the Internet. This seems a bit of a complicated design and could be a
> security loophole (??). Thoughts and experiences please.
>
> Regards, Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17507&t=16801
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
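The switched design the thread converges on, as an added configuration sketch that is not from the original posts: the IntrAnet PIX's outside interface and one DMZ interface of the Internet PIX share a Catalyst 2924 segment whose port is mirrored to an IDS sensor, while the servers sit on a separate, protected DMZ of the Internet PIX as Kent suggests. PIX 6.x syntax is used; interface names, security levels, addresses (RFC 5737 documentation space and private ranges) and switch port numbers are all assumptions for illustration.

```text
! ---- Internet PIX (assumed PIX 6.x, addresses are placeholders) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50        ! server DMZ (Kent's recommendation)
nameif ethernet3 dmz2 security40        ! segment shared with the IntrAnet PIX
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
! Publish one web server from dmz1; only HTTP from the Internet is allowed in
static (dmz1,outside) 203.0.113.4 192.168.10.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-group outside_in in interface outside
! IntrAnet users arrive on dmz2 (already NATed by the IntrAnet PIX); PAT them out
global (outside) 1 203.0.113.5
nat (dmz2) 1 192.168.20.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! ---- IntrAnet PIX (assumed) ----
nameif ethernet0 outside security0      ! plugs into the Cat 2924, not the Internet PIX
nameif ethernet1 inside security100     ! uplink to the 6k Cats
ip address outside 192.168.20.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 192.168.20.3
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.20.1 1

! ---- Catalyst 2924XL between the two firewalls (assumed port numbers) ----
! Mirroring one of the two firewall ports is enough: on a two-host segment
! every frame enters or leaves that port, so the sensor sees both directions.
interface FastEthernet0/1
 description Internet PIX dmz2
interface FastEthernet0/2
 description IntrAnet PIX outside
interface FastEthernet0/3
 description IDS sensor
 port monitor FastEthernet0/1
```

Nothing on the shared dmz2 segment other than the two firewalls and the sensor keeps the mirror clean and the IDS outside the trust boundary of either firewall; the servers on dmz1 are reachable from the Internet only through the explicit static/access-list pair, and the IntrAnet PIX still sees them as an untrusted lower-security network.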