You don't say what kind of firewall you have, but
in general, no, you don't have to have them on
separate broadcast domains. You do open
another possible avenue of attack for your
DMZ machines, though.
If address space is the concern, in similar situations
I've done address translation or reverse proxy to
get the requests onto my DMZ net from the "outside" address
space.
Ryan
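The addressing question in the thread, worked through as an added example (this is not part of Ryan's reply or Chris's posting): a small Python script that checks whether a plan puts the firewall's Internet leg and DMZ leg in one IP subnet, then builds the two alternatives the reply names, a longer subnet mask and address translation. The addresses are the sample values from the question; the leg names, the function names and the 10.0.0.0/24 private block are assumptions of the example, and it treats a subnet shared by two legs as one broadcast domain, which is what the question is asking about.

```python
"""Addressing-plan checker for a three-legged firewall (added example, not
from the list thread).  With one /24 on both the Internet-facing and the
DMZ-facing NIC, the two legs form one broadcast domain, so the firewall is
not in the path between an outside host and a DMZ host.  The script flags
that, then shows the two alternatives mentioned in the reply: partitioning
the public block with a longer mask, or a private DMZ behind static NAT.
All addresses are the constructed sample values from the question."""
from ipaddress import ip_interface, ip_network

# Constructed plan from the question: every leg uses the same /24.
FLAT_PLAN = {
    "internet": {"fw-outside": "204.46.130.1/24"},
    "dmz": {
        "fw-dmz": "204.46.130.10/24",
        "web": "204.46.130.12/24",
        "ftp": "204.46.130.22/24",
    },
}


def shared_subnets(plan):
    """Return [(network, [legs...])] for every subnet that appears on more
    than one firewall leg.  Hosts on two legs that share a subnet deliver to
    each other directly (ARP, then local delivery) without the firewall
    forwarding, and therefore without it filtering, the packets."""
    legs_by_net = {}
    for leg, hosts in plan.items():
        for cidr in hosts.values():
            net = ip_interface(cidr).network
            legs_by_net.setdefault(net, set()).add(leg)
    return sorted(
        (net, sorted(legs)) for net, legs in legs_by_net.items() if len(legs) > 1
    )


def renumber_with_longer_mask(plan, block):
    """Alternative 1: carve `block` into one subnet per leg (a /24 becomes two
    /25s for two legs) and renumber hosts sequentially inside their leg's
    subnet.  Each leg is then its own broadcast domain."""
    legs = list(plan)
    extra_bits = (len(legs) - 1).bit_length()  # prefix bits needed for all legs
    subnets = list(ip_network(block).subnets(prefixlen_diff=extra_bits))
    new_plan = {}
    for leg, net in zip(legs, subnets):
        hosts = list(net.hosts())
        new_plan[leg] = {
            name: f"{hosts[i]}/{net.prefixlen}" for i, name in enumerate(plan[leg])
        }
    return new_plan


def private_dmz_with_static_nat(plan, dmz_leg, private_block):
    """Alternative 2: move the DMZ hosts onto private addresses and keep their
    public addresses only as static NAT entries on the firewall.  Returns
    (new_dmz_hosts, nat_table); nat_table maps public -> private and the
    firewall's own DMZ interface is not translated."""
    net = ip_network(private_block)
    hosts = list(net.hosts())
    new_hosts, nat_table = {}, {}
    for i, (name, cidr) in enumerate(plan[dmz_leg].items()):
        new_hosts[name] = f"{hosts[i]}/{net.prefixlen}"
        if not name.startswith("fw-"):
            nat_table[str(ip_interface(cidr).ip)] = str(hosts[i])
    return new_hosts, nat_table


if __name__ == "__main__":
    for net, legs in shared_subnets(FLAT_PLAN):
        print(f"{net} is shared by legs {legs}: firewall is bypassable between them")
    split = renumber_with_longer_mask(FLAT_PLAN, "204.46.130.0/24")
    print("longer-mask plan:", split, "shared:", shared_subnets(split))
    dmz, nat = private_dmz_with_static_nat(FLAT_PLAN, "dmz", "10.0.0.0/24")
    print("private DMZ:", dmz, "static NAT:", nat)
```

Run as-is it reports the /24 shared by the `internet` and `dmz` legs, then prints a /25 split (firewall outside at .1/25, DMZ leg at .129/25 onwards) and a private-DMZ plan whose public .12 and .22 addresses survive only as NAT entries on the firewall, so every packet to the web or ftp server has to be forwarded, and filtered, by it.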
Dear netters:
If I have a 3-legged FW machine configured (3 NICs, connecting to the Internet,
the DMZ net and the intranet, respectively), do I have to put the NIC-to-Internet and
the NIC-to-DMZ in separate network segments?
In detail, for instance, I only have one public IP class like
207.46.130.0/24 (I am stealing MS's IP as an example here :-) ).
Can I do it like
-- 204.46.130.1 /255.255.255.0 for my FW's Internet NIC
-- 204.46.130.10 /255.255.255.0 for my FW's DMZ NIC
* 204.46.130.12 /255.255.255.0 for my web svr in DMZ
* 204.46.130.22 /255.255.255.0 for my ftp svr in DMZ
Since I already have FW software to check the traffic, do I have
to partition my network for the Internet and for the DMZ using the subnet
mask?
Thanks,
--Chris