Simon,

The answer depends on what you are trying to achieve.  If you are doubling the firewalls for redundancy or bandwidth reasons then scenario one is the right choice.  If you are looking for a more secure environment then scenario two may be the better option.  I've designed and evaluated sites with both configurations and to be honest, I find little difference in the security profiles between a single firewall with an external, DMZ and Internal interface and a scenario two type configuration with two separate firewalls.

Most firewall failures are due to misconfigurations, and firewalls with three (or more) interfaces are more complex to configure, which can lead to mistakes and vulnerabilities.  Good luck with your endeavor.

Bill Stackpole, CISSP
 


[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]

07/12/00 01:56 AM

       
        To:        [EMAIL PROTECTED]
        cc:        
        Subject:        Firewall placement and the DMZ...


Hi,

I was hoping some of you would be able to give me your opinions on how I
should proceed in my firewall placement strategy.
Here is some detail on our current setup:

Firewall = Watchguard firebox II.
                   - [LAN]
[Internet] - [Router] - [Firewall] ---
                   - [DMZ]

We will be replacing the Watchguard with Checkpoint Firewall-1 running on
NT (I know about NT, but this is what the business wants). I will be
wanting to implement 2 firewalls but I have yet to decide whether to go for
fault tolerance, or to place the secondary firewall between the DMZ and the
LAN:

Scenario1 (Fault tolerance)
                        - [LAN]
[Internet] - [Router] - [Firewall x 2] ---
                        - [DMZ]

Scenario 2 (higher security)
[Internet] - [Router] - [Firewall] - [DMZ] - [Firewall] - [LAN]

Your suggestions will be greatly appreciated.

Regards

Simon



