On Mon, 2007-11-19 at 22:53 -0700, Clint Pachl wrote:
> In my DMZ research, some sources state that all services need to be
> replicated in each DMZ. Following that advice, I would have to set up
> Kerberos, NTP, backup, and DNS in each DMZ and the LAN; that sounds like
> a lot of work. What do you guys think?
That you are basically bypassing your own firewall. Just create a third subnet for your management services and allow only the LAN and DMZs to access it through the firewall. Not perfect, but IMHO better than establishing a direct path between a DMZ and a LAN and adding complexity to monitor traffic on that path.

ciao
Luca
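As an added illustration of the layout Luca describes (not from the thread, and the thread does not say which firewall is in use), a pf.conf sketch in OpenBSD pf syntax: a third "management" subnet hosting Kerberos, NTP, DNS and backup, reachable only from the LAN and the DMZ, with no DMZ-to-LAN path and nothing initiated from the management side. Interface names, subnets and the backup port are assumptions.

```pf
# Added example, not the poster's configuration. Interface names,
# addresses and the backup port are assumed for illustration.
lan_if   = "em0"
dmz_if   = "em1"
mgmt_if  = "em2"
lan_net  = "10.0.1.0/24"
dmz_net  = "10.0.2.0/24"      # one DMZ shown; add a macro per extra DMZ
mgmt_net = "10.0.3.0/24"      # Kerberos, NTP, DNS, backup live here

krb_ports   = "{ 88, 464 }"   # Kerberos KDC and kpasswd
backup_port = "10000"         # assumed; depends on the backup software

set skip on lo
block log all                 # default deny, in and out, on every interface

# Clients on the LAN and in the DMZ may reach the management services.
# pf keeps state by default, so replies flow back without extra rules.
pass in on { $lan_if, $dmz_if } proto { tcp, udp } \
     from { $lan_net, $dmz_net } to $mgmt_net port $krb_ports
pass in on { $lan_if, $dmz_if } proto udp \
     from { $lan_net, $dmz_net } to $mgmt_net port 123
pass in on { $lan_if, $dmz_if } proto { tcp, udp } \
     from { $lan_net, $dmz_net } to $mgmt_net port 53
pass in on { $lan_if, $dmz_if } proto tcp \
     from { $lan_net, $dmz_net } to $mgmt_net port $backup_port

# Forwarded packets must also be allowed out of the management interface;
# the "pass in" rules above already restrict which flows get this far.
pass out on $mgmt_if proto { tcp, udp } \
     from { $lan_net, $dmz_net } to $mgmt_net

# Deliberately absent: any "pass" between $dmz_if and $lan_if, and any
# "pass in on $mgmt_if", so a compromised DMZ or management host has no
# route to initiate connections elsewhere. If the backup server must
# connect to its clients instead, add one narrow mgmt-to-client rule.
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check before applying, and watch the `block log` entries on pflog0 to confirm no DMZ host is trying to reach the LAN directly.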