One problem you will run into with simply having a firewall with three ports in it is load. By bringing your Internet connection directly into the firewall and using one port for the internal network and one port for the DMZ you are forcing the firewall to act as your gateway router as well. Depending on what routing protocols your network is running, or your upstream provider is running, the routing table on the firewall can grow quite large. Now the firewall has to statefully inspect each packet as well as route it. In even a moderately sized organization, this can cause a tremendous load on your firewall.
You've also severely limited your ability to grow the network with this approach. If you want to add a second Internet connection, DMZ, or internal network in the future you will have to rebuild your firewall, as well as re-write your rulesets. I prefer to use two firewalls to create a DMZ, but if circumstances (read: budget) don't allow for that, I'll use a router / firewall combination.

-Ben

-----Original Message-----
From: Bufferzone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 3:10 PM
To: Derrenbacker, L. Jonathan; 'Security-Basics
Subject: RE: DMZ - 2 firewalls, or 1 firewall + 1 router

Neither. One firewall with 3 network cards inserted.

Regards
Kim

-----Original Message-----
From: Derrenbacker, L. Jonathan [mailto:[EMAIL PROTECTED]]
Sent: 2 April 2002 20:41
To: '[EMAIL PROTECTED]'
Subject: DMZ - 2 firewalls, or 1 firewall + 1 router

I heard that you can make a DMZ with a router and a firewall. Is that a good way to make a DMZ, or should you use 2 firewalls?

Thanks in advance.
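As an added illustration of the three-NIC design discussed in this thread (example code, not from any of the posters), below is a Linux iptables script for a single box that is both the gateway router and the stateful filter for the internal LAN and the DMZ. Everything concrete in it is assumed: the interface names eth0/eth1/eth2, the public address 203.0.113.10, the 192.168.1.0/24 and 192.168.2.0/24 ranges, and the DMZ web server at 192.168.2.10. The point it makes beyond the prose is the zone policy: the Internet reaches only the published service, the LAN can reach out and administer the DMZ, the DMZ can reach only what its servers need, and nothing initiated from the DMZ ever reaches the LAN.

```sh
#!/bin/sh
# Single firewall with three interfaces ("three-legged" DMZ) using Linux iptables.
# Added example, not from the mailing-list thread. Interface names, address
# ranges and the DMZ web server address below are assumptions.
# By default the script only prints the rules; run with APPLY=1 as root to load them.

APPLY="${APPLY:-}"
EXT_IF=eth0                 # Internet uplink
INT_IF=eth1                 # internal LAN
DMZ_IF=eth2                 # DMZ
EXT_IP=203.0.113.10         # firewall's public address (documentation range, assumed)
INT_NET=192.168.1.0/24      # assumed
DMZ_NET=192.168.2.0/24      # assumed
DMZ_WEB=192.168.2.10        # web server in the DMZ (assumed)

# Print the rule in dry-run mode, otherwise hand it to iptables.
rule() {
    if [ -n "$APPLY" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # The firewall is also the gateway router for both inside networks, so
    # forwarding must be on; routing plus inspection is the load Ben describes.
    if [ -n "$APPLY" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    rule -A INPUT -i lo -j ACCEPT
    # Stateful inspection: replies of already accepted flows pass on every path.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: inside addresses never arrive legitimately on the outside leg.
    rule -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    rule -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP

    # Internet -> DMZ: only the published service, translated to the DMZ web server.
    rule -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
         -j DNAT --to-destination "$DMZ_WEB:80"
    rule -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
         -m state --state NEW -j ACCEPT

    # Internal -> Internet: allowed, source-translated to the public address.
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"

    # Internal -> DMZ: administration (ssh) and the web service only.
    rule -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" -p tcp \
         -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

    # DMZ -> Internet: only what the servers need themselves (DNS here).
    rule -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -p udp --dport 53 \
         -m state --state NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j SNAT --to-source "$EXT_IP"

    # DMZ -> Internal: never initiated from the DMZ side. A compromised DMZ host
    # must not be able to reach inward; log so an attempt is visible.
    rule -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "DMZ-to-LAN: "
    rule -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
    # Anything not matched above hits the FORWARD policy and is dropped.
}

build_rules
```

Run it as-is to review the generated rules, then `APPLY=1 sh dmz-fw.sh` as root to load them. Note how every zone pair needs its own FORWARD rules and, for a second uplink or a second DMZ, its own interface variables and NAT entries, which is exactly the rebuild-and-rewrite cost the thread warns about when the design has to grow.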
