I went through this problem with our network as well. You are correct that this arrangement represents a security risk. Since you are dual homed into both your dmz and internal network, you have effectively negated the value of having segregated vlans. If your dmz server is compromised with an ftp exploit, then the attacker has a clear shot into your protected network over the other nic.

The true degree of risk depends on your exact architecture and the rules you have implemented on your firewall. If you have only one way into the dmz from your internal network (that being through the firewall), you have a much less complex task of making sure that a compromise of your dmz server does not lead to compromise of your entire network.

The type of architecture you describe is sometimes set up and justified in Windows networks to simplify Windows networking; when you segregate your vlans appropriately to ensure security, you start to run into problems with Windows name resolution and any rpc dependent applications you may be running. What is often overlooked, however, is that a secure installation requires that these services be severely restricted anyway or turned off altogether in a bastion host residing on a dmz. So, you ARE correct; you'll likely need to do a careful analysis of the services running and any cross-vlan interdependencies, and then you can rationally plan to get rid of the unnecessary nic. Good luck.
Fred

-----Original Message-----
From: Jennifer Fountain
To: [EMAIL PROTECTED]
Sent: 2/14/03 2:42 PM
Subject: Question about dmz security

I need an opinion on a current design implementation in place. We have an ftp server sitting in our dmz. This box has two nics - one is plugged into the dmz hub and one is plugged into our network. I think this is a security risk and we should just allow internal users access to the box via the firewall by opening the port instead of having dual nics. They do not see a security risk. Maybe I am just too new at this and need some education. What is the "best" way to implement this configuration?

Thank you
Jenn Fountain
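Added example, not part of the original thread: one way to start the service analysis the reply recommends is to group the dual-homed host's listening sockets by which network can reach them. The subnets, addresses and the `ss -tlnH` sample below are constructed assumptions.

```python
import ipaddress

# Assumed addressing for the two networks (constructed, not from the thread).
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),
         "internal": ipaddress.ip_network("10.10.0.0/16")}

# Constructed sample of `ss -tlnH` output from the dual-homed FTP server.
SAMPLE_SS = """\
LISTEN 0 32  0.0.0.0:21      0.0.0.0:*
LISTEN 0 128 10.10.4.20:445  0.0.0.0:*
LISTEN 0 128 10.10.4.20:135  0.0.0.0:*
LISTEN 0 128 192.0.2.10:22   0.0.0.0:*
LISTEN 0 100 127.0.0.1:25    0.0.0.0:*
"""

def zone_of(addr):
    """Map a bind address to 'dmz', 'internal', 'all', 'loopback' or 'unknown'."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %iface scope
    if ip.is_unspecified:
        return "all"  # wildcard bind: reachable through every NIC
    if ip.is_loopback:
        return "loopback"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = "0.0.0.0" if addr == "*" else addr.strip("[]")
        found.append((addr, int(port)))
    return found

def audit(ss_output):
    """Group listening ports by which network can reach them."""
    reach = {"dmz": set(), "internal": set()}
    for addr, port in parse_listeners(ss_output):
        zone = zone_of(addr)
        for name in reach:
            if zone in (name, "all"):
                reach[name].add(port)
    return {"dmz_only": sorted(reach["dmz"] - reach["internal"]),
            "internal_only": sorted(reach["internal"] - reach["dmz"]),
            "both": sorted(reach["dmz"] & reach["internal"])}
```

Ports under `internal_only` are the cross-vlan dependencies that would have to be retired or carried by an explicit firewall rule before the internal nic is removed. Ports under `both` are services bound to the wildcard address, so they answer on the internal side as well as in the dmz.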
