[FW1] multiple fw design ...
I'm trying to slog through the pros and cons of a multiple-firewall design, and how best to implement it. I'd appreciate it if you guys would chime in on this.

What we've got: 2 points of internet access that split a class B. Let's say that 65-75% of all traffic is at one point, so I'll concentrate on that one:

inet -- router -- FW -- router -- internal net

The DMZ hangs off a FW interface. FW is a CP v4 box. The DMZ hosts our www server as well as Outlook Web Access. We've got a VPN solution around the firewall. I've got some dial-in access to the internal network that auths the user via a RADIUS server against an NT domain. I've also got some IPSec tunnels (Cisco router to Cisco router) starting to happen. This tunnels thru the FW and gets decrypted on the internal net. Also have dial-in users connecting at the outside router and coming in thru the FW. This dial-in location is changing to somewhere inside, just not sure where the best place would be.

That said, here's what I can see happening...

- adding more servers to the DMZ, some of which will be the only server (i.e. it won't be duplicated on the inside net), so external dial-in or SOHO IPSec tunnel clients will need to hit it as well as internal users.
- there's a buzz about e-commerce, so there would be some sort of database-driven e-commerce something or other in the DMZ.
- additional (load balanced) web servers.
- the need to better log/monitor all those pesky dial-in and SOHO users.

What we were thinking was...

inet -- router -- FW -- DMZ -- FW -- internal net

Firewalls would not be from the same vendor. Where do I put the dial-in users for the best and most secure fit? Into the DMZ or off a 3rd NIC on the inside firewall? The dial-in users are coming into a Cisco router and auth against a RADIUS server. We're a big M$ shop except for all the important things like firewalls and DNS. There will most likely be a need for the DMZ servers to talk to inside boxes. I'm looking to poke holes or throw some ideas around.
Maybe we keep the single FW scheme and hang the remote access users off a 4th NIC on the firewall? Maybe. But I'm not all too thrilled with that scenario. Your input's greatly appreciated. Thanks.