Re: [FW1] multiple fw design ...
what about load then? if we intend to run our e-comm site thru it as well as user access, how much would adding a 4th nic and running 2 dmz's tax the box .... at this point i'm pretty sure that with either solution i'm getting a bigger box, just how big? since you run a 4th nic w/ 2 dmz's i'm curious as to what additional load you saw.

Peter Goodridge wrote:
>
> I don't see the advantage of two firewalls over a 4th NIC. Two firewalls of different makes gives you twice the learning curve, and twice the chance to make a mistake that leaves you open.
>
> Even if you went with two Checkpoint firewalls (or two of anything) you could have them both log to the same management server instead of having to look in two places to determine what is happening.
>
> I use a 4th NIC so I can have 2 DMZs. One DMZ for the world to access, and one for "trusted" users. I'd also move the Cisco tunnel endpoint into the 2nd DMZ, so you can see what's coming out of the tunnel. All you should be able to see now is that there is a tunnel.
>
> HTH,
> Pete Goodridge
>
> --- k c <[email protected]> wrote:
> >
> > i'm trying to slug thru pros and cons of a multiple firewall design, and how best to implement. wonder if you guys would chime in on this, i'd appreciate it.
> >
> > what we've got:
> >
> > 2 points of internet access that split a class B. let's say that 65-75% of all traffic is at one point, so i'll concentrate on that one:
> >
> > inet -- router -- FW -- router -- internal net , the dmz hangs off a FW interface. FW is a CP v4 box.
> >
> > the dmz hosts our www server as well as Outlook web access.
> >
> > we've got a VPN solution around the firewall.
> >
> > i've got some dialin access to the internal network that auths the user via a RADIUS server against an NT domain.
> >
> > i've also got some IPSec tunnels (cisco router to cisco router) starting to happen. these tunnel thru the FW and get decrypted on the internal net.
> >
> > also have dialin users connecting at the outside router and coming in thru FW. this dialin location is changing somewhere inside, just not sure where the best place would be.
> >
> > that said, here's what i can see happening....
> >
> > adding more servers to the dmz, some of which will be the only server (i.e. it won't be duplicated on the inside net) so external dialin or soho ipsec tunnel clients will need to hit it as well as internal users. there's a buzz about e-commerce, so there would be some sort of database driven e-commerce something or other in the dmz. additional (load balanced) web servers. the need to better log/monitor all those pesky dialin and soho users.
> >
> > what we were thinking was ...
> >
> > inet -- router -- FW -- DMZ -- FW -- internal net
> >
> > firewalls would not be from the same vendor. where do i put the dialin users for the best and most secure fit ? into the dmz or off a 3rd nic on the inside firewall. the dialin users are coming into a cisco router and auth against a Radius server. we're a big M$ shop except for all the important things like firewalls and dns. there will most likely be need for the dmz servers to talk to inside boxes.
> >
> > i'm looking to poke holes or throw some ideas around. maybe we keep the single FW scheme and hang the remote access users off a 4th nic on the firewall ? maybe. but i'm not all too thrilled with that scenario.
> >
> > your input's greatly appreciated.
> >
> > thanks.
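As an added example (not code from either poster or from Check Point), here is a small default-deny zone model of Pete's 4th-NIC design: a public DMZ, a "trusted" DMZ holding the dial-in users and the Cisco tunnel endpoint, and the internal net. The subnets, ports and the DB-tier flow are constructed assumptions; reach_from() shows what a compromised public-DMZ host could still reach inside, which is the check worth running before letting DMZ servers talk to inside boxes.

```python
"""Zone-policy model for the single-firewall, 4th-NIC / two-DMZ design from the
thread. Added example, not code from the list posts or from Check Point.
Subnets, hosts and ports below are constructed assumptions."""
from ipaddress import ip_address, ip_network

# One subnet per firewall interface (constructed address plan).
ZONES = {
    "inet": ip_network("0.0.0.0/0"),            # catch-all: everything not below
    "dmz_pub": ip_network("192.0.2.0/24"),      # www servers and Outlook Web Access
    "dmz_trust": ip_network("198.51.100.0/24"), # dial-in/SOHO users, Cisco tunnel endpoint
    "internal": ip_network("10.0.0.0/8"),
}

# Default-deny policy: (src zone, dst zone, allowed ports). Unmatched flows are
# dropped, including all DMZ -> internal traffic except the narrow flows listed.
RULES = [
    ("inet", "dmz_pub", {80, 443}),          # world reaches web/OWA only
    ("dmz_trust", "dmz_pub", {80, 443}),     # "trusted" users reach the same servers
    ("dmz_trust", "internal", {1812}),       # RADIUS auth against the NT domain
    ("internal", "dmz_pub", {80, 443}),      # inside users reach DMZ-only servers
    ("dmz_pub", "internal", {1433}),         # e-commerce front end -> DB kept inside (assumed)
]

def zone_of(addr: str) -> str:
    """Most specific zone containing addr; 'inet' wins only when nothing else matches."""
    ip = ip_address(addr)
    return max((z for z, net in ZONES.items() if ip in net),
               key=lambda z: ZONES[z].prefixlen)

def allowed(src: str, dst: str, port: int) -> bool:
    """True if the policy passes a flow from src to dst on port."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same segment: traffic never crosses the firewall
    return any(s == rs and d == rd and port in ports for rs, rd, ports in RULES)

def reach_from(zone: str) -> dict:
    """What a compromised host in `zone` could reach through the firewall,
    as {dst_zone: sorted ports}. Audit dmz_pub before granting inside access."""
    out = {}
    for rs, rd, ports in RULES:
        if rs == zone:
            out.setdefault(rd, set()).update(ports)
    return {d: sorted(p) for d, p in out.items()}

if __name__ == "__main__":
    print(allowed("203.0.113.7", "192.0.2.10", 443))   # inet -> OWA: True
    print(allowed("192.0.2.10", "10.1.2.3", 445))      # DMZ host -> inside SMB: False
    print(reach_from("dmz_pub"))                       # {'internal': [1433]}
```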
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================