Firewall Wizards mailing list archives

Re: multiple firewall design


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Sat, 23 Sep 2000 22:01:25 +0200

My mail client believes that k c wrote the following:
> []
> inet -- router -- FW -- DMZ -- FW -- internal net
>
> Firewalls would not be from the same vendor. Where do
> I put the dial-in users for the best and most secure
> fit? Into the DMZ or off a 3rd NIC on the inside

I would put them on a separate leg of the inside firewall.
This follows directly from the domain separation principle
(separate systems should be separated), and also if you think
a bit about the meaning and purpose of life and of the DMZ.

> firewall. The dial-in users come into a Cisco
> router and authenticate against a RADIUS server. We're a big
> M$ shop except for all the important things like
> firewalls and DNS.
<offtopic>
Once upon a time we were an M$ shop too. Maybe
the bosses on the upper levels think we still are :)
</offtopic>
> I'm looking to poke holes or throw some ideas around.
> Maybe we keep the single FW scheme and hang the remote
> access users off a 4th NIC on the firewall? Maybe.
> But I'm not all too thrilled with that scenario.

Having more than 2 legs on a firewall is the outcome of
a cost-reduction transformation: you transform the
fw1-dmz-fw2 setup such that fw1=fw2.
But you don't have to do that at all costs :)

-- 
GNU GPL: only from a clean source

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
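The placement question in this thread, as an added example that is not part of the original post or reply: a small Python model of zones joined by leg-to-leg firewall rules, used to compare the two designs k c asked about (dial-in users on the DMZ segment versus on a third leg of the inside firewall) and the single four-leg box that the reply describes as the fw1=fw2 cost reduction. The zone names (internet, dmz, dialin, internal), the firewall names, the services and every rule are constructed for illustration and are not anyone's real configuration.

```python
# Added example, not code from the thread: zone-policy model of the dial-in placements above.
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    in_leg: str
    out_leg: str
    service: str  # "any" matches every service
    action: str   # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    legs: Tuple[str, ...]
    rules: List[Rule] = field(default_factory=list)

    def decide(self, in_leg: str, out_leg: str, service: str) -> str:
        """Leg-to-leg rules, first match wins; no match means deny (default-deny)."""
        for r in self.rules:
            if (r.in_leg, r.out_leg) == (in_leg, out_leg) and r.service in (service, "any"):
                return r.action
        return "deny"


class Topology:
    def __init__(self, firewalls: List[Firewall]) -> None:
        self.firewalls = firewalls

    def path(self, src: str, dst: str) -> Optional[List[Tuple[str, Firewall, str]]]:
        """BFS over zones with firewalls as edges; returns hops (in_leg, fw, out_leg)."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            zone = queue.popleft()
            if zone == dst:
                hops, cur = [], dst
                while prev[cur] is not None:
                    in_leg, fw = prev[cur]
                    hops.append((in_leg, fw, cur))
                    cur = in_leg
                return hops[::-1]
            for fw in (f for f in self.firewalls if zone in f.legs):
                for leg in fw.legs:
                    if leg not in prev:
                        prev[leg] = (zone, fw)
                        queue.append(leg)
        return None

    def firewalls_between(self, src: str, dst: str) -> List[str]:
        return [fw.name for _, fw, _ in (self.path(src, dst) or [])]

    def evaluate(self, src: str, dst: str, service: str) -> Tuple[str, List[str]]:
        """Verdict plus the firewalls consulted; same-segment traffic is filtered by nobody."""
        hops = self.path(src, dst)
        if hops is None:
            return "unreachable", []
        consulted: List[str] = []
        for in_leg, fw, out_leg in hops:
            consulted.append(fw.name)
            if fw.decide(in_leg, out_leg, service) != "allow":
                return "deny", consulted
        return "allow", consulted


def _outside_firewall() -> Firewall:
    """Outer firewall: only the published DMZ services are reachable from the Internet."""
    return Firewall("fw-outside", ("internet", "dmz"),
                    [Rule("internet", "dmz", "smtp", "allow"), Rule("internet", "dmz", "http", "allow")])


def design_dialin_in_dmz() -> Topology:
    """Dial-in pool on the DMZ segment: the inside firewall cannot tell it from the DMZ servers."""
    inside = Firewall("fw-inside", ("dmz", "internal"), [
        Rule("dmz", "internal", "dns", "allow"),
        Rule("dmz", "internal", "smb", "allow"),  # needed by dial-in users, inherited by every DMZ host
    ])
    return Topology([_outside_firewall(), inside])


def design_dialin_separate_leg() -> Topology:
    """Dial-in pool on its own leg of the inside firewall, as recommended in the reply."""
    inside = Firewall("fw-inside", ("dmz", "internal", "dialin"), [
        Rule("dmz", "internal", "dns", "allow"),
        Rule("dialin", "internal", "dns", "allow"),
        Rule("dialin", "internal", "smb", "allow"),  # dial-in only; DMZ gets no SMB, dialin gets no DMZ
    ])
    return Topology([_outside_firewall(), inside])


def design_single_four_leg() -> Topology:
    # The fw1 = fw2 cost reduction: one box with four legs carrying the union of both rule sets.
    rules = _outside_firewall().rules + design_dialin_separate_leg().firewalls[1].rules
    return Topology([Firewall("fw-single", ("internet", "dmz", "dialin", "internal"), rules)])


if __name__ == "__main__":  # how each design treats a compromised DMZ server reaching internal SMB
    print([d().evaluate("dmz", "internal", "smb") for d in (design_dialin_in_dmz, design_dialin_separate_leg)])
```

What the model makes explicit: with the dial-in pool on the DMZ segment, a dial-in laptop and the DMZ servers reach each other with no firewall in between, and any rule the inside firewall needs for dial-in users (SMB to internal file servers here) is granted to every DMZ host as well, because both arrive on the same leg. On a separate leg the inside firewall can allow dialin to internal SMB while still denying dmz to internal SMB and dialin to dmz entirely. Collapsing the two firewalls into one four-leg box keeps the same rule set but leaves a single enforcement point between the Internet and the internal net, which is the cost the reply alludes to.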
