Re: Network design change

[pkc_mls <pkc_mls () yahoo fr>]

shadow floating a écrit :
>  Hi All,
>  My company has two sites in to 2 different locations that are
>  connected via high speed link at the core layer ( I've attached a
>  link to the diagram :
> http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
> explanation)
>  in each site I've 1 DMZ , the network team wants to connect the DMZ
>  switches in both sites for better performance and "security" - the
>  link under investigation is shown in red in the picture -   via high
>  speed link without passing at all by the core network layer, as they
>  say that will aid more in the replication between server A and backup
>  server A in the DMZs and also this will help if any of the 2 firewalls
>  had failure to access both DMZs from any firewall.
>  Is that better from security point of view?
If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect directly the dmz switches, and if someone can get access
to your dmz, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

do the DMZ share the same network addresses ?

if not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow trafic between the DMZs.

The performance can be also an issue, so it depends on the replication
traffic basically.

If you can replicate when there is less traffic, the existing firewall
can be enough. If you can't, it's perhaps time to upgrade the firewalls.

>  appreciating your great help and advice
>  thanks alot
>
>  Regards,
>  Nad
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards