Firewall Wizards mailing list archives

Re: Network design change


From: sai <sonicsai () gmail com>
Date: Sat, 14 Nov 2009 17:00:41 +0500

Not good from a security point of view.

I would prefer to connect the routers at the internet cloud level, not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] Gives me redundant internet connectivity in case one of the ISPs goes
down (assuming multiple ISPs and routing that can handle one link going
down).
[2] The DMZs should be separate. The more segments you have, the better.
Connecting the 2 at switch level gives you just one DMZ. My way, the
replication connection has to go through firewalls (which might be a problem
if you have low-end firewalls), but so does the attacker (and remember that
the DMZ is there because the attacker is going to get there some day).

sai


On Tue, Nov 10, 2009 at 8:58 PM, shadow floating
<nadengine () googlemail com> wrote:

 Hi All,
 My company has two sites in 2 different locations that are
 connected via a high speed link at the core layer (I've attached a
 link to the diagram:
 http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
 explanation).
 In each site I have 1 DMZ. The network team wants to connect the DMZ
 switches in both sites for better performance and "security" (the
 link under investigation is shown in red in the picture) via a high
 speed link without passing at all by the core network layer, as they
 say that will aid more in the replication between server A and backup
 server A in the DMZs, and also this will help, if any of the 2 firewalls
 has a failure, to access both DMZs from any firewall.
 Is that better from a security point of view?

 Appreciating your great help and advice,
 thanks a lot

 Regards,
 Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
