Firewall Wizards mailing list archives
Re: Network design change
From: pkc_mls <pkc_mls () yahoo fr>
Date: Thu, 12 Nov 2009 12:38:39 +0100
shadow floating wrote:
Hi All, My company has two sites in 2 different locations that are connected via a high speed link at the core layer (I've attached a link to the diagram: http://img18.imageshack.us/img18/77/questionhk.jpg for ease of explanation). In each site I've 1 DMZ. The network team wants to connect the DMZ switches in both sites for better performance and "security" (the link under investigation is shown in red in the picture) via a high speed link without passing at all by the core network layer, as they say that will aid more in the replication between server A and backup server A in the DMZs, and also this will help, if any of the 2 firewalls had a failure, to access both DMZs from any firewall. Is that better from a security point of view?
If it's possible, I'd rather use a link between both firewalls to connect the DMZ. If you connect the DMZ switches directly, and if someone can get access to your DMZ, he will get access to the other one as well, as there won't be any filtering between the DMZs. Do the DMZs share the same network addresses? If not, just use an unused interface on each fw, connect both via a link, then create some routes to allow traffic between the DMZs. The performance can also be an issue, so it basically depends on the replication traffic. If you can replicate when there is less traffic, the existing firewall can be enough. If you can't, it's perhaps time to upgrade the firewalls.
Appreciating your great help and advice, thanks a lot.
Regards, Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Network design change shadow floating (Nov 10)
- Re: Network design change pkc_mls (Nov 15)
- Re: Network design change sai (Nov 15)