
[FW1] multiple fw design ...





i'm trying to slug thru pro's and con's of a multiple
firewall design, and how best to implement. wonder if
you guys would chime in on this, i'd appreciate it.

what we've got:

2 points of internet access that split a class B. let's
say that 65-75% of all traffic is at one point, so
i'll concentrate on that one:

inet -- router -- FW -- router -- internal net, the
dmz hangs off a FW interface. FW is a CP v4 box.

the dmz hosts our www server as well as Outlook web
access.

we've got a VPN solution around the firewall.

i've got some dialin access to the internal network
that auths the user via a RADIUS server against an NT
domain.

i've also got some IPSec tunnels (cisco router to
cisco router) starting to happen. this tunnels thru
the FW and gets decrypted on the internal net.

also have dialin users connecting at the outside
router and coming in thru FW. this dialin location is
changing somewhere inside, just not sure where the
best place would be.


that said, here's what i can see happening...

adding more servers to the dmz, some of which will be
the only server (i.e. it won't be duplicated on the
inside net) so external dialin or soho ipsec tunnel
clients will need to hit it as well as internal users.
there's a buzz about e-commerce, so there would be
some sort of database driven e-commerce something or
other in the dmz. additional (load balanced) web
servers. the need to better log/monitor all those
pesky dialin and soho users.


what we were thinking was ...

inet -- router -- FW -- DMZ -- FW -- internal net

firewalls would not be from the same vendor. where do
i put the dialin users for the best and most secure
fit? into the dmz or off a 3rd nic on the inside
firewall. the dialin users are coming into a cisco
router and auth against a Radius server. we're a big
M$ shop except for all the important things like
firewalls and dns. there will most likely be need for
the dmz servers to talk to inside boxes.


i'm looking to poke holes or throw some ideas around.
maybe we keep the single FW scheme and hang the remote
access users off a 4th nic on the firewall? maybe.
but i'm not all too thrilled with that scenario.

your input's greatly appreciated.

thanks.



