
Re: [FW1] multiple fw design ...



What about load then? If we intend to run our e-comm site through it as
well as user access, how much would adding a 4th NIC and running 2 DMZs
tax the box .... At this point I'm pretty sure that with either solution
I'm getting a bigger box, just how big? Since you run a 4th NIC w/ 2
DMZs I'm curious as to what additional load you saw.

Peter Goodridge wrote:
> 
> I don't see the advantage of two firewalls over a 4th
> NIC.  Two firewalls of different makes gives you twice
> the learning curve, and twice the chance to make a
> mistake that leaves you open.
> 
> Even if you went with two Checkpoint firewalls (or two
> of anything) you could have them both log to the same
> management server instead of having to look in two
> places to determine what is happening.
> 
> I use a 4th NIC so I can have 2 DMZs.  One DMZ for the
> world to access, and one for "trusted" users.  I'd
> also move the Cisco tunnel endpoint into the 2nd DMZ,
> so you can see what's coming out of the tunnel.  All
> you should be able to see now is that there is a
> tunnel.
> 
> HTH,
> Pete Goodridge
> 
> --- k c <[email protected]> wrote:
> >
> >
> >
> > I'm trying to slog through the pros and cons of a multiple
> > firewall design, and how best to implement it. Wonder if you
> > guys would chime in on this; I'd appreciate it.
> >
> > What we've got:
> >
> > 2 points of internet access that split a class B. Let's say
> > that 65-75% of all traffic is at one point, so I'll
> > concentrate on that one:
> >
> > inet -- router -- FW -- router -- internal net, the DMZ
> > hangs off a FW interface. FW is a CP v4 box.
> >
> > The DMZ hosts our www server as well as Outlook Web Access.
> >
> > We've got a VPN solution around the firewall.
> >
> > I've got some dialin access to the internal network that
> > auths the user via a RADIUS server against an NT domain.
> >
> > I've also got some IPSec tunnels (Cisco router to Cisco
> > router) starting to happen. This tunnels through the FW and
> > gets decrypted on the internal net.
> >
> > Also have dialin users connecting at the outside router and
> > coming in through the FW. This dialin location is changing
> > somewhere inside, just not sure where the best place would be.
> >
> > That said, here's what I can see happening....
> >
> > Adding more servers to the DMZ, some of which will be the
> > only server (i.e. it won't be duplicated on the inside net),
> > so external dialin or SOHO IPSec tunnel clients will need to
> > hit it as well as internal users. There's a buzz about
> > e-commerce, so there would be some sort of database-driven
> > e-commerce something or other in the DMZ. Additional (load
> > balanced) web servers. The need to better log/monitor all
> > those pesky dialin and SOHO users.
> >
> > What we were thinking was ...
> >
> > inet -- router -- FW -- DMZ -- FW -- internal net
> >
> > Firewalls would not be from the same vendor. Where do I put
> > the dialin users for the best and most secure fit? Into the
> > DMZ or off a 3rd NIC on the inside firewall? The dialin users
> > are coming into a Cisco router and auth against a RADIUS
> > server. We're a big M$ shop except for all the important
> > things like firewalls and DNS. There will most likely be need
> > for the DMZ servers to talk to inside boxes.
> >
> > I'm looking to poke holes or throw some ideas around. Maybe
> > we keep the single FW scheme and hang the remote access users
> > off a 4th NIC on the firewall? Maybe. But I'm not all too
> > thrilled with that scenario.
> >
> > Your input's greatly appreciated.
> >
> > Thanks.
> >
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
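The design point Pete makes above (a 4th NIC giving two DMZs, with the tunnel endpoint moved into the "trusted" DMZ so decrypted tunnel traffic has to cross the firewall) can be checked mechanically. The following is an added illustration, not code from this thread, from either poster, or from Check Point: a small zone-policy model in which every inter-zone flow passes the firewall (and is therefore filtered and logged), while intra-zone flows never touch it. The zone names, the rulebase and the sample "inner" flows a remote office might send through an IPsec tunnel are all constructed for the example.

```python
"""Zone-policy model of a single firewall with four interfaces:
inet, a public DMZ, a "trusted" DMZ for remote/tunnel users, and the internal net.

Added illustration only; zone names, rules and sample flows are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

ZONES = ("inet", "dmz_public", "dmz_trusted", "internal")


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "*"
    dst: str      # zone name or "*"
    service: str  # e.g. "tcp/443", or "*"
    action: str   # "accept" or "drop"


# Hypothetical first-match rulebase; anything not matched is dropped.
RULES = [
    Rule("inet", "dmz_public", "tcp/80", "accept"),
    Rule("inet", "dmz_public", "tcp/443", "accept"),
    Rule("inet", "dmz_trusted", "udp/500", "accept"),       # IKE to the tunnel endpoint
    Rule("inet", "dmz_trusted", "esp", "accept"),           # IPsec ESP to the endpoint
    Rule("dmz_trusted", "dmz_public", "tcp/443", "accept"), # remote users reach e-comm
    Rule("dmz_trusted", "internal", "tcp/1433", "accept"),  # only the DB port inward
    Rule("dmz_public", "internal", "*", "drop"),            # web tier never initiates inward
    Rule("internal", "*", "*", "accept"),
]


def decide(src: str, dst: str, service: str) -> str:
    """First matching rule wins; unmatched traffic is dropped."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    for r in RULES:
        if r.src in (src, "*") and r.dst in (dst, "*") and r.service in (service, "*"):
            return r.action
    return "drop"


def crosses_firewall(src: str, dst: str) -> bool:
    """Only inter-zone traffic passes a firewall interface, so only it is filtered and logged."""
    return src != dst


def tunnel_visibility(endpoint_zone: str,
                      inner_flows: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, str]]:
    """For each decrypted (inner) flow the tunnel endpoint injects, report whether
    the firewall sees it and what the rulebase would do with it.

    endpoint_zone: zone holding the router that terminates the IPsec tunnel.
    inner_flows:   (service, destination zone) pairs as seen after decryption.
    Returns (service, dst_zone, seen_by_firewall, action) per flow.
    """
    report = []
    for service, dst in inner_flows:
        if crosses_firewall(endpoint_zone, dst):
            report.append((service, dst, True, decide(endpoint_zone, dst, service)))
        else:
            # Same zone: the packet never reaches the firewall, so it is neither
            # filtered nor logged, whatever the rulebase says.
            report.append((service, dst, False, "not filtered"))
    return report


def unseen_flows(endpoint_zone: str, inner_flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The subset of inner flows that bypass inspection entirely."""
    return [(s, d) for s, d, seen, _ in tunnel_visibility(endpoint_zone, inner_flows) if not seen]


# Constructed sample of what a remote office might send down the tunnel.
SAMPLE_INNER_FLOWS = [("tcp/1433", "internal"), ("tcp/445", "internal"), ("tcp/443", "dmz_public")]

if __name__ == "__main__":
    for zone in ("internal", "dmz_trusted"):
        print(f"tunnel endpoint in {zone}:")
        for row in tunnel_visibility(zone, SAMPLE_INNER_FLOWS):
            print("  ", row)
```

With the endpoint on the internal net (the thread's current setup) every inner flow bound for the internal net is reported as "not filtered": all the firewall ever logs is the ESP tunnel itself. With the endpoint in the trusted DMZ the same flows cross the firewall, the database port is accepted and the SMB port is dropped and logged, which is the visibility Pete is describing.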
