> Ahh, see there's your first problem.  You trust your users :)  I don't
> even trust myself, I'm certainly not about to trust my users :)  At
> any rate, sounds like you don't have a solid need for the physical
> separation, it's best practice, but not always the right answer to the
> problem at hand.  Any separation is better than no separation.  And
> honestly, if your DMZ gets compromised, the LAN is likely the least of
> your worries - the hope would be that you have good enough logging
> practices that if the DMZ is compromised that you _catch_ it before
> the attacker makes it to the LAN.

Logical and physical separation is the ideal; however, implementing it in the
real world carries with it some trade-offs.
Having seen one bank implement multiple racks of Nokia IP-650s with 20
interfaces each for market data services, the alternative using a pair of
Cat 6509s trunked into, say, 4-6 firewalls would have been far less
expensive, had much lower ongoing costs, been simpler to configure, and given
far better port density, and carried a lot less operational risk.

Of course their Nokia and Checkpoint account managers were very happy with
that deal.


Greg

