Actually, at first this looks like lunacy.

Look at where the "DMZ" is - at BEST it's one NIC away from the internal
LAN.

I would have first assumed that the 'Net' and 'Internet' labels are
transposed. A second look, however, shows that there would then be no router
between the Internet and the first firewall.

So I assume that there's been some problem with the text diagram. This is
far more lenient than assuming that the person who designed this
architecture is a psychopath.

ASCII art. So wonderful for people who only send or receive mail in 80
columns in Courier.

Now that I've finished being grumpy...

This is the classic "screened subnet" architecture from several of The
Books, however it has a dangling firewall (FW1) towards the inside network.

Leaving aside the placement of the DMZ, which should probably be as close as
practical to the OUTSIDE (in other words 'netwards' of FW2), I wonder why they
have both FW1 and the router next to it?

Surely one of these devices is redundant. What extra security can a packet
screen provide if it's right in front of a firewall - if the firewall is
that insecure then why bother having it?

The only reasonable use I could find for this architecture is a "double
DMZ". I'm not sure why anyone would want such a thing, but it would mean
that you could have DMZ one just netwards of FW1 and DMZ2 (the Internet DMZ)
just LANwards of R1. I would probably swap R1 and FW1 to improve speed
however.

If the level of trust in the Internal LAN were not great, or the information
/ resources used in the LAN DMZ were that critical, then I guess this
architecture could be useful.

[Explanatory ASCII Art]

LAN
Router1
DMZ for LAN users
FW1
No man's land
FW2
DMZ for Internet users
Router2


Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520
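The chain Ben sketches above (LAN, R1, DMZ for LAN users, FW1, no man's land, FW2, DMZ for Internet users, R2, Internet), as an added reachability model that is not part of his post or of the original message. The segment names, the two rule sets and the ports are constructed assumptions; what the model shows is the one property that justifies the second firewall: an Internet-sourced packet bound for the LAN has to be permitted by FW2 and then by FW1, so a box that is misconfigured or compromised at FW2 still leaves FW1 to stop it, while LAN users reach their own DMZ through R1 without crossing either firewall.

```python
from dataclasses import dataclass, field

# Segments from the inside outward, following the explanatory art in the post.
SEGMENTS = ["LAN", "DMZ1", "NOMANS", "DMZ2", "INTERNET"]


@dataclass
class Firewall:
    name: str
    # allow rules: (src_segment, dst_segment, proto, port); "*" matches anything
    allow: list = field(default_factory=list)
    # set when the box is misconfigured or compromised: it then passes everything
    wide_open: bool = False

    def permits(self, src: str, dst: str, proto: str, port: int) -> bool:
        if self.wide_open:
            return True
        return any(
            s in ("*", src) and d in ("*", dst)
            and p in ("*", proto) and pt in ("*", port)
            for s, d, p, pt in self.allow
        )


@dataclass
class Router:
    name: str  # plain forwarding hop; its packet screen is not modelled here


def build_chain(fw1_open: bool = False, fw2_open: bool = False):
    """Devices between consecutive SEGMENTS: devices[i] sits between
    SEGMENTS[i] and SEGMENTS[i+1]. Both rule sets are constructed assumptions."""
    fw1 = Firewall("FW1", wide_open=fw1_open, allow=[
        ("LAN", "*", "tcp", 80), ("LAN", "*", "tcp", 443),   # LAN browsing out
        ("NOMANS", "DMZ1", "tcp", 25),                       # relay hop inward
    ])
    fw2 = Firewall("FW2", wide_open=fw2_open, allow=[
        ("LAN", "*", "tcp", 80), ("LAN", "*", "tcp", 443),
        ("DMZ2", "NOMANS", "tcp", 25),                       # mail relay inward
    ])
    return [Router("R1"), fw1, fw2, Router("R2")]


def trace(src: str, dst: str, proto: str, port: int, devices):
    """Walk a packet from src to dst across the chain and return
    (allowed, name of the blocking firewall or None). Replies are assumed
    to ride the same state entry as the request, so only one direction is checked."""
    a, b = SEGMENTS.index(src), SEGMENTS.index(dst)
    step = 1 if a < b else -1
    for i in range(a, b, step):
        dev = devices[i if step == 1 else i - 1]
        if isinstance(dev, Firewall) and not dev.permits(src, dst, proto, port):
            return False, dev.name
    return True, None


def scenarios():
    """Reachability under normal operation, with FW2 wide open, and with both open."""
    normal = build_chain()
    fw2_lost = build_chain(fw2_open=True)
    both_lost = build_chain(fw1_open=True, fw2_open=True)
    return {
        "internet->dmz2 web": trace("INTERNET", "DMZ2", "tcp", 80, normal),
        "internet->lan ssh": trace("INTERNET", "LAN", "tcp", 22, normal),
        "internet->lan ssh, fw2 open": trace("INTERNET", "LAN", "tcp", 22, fw2_lost),
        "internet->lan ssh, both open": trace("INTERNET", "LAN", "tcp", 22, both_lost),
        "lan->dmz1 smb": trace("LAN", "DMZ1", "tcp", 445, normal),
        "lan->internet https": trace("LAN", "INTERNET", "tcp", 443, normal),
        "dmz2->lan smtp": trace("DMZ2", "LAN", "tcp", 25, normal),
    }


if __name__ == "__main__":
    for label, (ok, where) in scenarios().items():
        print(f"{label:32} {'allowed' if ok else 'blocked at ' + where}")
```

The last scenario is the one to keep in mind when writing the real rule sets: a mail relay in the Internet DMZ can only hand off to something in no man's land, never straight to the LAN, which is exactly the hop the two independently administered policies are meant to force. If both firewalls are the same product with the same policy, as the original message worried, a single bug or mistake opens both at once and the second box buys nothing.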




-----Original Message-----
From: Shubinsky, Slava [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 04, 1999 2:51 AM
To: [EMAIL PROTECTED]
Subject: In line firewalls...


I've seen an interesting architecture...

Net---FW1----R----FW2---R---Internet
        |
         DMZ

At first this seems to be a tighter security architecture,
but at a closer look this might be wasteful especially if
the two firewalls are the same type.  Has anyone run
into something like this?  What are the general thoughts?

Thanks!


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]