I am installing a new ISP service via UUNET and their managed Checkpoint FW.
I am trained in the use of FW1 (Unix) so I sort of understand how the thing
works. My question has to do with the options available to construct my DMZ.


Option 1. I want a three legged FW, IF1 to the ISP Router, IF2 to the DMZ,
IF3 to my inside network. My plan was to build the new web farm (which is
supposed to be Internet accessible) on the DMZ off IF2, use real legal
addresses as provided by UUNET and just have DNS entries made as the
machines are installed with the appropriate rules base entries to allow
access. 

Option 2. The other option suggested to me is to build a "private DMZ" off
IF3, use FW rules and NAT to provide access to the web farm and use just one
"Real" interface to the Internet via IF1. 

For the sake of what I think is simplicity, I want to go with Option 1, but I
admit to not being any kind of expert as far as building Internet-accessible
networks. I lean to Option 1 because there won't be so many rules and NAT
things needed in the FW, and since this is a managed service (not my choice
but...) I feel not having to request FW changes every time I want to add a
host will allow me to more rapidly respond to user requests to get machines
up and running on the Internet.

Are there any "best practices" type things for DMZ construction? Are there
any strong opinions one way or the other on the Option 1, Option 2 business
suggested here? Any opinions greatly appreciated. Thanks.