Maybe I am tired, but I don't see any reason to go for option 2.
In my experience option 1 is a best practice.  Your Internet
accessible servers are clearly segregated from your internal
network.  You have a secured DMZ subnet.
You can do a many to one NAT for your internal networks
using an address from the external subnet, add
the corresponding static routes from IF3 to
the internal network and you are good to go.
Don't forget a rule to allow the internal nets to the DMZ.

                       -Art


At 02:12 PM 11/19/99 -0500, Magowan, Richard M. (ITS) wrote:
>I am installing a new ISP service via UUNET and their managed Checkpoint FW.
>I am trained in the use of FW1 (Unix) so I sort of understand how the thing
>works. My question has to do with the options available to construct my DMZ.
>
>
>Option 1. I want a three legged FW, IF1 to the ISP Router, IF2 to the DMZ,
>IF3 to my inside network. My plan was to build the new web farm (which is
>supposed to be Internet accessible) on the DMZ off IF2, use real legal
>addresses as provided by UUNET and just have DNS entries made as the
>machines are installed with the appropriate rules base entries to allow
>access. 
>
>Option 2. The other option suggested to me is to build a "private DMZ" off
>IF3, use FW rules and NAT to provide access to the web farm and use just one
>"Real" interface to the Internet via IF1.
>
>For the sake of what I think is simplicity, I want to go with option 1 but I
>admit to not being any kind of expert as far as building Internet accessible
>networks. I lean to Option 1 because there won't be so many rules and NAT
>things needed in the FW and since this is a managed service (not my choice
>but...) I feel not having to request FW changes every time I want to add a
>host will allow me to more rapidly respond to user requests to get machines
>up and running on the Internet.
>
>Are there any "best practices" type things for DMZ construction? Are there
>any strong opinions one way or the other on the option 1, option 2 business
>suggested here? Any opinions greatly appreciated. Thanks.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>

===========================================
Art Coble
Lucent - Netcare Professional Services
Senior Network Consultant
Email: [EMAIL PROTECTED]
Page:  800 INS 1 INS
=============================================
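Art's option 1 layout (IF1 to the ISP, IF2 to the DMZ on real addresses, IF3 to the inside with many-to-one NAT, plus the inside-to-DMZ rule) written out as an nftables ruleset for a Linux three-legged firewall. This is an added example, not from the thread and not Check Point FW-1 syntax; the interface names (eth0/eth1/eth2 for IF1/IF2/IF3) and all addresses (RFC 5737 documentation ranges) are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed layout (not from the thread):
#   eth0 = IF1, ISP router side, firewall sits in 203.0.113.0/29
#   eth1 = IF2, DMZ web farm on real addresses, 192.0.2.0/24
#   eth2 = IF3, internal networks 10.0.0.0/8, hidden behind many-to-one NAT
# The static route for the internal networks behind IF3 is added outside nft,
# e.g. "ip route add 10.0.0.0/8 via 10.255.0.2 dev eth2" (assumed next hop).
flush ruleset

define if_isp = "eth0"
define if_dmz = "eth1"
define if_int = "eth2"
define dmz_net = 192.0.2.0/24
define int_net = 10.0.0.0/8
define nat_addr = 203.0.113.3     # spare address from the external subnet
define web_ports = { 80, 443 }

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web services, only to DMZ hosts
        iif $if_isp oif $if_dmz ip daddr $dmz_net tcp dport $web_ports accept

        # Internal -> DMZ (the rule Art says not to forget) and Internal -> Internet
        iif $if_int oif $if_dmz ip saddr $int_net accept
        iif $if_int oif $if_isp ip saddr $int_net accept

        # Nothing initiates into the inside from the DMZ or the Internet
        # (already covered by policy drop; stated explicitly so the intent is visible)
        iif $if_dmz oif $if_int drop
        iif $if_isp oif $if_int drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # many-to-one NAT: every internal host leaves IF1 as nat_addr
        oif $if_isp ip saddr $int_net snat to $nat_addr
    }
}
```

Adding a web host is then a DNS entry plus, at most, an extra port in `web_ports`; the NAT and the inside rules do not change, which is the low-change-rate property Richard was after.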