On Sun, 12 Dec 1999, Bennett Samowich wrote:
>
> Are there any issues, pro or con, to having two physical firewall machines
> making up the perimeter versus one? If building with two machines should
Pro: Defense in depth, multiple administrators to give away the farm.
Con: cost and management.
> they be the same or different?
Different generally.
>
> Scenario A:
>               ,->DMZ
> Net->firewall
>               `->Internal
>
> Scenario B:
>               ,->DMZ
>               |
> Net->firewall---->firewall->internal
>
I'd put the DMZ off of the first firewall on a different NIC so that
compromise of a DMZ host doesn't give layer 2 access to the internal
firewall's external adapter, or add a router to the DMZ segment.
That's my preferred architecture.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
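An added example, not part of the original thread: a small model of the two Scenario B layouts as layer-2 broadcast domains, checking whether a compromised DMZ host sits on the same segment as the internal firewall's external adapter (the exposure Paul describes). Device and interface names (fw1, fw2, eth0 and so on) are hypothetical.

```python
# Hypothetical topology model: segment name -> set of (device, interface)
# attached to that broadcast domain. Anything on the same segment as a
# compromised host is reachable at layer 2 (ARP, spoofing, sniffing).

def l2_neighbours(topology, segment):
    """All (device, interface) pairs sharing the broadcast domain `segment`."""
    return set(topology.get(segment, ()))


def find_segment(topology, device):
    """Return the segment the named device's NIC is attached to, or None."""
    for seg, members in topology.items():
        if any(dev == device for dev, _ in members):
            return seg
    return None


def firewall_ifaces_exposed_to(topology, compromised_host, firewalls=("fw1", "fw2")):
    """Firewall interfaces a compromised host can reach directly at layer 2."""
    seg = find_segment(topology, compromised_host)
    return {(dev, iface) for dev, iface in l2_neighbours(topology, seg)
            if dev in firewalls}


def inner_firewall_exposed(topology, compromised_host, inner_fw="fw2", ext_if="eth0"):
    """True if the inner firewall's external adapter shares L2 with the host."""
    return (inner_fw, ext_if) in firewall_ifaces_exposed_to(topology, compromised_host)


# Scenario B as drawn: the DMZ hangs off the link between the two firewalls,
# so DMZ hosts, fw1's inner NIC and fw2's outer NIC share one segment (constructed).
SCENARIO_B_AS_DRAWN = {
    "internet": {("fw1", "eth0")},
    "transit":  {("fw1", "eth1"), ("fw2", "eth0"), ("dmz-web", "eth0")},
    "internal": {("fw2", "eth1"), ("lan-host", "eth0")},
}

# Paul's variant: DMZ on its own NIC of fw1; the fw1<->fw2 link is a separate
# segment, so a DMZ compromise only reaches fw1's DMZ-facing interface (constructed).
SCENARIO_B_SEPARATE_NIC = {
    "internet": {("fw1", "eth0")},
    "dmz":      {("fw1", "eth2"), ("dmz-web", "eth0")},
    "transit":  {("fw1", "eth1"), ("fw2", "eth0")},
    "internal": {("fw2", "eth1"), ("lan-host", "eth0")},
}
```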