I don't see the advantage of two firewalls over a 4th
NIC. Two firewalls of different makes give you twice
the learning curve, and twice the chance to make a
mistake that leaves you open.
Even if you went with two Checkpoint firewalls (or two
of anything) you could have them both log to the same
management server instead of having to look in two
places to determine what is happening.
I use a 4th NIC so I can have 2 DMZs. One DMZ for the
world to access, and one for "trusted" users. I'd
also move the Cisco tunnel endpoint into the 2nd DMZ,
so you can see what's coming out of the tunnel. All
you should be able to see now is that there is a
tunnel.
HTH,
Pete Goodridge
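To make the 4th-NIC layout above concrete, here is an added example (not code from this thread, and not a Check Point configuration): a small zone-policy model of one firewall with four interfaces. The interface names, address ranges and rules are all constructed. It shows two things the design relies on: traffic is classified by the NIC it arrives on, with an anti-spoof check against that NIC's address ranges, and the decrypted side of the IPSec tunnel lands in the second DMZ so it has to cross the firewall (and get logged) before it reaches the inside.

```python
"""Zone policy model for one firewall with four NICs: internet, internal,
a public DMZ (www / OWA) and a "trusted" DMZ holding the IPSec tunnel router
and remote-access users. All addresses, interface names and rules below are
constructed for illustration; none come from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Which zone sits behind each NIC (constructed).
IFACE_ZONE = {"eth0": "inet", "eth1": "internal",
              "eth2": "dmz_public", "eth3": "dmz_trusted"}

# Address ranges reachable behind each NIC (constructed documentation ranges).
ZONE_NETS = {
    "internal":    [ipaddress.ip_network("10.0.0.0/8")],
    "dmz_public":  [ipaddress.ip_network("192.0.2.0/24")],      # www / OWA hosts
    "dmz_trusted": [ipaddress.ip_network("198.51.100.0/24"),    # tunnel router, dialin users
                    ipaddress.ip_network("172.16.0.0/16")],     # far side of the IPSec tunnel
}


def zone_of_addr(ip: str) -> str:
    """Zone a given address belongs to; anything unlisted is the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "inet"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # zone name or "any"
    dst_zone: str
    proto: str             # "tcp", "udp", "esp" or "any"
    dports: frozenset      # empty set = any port
    action: str            # "accept" or "drop"
    log: bool = False


ANY_PORT: frozenset = frozenset()

# First match wins; the explicit default-deny at the end logs everything it catches.
RULES = [
    Rule("www-owa",            "inet",        "dmz_public",  "tcp", frozenset({80, 443}),   "accept"),
    Rule("ike",                "inet",        "dmz_trusted", "udp", frozenset({500}),       "accept", log=True),
    Rule("esp",                "inet",        "dmz_trusted", "esp", ANY_PORT,               "accept", log=True),
    # Decrypted tunnel traffic re-enters on eth3 and must cross the firewall to
    # reach the inside, so it is now visible and logged rather than opaque.
    Rule("tunnel-to-internal", "dmz_trusted", "internal",    "tcp", frozenset({445, 1433}), "accept", log=True),
    Rule("default-deny",       "any",         "any",         "any", ANY_PORT,               "drop",   log=True),
]


def evaluate(in_if: str, src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str, bool]:
    """Return (action, matching rule name, logged?) for one flow."""
    src_zone = IFACE_ZONE[in_if]
    # Anti-spoofing: the source must belong to the zone behind the ingress NIC.
    if zone_of_addr(src) != src_zone:
        return ("drop", "antispoof", True)
    dst_zone = zone_of_addr(dst)
    for rule in RULES:
        if (rule.src_zone in ("any", src_zone)
                and rule.dst_zone in ("any", dst_zone)
                and rule.proto in ("any", proto)
                and (not rule.dports or dport in rule.dports)):
            return (rule.action, rule.name, rule.log)
    return ("drop", "implicit-deny", True)


if __name__ == "__main__":
    samples = [  # constructed flows
        ("eth0", "203.0.113.9", "192.0.2.10", "tcp", 443),    # world -> www/OWA
        ("eth0", "203.0.113.9", "198.51.100.1", "esp", None), # encrypted tunnel -> router
        ("eth3", "172.16.5.7", "10.1.2.3", "tcp", 445),       # decrypted tunnel -> inside
        ("eth3", "172.16.5.7", "10.1.2.3", "tcp", 23),        # decrypted tunnel, not allowed
        ("eth0", "10.1.1.1", "192.0.2.10", "tcp", 80),        # inside address from the outside
    ]
    for flow in samples:
        print(flow, "->", evaluate(*flow))
```

The point of the model is the third and fourth sample flows: with the tunnel endpoint on the trusted DMZ, what comes out of the tunnel is just another zone-to-zone flow that the same ruleset and the same log server see, instead of decrypting straight onto the inside net.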
--- k c <[EMAIL PROTECTED]> wrote:
>
> i'm trying to slug thru pro's and con's of a multiple
> firewall design, and how best to implement. wonder if
> you guys would chime in on this, i'd appreciate it.
>
> what we've got:
>
> 2 points of internet access that split a class B. let's
> say that 65-75% of all traffic is at one point, so
> i'll concentrate on that one:
>
> inet -- router -- FW -- router -- internal net, the
> dmz hangs off a FW interface. FW is a CP v4 box.
>
> the dmz hosts our www server as well as Outlook web
> access.
>
> we've got a VPN solution around the firewall.
>
> i've got some dialin access to the internal network
> that auths the user via a RADIUS server against an NT
> domain.
>
> i've also got some IPSec tunnels (cisco router to
> cisco router) starting to happen. this tunnels thru
> the FW and gets decrypted on the internal net.
>
> also have dialin users connecting at the outside
> router and coming in thru FW. this dialin location is
> changing somewhere inside, just not sure where the
> best place would be.
>
>
> that said, here's what i can see happening....
>
> adding more servers to the dmz, some of which will be
> the only server (i.e. it won't be duplicated on the
> inside net) so external dialin or soho ipsec tunnel
> clients will need to hit it as well as internal users.
> there's a buzz about e-commerce, so there would be
> some sort of database driven e-commerce something or
> other in the dmz. additional (load balanced) web
> servers. the need to better log/monitor all those
> pesky dialin and soho users.
>
>
> what we were thinking was ...
>
> inet -- router -- FW -- DMZ -- FW -- internal net
>
> firewalls would not be from the same vendor. where do
> i put the dialin users for the best and most secure
> fit? into the dmz or off a 3rd nic on the inside
> firewall. the dialin users are coming into a cisco
> router and auth against a Radius server. we're a big
> M$ shop except for all the important things like
> firewalls and dns. there will most likely be need for
> the dmz servers to talk to inside boxes.
>
>
> i'm looking to poke holes or throw some ideas around.
> maybe we keep the single FW scheme and hang the remote
> access users off a 4th nic on the firewall? maybe.
> but i'm not all too thrilled with that scenario.
>
> your input's greatly appreciated.
>
> thanks.
__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================