> I would like to build on this DMZ discussion and combine it with a post that
> Matt had a few days ago.
> My situation is that I am going to implement a DMZ with the private switch,
> and have a second firewall (MS ISA server) between the DMZ and internal
> network.
>
> Here is a lame pic of what I want to do:
>
> Internet
> |
> |
> |
> |eth0 (IP assigned from RR)
> LRP Box
> | |
> | |eth1 (192.168.1.2)
> | |
> | |_____ 192.168.1.0/24 DMZ
> |
> eth2 (192.168.1.3)
> |
> 192.168.1.1 ISA ext. nic
> 192.168.0.1 ISA int. network
> |
> |
> Internal network (192.168.0.0/24)
>
> OK, now what I was thinking was that the eth1 and eth2 would be on the same
> subnet. This way, updating the web server from the internal network would
> be fairly easy, because the internal net's default gateway is the ISA server,
> and the external nic on the ISA server has a default gateway of the LRP box.
> Same with the DMZ box. Assuming they penetrate the LRP box and hack the DMZ
> server, they are still removed from the internal net by the ISA server.
>
> I want to allow the DMZ box access to an Access database on the internal
> network (read only), and the DMZ box also needs access to relay SMTP messages
> to an internal Exchange box. The DMZ box is a W2K server running IIS and
> SMTP w/ ISA's message screener. (Everything is patched :-)
>
> Anyway, what do you all think? Any flaws you can see in this plan?
>
> I appreciate all the feedback you can give.
You don't want to use a DMZ setup in this case. The architecture you're describing is essentially another form of a screened subnet architecture, only using two routers (the default DMZ setups in Dachstein are also screened subnet architectures, but use a single router).

Basically, the "internal net" from the Dachstein box's perspective is your "screened subnet". Any systems needing inbound connections from the internet go on this network. Also connected to the screened subnet is your second firewall/router (ISA), which I'm assuming means "Internet Sharing Appliance".

There's nothing fundamentally wrong with this architecture, other than requiring two boxes, but if you've already got the existing ISA configured, and don't want to change your existing internal network configuration while adding a protected server system, it's a good way to go.

Basically, you should wind up with the following setup:

Internet
|
eth0
LEAF Box
eth1
|
Hub/Switch
|  |
|  \-- Server system(s)
|
ISA
|
Internal network

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
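As an added example, not taken from the list thread or from the LEAF/Dachstein distribution, here is a minimal ruleset for the LEAF box in the screened-subnet layout Charles describes. It is written in iptables/netfilter syntax rather than the ipchains rules Dachstein actually shipped, and it borrows the addresses from the original post (192.168.1.0/24 on eth1, the W2K server at 192.168.1.2, the ISA external NIC at 192.168.1.1, the internal net 192.168.0.0/24 behind ISA). The interface names, those addresses and the published ports 80 and 25 are all assumptions. Run it as-is and it only prints the commands; set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Screened-subnet firewall for a LEAF box: eth0 faces the Internet, eth1 faces
# the hub/switch that carries both the published server and ISA's external NIC.
# Added example; values below are assumptions taken from the thread.
EXT_IF=${EXT_IF:-eth0}                 # Internet side
DMZ_IF=${DMZ_IF:-eth1}                 # screened subnet (hub/switch)
DMZ_NET=${DMZ_NET:-192.168.1.0/24}     # screened subnet range
SERVER=${SERVER:-192.168.1.2}          # W2K IIS/SMTP host on the screened subnet
ISA_EXT=${ISA_EXT:-192.168.1.1}        # ISA external NIC, also on the screened subnet
INT_NET=${INT_NET:-192.168.0.0/24}     # internal network, only reachable through ISA
PUBLISHED_PORTS=${PUBLISHED_PORTS:-80,25}
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands, 0 = execute (needs root)

# fw: print the command in dry-run mode, otherwise execute it
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Start from a deny-all posture for traffic to and through the box.
    fw iptables -F
    fw iptables -t nat -F
    fw iptables -P INPUT DROP
    fw iptables -P FORWARD DROP
    fw iptables -P OUTPUT ACCEPT
    fw iptables -A INPUT -i lo -j ACCEPT

    # The internal net lives behind ISA: the LEAF box reaches it via ISA's
    # external NIC and never sees it on an interface of its own.
    fw ip route replace "$INT_NET" via "$ISA_EXT" dev "$DMZ_IF"

    # Anti-spoofing: private ranges must never arrive from the Internet side.
    fw iptables -A INPUT   -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    fw iptables -A INPUT   -i "$EXT_IF" -s "$INT_NET" -j DROP
    fw iptables -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    fw iptables -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # Stateful return traffic for connections the rules below permit.
    fw iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound from the Internet: only the published services, only to the
    # server on the screened subnet (DNAT from the public address on eth0).
    fw iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp \
        -m multiport --dports "$PUBLISHED_PORTS" -j DNAT --to-destination "$SERVER"
    fw iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$SERVER" -p tcp \
        -m multiport --dports "$PUBLISHED_PORTS" -m state --state NEW -j ACCEPT

    # Outbound to the Internet from the screened subnet (the server, and the
    # internal net as it emerges from ISA), masqueraded behind eth0.
    fw iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" \
        -m state --state NEW -j ACCEPT
    fw iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$INT_NET" \
        -m state --state NEW -j ACCEPT
    fw iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Log anything else that arrives from the Internet so probes are visible;
    # the DROP policy then discards it.
    fw iptables -A FORWARD -i "$EXT_IF" -m state --state NEW \
        -j LOG --log-prefix "LEAF-FWD-DROP: "
    fw iptables -A INPUT -i "$EXT_IF" -m state --state NEW \
        -j LOG --log-prefix "LEAF-IN-DROP: "
}

apply_rules
```

Note what this box can and cannot enforce: the server and ISA's external NIC share the hub/switch, so the SMTP relay to Exchange and the read-only database access from the original post never pass through the LEAF box. Those flows have to be restricted on ISA, which is exactly the role Charles assigns it; the LEAF rules only guarantee that nothing from the Internet reaches anything but the published ports on the server.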
