Lynn

maybe my drawing was not completely clear.

The outer firewall is NATting whereas the inner is routing to keep the DMZ and the secure network apart. We were planning to provide server hosting for remote networks but the design included dual hosted servers with a SAN device on the second network. I thrashed this for security reasons because any attacker on the remote parts of the net would automatically be invited to the sacred shrine.

Anyway, last office day today, tomorrow sailing along the Lycian coast.

Hope to hear from all of you in 2 weeks' time....

And....

Thanks

Erich

At 19:40 23.10.2003, Lynn Avants wrote:
On Thursday 23 October 2003 02:50 am, Erich Titl wrote:
[...]
> There is no NAT on the inner firewall, but then there is no NETBIOS traffic
> either through the firewall.

Hmmm... so it is running proxy-arp on the inner firewall (assuming this
is the only way you can filter w/o routing).

> I know that routing is going to be tricky, we will probably drop the
> extruded subnet idea as it is too big a security risk to have a subnet
> extended right into the heart of our secure zone.

Yeah, if the firewall is answering a /16, then it is likely not the
best idea to keep them on the same subnet. It might be a better idea
to proxy-arp the DMZ and route/NAT the internal net which keeps the
DMZ on a separate subnet behind the firewall.
--

THINK Püntenstrasse 39 8143 Stallikon mailto:[EMAIL PROTECTED] PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
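As an added illustration of the layout Lynn suggests above (proxy-arp only the DMZ block, route/NAT the internal net, never extend the public subnet into the secure zone), here is a small address-plan checker; it is example code written for this thread, not anything from the LEAF project, and all addresses in it are constructed placeholders from the documentation ranges.

```python
"""Check a two-firewall address plan against the advice in the thread:
keep the DMZ on its own subnet, proxy-ARP only that block, and put the
secure network in RFC 1918 space so it is NATted rather than extruded.
Addresses used in the tests are constructed examples (RFC 5737 ranges)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_layout(public_block, dmz, internal, proxy_arp):
    """Return a list of findings; an empty list means the plan follows the advice.

    public_block: the routable block the outer firewall answers for (the /16 in the thread)
    dmz:          the subnet holding the exposed servers
    internal:     the secure network behind the inner firewall
    proxy_arp:    the subnets the firewall will proxy-ARP for
    """
    pub = ipaddress.ip_network(public_block)
    dmz_net = ipaddress.ip_network(dmz)
    int_net = ipaddress.ip_network(internal)
    arp = [ipaddress.ip_network(n) for n in proxy_arp]
    findings = []

    # The "extruded subnet" problem: public address space reaches into the secure zone.
    if int_net.overlaps(pub):
        findings.append("internal network overlaps the public block (extruded subnet)")
    if dmz_net.overlaps(int_net):
        findings.append("DMZ and internal network share address space")

    # Proxy-ARP only makes sense for addresses carved out of the public block,
    # and must never cover the internal net or it is exposed at layer 2.
    for net in arp:
        if not net.subnet_of(pub):
            findings.append(f"proxy-ARP range {net} is not inside {pub}")
        if net.overlaps(int_net):
            findings.append(f"proxy-ARP range {net} exposes the internal network at layer 2")
    if not any(dmz_net.subnet_of(net) for net in arp):
        findings.append("DMZ is not covered by a proxy-ARP range; it would need routing or NAT")

    # The secure network should be private space so the firewall has to NAT it.
    if not any(int_net.subnet_of(net) for net in RFC1918):
        findings.append("internal network is not RFC 1918 space; it cannot be hidden by NAT")
    return findings
```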



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
