On Thu, Jan 15, 2004 at 04:06:22PM -0500, Nick Laflamme wrote:
> However, and promise not to giggle if you're going to read the rest of
> this, our network security folks don't want GuestA talking to GuestB
> directly if they can help it; they'd sleep better at night if they could
> sniff each packet and be sure nothing hinky is going on. I'd love to use
> a Hypersockets LAN, but that wouldn't allow that. (Never mind that two
> AIX systems on the same subnet talk directly without being vetted by the
> firewall; this is Linux, and the network security folks are convinced
> that's less secure than our existing platforms.)

Your network security folks are smoking the big crack rock.

Anyhow, here's how you'd do that other thing I was talking about:
      Switch -----------FW--------------Switch
         OSA                             OSA
     Tier One GW                     Tier Two GW
        GLAN                            GLAN
    Tier One Hosts                  Tier Two Hosts


For a host on tier one to get to one on tier two, it talks over the
Guest LAN to its gateway.  The gateway talks to its OSA (VSWITCH would
be fine here too).  The OSA is connected to a switch.  The switch is
connected to a second switch through a firewall (or the two switch ports
can only communicate through a firewall).  That firewall talks to the
second switch, which talks to the second OSA, which is owned by the Tier
Two gateway, which talks to the Guest Lan containing the Tier Two hosts.

It works, but it pushes a lot of traffic off the box that doesn't ever
need to leave the frame.

Adam
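As an added illustration (not part of Adam's mail or anything from z/VM itself), the diagram above can be modelled as a small graph and checked the way the network security folks would want: every tier-one to tier-two path must cross the firewall, and adding a shared LAN between even one pair of guests defeats that. Node names, the sample hosts, and the "hipersockets" node are constructed labels for this example.

```python
"""Constructed model of the two-tier topology in the mail, with a check that
no tier-one/tier-two pair can talk without traversing the firewall node."""
from collections import deque
from copy import deepcopy

# Adjacency list for the ASCII diagram; every link is bidirectional.
# Node names are constructed labels, not real device or guest names.
TOPOLOGY = {
    "tier1_host_a": ["glan1"],
    "tier1_host_b": ["glan1"],
    "glan1":        ["tier1_host_a", "tier1_host_b", "tier1_gw"],
    "tier1_gw":     ["glan1", "osa1"],
    "osa1":         ["tier1_gw", "switch1"],
    "switch1":      ["osa1", "fw"],
    "fw":           ["switch1", "switch2"],
    "switch2":      ["fw", "osa2"],
    "osa2":         ["switch2", "tier2_gw"],
    "tier2_gw":     ["osa2", "glan2"],
    "glan2":        ["tier2_gw", "tier2_host_a", "tier2_host_b"],
    "tier2_host_a": ["glan2"],
    "tier2_host_b": ["glan2"],
}
TIER1_HOSTS = ["tier1_host_a", "tier1_host_b"]
TIER2_HOSTS = ["tier2_host_a", "tier2_host_b"]


def shortest_path(topology, src, dst, blocked=()):
    """Breadth-first search from src to dst. Returns the node list, or None
    when dst is unreachable once the nodes in `blocked` are taken out."""
    if src in blocked or dst in blocked:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev and nxt not in blocked:
                prev[nxt] = node
                queue.append(nxt)
    return None


def inspection_bypasses(topology, hosts_a, hosts_b, inspection_node="fw"):
    """Pairs (a, b) that still reach each other with the inspection node
    removed, i.e. traffic the firewall would never get to sniff."""
    return [
        (a, b)
        for a in hosts_a
        for b in hosts_b
        if shortest_path(topology, a, b, blocked={inspection_node}) is not None
    ]


def with_shared_lan(topology, lan, members):
    """Copy of the topology with an extra LAN (e.g. a HiperSockets LAN)
    joining the listed guests directly, bypassing the gateways."""
    new = deepcopy(topology)
    new[lan] = list(members)
    for member in members:
        new.setdefault(member, []).append(lan)
    return new


if __name__ == "__main__":
    print(" -> ".join(shortest_path(TOPOLOGY, "tier1_host_a", "tier2_host_a")))
    print("bypasses, two-OSA design:",
          inspection_bypasses(TOPOLOGY, TIER1_HOSTS, TIER2_HOSTS))
    shortcut = with_shared_lan(TOPOLOGY, "hipersockets",
                               ["tier1_host_a", "tier2_host_a"])
    print("bypasses, with one shared guest-to-guest LAN:",
          inspection_bypasses(shortcut, TIER1_HOSTS, TIER2_HOSTS))
```

The second run shows why the mail rules out a HiperSockets LAN: joining a single tier-one guest to a single tier-two guest lets every host on both Guest LANs reach the other tier through that pair, so the firewall sees none of it.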
