
Multiple NICs on inside of DMZ

Hey gang,
I'm currently learning my way through a Netfilter book and need to design a
firewall with a DMZ. It basically involves two multihomed firewalls: one
connected to the LAN, the other to the router, with a DMZ in the middle.
Pretty standard.

A weird addition I came up with involves having several NICs on the 'DMZ
side' of either firewall. All machines within the DMZ would be multihomed,
with two point-to-point networks (255.255.255.252 subnet) connecting it to
both firewalls. I figured this was more secure; if a machine in the DMZ got
owned, all the other machines are on their own network and much harder to
get to from the owned machine. If everything in the DMZ was simply connected
by switch, I don't think it'd take long for a good hacker to discover and
mess with the other machines as well (especially w/o the firewall to protect
them).

Although I'm new to netfilter I haven't found anything that will keep this
idea from working. However it is a lot of setup, and I've never really heard
of anyone doing this before (except maybe on small firewalls where the DMZ
is a single port on a lone firewall). Further complicating things is the
fact that there will be around a dozen machines in the DMZ, requiring
multiple quad NICs. Any feedback on this crazy approach would be
appreciated, thanks!
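
The design sketched above, as an added worked example that is not part of the original message: it carves one /30 per DMZ host out of an address block and emits the netfilter FORWARD rules for one of the two firewalls, so that the DMZ NICs are never forwarded to each other and each host may only use its own link address. The block, interface names (`int0`, `int1`, ..., `eth0`) and addresses are assumptions for illustration.

```python
"""Plan per-host /30 DMZ links and emit matching netfilter rules.
Constructed example: block, interface names and addresses are assumed."""
import ipaddress


def plan_links(hosts, block, fw_side="int"):
    """Carve one /30 (255.255.255.252) per DMZ host out of `block`.
    In each /30 the firewall takes the first usable address and the DMZ
    host the second, so both ends of every link are unambiguous.
    Returns a list of dicts: host, iface, subnet, fw_ip, host_ip."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=30)
    links = []
    for idx, host in enumerate(hosts):
        sub = next(subnets)
        fw_ip, host_ip = list(sub.hosts())[:2]
        links.append({"host": host,
                      "iface": f"{fw_side}{idx}",  # assumed NIC naming
                      "subnet": str(sub),
                      "fw_ip": str(fw_ip),
                      "host_ip": str(host_ip)})
    return links


def forward_rules(links, outside_iface):
    """FORWARD-chain rules for one firewall.  Default policy DROP means
    no pair of DMZ NICs is ever bridged by accident; the only forwarding
    allowed is between a host's own link and the outside interface, and
    only with that host's own address, so an owned host cannot use its
    link to speak for a neighbour.  Narrow further by port in practice."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack "
             "--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for l in links:
        rules.append(f"iptables -A FORWARD -i {l['iface']} -o {outside_iface} "
                     f"-s {l['host_ip']}/32 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {outside_iface} -o {l['iface']} "
                     f"-d {l['host_ip']}/32 -j ACCEPT")
    return rules


if __name__ == "__main__":
    # A dozen DMZ hosts, as in the post, hung off 10.10.0.0/24 (assumed).
    plan = plan_links([f"dmz{i}" for i in range(12)], "10.10.0.0/24")
    for line in forward_rules(plan, "eth0"):
        print(line)
```

Twelve hosts on two firewalls need 24 /30 links, which fit comfortably in a single /24 (64 /30s), so the addressing is not the hard part; the per-interface rule set is.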
