
Re: Firewall design for evaluation

Bernd, thanks for the constructive criticism. I've
added some more questions below: 
> Now you can either filter by MAC to be a bit more
> safe about spoofing, or
> use VLANs instead of Secure mode, with the firewalls
> attached to the trunk
> ports. I would not do the .252 subnet stuff, since
> it is a big waste of time
> and adds absolutely no protection over VLAN or
> secure mode.
I did notice the missing switch after graphing it all
out. An associate had thought of the VLAN trick
earlier, but we weren't sure how it'd work and didn't
try it. Good to hear it's working somewhere! BTW, are
you talking about something like VLAN kernel support?

> So you want to have your LAN connect to the DMZ?
> This is ugly. You do not
> need Fibre for it, and you forget to mention how you
> are going to protect
> LAN from DMZ?
The LAN would connect to the DMZ because it contains
machines I thought best homed in there (like email).
Should the LAN not connect to the DMZ at all? We want
things to be secure, but we still want email too.
Another plan was to have email on the LAN and have
SMTP forwarders in the DMZ punt messages to it, is
this favorable?
There are three choke firewalls that protect the LAN
from the DMZ and there are no connections around them.
My design is just an elaboration of a standard setup,
being internet-gatewayfw-DMZ-chokefw-LAN

> You can simulate this with VLAN or Secure mode. VLAN
> is a bit better for the
> Firewall, because the Firewall can detect which port on
> the switch is used to
> send traffic, secure mode is a bit more classic and
> therefore more simple,
> less error prone.
That sounds like a winner to me. I'll be trying this
for sure!
Thanks again for all the help. I want to do this
right, and I look forward to your next reply.
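As an added illustration (not part of this thread or either poster's setup), the following script models the internet-gatewayfw-DMZ-chokefw-LAN chain described above and checks the "SMTP forwarder in the DMZ" plan: inbound mail must stop at a relay in the DMZ, and only that relay may open SMTP into the LAN. The zone names, host names (relay, www, mail) and the rule lists are constructed for the example; the VLAN/secure-mode question for hosts in the same zone is deliberately outside this model.

```python
# Added example: a small model of the internet-gatewayfw-DMZ-chokefw-LAN
# topology, used to check that the only path for mail into the LAN runs
# through the SMTP forwarder in the DMZ. Host names and rules are constructed.
from dataclasses import dataclass
from typing import Dict, List

# Linear topology: a flow between two zones must cross every firewall
# between them; there are no connections around the choke firewalls.
ZONES = ["internet", "dmz", "lan"]
FIREWALLS = {("internet", "dmz"): "gateway", ("dmz", "lan"): "choke"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: str = "any"
    dst_host: str = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: str = "any"  # "any" is a wildcard
    dst_host: str = "any"

    def matches(self, f: Flow) -> bool:
        return (
            (self.src_zone, self.dst_zone, self.proto, self.dport)
            == (f.src_zone, f.dst_zone, f.proto, f.dport)
            and self.src_host in ("any", f.src_host)
            and self.dst_host in ("any", f.dst_host)
        )


# Constructed rulesets; anything not listed is dropped (default deny).
POLICY: Dict[str, List[Rule]] = {
    "gateway": [
        Rule("internet", "dmz", "tcp", 25, dst_host="relay"),  # inbound mail stops at the forwarder
        Rule("internet", "dmz", "tcp", 80, dst_host="www"),
        Rule("dmz", "internet", "tcp", 25, src_host="relay"),  # forwarder delivers outbound mail
    ],
    "choke": [
        Rule("dmz", "lan", "tcp", 25, src_host="relay", dst_host="mail"),  # forwarder punts to LAN mail
        Rule("lan", "dmz", "tcp", 25, src_host="mail", dst_host="relay"),  # LAN mail hands off outbound
    ],
}


def firewalls_on_path(src_zone: str, dst_zone: str) -> List[str]:
    """Firewalls a flow must traverse, walking the linear zone chain."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    step = 1 if j > i else -1
    path = []
    for k in range(i, j, step):
        a, b = ZONES[k], ZONES[k + step]
        key = (a, b) if (a, b) in FIREWALLS else (b, a)
        path.append(FIREWALLS[key])
    return path


def is_allowed(flow: Flow, policy: Dict[str, List[Rule]] = POLICY) -> bool:
    """A flow passes only if every firewall on its path has a matching accept rule."""
    fws = firewalls_on_path(flow.src_zone, flow.dst_zone)
    if not fws:
        return True  # same zone: the firewalls never see it (VLAN / secure mode territory)
    return all(any(r.matches(flow) for r in policy[fw]) for fw in fws)


def mail_path_checks() -> Dict[str, bool]:
    """The properties a reviewer of this design would want to hold."""
    return {
        # Internet mail reaches the DMZ forwarder...
        "internet_to_relay": is_allowed(Flow("internet", "dmz", "tcp", 25, dst_host="relay")),
        # ...and the forwarder can punt it to the LAN mail server...
        "relay_to_mail": is_allowed(Flow("dmz", "lan", "tcp", 25, src_host="relay", dst_host="mail")),
        # ...but the Internet cannot reach the LAN mail server directly,
        "internet_to_mail_direct": is_allowed(Flow("internet", "lan", "tcp", 25, dst_host="mail")),
        # and another DMZ host (say the web server) cannot open SMTP into the LAN.
        "www_to_mail": is_allowed(Flow("dmz", "lan", "tcp", 25, src_host="www", dst_host="mail")),
    }


if __name__ == "__main__":
    for name, ok in mail_path_checks().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point of the two denied checks is the one the reply makes about the choke firewalls: with the LAN mail server only reachable from the relay, the DMZ can lose a host without that host gaining SMTP access into the LAN, and a direct Internet-to-LAN flow fails at the gateway before the choke is even consulted.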
