How many machines can be on DMZ ???

ahoangphan · ‎04-23-2002

Hi,

How many servers can be set up on DMZ? I have failover set up between 2 515s, each has 3 interfaces. In order to have failover to work with DMZ, should I need another switch to connect the DMZ ports of the 2 Pixes and rest of the servers ?? I'm planning to have 2 webservers and 1 mail server on DMZ. Or should I get a 4 port network card and install each server on each port?? Which way do you think is better ???

Thanks,

A.T.

gmiiller · ‎04-23-2002

It pays in these situations to have a look at the intended traffic-flow between the devices on your DMZ. We have several DMZ's where a large number of servers act independently from each other (and do not need to communicate directly) For security reasons we want to ensure that they cant, so we implement private vlans on the DMZ switch so that the variuous switch ports can only communicate to the firewall(s) at layer 2. Because the firewall won't do redirects or same-interface routing, that means the DMZ hosts can't communicate with each other.

Thats the cheaper way of doing large DMZ's, however, for govt clients this doesn't offer an accredited level of separation between hosts, so where accredited separation is required, more firewall interfaces it is.

thompson · ‎04-25-2002

Money is the issue.

$ You can do it with one switch/hub. Plug both the PIX and FO PIX into it, your 2 webservers and your mail server.

$$ Get two switches with a cross-overcable between them, make sure thay support spanning tree !!!(STP) put dual port ethernet cards in all three servers and connect one port to each switch. make sure your OS and NIC's support this!!!!

$$$$$$$$$$$$$$$$ Have some one else host this for you!!!!