RE: Shuttle & via epia... now firewalls

["Mark Harrison" <Mark.Harrison@xxxxxxx>]

Andy wrote:

!!! ITYF it was something along the lines of....

!!! Internet > firewall > web server > firewall > back end
server > firewall > LAN

Yup! That's the way to do it in a simple commercial web site. (See
below

However, a bit over the top for even my home LAN :-)

My home LAN is protected by a single firewall. I would not, under any
circumstances, store data on that firewall. Not because I am worried about
that data being lost if the firewall were compromised, but because the act
of enabling "data sharing" irrevocably compromised the
firewall.

"data sharing" means, among other things, web servers, Microsoft
File Sharing, NFS...



I said "simple"... for reference, here's medium-complex. There's
a separate switch between each tier. Each firewall should be different if
possible...

- ISP's Intrusion Detection System

- Port filtering switch

- Firewall A (pair) (eg Cisco PIX)

- Firewall B (pair) (eg Nokia)

- Load-balancer (eg Alterian)
- Web heads (eg Linux)

- Firewall C (eg Sun)

- Application servers (normally internally load-balanced these days) (eg
Sun)

- Firewall D (probably Sun again)

- Database _cluster_ (eg Sun / Veritas)

- Firewall E (eg Cisco PIX again)

- Private WAN

- Corporate Network


Regards,

Mark


For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx 
Subscribe:  ukha_d-subscribe@xxxxxxx 
Unsubscribe:  ukha_d-unsubscribe@xxxxxxx 
List owner:  ukha_d-owner@xxxxxxx

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.