Hi,

I don't know what you want to fight off with your design, but generally I would not do it like that. I once ran such a design but it caused too much uncontrollable network noise. If you can run with two leased lines (one for the internet servers and one for your LAN) you'll do best. If not, I'd do it like this:

            inet
             |
             |
    DMZ ---- Firewall1
             |
             |
             Firewall2
             |
             |
            LAN

1. Logging. Firewall1 logs everything. Firewall2 only logs stuff that tries to penetrate it. This'll keep your Firewall2 logs free of DMZ traffic pollution.
2. NIDS. Run a NIDS on all firewalls, including one dedicated NIDS box in your DMZ -> could be instead of your win2k domain controller.
3. Domain controller in a DMZ: You don't need that. We're talking about network layers, not about application layers.
4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
5. Proxy: You'll be fine running it on Firewall2.
6. Diversification: Firewall1 OS <> Firewall2 OS.

HTH
Philipp
-----Original Message-----
From: Christoph Pernsteiner [mailto:chriz@aon.at]
Sent: Tuesday, 4 December 2001 16:24
To: Suse Security Mailinglist
Subject: [suse-security] Offtopic (maybe): Proposal for school network
Hello,
my name is Christoph and I attend a business school. Our school administrator formed a working group for network and computer related problems. Our first task is to review the existing security system and to improve it or create a new one. I worked on a new network design for the school network, and I first created a draft. The first version of the draft can be downloaded from http://www.festlinfo.at/schoolnetwork.jpg. Would somebody be so kind as to comment on it or criticize it, because I want to improve it. I know a little bit about computer security and I want to learn more. I apologize for being off topic, but I wanted some experts to review the draft.
Have a nice day,
Christoph Pernsteiner
-- Black holes are where god divided by zero.