> Example: 1 Firewall, 1 Mailserver, 1 Proxy
>
> Firewall has 3 NICs:
> 1 connected to the internet showing no open ports
> 1 connected to the DMZ showing no open ports
> 1 connected to the administrative IP network providing SSH

This is ok (anything else wouldn't work ;)

> Mailserver has 2 NICs:
> 1 connected to the DMZ providing SMTP-service
> 1 connected to the administrative IP network providing SSH

No - the mailserver needs only one. The firewall can allow access to the ssh port of the mail server only from the administrative network. To provide further safety, the mailserver itself should check the source IP, too. The problem with your setup is that IF someone hacks your mailserver, access to the administrative network is gained, with no barriers in between!

> Proxy has 3 NICs:
> 1 connected to the DMZ showing no open ports
> 1 connected to the LAN providing several proxy services
> 1 connected to the administrative IP network providing SSH

Same as above, one or max. two NICs are enough. If you don't care about people circumventing your proxy (or you have all ports blocked, so people must use it), one is enough (on the LAN side). The proxy should then be allowed to go outside (masquerading). Of course, ssh only works if you have access to the LAN from the administrative network, and allow only access from a specific IP/maybe MAC address. If not, you will surely need a second NIC. But remember: the more links you have, the more of them can be a weakness! Use as few cross-links as possible - the weakest link will break first, and if you have a lot of links, this is harder to handle!
regards,
Markus Gaugusch

-- 
Markus Gaugusch          ICQ 11374583
markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
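The segmentation argument in the reply above, as an added example that is not code from the thread or its author: a small Python reachability model of the two designs (mailserver with a second NIC on the administrative network versus a single DMZ NIC plus a firewall rule and a host-level source check). Host names, network names and the rule set are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One firewall FORWARD rule (constructed): src_net -> dst_host:port."""
    src_net: str
    dst_host: str
    port: int


@dataclass
class Design:
    nics: dict[str, set[str]]                  # host -> networks it has a NIC on
    rules: set[Rule] = field(default_factory=set)
    ssh_allow: dict[str, set[str]] = field(default_factory=dict)  # host -> source nets its sshd accepts

    def path(self, src: str, dst: str, port: int) -> str | None:
        """How src reaches dst:port: 'direct' (shared segment, so the firewall
        never sees the packet), 'via-firewall' (a rule permits it) or None."""
        how = None
        if self.nics[src] & self.nics[dst]:
            how = "direct"
        elif any(Rule(net, dst, port) in self.rules for net in self.nics[src]):
            how = "via-firewall"
        # Second barrier from the reply: the target host checks the source IP itself.
        if how and port == 22 and dst in self.ssh_allow \
                and not (self.nics[src] & self.ssh_allow[dst]):
            return None
        return how


# Constructed topology: firewall on all three networks, an admin workstation,
# a host somewhere on the internet, and the proxy with LAN and DMZ NICs.
BASE_NICS = {"firewall": {"internet", "dmz", "admin"}, "adminbox": {"admin"},
             "inet-host": {"internet"}, "proxy": {"lan", "dmz"}}
RULES = {Rule("internet", "mailserver", 25), Rule("admin", "mailserver", 22)}

# Design as posted: the mailserver has a second NIC on the admin network.
POSTED = Design({**BASE_NICS, "mailserver": {"dmz", "admin"}}, RULES)
# Design as recommended: one DMZ NIC, firewall rule plus host-level check.
RECOMMENDED = Design({**BASE_NICS, "mailserver": {"dmz"}}, RULES,
                     ssh_allow={"mailserver": {"admin"}})


def compromised_mailserver_reaches_admin(d: Design) -> bool:
    """Blast-radius check: can an attacker on the mailserver open SSH to the admin box?"""
    return d.path("mailserver", "adminbox", 22) is not None


if __name__ == "__main__":
    for name, d in (("posted", POSTED), ("recommended", RECOMMENDED)):
        print(f"{name}: admin->mail:22 = {d.path('adminbox', 'mailserver', 22)}, "
              f"mail->admin:22 = {d.path('mailserver', 'adminbox', 22)}")
```

The proxy's DMZ NIC shows up as a 'direct' path to the mailserver in both designs, which is the cross-link the reply suggests dropping.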