Hello Markus, thanks for your answer. I think there is a little missunderstanding. I thought of the following basic setup: LAN <->PROXY<->DMZ<->FIREWALL<->INTERNET ^->MAILSERVER The DMZ is an IP-Network with 3 computers attached: Proxy, Firewall and Mailserver. The router between DMZ and Internet is the firewall. Between the LAN and the DMZ there is the proxy. My idea was to give each computer another network interface and connect them to an IP network, the administrative net. What I understood you thought about was a firewall with Interfaces to the LAN, to the Internet and to the DMZ acting as one router between them all. Proxy and Mailserver as to computers in the DMZ offering services. Of course you are right saying that each link imposes another risk - but how would you weigh it against the benefit of separating productive and administrative traffic. Greetings, Stefan