yaoweihung wrote: |
1. Which Firewall product is more powerful, Check Point NG or Cisco PIX 506? I would like to know which Firewall I should set up as the internal Firewall.
2. If I want to set up a VPN for remote management purposes, where should this VPN server go and how should I set up these two Firewalls?
3. From your demonstration, you have both the DMZ and the internal Firewall connected to the same hub/switch. Would it be better if I had dual NICs in all servers located inside the DMZ? By doing this, I would have my external Firewall connected to one subnet address (say, 192.168.1.xxx) and my internal Firewall connected to another subnet address (say, 192.168.2.xxx). |
kantan wrote: |
What difference does it make if I directly connect my external firewall to the internal firewall rather than bypassing it via the DMZ hub/switch? |
kantan wrote: |
I think you've got my question wrong. The DMZ hub/switch exists and the respective servers that need to go in the DMZ are connected to the DMZ hub/switch. My concern now is... what happens if I connect the external firewall directly to the internal firewall rather than connecting it via the DMZ hub/switch? Does that compromise the security in any way? |
Colonel_Panic wrote: |
Users need to use INSERT, SELECT, UPDATE and even DELETE (in other words, the PHP script access needs these privileges). If it happened that the webserver got rooted, what would it help if the db was inside the secure network? Whoever has root can change my PHP and mess with the data. So, is there even a theoretical possibility to secure the data against someone who manages to hack the webserver? |
Colonel_Panic wrote: |
Another thing. Say one would like to give access to, say, consultants and other third-party staff, to the internal network. They have to have access to machines located inside the internal "protected" network, because it needs the entire environment that surrounds it (like databases, shares etc.), and therefore cannot be put in the DMZ. How would one implement such a solution? |
danielrm26 wrote: |
Ideally, one would have a three-tiered architecture for their web/app/db environment, and each would reside in their own network. Apache, WebSphere, and Oracle, for example. |
danielrm26 wrote: |
This offers additional protection vs. the direct attacks on the database from the webserver that resides in the DMZ, and I know of many top 10 companies that do just this. The coolest one does the entire thing in VMWare - Check Point boxes, servers, and all. |
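One way to realise that tier separation on the internal firewall, as an added example that is not code from the thread: a Linux iptables forwarding policy that only lets each tier open connections to the next one. Interface names, the subnets (reusing the 192.168.1.x/2.x numbering from the first post), and the service ports 9080 (WebSphere HTTP) and 1521 (Oracle listener) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Internal-firewall forwarding policy for the three-tier layout: web tier
# (Apache) in the DMZ, app tier (WebSphere) and db tier (Oracle) each on
# their own network behind this host. Added example, not from the thread.
# Interfaces, subnets and ports 9080/1521 are assumed, not taken from it.
IPT=${IPT:-iptables}        # set IPT=echo to dry-run and inspect the rules

DMZ_IF=eth1; DMZ_NET=192.168.1.0/24   # web tier (DMZ)
APP_IF=eth2; APP_NET=192.168.2.0/24   # app tier
DB_IF=eth3;  DB_NET=192.168.3.0/24    # db tier

apply_rules() {
    # Default deny for everything crossing the internal firewall.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to permitted connections only; no new connections "backwards".
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # web -> app: only the app server's HTTP port.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$APP_IF" -s "$DMZ_NET" -d "$APP_NET" \
         -p tcp --dport 9080 -m conntrack --ctstate NEW -j ACCEPT
    # app -> db: only the Oracle listener; the web tier never reaches the db.
    $IPT -A FORWARD -i "$APP_IF" -o "$DB_IF" -s "$APP_NET" -d "$DB_NET" \
         -p tcp --dport 1521 -m conntrack --ctstate NEW -j ACCEPT
    # Anything else (e.g. a rooted web server talking straight to the db)
    # is rate-limited into the log for detection, then dropped by policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "TIER-DENY: "
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run with `--apply` on the internal firewall, or with `IPT=echo` first to review the generated rules.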