On Thu, 15 Aug 2002, Steve Evans wrote:
> Right now I have my Filer 810 connected via a gigabit Ethernet to our main internal subnet. I'm thinking of taking one of the 100 bit ports and sticking that in the DMZ. The DMZ NIC won't have any access at all to anything on our internal subnet. I'm thinking about doing this so our web server could store its files on there easily. Could somebody comment on this idea?
I don't quite trust filers enough to be firewalls ;-), so we don't do it that way here. Of course, this depends on how much security you have around your internal network and DMZ. Our network infrastructure "stack" looks like this:

      -=={ Public network }==-
                 ||
        [ Public firewalls ]
                 ||
     [ Public-facing servers ]
                 ||
      -=={ Storage network }==-
                 ||
         [ Netapp filers ]
                 ||
       [ Private firewalls ]
                 ||
     -=={ Internal network }==-
                 ||
   [ Internal servers and filers ]

Even with the new Multistore vfiler stuff, I wouldn't trust having a filer bridge security zones. Physical separation still can't be beat in a lot of cases.