> I'm looking for opinions about using the same firewall machine in
> order to connect the same organization with multiple services.
> For example, a Bank could use the same firewall in order to protect
> the private network from the Web Servers that are in the DMZ, and in
> order to give access to the Internet to the employees.
> An argument is that perhaps we do not want to consolidate them for
> performance reasons (we want to be able to isolate one service from
> another, so the traffic from one does not affect the performance of
> the second one).
> Any idea about why this consolidation could be good or bad, will be

I would keep them separate because:
1. Performance - If you are putting the DMZ as a segment off the
firewall machine, as the firewall gets bogged down, performance for
your internal users (to the Internet) and your external users of your
web servers will suffer.
2. Robustness - If the DMZ firewall machine goes down, both your
internal users will suffer as well as your external customers of your
web servers. You want to minimize the number of angry phone calls at
the same time.
3. Easier configuration - Rather than worry about both the web server
and your users on the same machine's configuration, you think of them
separately. Simpler configurations will reduce the chance of you making

Then again, if you don't have enough money for more than one
machine, well, you will have one machine. I don't think that would be a

In either case, I think you want to make sure that one group or person
is administering both machines.
> Adrian F. Setton
> LighTech Voice: (54-1) 373-1141
> Ayacucho 563. Piso 13 Dto "A" FAX: (54-1) 373-1215
> Buenos Aires e-mail: asetton @
> Argentina URL: http://www.lightech.com.ar