Mailing List Archive

Multiple Subnets
Right now I have my Filer 810 connected via a gigabit Ethernet to our
main internal subnet. I'm thinking of taking one of the 100 bit ports
and sticking that in the DMZ. The DMZ NIC won't have any access at all
to anything on our internal subnet. I'm thinking about doing this so
our web server could store its files on there easily. Could somebody
comment on this idea?


Steve Evans
Computing Services
(619) 594-0653
Re: Multiple Subnets
On Thu, 15 Aug 2002, Steve Evans wrote:
>
> Right now I have my Filer 810 connected via a gigabit Ethernet to
> our main internal subnet. I'm thinking of taking one of the 100 bit
> ports and sticking that in the DMZ. The DMZ NIC won't have any
> access at all to anything on our internal subnet. I'm thinking
> about doing this so our web server could store its files on there
> easily. Could somebody comment on this idea?

I don't quite trust filers enough to be firewalls ;-), so we don't
do it that way here. Of course, this depends on how much security you
have around your internal network and DMZ. Our network infrastructure
"stack" looks like this:

       -=={ Public network }==-
                  ||
         [ Public firewalls ]
                  ||
       [ Public-facing servers ]
                  ||
       -=={ Storage network }==-
                  ||
           [ Netapp filers ]
                  ||
         [ Private firewalls ]
                  ||
      -=={ Internal network }==-
                  ||
    [ Internal servers and filers ]


Even with the new MultiStore vfiler stuff, I wouldn't trust having a
filer bridge security zones. Physical separation still can't be beat
in a lot of cases.
--
Brian Tao (BT300, taob@risc.org)
"Though this be madness, yet there is method in't"