I have a situation where I utilize CacheFlow devices to serve up web content for a high traffic web site. In considering new secure architecture, I have two options: creating two separate DMZ segments, one for the redundant CacheFlows and another that contains the physical web servers. The other option is creating one multi-tiered DMZ segment that utilizes another PIX between the CacheFlow segment (Outside) and the segment (Inside) where the physical web servers reside. From a security perspective, what are some of the advantages/drawbacks of each design? Thanks for any help that you provide.
The phrase multi-tiered DMZ doesn't really ring a bell. I don't remember coming across such a term or having read about such setups, and that would translate to only one thing: tougher troubleshooting. I would definitely recommend going in for a design similar to what you are likely to see deployed commonly. That would not only help while troubleshooting but also help since a wealth of documentation is likely to be available.
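The first option in the question (two DMZ segments on one PIX, caches on one, web servers on the other) still gives you an enforced boundary between the tiers, because the PIX only lets the cache segment reach the web segment through an explicit translation and access list. The configuration below is an added illustration of that design, not something posted in this thread or taken from Cisco documentation. It assumes PIX 6.x syntax, interface names `dmz-cache` and `dmz-web`, and constructed addresses (203.0.113.0/24 outside, 192.168.10.0/24 for the caches, 192.168.20.0/24 for the web servers); substitute your own.

```cisco
! Added example (PIX 6.x syntax assumed); addresses and interface names are constructed.
! Web servers sit on the higher-security segment, so cache -> web is a
! lower-to-higher flow and must be explicitly permitted.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-cache security40
nameif ethernet3 dmz-web security60

ip address outside 203.0.113.2 255.255.255.0
ip address dmz-cache 192.168.10.1 255.255.255.0
ip address dmz-web 192.168.20.1 255.255.255.0

! Publish only the CacheFlow VIP to the Internet, and only on HTTP/HTTPS.
static (dmz-cache,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Identity translation so the cache segment can address the web segment at all.
static (dmz-web,dmz-cache) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

! Only the cache host may open HTTP to the web servers; nothing else crosses
! from the cache tier, so a compromised cache cannot roam the web segment.
access-list cache_in permit tcp host 192.168.10.10 192.168.20.0 255.255.255.0 eq www
access-list cache_in deny ip any any
access-group cache_in in interface dmz-cache

! No nat/static from dmz-web towards outside or dmz-cache: with nat-control in
! effect the web servers cannot initiate connections out of their segment,
! which limits what an attacker on a web server can reach.
```

Compared with the second option (a second PIX between the tiers), this keeps one device and one configuration to audit, but a single misconfigured line or a bug in that one firewall exposes both tiers at once; the extra PIX buys separation at the cost of the troubleshooting and documentation burden the reply above mentions.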