Understood. I expected as much but thought I'd ask. Most of my suggestions would require more knowledge of the layout to be filtered out. I really don't know what you'd find that would do what you want in this case, based on the requirements stated previously. Sorry =/ I'd look more to finding a way to make it a truly isolated unit that they could audit personally, instead of a distributed zone with boundaries in the middle. -Blake On Tue, Jul 30, 2013 at 5:39 PM, William Herrin <bill@herrin.us> wrote:
On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap <ikiris@gmail.com> wrote:
Well, I guess my first question is: Is this a design you are stuck with for some reason or alternately, is there a good reason for it, and I need to be educated as to real world design? It seems rather odd to put a firewall boundry between a LB and its associated cluster as opposed to in front of the LB.
Howdy,
Paperwork. The customer owns 3 servers in a system of a consisting of a hundred or so. He wants his security people to accredit it. They won't accredit individual servers, so his options were: duplicate the full system just for him (very expensive) or create a security boundary where he can say, "This is my enclave. Accredit my enclave."
Naturally his security people decide that they don't want the firewalls to be additional servers running Linux. That would make it far too easy to secure his system. I don't yet know if they'd accept an appliance running Linux underneath. :/
-Bill
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004