Firewall Wizards mailing list archives

medical records, web server, & stateful firewall vs packet filter


From: "Adam Greene" <maillist () webjogger net>
Date: Mon, 7 Nov 2005 09:31:21 -0500

Hi,

Looking for opinions about the following situation:

Our customer runs a medical imaging service. There are three components: web
server, image server and SQL server. The web server needs to be publicly
accessible over the Internet. The web server needs to be able to access the
image and SQL servers directly (the image server link in particular needs to
be >1Gbps because the images are so large). The image and SQL servers need
to be accessible from the Internet only via VPN.

My plan so far is to bond multiple 1Gbps NICs on the web and image servers
and connect them via EtherChannel on a Cisco 3750. The 3750 would act as a
packet filter between the servers. The SQL server would attach to that too.
Then I would set a Cisco ASA 5510 between the 3750 and the Internet, to
terminate VPN connections as well as provide stateful firewall and maybe
some application filtering services for the webserver.

My question at this point is: am I making a mistake by placing a stateful
firewall between the webserver and the Internet? Maybe a simple packet
filter would be less prone to DoS attacks. I could stick a Cisco 2800 there
instead. I have always believed that a stateful firewall device like a PIX
or ASA 5500 would offer better overall protection than a packet filter (I
need to limit access to the image and SQL servers too), but some feedback
I've received recently is causing me to question this assumption.

Anyone care to point me in the right direction?

TIA,
Adam

[p.s. tried posting this on 11/3; not sure why it didn't go through...]
