2 Tier firewall design

Hi All
What are people's thoughts on a 2-tier firewall design for a large enterprise? Is it normal and recommended practice to have 2 layers of firewall, and of different vendors?
Also, would the rulebase normally be duplicated on each firewall?
Cheers

Hi,
The most common situation where I've seen this used is when a customer has an office network and an automation network, so mostly in factories/mills where it's important to separate the 2 networks from each other.
In these cases the firewall pair between office and automation is usually doing NAT exemption for all traffic. Any NAT is handled on the firewall equipment at the edge of the whole network.
In these types of setups you can basically leave the inner ASA without any NAT configuration, and you will mostly be configuring ACLs while the bulk of the firewall configuration is done at the edge devices.
- Jouni

Similar Messages

  • Two-Tier Firewall Config

    We want to set up a Data Center Network for core banking with all the application and database servers. For this we are planning to design a two-tier firewall network architecture. The first-tier firewall (Cisco PIX in failover mode) will have the web servers in its DMZ as front-end application servers. The second-tier firewall (PIX firewall, failover mode) will have the application and database servers in its DMZ as back-end servers.
    The flow of data will be such that any user logging in from the Internet will access the web servers at the first level and get authenticated, and the web servers will in turn talk to the internal application servers for any data request.
    Is the above design OK?
    Pls find attached topology diagram….
    Also provide me with a sample PIX config for the above two-tier firewall architecture implementation of application and database servers.
    Hi,
    IP Scheme is as listed below.
    Lan IP = 192.168.1.0/24 - 192.168.24.0/24
    Internet Firewall DMZ Network (Tier-1) = 192.168.252.0/28
    Internet Firewall Internal Network (Tier-1) = 192.168.252.16/28
    Intranet Firewall External Network (Tier-2) = 192.168.252.16/28
    Intranet Firewall DMZ Network (Tier-2) = 192.168.252.32/28
    PIX Firewall Internal Network (Tier-2) = 192.168.252.48/28
    Regards

    Hi Collin,
    This server is a Lync edge server. My idea is one network card to NAT with a public IP address (172.16.2.x NAT with public IP). The other is for the internal firewall, to NAT with the internal network (20.20.0.x NAT with internal IP 10.10.0.x).
    Your suggestion is to use one NIC with one IP address for the DMZ server going to both firewalls, is it?
    Please advise me, thanks.
    Thanks,
    Ko Htwe

  • Audit Vault and DB Firewall Design

    I have an application (Java based) connected to the database 11g using JDBC.
    I am going to implement Audit Vault and DB Firewall R12 for three reasons:
    1. monitoring the traffic
    2. blocking unwanted SQL statements
    3. blocking unwanted IPs/users
    Our two physical servers that will be used for Audit Vault and DB Firewall contain two NICs each.
    My questions:
    1. How to put these two servers in our network to be able to monitor as well as block traffic? We don't need to change anything in our existing network configuration.
    2. How will the DB Firewall block unwanted incoming traffic from the Java application to our database?
    Please, any useful documents, links, ideas, network design.
    I tried the official Oracle document; it is useless.

    hi,
    1. If you plan to block SQL using the firewall you will need 3 NICs in the firewall appliance, since apart from the management interface you will need to set up a bridge (with 2 NICs) to physically route the traffic through the firewall. This also requires you to patch the appliance properly inside your datacenter between the protected database and the client or middle-tier servers, so you can't do this without changing anything in your network configuration.
    2. You will need to compile a whitelist based on what your trusted applications are doing normally; this is an iterative process. Then the firewall will be able to block SQL not in the whitelist (replacing it with something like select 1 from dual), since the only physical network path from the Java clients to the secured target DB goes via the bridge.
    Comment: so if you have a chance, pull one NIC out of the AV server (it only needs 1) and plug it into the firewall appliance.
    Greetings,
    Harm ten Napel
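    The allowlisting behaviour Harm describes (learn the statement shapes trusted clients normally send, then block anything else and hand the database a harmless statement instead) can be tried out without the appliance. The block below is an added illustration written for this page, not Oracle's DB Firewall code; the client subnet 10.10.1.0/24, the attacker address 192.0.2.9 and all SQL statements are constructed sample data. It reduces each statement to a fingerprint (string and numeric literals become ?, comments are stripped, whitespace and case are folded), learns fingerprints only from trusted client addresses, and in blocking mode substitutes select 1 from dual for anything it has not seen.

```python
"""Allowlist-style SQL filtering, as an added illustration of the DB Firewall
answer above (not Oracle's implementation). All traffic below is constructed."""
import ipaddress
import re

LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")   # string or number literal
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)             # -- line and /* block */ comments

SAFE_STATEMENT = "select 1 from dual"   # the substitution the answer describes


def fingerprint(sql):
    """Canonical shape of a statement with the variable parts removed."""
    s = LITERAL.sub("?", sql)
    s = COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.lower()


class DBFirewall:
    def __init__(self, trusted_clients):
        self.trusted = [ipaddress.ip_network(c) for c in trusted_clients]
        self.allow = set()        # learned fingerprints
        self.blocking = False

    def _trusted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted)

    def learn(self, client_ip, sql):
        """Learning phase: record shapes seen from trusted clients only."""
        if self._trusted(client_ip):
            self.allow.add(fingerprint(sql))

    def enforce(self):
        self.blocking = True

    def filter(self, client_ip, sql):
        """Return (decision, statement actually forwarded to the database)."""
        if not self._trusted(client_ip):
            return "blocked-unknown-client", SAFE_STATEMENT
        fp = fingerprint(sql)
        if fp in self.allow:
            return "pass", sql
        if not self.blocking:
            self.allow.add(fp)                    # still learning: accept and record
            return "learned", sql
        return "blocked-unknown-statement", SAFE_STATEMENT


def build_demo():
    """Constructed traffic: a Java middle tier on 10.10.1.0/24 during normal use."""
    fw = DBFirewall(["10.10.1.0/24"])
    for sql in (
        "SELECT id, name FROM customers WHERE id = 42",
        "SELECT id, name FROM customers WHERE id = 17",
        "UPDATE accounts SET balance = 100.50 WHERE acct = 'A-1'",
    ):
        fw.learn("10.10.1.5", sql)
    fw.enforce()
    return fw


if __name__ == "__main__":
    fw = build_demo()
    probes = [
        ("10.10.1.5", "SELECT id, name FROM customers WHERE id = 99"),
        ("10.10.1.5", "SELECT id, name FROM customers WHERE id = 42 OR 1=1"),
        ("10.10.1.5", "SELECT id, name FROM customers WHERE id = 42 "
                      "UNION SELECT username, password FROM dba_users"),
        ("192.0.2.9", "SELECT id, name FROM customers WHERE id = 42"),
    ]
    for client, sql in probes:
        print(client, fw.filter(client, sql))
```

    The same query with a different id value passes because only literals were folded, while the tautology (OR 1=1) and the UNION change the statement's shape and are replaced. Two caveats a practitioner should keep in mind: the regex fingerprint is whitespace-sensitive around operators (balance=? and balance = ? are different shapes), so a real appliance tokenises the SQL rather than pattern-matching it, and the whitelist is only as good as the learning window, which is why the answer calls it an iterative process.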

  • Cisco ACE and firewall design

    Guys,
    If I have servers protected behind a firewall and I need to load balance some servers, where should I place the ACE?
    Sent from Cisco Technical Support iPad App

    Hi,
    With one-arm I believe the question is where you want to place the firewall. As long as the client is able to reach the VIP and the server replies back to the ACE, I don't see any problem with this design.
    Firewall ---------Switch ---------------- Load Balancer ---
    As you know, one-arm requires a source NAT and might not be a good fit for applications that use the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
    Regards,
    Siva

  • Firewall Interface design

    We plan a two-tier firewall with a physical topology like this:
    WWW --------------- FW1-----------FW2-----------------INTERNAL
    We will have multiple DMZ zones off FW2 and our VPN termination point off FW1. FW2 will be responsible for the NATing in the design.
    My plan is to have internal IP addresses (RFC 1918) between FW1 and FW2 so that FW2 cannot be accessed publicly.
    If we have multiple DMZ interfaces off FW2, do I need to logically separate them in the 'intermediate' zone (between FW1 and FW2)?
    So for example, FW2 will have two subinterfaces, Gi0/0.100 = DMZ1 and Gi0/0.200 = DMZ2. Should this be carried over a logical path between FW1 and FW2, or should it just use the single interface on FW1 and FW2?
    Hope this is clear.

    Using the single interface between FW1 and FW2 will be fine.
    You just need to ensure your routing steers the traffic correctly, NAT statements are aligned and access lists allow the necessary flows.
    The one tricky bit would be the NAT. If the only place the public IPs connect to is FW1, yet the NAT from DMZ server real address to public IP is in FW2, you will need some static routing along with your access-list entries to make sure the requests for your DMZ servers' public addresses are passed through FW1 to the inside interface and on to FW2's outside interface.
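    The "routing, NAT and ACLs must line up" point in this answer is easy to get wrong on paper, so here is an added packet-walk model of the design in the question (FW1 holds the public addresses, FW2 does the static NAT and owns the DMZ interfaces). It is illustration code written for this page, not configuration from either poster. Every address is an assumption: 203.0.113.0/28 is the public block for DMZ servers (RFC 5737 documentation range), 10.0.0.0/30 the RFC 1918 transit between FW1 inside and FW2 outside, 10.20.0.0/24 the real DMZ1 subnet, and 198.51.100.7 an Internet client. The model runs the same flow twice: once with FW1 lacking a route for the public DMZ block (the packet follows FW1's default route back out to the ISP and never reaches FW2) and once with the static route the answer calls for.

```python
"""Hop-by-hop walk of one flow through a two-tier firewall chain (added
illustration; all addresses are assumptions, see the lead-in above)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Rule:
    src: Net
    dst: Net
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    name: str
    routes: dict                                    # Net -> next-hop label
    acl: list                                       # first match wins, implicit deny
    static_nat: dict = field(default_factory=dict)  # public IP -> real IP (destination un-NAT)

    def untranslate(self, dst):
        return self.static_nat.get(dst, dst)

    def next_hop(self, dst):
        hits = [(net, hop) for net, hop in self.routes.items() if dst in net]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]   # longest prefix match

    def permitted(self, src, dst, dport):
        for rule in self.acl:
            if rule.matches(src, dst, dport):
                return rule.action == "permit"
        return False


def walk(chain, src, dst, dport):
    """Push one flow through the firewalls in order; return (verdict, trace)."""
    src, dst = IPv4(src), IPv4(dst)
    trace = []
    for i, fw in enumerate(chain):
        real = fw.untranslate(dst)        # static NAT rewrites the destination first
        if real != dst:
            trace.append(f"{fw.name}: untranslate {dst} -> {real}")
            dst = real
        if not fw.permitted(src, dst, dport):
            trace.append(f"{fw.name}: ACL deny {src} -> {dst}:{dport}")
            return "dropped", trace
        hop = fw.next_hop(dst)
        if hop is None:
            trace.append(f"{fw.name}: no route to {dst}")
            return "dropped", trace
        if i + 1 < len(chain) and hop != chain[i + 1].name:
            trace.append(f"{fw.name}: routes {dst} via {hop}, never reaches {chain[i + 1].name}")
            return "dropped", trace
        trace.append(f"{fw.name}: permit, forward to {hop}")
    return "delivered", trace


PUBLIC_DMZ = Net("203.0.113.0/28")   # assumed public block advertised at FW1
TRANSIT = Net("10.0.0.0/30")         # assumed RFC 1918 link FW1-inside <-> FW2-outside
DMZ1_REAL = Net("10.20.0.0/24")      # assumed real DMZ1 subnet behind FW2

# FW2 owns the static NAT and the DMZ interfaces; its ACL is written on the real address.
FW2 = Firewall(
    name="FW2",
    routes={DMZ1_REAL: "DMZ1", Net("10.10.0.0/16"): "inside"},
    acl=[Rule(Net("0.0.0.0/0"), Net("10.20.0.10/32"), 443, "permit")],
    static_nat={IPv4("203.0.113.10"): IPv4("10.20.0.10")},
)


def outer_fw(with_static_route):
    """FW1 holds the public addresses but no NAT; it must route the DMZ block to FW2."""
    routes = {Net("0.0.0.0/0"): "ISP", TRANSIT: "FW2"}
    if with_static_route:
        routes[PUBLIC_DMZ] = "FW2"   # the static route the answer above calls for
    return Firewall(name="FW1", routes=routes,
                    acl=[Rule(Net("0.0.0.0/0"), PUBLIC_DMZ, 443, "permit")])


def simulate(with_static_route, dport=443):
    """Assumed Internet client 198.51.100.7 to the DMZ server's public address."""
    return walk([outer_fw(with_static_route), FW2], "198.51.100.7", "203.0.113.10", dport)


if __name__ == "__main__":
    for flag in (False, True):
        verdict, trace = simulate(flag)
        print(f"static route on FW1 = {flag}: {verdict}")
        for line in trace:
            print("  " + line)
```

    The model also covers Jouni's edge-NAT variant further up the page: move the static_nat table to FW1, leave FW2 with routes and ACLs only, and the same walk applies. Whichever tier does the NAT, the ACL on that tier has to be written against the address the packet carries at the point the ACL is evaluated, which is the second thing that silently breaks when the two tiers are configured by different teams.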

  • Network Topology/Configuration Validation

    Hi,
    We are implementing a two-tier firewall architecture using Fortigate and Cisco ASA 5500 series firewalls for our internal network.
    All the tiers will be redundant-mode firewalls (active/active).
    The first-tier firewall (Fortigate) will host the web servers (front-end servers).
    The second-tier firewall (ASA 5520) will host the database (back-end servers) and storage servers.
    Please refer to the attached security-setup-final PPT for the actual topology.
    Kindly guide on the configuration in terms of:
    1) Routing protocol to be used (OSPF/RIP)
    2) PRI dial-up config (DDR) design for branches
    3) Firewall design validation
    4) IP scheme validation (attached)
    5) WAN setup termination point
    Please suggest if the proposed setup and related IP scheme will work seamlessly.
    Regards

    Hi,
    How many OSPF areas should be created for the primary and DR site?
    Should both sites be configured in area 0 or in different areas?
    Also, should we use a single subnet for dial-up (ISDN BRI) for backup, or a point-to-point subnet for each dial-up location?
    The primary link will be a channelized E1.

  • Network Positioning of a Windows Server 2012 R2 Direct Access & VPN Server

    Reposted, moved from Windows Server Forums - Security
    Hi
    I'm in the process of creating a new Active Directory forest with a single domain using AD.Contoso.com, to use the Microsoft example. The reason I have decided on AD.XXXXXXXXX.com is to get away from using split-horizon (split-brain) DNS. The requirements for our new domain are:
    2012 R2 AD
    Direct Access & VPN
    Exchange 2013 OWA, ActiveSync, Outlook Anywhere (possibly a hybrid config where we have on-premises mailboxes and some Exchange Online mailboxes, Office 365 etc.)
    Lync 2013 ?
    SharePoint 2013 ?
    Microsoft Active Directory Certificate Services
    System Center Configuration Manager 2012 R2
    Two way trusts between old forest and new to enable Transition/Migration
    OK, so that's what I'm aiming for, so now the question.
    They are allowing me to purchase a next-generation firewall, maybe a Barracuda NG firewall or a Cisco ASA X series, so I need some advice on what type of network topology I should configure. I've read that using the two-NIC configuration for the 2012 R2 DirectAccess server is preferable, one NIC on the internal network and one on the perimeter. The problem I have with this is that it bridges the internal network and the perimeter, bypassing the back-end firewall; see image.
    The other alternative is to dispense with the perimeter network, use the DirectAccess server with a single NIC and set up the NG firewall in a three-legged config with the DA server on the DMZ.
    So, all you security experts out there, what would be your design for this simple domain? We don't need any HA or load balancing.
    Thanks
    Simon

    OK, I'm not sure we are going to get any advice on this subject, but one last effort. Our budget can only stretch to one next-generation firewall, so I'm considering the following three-legged firewall design with a two-NIC 2012 R2 DirectAccess server. If someone could validate this configuration or suggest an alternative then I would be grateful.

  • File to database adapter error

    I am trying to run the File2Database example shipped as part of the database adapter samples. Though I have created the tables and modified oc4j-ra.xml as mentioned in the readme file, I am getting a merge error followed by "table or view does not exist", but the tables do exist under the schema specified in oc4j-ra.xml. Do I need to configure anything else? Please let me know if anyone has faced a similar problem.
    This is the log :
    =====================
    <2005-06-15 16:26:59,056> <INFO> <default.collaxa.cube.ws> <AdapterFramework::Outbound> Since unable to locate the JCA Resource Adapter deployed at 'eis/MyDBConnection', will then attempt to instantiate ManagedConnectionFactory oracle.tip.adapter.db.DBManagedConnectionFactory directly.
    <2005-06-15 16:27:08,738> <INFO> <default.collaxa.cube.ws> <Database Adapter::Outbound> <oracle.tip.adapter.db.ox.TopLinkXMLProjectInitializer initialize> Initializing an existing toplink project for use by the database adapter.
    <2005-06-15 16:27:09,755> <ERROR> <default.collaxa.cube.ws> <Database Adapter::Outbound> <oracle.tip.adapter.db.DBInteraction executeOutboundWrite> unable to execute the outbound merge operation on: File2Table.Purchaseorder
    <2005-06-15 16:27:09,817> <ERROR> <default.collaxa.cube.ws> <AdapterFramework::Outbound> file:/D:/OraBPELPM/integration/jdev/jdev/myWork/File2Table/DBOutbound.wsdl [ DBOutbound_ptt::merge(PurchaseorderCollection) ] - Could not invoke operation 'merge' against the 'Database Adapter' due to:
    ORABPEL-11616
    DBWriteInteractionSpec Execute Failed Exception.
    merge failed. Descriptor name: [File2Table.Purchaseorder].
    Caused by Local Exception Stack:
    Exception [TOPLINK-4002] (OracleAS TopLink - 10g (9.0.4.5) (Build 040930)): oracle.toplink.exceptions.DatabaseException
    Exception Description: java.sql.SQLException: ORA-00942: table or view does not exist
    Internal Exception: java.sql.SQLException: ORA-00942: table or view does not exist
    Error Code: 942
    at oracle.toplink.exceptions.DatabaseException.sqlException(DatabaseException.java:227)
    at oracle.toplink.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:698)
    at oracle.toplink.threetier.ServerSession.executeCall(ServerSession.java:506)
    at oracle.toplink.internal.queryframework.CallQueryMechanism.executeCall(CallQueryMechanism.java:131)
    Regards
    Raju

    Hi Raju,
    Looking at the error, your DBOutbound.wsdl has [location="eis/MyDBConnection"] although the sample shipped has [location="eis/DB/BPELSamples"]. So I am guessing you have either modified the sample manually, or you may have rerun the DB adapter wizard, which could have caused this change. So, you could fix this in one of the following ways:
    1. Start with a fresh sample and follow the instructions to the dot
    2. Go ahead and define an entry in oc4j-ra.xml for eis/MyDBConnection with the appropriate connection parameters
    3. Currently, when the JNDI name is not defined in the oc4j-ra.xml, the runtime tries to work with the design-time connection information which is captured in the DBOutbound.wsdl. In your case this doesn't seem to work, for either of the following reasons: your runtime connection is different from the design-time connection, or else the design-time connection info is not valid for the runtime, assuming it is running on a different machine. I could pinpoint what is wrong if I had access to the DBOutbound.wsdl file.
    A couple of other best practices while we are on this issue:
    - the location attribute which ties design time and runtime together follows a convention so that we don't have to make sure that it is unique across all of the various adapters: to help out on this front, we follow the convention of eis/<AdapterAbbrev>/<connectionName>. So I'd change yours to eis/DB/MyDBConnection. By default the wizard generates locations using this convention, although it is hand-editable.
    - from another error message below, "file:/D:/OraBPELPM/integration/jdev/jdev/myWork/File2Table/DBOutbound.wsdl [", I get the feeling that you are copying the sample elsewhere. Is there a need to do that? You could just add the jdev project (.jpr) for this sample to any existing jdev workspace and you should be able to deploy from there without making any changes. This approach would be preferable and would have kept you from running into the set of issues that you are seeing.
    Let me know if the above makes sense.
    Cheers,
    Shashi

  • GSS4492 provide different IP address depending on conditions

    Hi,
    I am new to GSSs, so bear with me.
    We have 2 x GSS4492 configured as an active/standby pair. One exists in datacentre X whilst the other exists in datacentre Y.
    We have a new requirement whereby a 3rd-party company will have a new WAN link connecting to our datacentre X and another to our datacentre Y. The 3rd-party company will forward DNS lookups to the GSSs in both datacentres for a specific service, called application A. The GSSs sit behind a firewall in each datacentre. The GSSs will respond to a DNS query from the 3rd-party company with a NAT address on the firewall (designated as primary for the application), e.g. 10.10.10.10. The 3rd-party company then connects to the NAT address etc. If application A is not available in the primary datacentre then the GSSs will return an IP address for the service in the other datacentre (NAT address), 10.10.20.10. This is standard stuff, as far as I'm aware.
    But what they want is to use the same FQDN, e.g. 'testing.test.co.uk', but require the GSSs to respond with a different IP address depending on a condition.
    - If application A is up in datacentre X and the WAN link to datacentre X is up (from the 3rd-party company), then the GSS will respond to FQDN 'testing.test.co.uk' with 10.10.10.11 (local NAT address for the service in this local primary datacentre).
    - If application A is up in datacentre X and the WAN link to datacentre X is down (from the 3rd-party company), then the GSS will respond to FQDN 'testing.test.co.uk' with 10.10.20.12 (other datacentre NAT address, but this will be NAT'd to the real address for application A in datacentre X).
    - If application A is down in datacentre X and the WAN link to datacentre X is up (from the 3rd-party company), then the GSS will respond to FQDN 'testing.test.co.uk' with 10.10.10.12 (i.e. local datacentre NAT address, but this is NAT'd to the real address of the backup service in the other datacentre, i.e. application A in datacentre Y).
    - If application A is down in datacentre X and the WAN link to datacentre X is down (from the 3rd-party company), then the GSS will respond to FQDN 'testing.test.co.uk' with 10.10.20.11 (backup datacentre Y).
    Can the GSS do this? If so, please indicate how it can be done (by the way, the GSSs poll VIPs on ACEs in each datacentre).
    regards
    Mark

    Yes, but then I have to go in and set my IP address manually every time, because the DHCP on both (work and home routers) just assigns whatever. I want to have a certain IP address depending on where I am, without having to actually tell the computer "I'm at work now" or "I'm home". Because as soon as I walk into my office, I'm connected to the work wireless, so it should know: this address is 10.0.1.10, so the IP address should be 10.0.1.38. When I go home, it automatically connects to my home wireless, so it should look at the address and say the IP should be this. Just seeing if anyone figured out how to do that?

  • OSPF Multiple Processes

    Hi..
    Do all LSA updates travel between different router OSPF processes, or do we need to manually redistribute the OSPF process whose updates we want to be learned?
    One more question: what if two OSPF processes are defined on a single router and F0/0 is configured for ospf 1 and area 0, and F1/1 is configured for ospf 2 and area 10; does this setup filter all kinds of updates? Because I do not want the network on F0/0 to be advertised to the F1/1 network.
    Thanks

    Thanks amit and hritter for your replies. Your answer, hritter, did clear up my confusion. One more clarification: is the area distribution a factor here, i.e. if all interfaces are in one area while two OSPF processes are running, is the result the same, no updates advertised?
    I need your suggestions as well for the project I am doing.
    I am studying a typical design for one of our customers, where a router (but most probably a PIX firewall, as per the customer's request) will be placed centrally, and for the firewall design, each of the inside, DMZ and outside interfaces connects to a 2600 router running OSPF, and the inside, DMZ and Internet networks lie behind these 3 routers respectively.
    Now this makes the PIX an ABR while the Internet router acts as ASBR. I suggested having 2 OSPF processes, one for the inside and DMZ while the other is for the outside. The PIX will be a 525 or 535, so resources should not be a problem. This way the inside and DMZ networks would not be advertised to the outside network, and the PIX can be used for OSPF and mainly its security features, much better than a router with the IOS firewall feature set. The external OSPF process will be redistributed.
    Thanks again

  • Server 10.3.9 - Three NIC cards - Route between Three subnets

    I have a Panther server with three NICs, each one connected to a different network.
    xx.xx.1.x = private intranet used for storing video files - has a DHCP server
    xx.xx.2.x = company intranet used for Internet access
    xx.xx.3.x = editors' intranet
    I have NAT set up to forward network activity from .3 to .2.
    But the editors (.3) also need to access .1.
    Is there a way to connect the .3 to the .1 network through the server?
    Any help would be greatly appreciated.
    Here's a picture to show what I'm trying to say.
    http://www.kbdiondemand.org/client_files/routing.png

    Here is my newest routing table. I cleared everything out and started over.
    I have NAT enabled and it is working, but I removed the private address.
    http://www.kbdiondemand.org/client_files/routing3.png
    I'm starting to wonder if I need to create a divert rule in the firewall. NAT has a firewall divert rule to send traffic to the NAT service.
    So far, I haven't gotten the syntax correct for creating the divert rule. The error message is that the port is incorrect.
    I haven't found the information in any of the Panther Server books out there. They shy away from using the server as a firewall or a router.
    Excerpt from Essential Mac OS X Panther Server Administration:
    Of all the things that a packet filter can do, Apple seems to have some pretty specific things in mind for the Firewall service in Mac OS X Server. Panther Server's Firewall service is targeted at protecting the server on which it is running. Configuring a firewall for this purpose is very different from configuring a firewall designed to sit at the border between a network and the Internet. Mac OS X Server is simply not well-suited for the tasks normally performed by a dedicated firewall.
    For example, Mac OS X Server needs to be rebooted for things like software updates, and does a fairly poor job of routing packets during the reboot. Surely you could configure Mac OS X Server as a router and then never touch it so that it wouldn't have to be rebooted, but that means no software updates. Just because Mac OS X Server can act as a router, that does not mean it's the most cost-effective or functional solution. Trying to shoehorn Apple's Firewall service into performing duties that it wasn't intended to provide is generally not a good idea.
    Apple also includes a Network Address Translation (NAT) service that works in conjunction with the firewall. This service could be used to provide Internet access to a workgroup by allowing the workstations to share the server's IP address. While the NAT service does work, better results may be found with the average $40 NAT router. The bottom line is that it's a very good idea to use dedicated network hardware, and not a personal computer, to perform critical network functions like routing. This reduces network downtime due to computer maintenance such as software updates.
    I will focus on using Apple's Firewall service for protection of services running on our server, and not to do routing or NAT for other computers.

  • Distributed Authentication Service Server or Reverse Proxy

    My environment has two layers of firewall in place. The DMZ is sitting on the first-tier firewall for general web sites, while I plan to put the Access Manager server behind the second-tier firewall. As we know, AM has to send the SSO token back to the browser after authentication. In this configuration, based on security policy, we don't allow a direct connection between the browser and AM. That's why we put DSSS or a reverse proxy in the DMZ zone to act as the gateway for internal & external traffic.
    Can anyone post a comparison, pros and cons, between DSSS and a reverse proxy? Which one is better in terms of features and ease of implementation?
    Finally, are there any other alternatives if we don't want to use either DSSS or a reverse proxy? I ask this question because AM will be a single point of failure for the whole system. If AM has been attacked, whether directly or indirectly, all services will be inaccessible.
    Best Regards,
    mthekid

    Bernhard,
    Thanks for your response. Because my major concern is security, I want to prevent denial of service on Access Manager. It looks like writing my own dist-auth-equivalent mechanism will help. However, I have 3 different platforms in the single sign-on environment. Does this mean I have to create 3 dist-auth-like ones?
    Do you think they are worth doing (I hope I can find documentation and guidelines at http://docs.sun.com)? Please tell me frankly. I am semi-technical and presales. If they are too complex and time consuming, I may decide to go with dist-auth.

  • SR520, ping reply

    Hi,
    I'm not very familiar with the ZBF on the SR520; can anyone please provide me with a config enabling the SR520 to send ping replies?
    Regards
    Eivind

    Zone-based firewall configuration can be confusing, especially if one is used to the older CBAC-type firewall configuration.
    Your best resource for this problem is the
    Zone-Based Policy Firewall Design and Application Guide
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b
    Appendix B has a sample config that would allow ping replies.
    There are four basic steps in setting up the firewall.
    1) Define the zones
    2) Define the class maps that identify traffic between zones
    3) Create a policy map that defines the action to take on the class map
    4) Configure the zone pair and apply the policy
    In Appendix B, you'll see the class map specifying what traffic to inspect. The names of the class-map and policy-map could be anything.
    ! step 2: class map matching the L4 protocols to be inspected (icmp is what makes ping replies work)
    class-map type inspect match-any L4-inspect-class
     match protocol tcp
     match protocol udp
     match protocol icmp
    The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
    If it was 'drop', the connection would be denied.
    ! step 3: policy map applying the inspect action to that class
    policy-map type inspect clients-servers-policy
     class type inspect L4-inspect-class
      inspect
    Hopefully that helps!
    Addis

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre-optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So what I am thinking is to get another ASA 5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up the AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
    And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would however consider is whether ASA 5510s as the second-tier firewall for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • Questions about 6500/FWSM/CSM

    Hi,
    I have some questions regarding FWSM and CSM. Thank you in advance for your feedback.
    I am using a pair of 6513s with one FWSM and one CSM in each. I am setting up a DMZ environment with these units. The FWSM is the second-tier firewall (a pair of PIX 525s are in the perimeter).
    1. Do I have to use the MSFC? I am connecting the PIXes to the outside VLAN of the FWSM and two inside routers to the inside VLAN of the FWSM. The FWSM has a DMZ VLAN as well. I don't see any reason to involve the MSFC in the picture. Is this correct? Is there any reason in the future that I may need the MSFC (i.e. changing from single context to multiple, or using load balancing for DMZ servers)?
    2. I am going to extend the outside and inside VLANs of the FWSM between the two 6513 switches. Should I do this for the DMZ as well? As I do not use gateway redundancy for my DMZ servers and it is a pure firewall configuration of 6513/FWSM, I don't think it is required.
    3. My understanding is that with the extended outside VLAN, if the link between the primary PIX and the primary 6513 fails, or if the primary PIX fails over to the secondary for any reason, the secondary PIX will have a way to get to the outside interface of the primary FWSM. Is this correct? If not, then how can I make sure that PIX failover will be transparent to the primary 6513/FWSM, which is not connected to the secondary PIX?
    4. Is there any difference in spanning-tree configuration between this environment and a regular dual-homed server based config?
    Thanks,

    Hi
    1) No, you should be fine if you leave out the MSFC. Certainly you don't want the MSFC between your perimeter PIX firewalls and the FWSMs, as you could end up routing around the firewalls. You could have the MSFC on the inside of the FWSMs.
    Changing to multiple contexts will not require the MSFC for the above. It is quite feasible to have a separate context where the MSFC is involved and still have your above setup where you haven't involved the MSFC. You dictate this by how you allocate VLANs to the FWSM.
    2) You will have to extend the DMZ, or at least you will have to allocate the DMZ VLAN on both switches under the "firewall vlan-group ..." command. If you don't allocate the same VLANs on each switch to the FWSM, your failover will not work properly. If the DMZ servers are physically connecting into the 6500 chassis I would look to dual-home them and include the DMZ in failover if you can. I can't see a reason not to use failover between chassis if you can. (Of course, it depends on whether you have 2 NICs in the DMZ servers.)
    3) Assuming your 6500s are connected with a layer 2 trunk, yes, the secondary PIX should still be able to get to the outside interface of the primary FWSM.
    4) For the FWSM, not really. Just make sure you use a dedicated layer 2 trunk/EtherChannel for the FWSM between the 2 switches.
    Hope this has answered some of your queries
    Jon
