Networks

Easiest and most correct way - install firewall to interconnect LAN and DMZ. It depends on your budget. Theoreticaly you should not use routers as your only solution for security. General idea is in using firewall since it provides statefull security (it tracks your incoming and outgoing TCP sessions and UDP flows).

What can you do in this situation:

1. Buy 3-4 interfaces firewall. I prefere Cisco PIX or Checkpoint, but it can be anything.

2. Connect your 2 Internet routers together through small hub or switch. Or connect both T1 cards to one router and configure "policy routing", when you send one type of traffic through one link, and rest of the traffic through another.

3. Connect all your "public" servers to DMZ interface and configure appropriate rules and address translations.

4. Connect your LAN to "inside" interface.

It's very general view of "best security practices". Sure, you may just install router between your "servers lan" and "users lan", configure NAT and routing, but again, its not recommended solution.

If you have more questions on network and security design, send me e-mail.

Good luck,

Michael Shavrov
CCSP, CCNP, CCDP, CSS1, Security+, MCSE W2K, Checkpoint CCSA.

Either add routes on your "T1 Modem router" to each network, statically, or connect the two internal routers together via Ethernet connection and add those LAN routes to each LAN on each router.

If you have a free port on each router the easiest and safest way would be to run a link between the routers and then place an entry in each table to allow the private network router to send to the other router but not allow the reverse, ie one way traffic is established. This will restrict connection establishment to those in the restriceted network.