We have a T-1 line that goes to a packet firewall, which branches off by forwarding ports to either the web server (port 80) or to other ports. The web server is running ZoneAlarm software firewall. The ZoneAlarm firewall allows no traffic into the internal network or back out of the web server.
Is there a better way to do this in terms of protection to the network and reducing unnecessary traffic? Would that be the way of a true DMZ? What would be an example? The only reason I can think of doing a formal back-end firewall would be to take the traffic from hitting the internal switch, possibly affecting the traffic going to other servers on the network? Thanks.