Hello,

I have some questions, not about a specific problem, configuration or installation; I am looking for answers to a "WHY?" list. I don't mean to bother anyone, but I can't help looking deeper into these questions. In my opinion these are really important basic questions to ask yourself before designing internet/intranet security.

1. WHY is a back-to-back DMZ more secure than the 3-NIC DMZ? What is my advantage in buying another license and dealing with lots of configuration instead of working with a 3-NIC DMZ? Is it only because of isolating the subnets not only with software code but also physically? And if so, don't we have to trust that code? If it fails, does physical isolation really save me?? Because I have another failed or ready-to-be-hacked firewall software at the other end!

2. WHY is it a DMZ security violation to have an internal domain member server in the back-to-back DMZ scenario? If I ask this question in a very simple way, WHAT is the difference between a hacked member server and a hacked stand-alone server? The Front-End<->Back-End Exchange 2000 architecture requires the Front-End Exchange server to be a member server. Also, Microsoft has an article dealing with this configuration which even lists the ports that need to be opened. IF this is a DMZ violation, WHY does MS violate its own firewall security?

3. WHY is it more secure to chain the ISA firewalls? What is the security failure or hole if I don't chain the internal and external firewalls in a back-to-back DMZ scenario?

4. IF I open a VPN tunnel from one of the DMZ servers to reach some of the resources in the internal domain, is it a DMZ security violation, or is it better and more secure than creating lots of packet filters and tons of configuration for that DMZ server? If I configure a packet filter only for that server and someone simulates an IP packet that has the same source IP as the DMZ server's IP, it can reach that specific resource. But if I configure this server as an L2TP VPN client properly, don't I make sure of the incoming source exactly?

5. WHY is publishing a server more secure than putting it in the DMZ? (Comparison of public IP DMZ and private IP DMZ.) What is the difference between ISA server publishing and DMZ server publishing? When you publish a server it means that someone can open a session to that server and can exploit whatever he/she wants, if it is possible. Isn't it the same for DMZ server publishing? What are the benefits or losses of publishing a server compared with DMZ server publishing?

I know I have to read books and I can find these topics. However, I just need some push or a start to go further. Answers or comments of one or two sentences would make this great!

Thanks and regards to anyone who even reads these,

GOKTUG YILDIRIM