After some more thought (and talking with another Unix/Linux guy I know),
I'm thinking now that I'll just put the new BSD machine out there on it's
own. Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and
the boss wants seperate IP addresses for both websites. So I think I'll end
up with something like this:

Cable Modem -> Switch -> Cisco PIX and existing network
-> New BSD server

I think this should be ok, and I plan on locking the new BSD machine down as
much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2,
and Qmail are all I plan on running on it, besides SSH for admin, etc. No
ftp or telnet).

"Bit Twister" <BitTwister@localhost.localdomain> wrote in message
news:slrnbhgetq.38b.BitTwister@wb.home...
> On Fri, 18 Jul 2003 13:28:51 -0400, Joe Beanfish wrote:
> >>
> >> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
> >> -> Firewall 2 -> New Server
> >
> > Do you really need the servers isolated from each other by firewall?
> > You could do this (which is probably more common)
>
> It would help keep malware installed on the New Server from
> getting easy access to boxes on the Old server network.