My coworker and I are discussing the pros/cons between two potential architecture options, and I would like to gather feedback on which option is better and why.
First, a description of the environment: We have a vertically segmented network into multiple levels. Level A is our internet facing level, with a firewall controlling boundary access from level A to the internet and vice versa. We then have Level B which is seperated with a firewall controlling access to and from level A. We then have level C which is seperated with a firewall controlling access to and from level B. Therefore, level C is more trusted than level B, which is more trusted than level A.
In an effort to reduce the amount of cross firewall traffic, as well as tighten the firewall rules associated with what can communicate between levels, we have decided to implement an ubuntu mirror in each level, from which machines on that level will update (e.g. Level B machines update from the level B repository, level C machines update from the level C repository, etc)
Now the options:
Option 1: create a mirror on level A which mirrors from archive.ubuntu.com, then create a mirror on level B which mirrors from the level A mirror, and then create a mirror on level B which mirrors from the level B mirror.
option 2: create a mirror on level B, which mirrors from archive.ubuntu.com, then create a mirror on Level A and C, both of which update from the Level B mirror.
Both of us have discussed the pros/cons of these methods, as well as our justifications for both of these options, however I do not want to introduce any bias, so I will not post up our justifications for either of these two options.
Many thanks.
