For what you've mentioned, it sounds like you only need one DMZ. Just put any computers that will need public access into a DMZ like the drawing shows. I did notice that since I put that together in a hurry, I left out DMZ switching, but you would obviously need one there.
Quote:
I know they will be DMZ so that I can enable them to be on their own security computers / firewalls.
I'm not sure what you mean by this, but you only really need one firewall for the scenario you described. The firewall should have multiple ports if you want a true DMZ, each port with a different address for a different interface (i.e. you would have a public IP address on the port that connects to the Internet router, a private IP on the port that connects to the DMZ switch, and a different private IP on the port that connects to the LAN switch). A firewall that does stateful packet inspection will use the rulebase that you create to determine what traffic is or isn't allowed to connect to each device on the different segments.
As far as VPN access from the laptops, there are multiple ways of accomplishing this. Some firewalls (i.e. Checkpoint {always my first choice}, Cisco PIX) will have a VPN client that can be installed onto any computer, and that will give access to the network for anyone with a username and password that is defined in the firewall.
Depending on the OS, there are also other options. If you have any Microsoft servers, PPTP can be used for VPN. The firewall would need to have a rule that allows traffic on port 1723. Then the user account will need to have remote access enabled and the laptop will need to have the PPTP client (which is built into XP) set up.
There are other options, and there are different valid ways of accomplishing some of the things you want, but this should point you in the right direction.
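An added illustration (not part of the reply above) of the three-interface layout and the rulebase idea: a small stateful policy evaluator with an Internet side, a DMZ segment and a LAN segment, a first-match rulebase with default deny, and a PPTP (port 1723) rule for a Microsoft server on the LAN. The address ranges, rules and host addresses are constructed for the example and are not a real deployment.

```python
import ipaddress

# Constructed addressing for the firewall's two private interfaces; anything
# outside these ranges is treated as arriving on the Internet-facing port.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.10.0/24"),
    "lan": ipaddress.ip_network("192.168.20.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to the segment (firewall interface) it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Rulebase: evaluated top to bottom, first match wins, implicit drop at the end.
# Tuples are (source zone, destination zone, destination port or None for any, action).
RULES = [
    ("internet", "dmz", 80, "accept"),    # public web server living in the DMZ
    ("internet", "dmz", 443, "accept"),
    ("internet", "lan", 1723, "accept"),  # PPTP control channel to the Microsoft server
    ("lan", "internet", None, "accept"),  # LAN users going out
    ("lan", "dmz", None, "accept"),       # admins reaching DMZ hosts
    ("dmz", "lan", None, "drop"),         # a DMZ host must never initiate into the LAN
]

class StatefulFirewall:
    """Stateful packet inspection: replies to accepted flows bypass the rulebase."""

    def __init__(self):
        # Flows already accepted, keyed as (src, sport, dst, dport).
        self.established = set()

    def check(self, src: str, sport: int, dst: str, dport: int) -> str:
        # Return traffic for an established flow is allowed without a rule.
        if (dst, dport, src, sport) in self.established:
            return "accept"
        for src_zone, dst_zone, port, action in RULES:
            if zone_of(src) == src_zone and zone_of(dst) == dst_zone and port in (None, dport):
                if action == "accept":
                    self.established.add((src, sport, dst, dport))
                return action
        return "drop"  # default deny for anything the rulebase does not allow
```

Note that the DMZ-to-LAN reply in the test below is accepted only because the LAN side opened the flow first; the same DMZ host initiating to the LAN is dropped.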