We have two domains that are isolated. First domain is the Corp LAN, the second is an hostile untrusted network with untrusted clients that could contain malware. Clients on the untrusted network create reports that need to be read by users on the Corp LAN. Currently the reports are copied from the untrusted network onto a USB scanned by the corp. AV then copied onto the Corp LAN. We would like to remove the need of the USB transfer and simplify the process. If we put a firewall at the edge of the untrusted network and a firewall at the edge of the Corp. LAN then in-between the firewalls host a staging server that the files can be stored. We could then open the Corp. LAN firewall to allow users to get to the files. Is this good practice? What is the risk of malware hoping from one domain to another? Are we opening up our corp. network to any risk?