Any opinions on this?
The definition of a "screened host gateway" specifies that the firewall shall
consist of a screening router which blocks traffic to all internal hosts except
the bastion host.
My question is whether or not it would be a good design compromise to move the
bastion host to the outside. Then the screening router would be configured to
block traffic to all internal hosts, except for traffic originating from the
bastion host. These crude ASCII drawings may help clarify:
Normal:

                                    Bastion Host
                                         |
Internet -----> Screening Router --------|
                                         |
                                    Inside Network

Modified:

         Bastion Host
              |
Internet -----|-----> Screening Router ----> Inside Network
The reason I would like to do this is because I plan to implement the TAMU
Drawbridge as the packet filter, and to have the TAMU Monitoring utilities
running on a Sun *outside* the packet filter. To include a bastion host
in this arrangement would require another Sun *inside* the packet filter,
unless it is a workable compromise to combine the TAMU Monitoring utilities
and the bastion host proxy agents on a single Sun outside the packet filter.
Would it be better to have the single Sun (running the TAMU Monitoring
utilities and the proxy agents) placed inside the packet filter? Is there a
tradeoff between enhanced security and monitoring capability here?
Thanks,
David Margrave
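The two screening-router policies described in the post, modelled as an added example (this is not code from the post, from TAMU Drawbridge or from any other project). All addresses are constructed for the example: 10.1.0.0/16 stands in for the inside network, 10.1.0.2 for the bastion host in the normal design, and 192.0.2.10 for the bastion host once it is moved outside. Each design is a function that decides whether the screening router passes a packet, and both share one standard anti-spoofing check, namely that a packet arriving on the outside interface must not carry an inside source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses are constructed for the example (documentation and private
# ranges); the post names no addresses.
INSIDE_NET = ip_network("10.1.0.0/16")        # "Inside Network"
BASTION_INSIDE = ip_address("10.1.0.2")       # bastion host, normal design (inside)
BASTION_OUTSIDE = ip_address("192.0.2.10")    # bastion host, modified design (outside)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # interface the router received the packet on: "outside" or "inside"


def _spoofed(pkt: Packet) -> bool:
    """Anti-spoofing check shared by both designs: a packet arriving on the
    outside interface must not claim an inside source address."""
    return pkt.in_iface == "outside" and ip_address(pkt.src) in INSIDE_NET


def normal_design(pkt: Packet) -> bool:
    """Screened host gateway as the post defines it: the bastion host is inside
    the screening router, which blocks traffic to every internal host except
    the bastion host."""
    if _spoofed(pkt):
        return False
    if pkt.in_iface == "outside":
        return ip_address(pkt.dst) == BASTION_INSIDE
    return True   # inside -> outside traffic is passed as-is in this model


def modified_design(pkt: Packet) -> bool:
    """The post's proposed variant: the bastion host sits outside the router,
    which blocks traffic to internal hosts unless it originates from the
    bastion host's address."""
    if _spoofed(pkt):
        return False
    if pkt.in_iface == "outside" and ip_address(pkt.dst) in INSIDE_NET:
        return ip_address(pkt.src) == BASTION_OUTSIDE
    return True


def evaluate(design, packets):
    """Return {(src, dst, iface): passed} for the packets under one design."""
    return {(p.src, p.dst, p.in_iface): design(p) for p in packets}


# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.5", "10.1.5.7", "outside"),    # Internet host -> internal host
    Packet("203.0.113.5", "10.1.0.2", "outside"),    # Internet host -> bastion (normal-design address)
    Packet("10.1.0.2", "10.1.5.7", "inside"),        # bastion (normal design) -> internal host
    Packet("192.0.2.10", "10.1.5.7", "outside"),     # bastion (modified design) -> internal host
    Packet("10.1.9.9", "10.1.5.7", "outside"),       # inside source address arriving from outside
    Packet("10.1.5.7", "203.0.113.5", "inside"),     # internal host -> Internet
]

if __name__ == "__main__":
    for name, design in (("normal", normal_design), ("modified", modified_design)):
        print(f"--- {name} design ---")
        for (src, dst, iface), passed in evaluate(design, SAMPLE).items():
            print(f"{src:>14} -> {dst:<14} via {iface:<7}: {'pass' if passed else 'DROP'}")
```

Running the block prints the verdict for each sample packet under both designs. The comparison makes the tradeoff concrete: in the normal design the router can identify the bastion host by destination address on its own inside segment, whereas in the modified design the bastion host and the Internet share the router's outside interface, so the bastion's source address is the only thing the screening rule can key on.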