Great Circle Associates Firewalls
(August 1994)
 


Subject: Re: Screening & routers
From: Geoff Mulligan <mulligan @ future . Eng . Sun . COM>
Date: Tue, 02 Aug 94 14:56:43 PDT
To: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Cc: Firewalls @ greatcircle . com
In-reply-to: Your message of "Tue, 02 Aug 94 07:45:25 EDT." <9408021145 . AA01962 @ uvs1 . orl . mmc . com>

>  Problem is that now a cracker just needs to subvert the "Bastion host" which
>  is visible to the outside. If this is done, the screening router will permit
>  the traffic, thus creating a "single point vulnerability". With the router
>  first, both need to be subverted, particularly if the bastion uses aliases.

The problem either way is that a cracker just needs to subvert the bastion
host.  Even with a screening router the bastion host is visible to the
outside world, or it wouldn't be reachable.  I'm not convinced that
putting the bastion host inside the screening router is better, and I
think that it may in fact be worse.

	geoff
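The two placements argued over above can be checked mechanically. What follows is an added example, not part of the original thread or either author's configuration: a toy model of a screening router's packet filter with a first-match, default-deny rule list, applied to a screened-host layout (bastion inside the router) and to a layout with the bastion on the exterior segment. All addresses, hosts, ports and rules are constructed for illustration; the reachability function assumes a packet only meets the router when it crosses between the internal network and everything else, and is otherwise unfiltered.

```python
# Added example (not from the original thread): a toy packet-filter model
# used to compare the two bastion-host placements discussed above.
# Addresses, hosts and rules are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port; None matches any port


def first_match(rules, src, dst, dport):
    """Evaluate rules top-down; the first matching rule decides.
    No match means the implicit default: deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


@dataclass(frozen=True)
class Topology:
    internal_net: str      # the network behind the screening router
    rules: tuple           # the router's filter list


def reachable(topo, src, dst, dport):
    """Assumption of this model: a packet meets the router only if it crosses
    between the internal network and everything else; traffic that stays on
    one side of the router is not filtered at all."""
    inside = ipaddress.ip_network(topo.internal_net)
    crosses = (ipaddress.ip_address(src) in inside) != (ipaddress.ip_address(dst) in inside)
    if not crosses:
        return True
    return first_match(topo.rules, src, dst, dport) == "permit"


# Constructed addresses (documentation ranges).
OUTSIDE_HOST = "198.51.100.7"     # an arbitrary Internet host
INTERNAL_NET = "192.0.2.0/24"
INTERNAL_HOST = "192.0.2.20"      # e.g. the real internal mail server

# Placement A: bastion inside the screening router (screened host).
BASTION_A = "192.0.2.10"
SCREENED_HOST = Topology(INTERNAL_NET, (
    Rule("permit", "0.0.0.0/0", BASTION_A + "/32", 25),    # SMTP to the bastion
    Rule("permit", BASTION_A + "/32", "0.0.0.0/0", None),  # bastion may talk out
    Rule("deny",   "0.0.0.0/0", INTERNAL_NET, None),       # nothing else inbound
))

# Placement B: bastion outside the router, on the exterior segment.
BASTION_B = "203.0.113.10"
BASTION_OUTSIDE = Topology(INTERNAL_NET, (
    Rule("permit", BASTION_B + "/32", INTERNAL_HOST + "/32", 25),  # relay mail inward
    Rule("permit", INTERNAL_NET, "0.0.0.0/0", None),               # inside may talk out
    Rule("deny",   "0.0.0.0/0", INTERNAL_NET, None),
))


def compare():
    """Per placement: is the bastion reachable from outside, and which
    internal ports can a subverted bastion reach on an internal host?"""
    probes = (25, 23)   # SMTP (the permitted relay) and telnet (not permitted)
    return {
        "screened_host": {
            "bastion_visible": reachable(SCREENED_HOST, OUTSIDE_HOST, BASTION_A, 25),
            "from_bastion": {p: reachable(SCREENED_HOST, BASTION_A, INTERNAL_HOST, p)
                             for p in probes},
        },
        "bastion_outside": {
            "bastion_visible": reachable(BASTION_OUTSIDE, OUTSIDE_HOST, BASTION_B, 25),
            "from_bastion": {p: reachable(BASTION_OUTSIDE, BASTION_B, INTERNAL_HOST, p)
                             for p in probes},
        },
    }


if __name__ == "__main__":
    for placement, result in compare().items():
        print(placement, result)
```

In both placements the bastion is reachable from outside, since the service it offers has to be permitted through whatever sits in front of it. What differs is what a subverted bastion can then reach: in the screened-host layout its traffic to other internal hosts never crosses the router, so no filter applies to it, whereas with the bastion on the exterior segment every connection it opens inward is subject to the router's rules.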



