> BUT ... the external screening router is used to filter out everything
> except that which is desired - eg only permits certain ports < 1024
> (news,mail,dns,...) and established connections > 1023. I've probably
> forgotten some, but you get the picture. That way you have some control
> over what actually reaches the bastion. That is also why it is called a
> `screening' router - it is filtering out all the unwanted traffic.
This same thing can be done by not running extra services on the bastion
host and/or using tcp_wrappers, and when someone breaks into the bastion
host via sendmail they are still outside your network.
The other reason I like having the bastion host outside the screening
router is that there is a mindset that that machine is outside the
security perimeter and therefore more administrative notice should be
taken of it. It's not just another machine on my network.
If you have the hardware/money I most like the idea of having two
screening routers (best if from different vendors) with the bastion host
on a DMZ network between them. This allows you to filter garbage
traffic from the Internet before it reaches the bastion host and puts
the bastion host outside the soft chewy nugget center of my network.
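The screening-router policy the thread describes (permit a short list of services below port 1024 to the bastion, permit established connections to ephemeral ports above 1023, drop everything else) written out as a small packet-filter model. This is an added example, not code from either poster; the bastion address, the service list and the sample packets are constructed assumptions, and the "established" test is the classic stateless ACK-bit check that such routers used.

```python
"""Toy model of a screening router in front of a bastion host.

Added example: the bastion address (TEST-NET-1), the permitted-service
table and the sample packets below are constructed for illustration.
"""
from dataclasses import dataclass

BASTION = "192.0.2.10"  # assumed bastion host address on the DMZ

# Services the router lets in from the Internet, all below port 1024
# and only when addressed to the bastion (news, mail, dns per the post).
PERMITTED_SERVICES = {
    ("tcp", 25): "smtp",
    ("tcp", 119): "nntp",
    ("tcp", 53): "dns",
    ("udp", 53): "dns",
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; a stateless router's "established" test


def screen(pkt):
    """Return ("permit", reason) or ("deny", reason) for an inbound packet."""
    # Rule 1: new connections only to the bastion and only to listed services.
    if pkt.dst == BASTION and (pkt.proto, pkt.dport) in PERMITTED_SERVICES:
        return ("permit", PERMITTED_SERVICES[(pkt.proto, pkt.dport)])
    # Rule 2: replies to connections opened from inside: TCP with ACK set,
    # bound for an ephemeral (> 1023) port. A bare SYN to a high port fails
    # this test because ACK is clear.
    if pkt.proto == "tcp" and pkt.ack and pkt.dport > 1023:
        return ("permit", "established")
    # Rule 3: UDP has no ACK bit, so DNS answers to the bastion's resolver
    # need their own rule: source port 53 to a high port on the bastion.
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dst == BASTION and pkt.dport > 1023:
        return ("permit", "dns-reply")
    # Rule 4: everything else is the "garbage traffic" the router screens out.
    return ("deny", "default")


# Constructed sample traffic: one packet per case the rules are meant to cover.
SAMPLE_PACKETS = {
    "mail_to_bastion": Packet("tcp", "198.51.100.7", 40000, BASTION, 25),
    "news_to_bastion": Packet("tcp", "198.51.100.7", 40001, BASTION, 119),
    "mail_to_inside": Packet("tcp", "198.51.100.7", 40002, "192.0.2.50", 25),
    "telnet_to_bastion": Packet("tcp", "198.51.100.7", 40003, BASTION, 23),
    "reply_to_client": Packet("tcp", "198.51.100.7", 80, "192.0.2.50", 51000, ack=True),
    "syn_to_high_port": Packet("tcp", "198.51.100.7", 80, "192.0.2.50", 51000, ack=False),
    "dns_reply": Packet("udp", "198.51.100.7", 53, BASTION, 33000),
    "udp_to_high_port": Packet("udp", "198.51.100.7", 9999, BASTION, 33000),
}


def evaluate_samples():
    """Map each sample packet name to the router's permit/deny verdict."""
    return {name: screen(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} {verdict}")
```

The model shows what the router does and does not buy you: inbound mail is accepted only when it is addressed to the bastion, so an internal host is never reachable directly, but a break-in through the bastion's sendmail still lands on a host that sits outside the inside network, exactly the point the reply makes. The ACK-bit rule is the weak part of a stateless screen (it trusts a flag the sender sets), which is one reason a second, differently sourced router and host-side tcp_wrappers on the bastion are worth the money.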