> > Problem is that now a cracker just needs to subvert the "Bastion host" which
> > is visible to the outside. If this is done, the screening router will permit
> > the traffic, thus creating a "single point vulnerability". With the router
> > first, both need to be subverted particularly if the bastion uses aliases.
> The problem either way is that a cracker just needs to subvert the bastion
> host. Even with a screening router the bastion host is visible to the
> outside world, or it wouldn't be reachable. I'm not convinced that
> putting the bastion host inside the screening router is better and I
> think that it may in fact be worse.
BUT ... the external screening router is used to filter out everything
except that which is desired - e.g. only permits certain ports < 1024
(news,mail,dns,...) and established connections > 1023. I've probably
forgotten some, but you get the picture. That way you have some control
over what actually reaches the bastion. That is also why it is called a
`screening' router - it is filtering out all the unwanted traffic.
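The screening policy sketched above, as an added example that is not part of the original post: a small stateless packet filter that permits a handful of well-known services to the bastion, permits replies to connections the bastion itself opened (TCP with ACK set, destination port > 1023), and denies everything else, including any packet whose destination is not the bastion at all. The bastion address 192.0.2.10, the service list and the sample packets are constructed for this example.

```python
"""Illustrative screening-router packet filter (added example, not from the post).

Models the policy the post sketches: the router in front of the bastion host
lets through only a few well-known services (< 1024) to the bastion, plus
replies to connections the bastion opened ("established", > 1023), and drops
everything else. Address, rule set and sample packets are constructed.
"""
from dataclasses import dataclass

BASTION = "192.0.2.10"  # assumed address of the bastion host behind the router

# Well-known services the screening router lets reach the bastion from outside.
ALLOWED_SERVICES = {
    ("tcp", 25): "smtp",
    ("tcp", 119): "nntp",
    ("tcp", 53): "dns",
    ("udp", 53): "dns",
}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; classic "established" matching keys on it


def screen(pkt: Packet) -> tuple:
    """Return (verdict, reason) for a packet arriving from the outside."""
    # Rule 1: only the bastion is reachable; internal hosts are never exposed.
    if pkt.dst != BASTION:
        return "deny", "destination is not the bastion host"
    # Rule 2: a short list of well-known services (< 1024) on the bastion.
    svc = ALLOWED_SERVICES.get((pkt.proto, pkt.dport))
    if svc is not None and pkt.dport < 1024:
        return "permit", "well-known service " + svc
    # Rule 3: replies to connections the bastion opened: TCP with ACK set,
    # coming back to an unprivileged (> 1023) port. A stateless router cannot
    # check that such a connection really exists; it only sees the flag.
    if pkt.proto == "tcp" and pkt.ack and pkt.dport > 1023:
        return "permit", "established connection reply"
    # Default: drop everything else.
    return "deny", "no matching rule"


# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("mail to bastion",            Packet("tcp", "198.51.100.7", 40123, BASTION, 25)),
    ("dns query to bastion",       Packet("udp", "198.51.100.7", 40124, BASTION, 53)),
    ("telnet to bastion",          Packet("tcp", "198.51.100.7", 40125, BASTION, 23)),
    ("mail to internal host",      Packet("tcp", "198.51.100.7", 40126, "192.0.2.20", 25)),
    ("reply to bastion's client",  Packet("tcp", "198.51.100.9", 80, BASTION, 41000, ack=True)),
    ("fresh SYN to high port",     Packet("tcp", "198.51.100.7", 40127, BASTION, 41000)),
]


def run_samples() -> dict:
    """Screen every sample packet and return {description: verdict}."""
    return {desc: screen(pkt)[0] for desc, pkt in SAMPLES}


if __name__ == "__main__":
    for desc, pkt in SAMPLES:
        verdict, reason = screen(pkt)
        print(f"{desc:28s} -> {verdict:6s} ({reason})")
```

The "established" rule is the one to keep an eye on: a stateless screening router decides on the ACK bit alone, so an outside host can reach any port above 1023 on the bastion simply by setting ACK on packets that belong to no connection. That is why the router only narrows what reaches the bastion and does not replace hardening the bastion itself, which is the point the thread keeps coming back to.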