Great Circle Associates Firewalls
(August 1994)
 


Subject: Screening hosts & routers
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Date: Tue, 2 Aug 94 22:19:29 -0400
To: "firewalls @ greatcircle . com"@UVS1.dnet.mmc.com

>The problem either way is that cracker just needs to subvert the bastion
>host.  Even with a screening router the bastion host is visible to the
>outside world, or it wouldn't be reachable.  I'm not convinced that
>putting the bastion host inside the screening router is better and I
>think that it may in fact be worse.

However, by putting the Bastion behind an ACLed router, you can limit the
forms of attack that can take place on the Bastion, which is impossible if
the Bastion is in front of the router. If subverted, the Bastion can provide
information on how to get past the router, while the reverse is not true
(particularly if all the router knows is how to get to the Bastion).

IMHO, put the dumbest device out front; it will be the least informative if
corrupted.

					Warmly,
						Padgett
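
A screening-router access list of the kind Padgett describes, as an added
example that is not part of the original post: from the outside, the router
admits only the services the bastion offers and lets nothing through to the
hosts behind it, so the router itself holds no information about the inside
beyond the one address. The addresses, the interface name and the service
list are assumptions chosen for illustration; the syntax is Cisco IOS
extended access-list syntax of the period.

```cisco
! Screening router in front of the bastion host (added example, not from
! the original post). Assumed for illustration: the bastion is 192.0.2.10,
! the site network is 192.0.2.0/24, and Serial0 faces the Internet.
!
! Packets arriving from the Internet that claim a source address on our own
! network are forged; drop them before anything else is considered.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
!
! Only the services the bastion actually offers are reachable from outside.
access-list 101 permit tcp any host 192.0.2.10 eq smtp
access-list 101 permit tcp any host 192.0.2.10 eq domain
access-list 101 permit udp any host 192.0.2.10 eq domain
!
! Replies to TCP connections the bastion opened itself (ACK or RST bit set).
access-list 101 permit tcp any host 192.0.2.10 established
!
! Everything else, including any packet addressed to an internal host,
! falls through to the implicit "deny ip any any" at the end of the list.
!
interface Serial0
 ip access-group 101 in
```

Two caveats a practitioner would want here. The list is evaluated in order
with first match winning, so the anti-spoofing deny has to come before the
permits. And "established" is not a stateful check: it matches any TCP
segment with the ACK or RST bit set, so a crafted packet with those bits can
still reach any TCP port on the bastion; the access list keeps the inside
unreachable, which is the point of the message above, but the bastion's own
hardening has to cover what the list admits.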
