For all of you who have been complaining about philosophical threads,
here is one that may be more on the technical side:
We've come up with the TCP/IP firewall configuration illustrated below. I'd
appreciate some feedback on weak points (or overkill) in this configuration
or suggestions on alternative implementations.
                     OUTSIDE          (Includes:
                        |              Corporate traffic and
                        |              Internet traffic)
                        |
                    Screening         (Filter for:
                    Router #1          Internal address spoofing,
                        |              Established connection spoofing,
                        |              Source packet routing, and
                        |              ICMP packets)
                        |
           +------------+------------+
           |            |            |            (Filter for:
         Bridge       Bridge      Screening        Restricting service access to
           |            |         Router #2        Bastion Hosts and/or OUTSIDE)
           |            |            |
        Bastion      Bastion         |
         Host         Host        INSIDE
           |            |
        Logging      Logging
          PC           PC
Bridges are used to limit sniffer software installed on a compromised
Bastion Host from seeing any traffic besides what is directed to the
compromised Bastion Host. These will probably be used, low-end bridges,
as we don't expect:
1) high traffic levels to individual Bastion Hosts,
2) the need for high throughput rates for individual bridges,
3) the need for large bridging tables (leaking of traffic through
   bridging-table overflow should not be a problem).
Bastion Hosts are used to provide specific services - breakdown is:
#1 - Anonymous ftp server
#2 - SMTP & restricted DNS
#3 - NNTP
#4 - Proxy server for: ftp, telnet, & http
Segregation is both for security concerns and for resource utilization
concerns. These will be low- to mid-range systems with disk resources
based upon needs (e.g. lots of disk space on the NNTP bastion and little
disk space on the SMTP & restricted DNS bastion).
A Logging PC is connected by serial line to each Bastion Host and used as a
"vault-like" depository for logging information. A non-network mechanism
will be used to prevent filling of the PC disk and to verify that PC logging
is functioning.
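As an added illustration (not part of Bob's post, and not his actual router configuration), here is a small Python model of the two screening routers' filter policies in the first design. It runs constructed sample packets through Router #1 (the four OUTSIDE-facing filters) and Router #2 (service access restricted to the bastion hosts). The address plan, the port numbers, and the concrete reading of "established connection spoofing" (ACK-only segments from OUTSIDE to anything but a bastion host) and of "restricting service access" (INSIDE may only reach the bastion services; only bastion replies come back in) are my assumptions.

```python
"""Toy model of the two screening routers in the first design above.

Added example; the address plan, port numbers and the rule wording are my
assumptions, not the poster's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: corporate space, the bastion segment inside it,
# and the four bastion hosts with the services the post assigns to them.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BASTION_SEGMENT = ip_network("192.168.100.0/24")
BASTION_SERVICES = {
    ip_address("192.168.100.1"): {21},       # #1 anonymous ftp
    ip_address("192.168.100.2"): {25, 53},   # #2 SMTP & restricted DNS
    ip_address("192.168.100.3"): {119},      # #3 NNTP
    ip_address("192.168.100.4"): {8080},     # #4 proxy (assumed port)
}

@dataclass
class Packet:
    ingress: str            # side the packet arrives from: "outside", "inside", "bastion"
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    source_routed: bool = False

def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def router1(pkt):
    """Screening Router #1: the four OUTSIDE-facing filters listed in the post."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.source_routed:
        return "drop: source routed packet"
    if pkt.proto == "icmp":
        return "drop: ICMP"
    if pkt.ingress == "outside":
        if _is_internal(src):
            return "drop: internal address spoofing"
        # An ACK-only segment from OUTSIDE claims to belong to an established
        # connection; in this design only bastion hosts may hold such connections.
        if pkt.proto == "tcp" and pkt.ack and not pkt.syn and dst not in BASTION_SERVICES:
            return "drop: established connection spoofing"
    return "accept"

def router2(pkt):
    """Screening Router #2: INSIDE may only use the bastion services, and only
    replies from those services come back in (my reading of the post)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.ingress == "inside":
        if dst not in BASTION_SERVICES:
            return "drop: INSIDE may only reach bastion hosts"
        if pkt.dport not in BASTION_SERVICES[dst]:
            return "drop: service not offered on that bastion host"
        return "accept"
    if src not in BASTION_SERVICES:
        return "drop: OUTSIDE may not reach INSIDE directly"
    tcp_reply = pkt.proto == "tcp" and pkt.ack and not pkt.syn
    udp_reply = pkt.proto == "udp" and pkt.sport in BASTION_SERVICES[src]
    if not (tcp_reply or udp_reply):
        return "drop: only replies from bastion services may enter INSIDE"
    return "accept"

def evaluate(pkt):
    """Run a packet through the router(s) it would cross; return (router, verdict)."""
    dst = ip_address(pkt.dst)
    to_inside = _is_internal(dst) and dst not in BASTION_SEGMENT
    to_outside = not _is_internal(dst)
    if pkt.ingress == "outside":
        hops = ["router1"] + (["router2"] if to_inside else [])
    elif pkt.ingress == "inside":
        hops = ["router2"] + (["router1"] if to_outside else [])
    else:   # from the bastion segment
        hops = ["router2"] if to_inside else (["router1"] if to_outside else [])
    for hop in hops:
        verdict = (router1 if hop == "router1" else router2)(pkt)
        if verdict != "accept":
            return hop, verdict
    return (hops[-1] if hops else "none"), "accept"

# Constructed sample traffic; 203.0.113.0/24 stands in for the Internet.
SAMPLES = {
    "ftp_to_bastion": Packet("outside", "203.0.113.5", "192.168.100.1", "tcp", 40000, 21, syn=True),
    "spoofed_source": Packet("outside", "10.1.1.1", "192.168.100.1", "tcp", 40000, 21, syn=True),
    "fake_established": Packet("outside", "203.0.113.5", "10.5.5.5", "tcp", 40000, 23, ack=True),
    "source_routed": Packet("outside", "203.0.113.5", "192.168.100.1", "tcp", 40000, 21, syn=True, source_routed=True),
    "ping": Packet("outside", "203.0.113.5", "10.5.5.5", "icmp"),
    "inside_dns": Packet("inside", "10.5.5.5", "192.168.100.2", "udp", 5353, 53),
    "inside_direct_web": Packet("inside", "10.5.5.5", "203.0.113.9", "tcp", 40001, 80, syn=True),
    "wrong_bastion_port": Packet("inside", "10.5.5.5", "192.168.100.1", "tcp", 40002, 25, syn=True),
    "dns_reply": Packet("bastion", "192.168.100.2", "10.5.5.5", "udp", 53, 5353),
    "outside_to_inside_smtp": Packet("outside", "203.0.113.5", "10.5.5.5", "tcp", 40003, 25, syn=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {evaluate(pkt)}")
```

The model is stateless, as the screening routers of the time were, which is exactly why the "established" check has to fall back on destination (only bastion hosts may hold connections with OUTSIDE) rather than on a connection table; the sample set includes one packet for each filter the post names, plus an INSIDE host trying to bypass the proxy bastion.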
Also, a firewall expert suggested the configuration below, which evolved
into the configuration presented above. A vendor has also seconded the
configuration below. Personally I don't see the advantage of this second
configuration over the one presented above, but perhaps someone out there
does and can explain it to me.
                     OUTSIDE
                        |
                    Screening
                    Router #1
                        |             Screening
           +------------+---------- Router #3 ---------+
           |            |                              |
        Bastion      Bastion                       Screening
         Host         Host                         Router #2
           |            |                              |
        Logging      Logging                        INSIDE
          PC           PC
The purpose of Screening Router #3 is the same as that of the bridges in the
previous illustration: to limit sniffer software installed on a compromised
Bastion Host from seeing any traffic besides what is directed to the
compromised Bastion Host.
Any comments or flames will be cheerfully accepted.
For those that remember (and responded to) my previous request regarding
network/firewall policy, I have been working on a summary and hope to
have it posted in a few days.
Bob Schneider
Enterprise Core Network Team        ras@cacd1.cacd.rockwell.com
Design Support Engineering          ras@131.198.128.108
Rockwell International              ras%27746.decnet@consort.rockwell.com
400 Collins Road NE M/S 106-103
Cedar Rapids, IA 52498
Voice: 319/395-3863
FAX:   319/395-5999
Comments expressed are strictly my own and are not to be construed as
statements endorsed by my employer.