>> We thought that connecting each bastion host to the perimeter network via
>> a bridge would limit the traffic that could be sniffed to just the traffic
>> exchanged by the bastion host. For example, if an intruder captured the
>> anonymous ftp bastion host and installed a sniffer, the intruder would not
>> be able to capture any SMTP traffic (which is handled by a different bastion
>> host). We believe the bridges to be sufficient for this purpose and do not
>> understand how adding an additional router on the perimeter network would
>> achieve the same effect.
I can't remember precisely what your diagram looks like but if
memory serves, it would seem that all that is necessary is a router
with multiple interfaces between your perimeter and the other
bastions. This router would have filters (access lists, or whatever
name you know them by) which would allow smtp traffic to/from
smtp-bastion only; and you would then explicitly block smtp traffic
from ftp-bastion and vice versa, for example. In this way
ftp-bastion would never see any smtp traffic and vice versa.
If what I am describing is in fact what your setup would be like
then you save the cost of multiple bridges by purchasing a single
router.
Wed Aug 31 11:50:09 EDT 1994
===========================================================================
Larry Chin {larry@cchtor.ca.cch.com} System/Network Administrator
CCH Canadian Ltd. (416) 441-4001 ext. 349
===========================================================================
Hippogriff, n.:
An animal (now extinct) which was half horse and half griffin.
The griffin was itself a compound creature, half lion and half eagle.
The hippogriff was actually, therefore, only one quarter eagle, which
is two dollars and fifty cents in gold. The study of zoology is full
of surprises.
-- Ambrose Bierce, "The Devil's Dictionary"
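As an added example (not part of the original post), a small Python model of the multi-interface router with filters that the reply describes: one interface per bastion segment, a first-match filter list that permits SMTP only to/from smtp-bastion and explicitly denies it to/from ftp-bastion, and a "sniffer view" showing which packets ever appear on each segment. The addresses, segment layout and rule set are constructed assumptions; only connection-opening packets are modelled, not reply traffic or FTP data connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout (assumption): one router interface per segment.
SEGMENTS = {
    "outside": ip_network("198.51.100.0/24"),
    "smtp-seg": ip_network("192.0.2.64/26"),
    "ftp-seg": ip_network("192.0.2.128/26"),
}
SMTP_BASTION = "192.0.2.65"   # hypothetical address of the mail bastion
FTP_BASTION = "192.0.2.129"   # hypothetical address of the anonymous-ftp bastion
SMTP, FTP = 25, 21

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Router filter: first match wins, implicit deny at the end, None = wildcard.
RULES = [
    ("deny", FTP_BASTION, None, SMTP),     # ftp-bastion may never send SMTP
    ("deny", None, FTP_BASTION, SMTP),     # nor receive it
    ("permit", None, SMTP_BASTION, SMTP),  # mail in to smtp-bastion
    ("permit", SMTP_BASTION, None, SMTP),  # mail out from smtp-bastion
    ("permit", None, FTP_BASTION, FTP),    # anonymous ftp in to ftp-bastion
]

def segment_of(addr):
    a = ip_address(addr)
    return next(name for name, net in SEGMENTS.items() if a in net)

def router_permits(pkt):
    for action, src, dst, dport in RULES:
        if src in (None, pkt.src) and dst in (None, pkt.dst) \
                and dport in (None, pkt.dport):
            return action == "permit"
    return False  # implicit deny

def sniffer_view(segment, packets):
    """Packets a sniffer on `segment` can see: everything sent from that segment
    plus what the router forwards onto it (a router never floods other traffic)."""
    return [p for p in packets
            if segment_of(p.src) == segment
            or (segment_of(p.dst) == segment and router_permits(p))]

SAMPLE = [  # constructed traffic mix
    Packet("198.51.100.7", SMTP_BASTION, SMTP),
    Packet("198.51.100.7", FTP_BASTION, FTP),
    Packet("198.51.100.7", FTP_BASTION, SMTP),
    Packet(FTP_BASTION, SMTP_BASTION, SMTP),
]
```

With this rule set a sniffer on ftp-seg sees only the FTP connection and the SMTP attempt ftp-bastion itself originates (which the router drops), while smtp-seg sees no packet involving ftp-bastion at all.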