>
> First, a hearty thank you to all those who replied to my fwtk vs seal
> question last week. I got a lot of quality replies that pretty much said
> that fwtk is plenty good, and that the most important factors are the
> knowledge and ability of the administrator and the site security policy.
>
> Next question....
>
> While suggesting a firewall for my organization myself, we have another
> gentleman who insists he can do everything with filters in his bridge
> that I can do with a firewall.
>
> I would greatly appreciate hearing your best arguments for or against
> bridge filters vs a firewall as far as security is concerned.
>
> ----------------------------------------------------------------------------
> It's *amazing* what one can accomplish when
> one doesn't know what one can't do!
>
Most of the firewall tutorials and guides recommend that a firewall consist
of a mix of routers and bastion-hosts. I'd be surprised if your friend could
implement a proxy server with his filters (am I missing something, or don't
most filters on a router only determine who can get through the router, not
interpret/massage/authenticate the data?)!

You use filters on a router (on both sides of the DMZ leg) to determine who
can get into the DMZ and where in the DMZ they can go. You have a
BASTION HOST in the DMZ to allow connectivity between the two sides of the
DMZ. Without the bastion host, you would (in all likelihood) be updating
the filters on too frequent a basis, whenever someone on your side of the DMZ
wants to go to a different host on the other side of the DMZ.

Bastion-hosts and router-filters cover different aspects of security in
a firewall environment. Without a delicate balance of both, you are
usually just inviting trouble.
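The distinction the reply draws (a router filter decides on packet headers only, a bastion-host proxy interprets the data) is easy to see in code. The following is an added example, not code from the original thread or from fwtk: a toy screened-subnet rule set evaluated against constructed packets, beside a toy SMTP proxy check on the bastion. All addresses, networks, rule entries and the small verb whitelist are assumptions made up for the example.

```python
"""Added example (not from the original post): a toy router-style packet
filter for a screened subnet beside a toy application proxy, to show which
decisions each one is able to make. Addressing and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing for a classic screened subnet (DMZ).
INTERNAL = ip_network("10.1.0.0/16")
DMZ = ip_network("192.0.2.0/24")
BASTION = ip_address("192.0.2.10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Router-style filter rules: (src network, dst network, proto, port, action).
# "any"/None match everything. First match wins; anything unmatched is denied.
RULES = [
    # Outside may reach the bastion's SMTP and HTTP relays only.
    ("any", "192.0.2.10/32", "tcp", 25, "permit"),
    ("any", "192.0.2.10/32", "tcp", 80, "permit"),
    # Inside hosts talk to the bastion, which relays on their behalf.
    ("10.1.0.0/16", "192.0.2.10/32", "tcp", None, "permit"),
    # The bastion may originate connections outward.
    ("192.0.2.10/32", "any", "tcp", None, "permit"),
    # Nothing reaches the internal net directly from outside.
    ("any", "10.1.0.0/16", "any", None, "deny"),
]


def _match(field, value, is_net=False):
    """Wildcard-aware comparison of one rule field against one packet field."""
    if field == "any" or field is None:
        return True
    if is_net:
        return ip_address(value) in ip_network(field)
    return field == value


def router_filter(pkt: Packet) -> str:
    """Decide on header fields only, as a packet filter does.

    The payload is deliberately never read: this is all a router filter sees."""
    for src, dst, proto, port, action in RULES:
        if (_match(src, pkt.src, True) and _match(dst, pkt.dst, True)
                and _match(proto, pkt.proto) and _match(port, pkt.dport)):
            return action
    return "deny"  # default deny when no rule matches


# Constructed whitelist of SMTP verbs the toy proxy is willing to relay.
ALLOWED_SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "NOOP"}


def smtp_proxy(pkt: Packet) -> str:
    """Decide by interpreting the application data, as a bastion-host proxy does.

    Only a well-formed, known SMTP command of sane length is relayed; anything
    else is rejected before it can reach the real mail host behind the bastion."""
    try:
        line = pkt.payload.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return "reject"
    verb = line.split(" ", 1)[0].upper()
    return "relay" if verb in ALLOWED_SMTP_VERBS and len(line) <= 512 else "reject"


def decide(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Filter first; only traffic the router permits to bastion:25 gets a proxy verdict."""
    verdict = router_filter(pkt)
    if verdict != "permit":
        return verdict, None
    if pkt.dst == str(BASTION) and pkt.dport == 25:
        return verdict, smtp_proxy(pkt)
    return verdict, None


if __name__ == "__main__":
    # Constructed sample traffic (198.51.100.5 and 203.0.113.7 stand in for outside hosts).
    samples = [
        Packet("198.51.100.5", "10.1.2.3", "tcp", 25),                    # straight to inside: denied
        Packet("198.51.100.5", "192.0.2.10", "tcp", 25, b"HELO mail.example\r\n"),
        Packet("198.51.100.5", "192.0.2.10", "tcp", 25, b"XFOO bogus\r\n"),  # filter passes, proxy rejects
        Packet("10.1.2.3", "203.0.113.7", "tcp", 80),                     # inside host must go via bastion
        Packet("10.1.2.3", "192.0.2.10", "tcp", 3128),
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, decide(p))
```

The third sample packet is the one that makes the reply's point: its headers are identical to legitimate mail traffic, so the router filter permits it, and only the proxy on the bastion, which actually parses the command, can reject it. The fourth packet shows the other half of the argument: an inside host cannot reach an arbitrary outside host directly, so without a bastion relaying for it the filter table would need a new entry for every new destination.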