I have a question for all here on an issue of routing to the firewall from
the internal net.
Consider a very large net with many WAN links and a firewall to the outside.
Now a user wants to access the outside.
In the Bastion Host approach, the user connects to the bastion host (that is
reachable via standard routing info) and then requests the external
location. I.E. the internal network needs know nothing about the external
addresses.
In the Filtering Router approach, the user needs to connect to the real
address and so the internal network either needs to support the whole
INTERNET routing table (a tough act to do) or use a default route in the
routers (also relatively tough for large private nets).
This would seem to argue strongly against a filtering approach for large
nets. Of course it would seem that there goes 'user transparency' as well.
Why do I say this? Because a large net would want a couple of firewalls for
load spreading and redundancy. Then the default router routes really get to
be a mess.
My first question (other than being open to arguements on the above) is:
where do products like SOCKs fit in? Does SOCKS count on the routers to
route a packet addressed to an external address to the SOCKS firewall. Or
does the SOCKS client 'figure' out that the address is external and then
establish the connection to the firewall?
On 'leaking' the world's DNS in and the private DNS out:
Why would you want the world's DNS inside if any external requests have to
be explicitely directed to the firewall?
On leaking the private DNS out, if I have a 'dirty net' that is unreachable
from the inside, wouldn't I want two DNSs and thus it is academic about the
'no security added' issue. It is two DNSs for the corp and more of a pain
to merge them than to separate them?
I am sure that there are other questions that this invokes, but got a
meeting coming up here :(
Robert Moskowitz
Chrysler Corporation
(810) 758-8212
Follow-Ups:
|
|
