At 06:04 PM 7/6/95 -0400, Daniel Dill wrote:
>Two.
>
>If for no other reason than that it may take extra time and activity to
>get through the second, giving you a greater chance to notice the breach.
>
Yes, I agree. But... Why not three or four routers? If you can't get one
router correct, then use two? This does not really fix the problem. There
must be better reasons to use two routers than just to delay the hacker
(although this is not a bad thing).

One good reason to use two routers and a bastion host in between is to force
a physical path that guarantees that the hacker must pass through the
bastion host.

(Whoever posted the original one-or-two-router question... please summarize the
replies. There has been a lot of good discussion.)

Also, to cut down on router configuration errors, you should use a certified
automated tool to configure the access lists on your routers. Configuring
routers is still a very manual process, and admins are going to make
mistakes. Part of a firewall product should be automated router
configuration. The firewall I put together automatically configures a Cisco
router's access lists, and when any configuration is being done, external
(untrusted) interfaces are brought down, etc. After the user has configured
access lists by dragging services onto hosts, they select apply, and the
router's and bastion host's access lists are configured automatically. Since
the process is automated, you are guaranteed that there will be fewer
configuration errors.

Another issue concerning one or two routers is cost. Our customer would not
pay for two routers.
regards,
-Bill.
[opinions are those of the author and do not necessarily reflect those of
his employer.]
---------------------------------------
| Bill Bunting, Software Engineer       |
|Inter-National Research Institute, Inc.|
| 1441 Crossways Boulevard, Suite 102   |
| Chesapeake, Virginia 23320            |
| V(804)424-8675 F(804)420-4262         |
| (wbunting@inri.com)                   |
| (bunting@cs.odu.edu)                  |
| http://www.cs.odu.edu/~bunting        |
---------------------------------------
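The two technical points in the message above (a screened subnet whose only permitted path runs through the bastion host, and generating router access lists from a declarative service-onto-host policy rather than by hand) as an added worked example. This is illustrative code written for this page, not the poster's product or any INRI code; the DMZ and internal prefixes, the bastion address, the service table and the sample policy are all constructed, and the IOS command syntax is the classic numbered extended access-list form.

```python
"""Compile a declarative service/host policy into Cisco IOS access lists for a
screened subnet: exterior router, bastion host in the DMZ, interior router.

Added example for this page; not the original poster's tool. All addresses,
hosts and the service table below are constructed for illustration.
"""

# Constructed sample addressing (hypothetical). IOS ACLs use wildcard masks.
DMZ_NET = ("192.0.2.0", "0.0.0.255")
INTERNAL_NET = ("10.0.0.0", "0.255.255.255")
BASTION = "192.0.2.10"

# Service table: name -> (protocol, port). The GUI in the post drags these onto hosts.
SERVICES = {"smtp": ("tcp", 25), "http": ("tcp", 80), "dns": ("udp", 53)}

# Constructed sample policy: what the operator "dragged onto" which host.
SAMPLE_POLICY = {
    "outside_to_dmz": {BASTION: ["smtp", "http"]},   # untrusted side may reach these
    "bastion_to_inside": {"10.0.0.25": ["smtp"]},    # bastion may relay mail inward
}


def net(n):
    return f"{n[0]} {n[1]}"


def in_dmz(addr):
    return addr.startswith("192.0.2.")   # crude /24 test for the constructed DMZ


def in_internal(addr):
    return addr.startswith("10.")        # crude /8 test for the constructed inside


def validate(policy):
    """Refuse any policy that would let outside traffic bypass the bastion."""
    for host, svcs in policy.get("outside_to_dmz", {}).items():
        if not in_dmz(host):
            raise ValueError(f"{host} is not in the DMZ; outside traffic must end on the bastion")
        for s in svcs:
            if s not in SERVICES:
                raise ValueError(f"unknown service {s}")
    for host, svcs in policy.get("bastion_to_inside", {}).items():
        if not in_internal(host):
            raise ValueError(f"{host} is not an internal host")
        for s in svcs:
            if s not in SERVICES:
                raise ValueError(f"unknown service {s}")


def exterior_acl(policy, number=101):
    """Inbound ACL for the exterior router's untrusted interface."""
    validate(policy)
    acl = [
        f"no access-list {number}",
        # anti-spoofing: packets arriving from outside must not carry inside sources
        f"access-list {number} deny ip {net(DMZ_NET)} any log",
        f"access-list {number} deny ip {net(INTERNAL_NET)} any log",
    ]
    for host, svcs in sorted(policy.get("outside_to_dmz", {}).items()):
        for s in svcs:
            proto, port = SERVICES[s]
            acl.append(f"access-list {number} permit {proto} any host {host} eq {port}")
    # replies to TCP sessions the bastion itself opened toward the outside
    acl.append(f"access-list {number} permit tcp any host {BASTION} established")
    acl.append(f"access-list {number} deny ip any any log")   # explicit, logged final deny
    return acl


def interior_acl(policy, number=102):
    """Inbound ACL for the interior router's DMZ-facing interface.
    Only the bastion may initiate connections into the internal network."""
    validate(policy)
    acl = [f"no access-list {number}"]
    for host, svcs in sorted(policy.get("bastion_to_inside", {}).items()):
        for s in svcs:
            proto, port = SERVICES[s]
            acl.append(f"access-list {number} permit {proto} host {BASTION} host {host} eq {port}")
    # replies from the bastion to sessions that internal hosts opened to it
    acl.append(f"access-list {number} permit tcp host {BASTION} {net(INTERNAL_NET)} established")
    acl.append(f"access-list {number} deny ip any any log")
    return acl


def apply_plan(acl, interface, number, direction="in"):
    """Ordered command sequence. The untrusted interface is shut down before the
    list is deleted and rebuilt, so there is no window in which the interface
    is up with an absent or half-built list."""
    return ([f"interface {interface}", " shutdown", "exit"]
            + acl
            + [f"interface {interface}", f" ip access-group {number} {direction}",
               " no shutdown", "exit"])


if __name__ == "__main__":
    for line in apply_plan(exterior_acl(SAMPLE_POLICY), "Serial0", 101):
        print(line)
    print("!")
    for line in apply_plan(interior_acl(SAMPLE_POLICY), "Ethernet1", 102):
        print(line)
```

The shutdown-first sequencing is the part of the post worth copying: on IOS, an interface whose `ip access-group` names a list that does not exist (or is empty, as it is right after `no access-list`) passes all traffic, so replacing a list on a live interface briefly opens the router. The `validate` step is the screened-subnet rule as a machine check: a policy entry that would expose an internal host directly to the untrusted side is rejected rather than silently compiled.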