My thinking on this subject is that the best way to set up a firewall
1. Filtering Gateway (packet filter router)
2. Application Gateway.
3. Harden the interior machines on an individual basis as much as
possible (large shops will have problems with this because of
This type of setup is commonly known as a ``Screened Host Gateway,''
and is considered to be reasonably secure. It is, of course, a
``Bastion Host'' combined with a ``Filtering Gateway'' (packet
The hardware configuration would be your router (something like a
Cisco), then a separate dedicated machine for the Application Gateway
(firewall), then your internal network.
As to whether this type of setup is overkill or not, that depends on
your attitude and considerations of company data, reputation, and time
and expense to rebuild your network in case of a breakin.
As to price, this type of system runs about $15K plus about $120 a
month for software upgrades. (Good computer systems are like airplanes
-- they don't come cheap.)
----- Begin Included Message -----
From: Doug Kaye <dkaye @
Date: Fri, 13 Oct 1995 08:34:21 -0700
Subject: Re: Firewall1 Comparison -Reply
I'm seeing a lot of discussion on pack filters vs. application
gateways. Does it make sense to implement both? Is it too expensive
or overkill? If you implement both, where does the filter go -- on the
public side of the application gateway? Is it possible to run both on
the same hardware?
Doug Kaye <dkaye @
com> Rational Data Systems, Novato, CA
Tel:415-382-8400 FAX:415-382-8441 http://www.rds.com
----- End Included Message -----