Stephen H. Goldstein writes:
> With a screened subnet, you only need one adapter and address:
>
>
> +--------+   +----------+    +---------+    +----------+    +---------+
> | Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
> +--------+   +----------+    +---------+    +----------+    +---------+
>
> Filter 1 is set up to only allow connections between "inside" hosts and the
> bastion. Filter 2 is set up to only allow connections between the bastion
> and "outside" hosts. Thus the combination of Filter 1 and Filter 2
> prevents direct inside-outside communication, forcing everything to
> go through the bastion.
>
> Caveat: This is not necessarily an endorsement of this configuration, just
> confirmation that dual adapters and IP addresses for the bastion aren't
> a technical must for it to work. Some firewall implementations use
> dual IP stacks, one per interface to further enforce separation of
> inside and outside data. Based on your needs, this may or may not be
> overkill. Your mileage may vary. Coupon may not be photocopied.
This kind of configuration also makes the packet filter rule sets in each
of the filter routers a lot simpler and easier to code. This is especially
so if the filter "language" is limited to "linear match and commit" logic.
By "linear match and commit" I refer to rules where if the test does have
a positive match, you are committed to either deny the packet or accept the
packet without applying any other tests. It's like programming without any
"if" statements, loops, or function calls.
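As an added illustration (not code from either poster), here is a small first-match packet filter model that encodes the two rule sets above and shows why "linear match and commit" makes the screened-subnet filters easy to write. The address plan (10.0.0.0/24 inside, a single bastion address 192.0.2.10, everything else outside) is an assumption constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example (assumption, not from the post).
INSIDE = ipaddress.ip_network("10.0.0.0/24")      # "inside" hosts
BASTION = ipaddress.ip_network("192.0.2.10/32")   # one adapter, one address
ANY = ipaddress.ip_network("0.0.0.0/0")           # matches every address

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str   # "accept" or "deny"

def filter_packet(rules, src, dst):
    """'Linear match and commit': the first rule whose src/dst both match
    decides the packet and no later rule is consulted. A trailing catch-all
    deny therefore gives default-deny, and rule order is significant."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"   # implicit default if nothing matched

# Filter 1 (inside side): only inside <-> bastion, nothing else.
FILTER1 = [
    Rule(INSIDE, BASTION, "accept"),
    Rule(BASTION, INSIDE, "accept"),
    Rule(ANY, ANY, "deny"),            # catch-all
]

# Filter 2 (outside side): only bastion <-> outside. Inside addresses are
# denied first so they can never leak out or be spoofed in, regardless of
# what the accept rules below would otherwise match.
FILTER2 = [
    Rule(INSIDE, ANY, "deny"),
    Rule(ANY, INSIDE, "deny"),
    Rule(BASTION, ANY, "accept"),
    Rule(ANY, BASTION, "accept"),
    Rule(ANY, ANY, "deny"),            # catch-all
]

def direct_inside_to_outside(src, dst):
    """Decision for a packet trying to bypass the bastion: it must pass
    Filter 1 and then Filter 2, and the first deny commits the result."""
    if filter_packet(FILTER1, src, dst) == "deny":
        return "deny"
    return filter_packet(FILTER2, src, dst)
```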