Great Circle Associates Firewalls
(January 1996)
 


Subject: How secure can a screened host be?
From: Bill Stout <bstout @ osc . hitachi . com>
Date: Tue, 30 Jan 96 17:18:22 PST
To: Firewalls @ GreatCircle . COM

I have a theoretical configuration where I would like to use a screened
host, AND Cisco policy routing.  The bennies would be the ability to
firewall multiple links with one router.  My concern is the overall security
of such an arrangement in comparison to a true DMZ.

<diagram follows>

         Business partner---Router----Internal Net(s)
                            /  | \
                 Internet--/   |  \---Firewall
                               |
                          Web Server(s)

In the Cisco, the policy routing would be enabled as follows:

Interface s0/1
 description Line to Internet
 ip policy route-map firewall
 ip access-group 2 out

Interface s0/2
 description Line to Business Partner
 ip policy route-map firewall
 ip access-group 2 out
...and so on.

route-map firewall permit 10
 match ip address 1
 set ip next-hop 'firewall_IP_address'

access-list 1 permit any
access-list 2 permit 'firewall_IP_address'


Comments??


William B. Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California
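
Added example, not part of the original post: a small Python model of how the router would treat packets under the posted configuration, limited to the two serial interfaces shown. The addresses and the interface names e0 (firewall), e1 (web servers) and e2 (internal net) are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample address; the post gives only 'firewall_IP_address'.
FIREWALL = ipaddress.ip_address("192.0.2.10")

# Standard ACLs match the source address only and end in an implicit deny.
ACLS = {
    1: [("permit", ipaddress.ip_network("0.0.0.0/0"))],  # permit any
    2: [("permit", ipaddress.ip_network(f"{FIREWALL}/32"))],
}
POLICY_IN = {"s0/1": 1, "s0/2": 1}  # route-map firewall: match ip address 1
ACL_OUT = {"s0/1": 2, "s0/2": 2}    # ip access-group 2 out


def acl_permits(acl_id, src):
    for action, net in ACLS[acl_id]:
        if src in net:
            return action == "permit"
    return False  # implicit deny


def forward(in_if, src, routed_out_if):
    """Decide what the router does with a packet from `src` that arrives on
    `in_if` and whose normal route leaves through `routed_out_if`."""
    src = ipaddress.ip_address(src)
    # Policy routing applies to packets received on the interface.
    match_acl = POLICY_IN.get(in_if)
    if match_acl is not None and acl_permits(match_acl, src):
        return ("to-firewall", str(FIREWALL))
    # Otherwise the packet follows the routing table and meets the outbound ACL.
    out_acl = ACL_OUT.get(routed_out_if)
    if out_acl is not None and not acl_permits(out_acl, src):
        return ("drop", f"access-list {out_acl} out on {routed_out_if}")
    return ("forward", routed_out_if)


if __name__ == "__main__":
    cases = [  # constructed packets: (arrives on, source, normal egress)
        ("s0/1", "203.0.113.5", "e1"),   # Internet -> web server
        ("s0/2", "198.51.100.7", "e2"),  # partner -> internal net
        ("e1", "192.0.2.80", "s0/1"),    # web server -> Internet, direct
        ("e0", "192.0.2.10", "s0/1"),    # firewall's own address -> Internet
        ("e0", "203.0.113.5", "s0/2"),   # firewall relays Internet source unchanged
    ]
    for case in cases:
        print(case, "->", forward(*case))
```

In this model a packet leaves a serial link only when its source address is the firewall's, so a firewall that relays packets with the original source unchanged has them dropped at the outbound ACL.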

