It's pretty unfortunate that some vendors can't offer multiple
interfaces, or that they charge an arm and a leg for 'em.
However, my workaround would be to tell the vendors 'no
thanks,' and buy a new interface for the filtering router (assuming
you have one?). Since you only let ports 80 and 443 through to the web
server, you wouldn't gain a whole lot by putting proxies there.
| This reminds me of another issue I had with firewall products. Although
| i had not made it obvious, the question was framed in the context that the
| web server would be in an arbitrary network behind the firewall. It seemed
| that a large chunk of firewalls out there do not offer flexible
| configurations as far as multiple network interfaces were concerned. How
| are large organizations (particularly financial institutions) dealing with
| this? Are there people still doing homebrew FWTK/screend setups for large
| For example, Borderware offered a third ethernet interface, but called it
| Something Special, and charged a huge chunk of money for just the 3rd
| interface (for DMZs). No more than 3 interfaces, too.
| In talking to resellers for TIS's Gauntlet, some of them were not willing
| to set up a firewall with more than 3 (and for one vendor, their limit was
| 2) interfaces. I was trying to arrange for 4.
| On Thu, 5 Sep 1996, Adam Shostack wrote:
| > I'd go for a demilitarized zone, a third interface off the firewall
| > with just the web server.
"It is seldom that liberty of any kind is lost all at once."
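As an added illustration, not part of the original post and not code from any of the products named above: a small Python model of the three-interface layout Adam suggested, with the filter the reply describes (only 80 and 443 from outside to the web server, nothing from the DMZ toward the inside). The interface names, the addresses, the ACK-bit check for return traffic and the admin ssh path are all assumptions made for the example.

```python
"""First-match packet filter modelling a three-interface DMZ firewall.

Added example, not code from the original post. Interface names, addresses
and the rule list below are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Assumed topology: "ext" faces the Internet, "dmz" carries only the web
# server, "int" is the internal network.
WEB_SERVER = "192.0.2.10"                 # assumed web server address (TEST-NET-1)
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space


@dataclass(frozen=True)
class Packet:
    in_if: str         # interface the packet arrived on: "ext", "dmz" or "int"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit; set on every segment except the opening SYN


def in_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


# First-match rule list: (name, predicate, action). Anything unmatched is dropped.
RULES = [
    # Only HTTP and HTTPS from the outside may reach the web server.
    ("ext->web 80/443", lambda p: p.in_if == "ext" and p.proto == "tcp"
        and p.dst == WEB_SERVER and p.dport in (80, 443), "accept"),
    # The web server answers those connections; ACK-only, so it cannot open new ones.
    ("web replies out", lambda p: p.in_if == "dmz" and p.proto == "tcp"
        and p.src == WEB_SERVER and p.sport in (80, 443) and p.ack
        and not in_internal(p.dst), "accept"),
    # Assumed admin path: inside may ssh to the web server, replies come back ACK-only.
    ("int->web 22", lambda p: p.in_if == "int" and p.proto == "tcp"
        and in_internal(p.src) and p.dst == WEB_SERVER and p.dport == 22, "accept"),
    ("web ssh replies", lambda p: p.in_if == "dmz" and p.proto == "tcp"
        and p.src == WEB_SERVER and p.sport == 22 and p.ack
        and in_internal(p.dst), "accept"),
    # Everything else from the DMZ toward the inside is dropped, so a
    # compromised web server stays in its own segment.
    ("dmz->int", lambda p: p.in_if == "dmz" and in_internal(p.dst), "drop"),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else default deny."""
    for name, pred, action in RULES:
        if pred(p):
            return action, name
    return "drop", "default deny"


def web_server_can_reach_internal(dport: int = 445) -> bool:
    """Can a compromised web server open a fresh connection (no ACK) inward?"""
    probe = Packet("dmz", "tcp", WEB_SERVER, 40000, "10.0.0.5", dport)
    return evaluate(probe)[0] == "accept"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet("ext", "tcp", "203.0.113.7", 51000, WEB_SERVER, 443),
        Packet("dmz", "tcp", WEB_SERVER, 443, "203.0.113.7", 51000, ack=True),
        Packet("ext", "tcp", "203.0.113.7", 51001, WEB_SERVER, 22),
        Packet("dmz", "tcp", WEB_SERVER, 40000, "10.0.0.5", 445),
    ]
    for s in samples:
        print(s.in_if, s.src, s.sport, "->", s.dst, s.dport, evaluate(s))
    print("web server can reach inside:", web_server_can_reach_internal())
```

The point the model makes explicit is why the third interface matters: with the web server on its own segment, the filter sees every packet it sends, and the "dmz->int" rule keeps it from reaching the internal network even after it has been taken over. With only two interfaces the web server would sit on the inside with everything else, and that traffic would never cross the filter at all.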