I'm not from Cisco, but I can tell you that the drawing below is currently
impossible with PIX. Only two interfaces are supported and only on
Ethernet. Those are my big annoyances with the PIX. One note here:
the PIX is designed to filter traffic, not to proxy it. The
prototypical firewall has been the pair of routers and bastion host
design. Now with more technology, like stateful packet filtering and dynamic
"proxying" (like PIX), many of the prototypical designs don't quite fit
anymore. (Note: that does *not* make the prototype invalid, just that
the need is there to reconsider new prototypes.) Proxies are still
important, as are packet filtering devices, but how do these new devices
change the equation? Can the use of "stealth" firewalls (like PIX or a
quiet "pass-through-only" multi-homed firewall) change the need for the
dual router config?
I think that perhaps a good discussion here would be what new prototypes
these new firewall devices offer: how does stateful packet filtering
change the need for dual routers, how can proxies be used more
effectively (and in ways that reduce the latency, overhead, and
frustration that some users encounter in trying to use them), and
how can we back up to a conceptual design that sets goals for the firewall
design? I'd like to hear some unique designs that use these devices and
thereby can offer some levels of security that routers and bastion hosts
cannot, while also allowing an enhanced range of services. These are
new devices that can *potentially* offer great advantages for us firewall
builders. How can we use them most effectively?
On Thu, 28 Nov 1996, Craig I. Hagan wrote:
> could someone from cisco give an opinion on whether the following
> would be a reasonable use for their PIX firewall, and whether
> this is the intended use:
>
>     'net ---- PIX --- proxy app server
>                |
>                |
>           internal net
>
> thus the PIX machine (or competing product) could give me protocol layer
> protection for both the internal net and the proxy app server. the proxy
> app server would then handle certain applications which required
> additional action above and beyond what PIX, et al., provides -- http
> proxying/activeX blocking, perhaps it might be a java VM which could
> execute java and relay display information to the desktop, etc, process
> mail to reduce the chance that someone could ship tainted binaries or
> whatever in attachments, etc etc etc. [note: if you want to argue the
> merits of the above kooky ideas, let's make it an offline thread, I'm
> making them up as I go]
>
> -- craig
>
> -------------------------------------------------------------------------------
> Craig I. Hagan           "It's a small world, but I wouldn't want to back it up"
> hagan@cih.com            "True hackers don't die, their ttl expires"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr. Systems Engineer, Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800   Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Official Applied Computer Solutions Home Page
and Tech Tip of the Week:
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~