Great Circle Associates Firewalls
(December 1996)
 


Subject: Dual-porting of DMZ systems, why?
From: Michael Smith <ms @ gf . org>
Date: Thu, 19 Dec 1996 14:08:41 -0500
To: Firewalls @ GreatCircle . COM

I'm wondering just what class of attack scenarios is 
thought to be prevented by dual-porting the DMZ 
systems, thus: 

             |---DMZ sys---|
             |             |
             |             |
             |             |
outer        |             |    inner
boundary-----|---DMZ sys---|----boundary
router       |             |    router
             |             |
             |             |
             |---DMZ sys---|


As opposed to:

             |---DMZ sys
             |             
             |             
             |---DMZ sys             
outer        |                 inner
boundary-----|-----------------boundary
router       |                 router
             |                        
             |---DMZ sys


The only thing I can think of that the first one gives you 
and the second one doesn't, is protection against some subversion
of the outer boundary router. Are there other benefits that 
I've overlooked? 

  

--Michael Smith
  ms @ gf . org

