At 02:08 PM 12/19/96 -0500, Michael Smith <ms @ gf . org> allegedly wrote:
>I'm wondering just what class of attack scenarios is
>thought to be prevented by dual-porting the DMZ
>systems, thus:
>
>             |---DMZ sys---|
>             |             |
>             |             |
>             |             |
>outer        |             |    inner
>boundary-----|---DMZ sys---|----boundary
>router       |             |    router
>             |             |
>             |             |
>             |---DMZ sys---|
>
>
>As opposed to:
>
>             |---DMZ sys
>             |
>             |
>             |---DMZ sys
>outer        |                 inner
>boundary-----|-----------------boundary
>router       |                 router
>             |
>             |---DMZ sys
>
>
>The only thing I can think of that the first one gives you
>and the second one doesn't, is protection against some subversion
>of the outer boundary router. Are there other benefits that
>I've overlooked?
>
>
>
>--Michael Smith
> ms @ gf . org
>
The thing that jumps to mind first is that you need a firewall.
While some may consider a router to be a "firewall", I don't as
it does not provide adequate protection from the hazards of the
Internet. You might try using an Application Gateway which
supports User->Firewall Encryption.
Best Regards,
Frank
Fortified Networks Inc.
Expert Information Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817
http://www.fortified.com