I'm trying to make a case for a firewall design. I've narrowed the choices
down to two options. Option A looks like:

   internal     internal      dual-homed             external
   network  --- filtering --- bastion host with  --- filtering --- internet
                router        TIS toolkit            router

Option B looks like:

   internal     internal                              external
   network  --- "firewall" --- DMZ network ---------- filtering --- internet
                system*            |                  router
                             bastion host(s)

   *(Cisco PIX or similar device)

With both options, we would need to proxy or masquerade all internal
connections to the internet (we use private IP addresses). I'm pretty sure
both options would give us what we want (internet connectivity + security).
The trade-offs I see are the lower cost of A (most of the pieces are already
in place) vs. the ease of use and extensibility of B. My own preference is
for option B but I'll need some backup before I can make a case for spending
$10K+.
Has anyone else made or seen such a (third-party) analysis before? I have
the O'Reilly Firewalls book but they don't really cover option B.
Thanks...
-Rich
--
Rich Lenihan                        System/Network Administrator
rich@segue.com                      617.796.1247 (voice)  617.796.1610 (fax)
Segue Software, Inc.  1320 Centre Street  Newton Centre, MA 02159  USA
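Added illustration (not part of Rich's post or of any vendor's product): a small first-match, default-deny policy model for the screened-subnet layout of option B, with the internal network, the DMZ and the internet as three zones. The address ranges, the masquerade address and the rule list are assumptions constructed for the example; the point it shows is the property that makes option B attractive, namely that a compromised bastion host on the DMZ cannot open connections into the internal network, while internal hosts with private addresses only ever appear on the internet as the firewall's outside address.

```python
"""Screened-subnet (DMZ) policy model, written as an added example.

Zones, addresses and rules below are assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed addressing for the example (not from the original post).
ZONES = {
    "internal": ip_network("10.1.0.0/16"),   # private space, must be masqueraded
    "dmz":      ip_network("192.0.2.0/24"),   # bastion host(s) live here
    "internet": ip_network("0.0.0.0/0"),      # catch-all
}
FIREWALL_OUTSIDE = ip_address("198.51.100.1")  # assumed masquerade address


def zone_of(addr: str) -> str:
    """Classify an address; check the specific zones before the catch-all."""
    a = ip_address(addr)
    for name in ("internal", "dmz"):
        if a in ZONES[name]:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]   # empty set = any port
    action: str                 # "allow" or "deny"


# First match wins; anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz", frozenset({25, 80, 443}), "allow"),  # published services only
    Rule("internet", "internal", frozenset(), "deny"),           # never into the inside
    Rule("dmz", "internal", frozenset(), "deny"),                # a hacked bastion stays out
    Rule("internal", "dmz", frozenset(), "allow"),
    Rule("internal", "internet", frozenset(), "allow"),          # masqueraded, see evaluate()
    Rule("dmz", "internet", frozenset({25, 53}), "allow"),       # mail relay and DNS only
]


@dataclass(frozen=True)
class Verdict:
    action: str
    src_seen_by_peer: Optional[str]   # source address the destination observes


def evaluate(src: str, dst: str, dport: int) -> Verdict:
    """Decide whether a new connection is permitted and how its source appears."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return Verdict("allow", src)  # same zone: never crosses the firewall
    action = "deny"
    for r in POLICY:
        if r.src_zone == sz and r.dst_zone == dz and (not r.dst_ports or dport in r.dst_ports):
            action = r.action
            break
    if action == "deny":
        return Verdict("deny", None)
    # Private internal addresses are not routable on the internet, so the
    # firewall rewrites them to its own outside address (masquerading).
    if sz == "internal" and dz == "internet":
        return Verdict("allow", str(FIREWALL_OUTSIDE))
    return Verdict("allow", src)


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port).
    flows = [
        ("203.0.113.7", "192.0.2.10", 80),    # internet -> DMZ web server
        ("203.0.113.7", "192.0.2.10", 22),    # internet -> DMZ ssh (not published)
        ("203.0.113.7", "10.1.2.3", 80),      # internet -> internal host
        ("192.0.2.10", "10.1.2.3", 445),      # bastion -> internal host
        ("10.1.2.3", "203.0.113.7", 443),     # internal -> internet, masqueraded
        ("192.0.2.10", "203.0.113.7", 25),    # bastion relaying mail out
    ]
    for src, dst, port in flows:
        v = evaluate(src, dst, port)
        print(f"{src:>14} -> {dst:<14} :{port:<4} {v.action:<5} seen as {v.src_seen_by_peer}")
```

Running the script prints one line per constructed flow; the two properties to look for are that the bastion-to-internal flow is denied regardless of port, and that the internal-to-internet flow carries the firewall's outside address rather than the 10.x source.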