# Consider the following:
#
# IGW and EGW are dedicated routers, with intelligent filtering.
# AGW is a 'secured' UNIX machine running Application Gateways, plus mail and
# DNS services. There are no user accounts, and no unnecessary servers running.
#
# Configuration 1:
#
# ---------------------------------------- Internal net
#            |
#           IGW                  AGW
#            |                    |
# ---------------------------------------- DMZ Ether
#                                 |
#                                EGW---> Internet
#
#
# Configuration 2:
#
# ---------------------------------------- Internal net
#            |
#           IGW                  AGW----> Internet
#            |                    |
# ---------------------------------------- DMZ Ether
#
# In configuration 1, the Internet link is handled by a separate router. In 2,
# it's handled by running SLIP or PPP on the Unix box. IPForwarding is turned
# off in the kernel, so logically, the two should be the same.
#
# My question is, what are the implications of using the second scenario
# (instead of the first)? In short, what security flaws am I forgetting this
# time? :-)
It might be worth noting that configuration #1 has (if I read
it correctly) two points which can fail. Logically they're the same,
practically #1 has this 2nd box with its own set of problems, and
weaknesses.
Andrew
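The whole "logically the same" argument in the question rests on one kernel setting: the dual-homed AGW in configuration 2 must not forward packets between its interfaces, otherwise the DMZ and the Internet are simply bridged around the application gateways. Below is an added audit helper (not from the thread, and not the poster's or Andrew's code) that verifies that assumption on a running host. It assumes the Linux procfs sysctl paths under /proc/sys/net; the knob names `ipv4/ip_forward`, `ipv4/conf/all/forwarding` and `ipv6/conf/all/forwarding` are those of a modern Linux kernel, and a BSD-era box like the one discussed would expose the same setting through `sysctl net.inet.ip.forwarding` instead, so the knob list is the part to adapt.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Checks that a dual-homed gateway
# such as the AGW in configuration 2 really is not forwarding packets between
# its interfaces. Assumes Linux procfs sysctl paths below /proc/sys/net.

# forwarding_state FILE
#   Prints "off" when FILE holds 0, "on" when it holds anything else,
#   and "absent" when the knob does not exist (e.g. IPv6 not compiled in).
forwarding_state() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "absent"
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    if [ "$v" = "0" ]; then
        echo "off"
    else
        echo "on"
    fi
}

# audit_forwarding [BASE_DIR]
#   Walks the forwarding knobs below BASE_DIR (default /proc/sys/net),
#   prints one line per knob and returns 0 only if none of them is "on".
#   An "absent" knob is tolerated: a kernel without that stack cannot
#   forward for it. BASE_DIR exists so the check can be run against a
#   copied or constructed tree as well as the live kernel.
audit_forwarding() {
    base="${1:-/proc/sys/net}"
    rc=0
    for knob in ipv4/ip_forward ipv4/conf/all/forwarding ipv6/conf/all/forwarding; do
        state=$(forwarding_state "$base/$knob")
        printf '%-28s %s\n' "$knob" "$state"
        if [ "$state" = "on" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use (save as audit_forwarding.sh and run it on the gateway):
# audits the running kernel and fails loudly if the host routes.
case "$0" in
    *audit_forwarding.sh)
        if audit_forwarding; then
            echo "OK: host is not forwarding"
        else
            echo "FAIL: host forwards packets; configuration 2 is not equivalent to configuration 1" >&2
            exit 1
        fi
        ;;
esac
```

Run it from cron or a config-management check rather than once at install time: the knob is trivially flipped by an administrator "just to test something", and a forwarding AGW silently turns the screened-subnet design into a single-router design with the application gateways bypassed. Note that forwarding being off only stops the kernel from routing; the gateways, mail and DNS daemons on AGW remain reachable from both sides, which is exactly the one-box-with-its-own-weaknesses trade-off Andrew points at.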