> From: cyerkes @
> Filtering routers can work, but can they authenticate using a
> SecureID? Can they leave a detailed audit trail? Can they allow ftp
> users to "get" but not "put"? Can they be easily audited by a Unix
> SA? and for smaller companies are they cost efficient? I can take
> a US$1300 IPC with an extra ethernet card or just a PPP connection
> and have a firewall that I trust. Larger companies would probably
> have routers ANYway, so it's an option.
What your IPC can't do, at least under SunOS 4.x, is tell which interface
a packet came in on. On a Cisco router (for example) you can block
"outside" net traffic that has an "inside" net source address. This
means that a bad guy can't flange up a packet with an internal
source address and fool your source-IP-based access control list.
This isn't too much of a problem if you don't support proxies, but
if you have proxies with only IP address for access control you
are vulnerable, unless you can determine which interface the
packet came in on. I guess that there are PPP implementations that
will let you do that (Morningstar?) but not all do.
The low end Cisco ether-serial routers are around $3,000. I've now
built a firewall each way, with and without freestanding routers.
For light duty the workstation-only method isn't bad, but with a
router I can cut my risks from spoofing. With routers on either side
of the bastion host I can not only cut down on the probability
of spoofing, I can choke down access to my internal net from the
bastion host, further limiting access in the event that the bastion
You're vulnerable to typos whatever you do for security. Morningstar
had a vulnerability in its PPP; Sun has lots of security-related bugs
in its OSes. There are no arguments against router-inclusive firewalls
that don't apply to workstation-only systems, too.
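The interface-aware anti-spoofing rule discussed in the reply above, as an added simulation that is not part of the thread and not anyone's router configuration. It models a router that knows which interface a packet arrived on beside a proxy ACL that checks only the source address; the `10.0.0.0/8` internal range, the `Packet` type and the interface names are constructed for the example. A packet whose interface is unknown (the SunOS 4.x case the reply describes) falls through to the address-only check, which is exactly where the spoofed packet gets accepted.

```python
"""Simulation of interface-aware anti-spoofing filtering vs. address-only ACLs.
Added example; constructed addresses and packets, not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed internal address space for the example.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: Optional[str]  # "inside", "outside", or None when the host cannot tell
    src: str
    dst: str


def is_inside_addr(addr: str) -> bool:
    """True when addr falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def router_filter(pkt: Packet) -> str:
    """Router-style rule that uses the arrival interface.

    Drops packets arriving on the outside interface that claim an inside
    source (ingress anti-spoofing) and packets arriving on the inside
    interface that carry a non-inside source (egress anti-spoofing).
    With no interface information there is nothing to check, so the
    packet is passed along to whatever address-based control follows.
    """
    if pkt.iface is None:
        return "accept"  # cannot tell where it came from; no basis to drop
    if pkt.iface == "outside" and is_inside_addr(pkt.src):
        return "drop"
    if pkt.iface == "inside" and not is_inside_addr(pkt.src):
        return "drop"
    return "accept"


def address_only_acl(pkt: Packet) -> str:
    """Proxy ACL that trusts any packet with an inside source address."""
    return "accept" if is_inside_addr(pkt.src) else "drop"


def chain(pkt: Packet) -> str:
    """Router rule first, then the proxy's address-only ACL."""
    if router_filter(pkt) == "drop":
        return "drop"
    return address_only_acl(pkt)


def run_sample() -> dict:
    """Evaluate a few constructed packets and return the decisions."""
    spoofed = Packet("outside", "10.1.2.3", "10.0.0.5")     # inside source, outside iface
    legit_out = Packet("inside", "10.1.2.3", "192.0.2.10")  # normal outbound
    legit_in = Packet("outside", "192.0.2.10", "10.0.0.5")  # normal inbound
    blind = Packet(None, "10.1.2.3", "10.0.0.5")            # same spoof, iface unknown
    return {
        "spoofed_with_router": chain(spoofed),
        "spoofed_acl_only": address_only_acl(spoofed),
        "legit_out": chain(legit_out),
        "legit_in_acl": chain(legit_in),
        "spoofed_iface_unknown": chain(blind),
    }


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:24s} {decision}")
```

The interesting rows are `spoofed_with_router` (dropped, because the router sees an inside source on the outside interface) and `spoofed_iface_unknown` (accepted, because the address-only ACL is the only check left). Note that `legit_in_acl` is dropped by the proxy ACL rather than by the router: an address-only ACL that admits inside sources is also the one that keeps outside sources away from the proxy, which is what makes the spoofed inside address attractive in the first place.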