We thought that connecting each bastion host to the perimeter
network via a bridge would limit the traffic that could be
sniffed to just the traffic exchanged by the bastion host.
For example, if an intruder captured the anonymous ftp bastion
host and installed a sniffer, the intruder would not be able
to capture any SMTP traffic (which is handled by a different
bastion host). We believe the bridges to be sufficient for
this purpose and do not understand how adding an additional
router on the perimeter network would achieve the same
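To make the sniffing argument above concrete, here is a small simulation, added as an illustration and not taken from the thread, of a transparent learning bridge in front of each bastion host. It compares a flat perimeter segment with the bridged layout the poster describes, and reports which frames of an SMTP exchange a sniffer on the anonymous ftp bastion would observe. Host names, MAC addresses and the frame sequence are constructed; the bridge behaviour assumed is the standard one (learn the source MAC per port, forward known unicast to one port, flood unknown unicast and broadcast).

```python
"""Which hosts on a perimeter network can sniff a frame?
Constructed example: flat shared segment vs one learning bridge per bastion.
MAC addresses and host names are made up."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str    # source MAC
    dst: str    # destination MAC
    label: str  # descriptive tag only, e.g. "smtp-data"

class Segment:
    """A shared medium: every host attached to it sees every frame on it."""
    def __init__(self, name):
        self.name = name
        self.hosts = set()    # MACs directly attached
        self.bridges = []     # bridges with a port on this segment

class Bridge:
    """Transparent learning bridge (standard behaviour assumed)."""
    def __init__(self, name, ports):
        self.name = name
        self.ports = ports    # Segments, one per port
        self.table = {}       # learned MAC -> Segment it was seen on
        for seg in ports:
            seg.bridges.append(self)

    def egress(self, frame, in_seg):
        """Return the segments this frame is forwarded onto."""
        self.table[frame.src] = in_seg
        if frame.dst != BROADCAST and frame.dst in self.table:
            out = self.table[frame.dst]
            return [] if out is in_seg else [out]   # known: one port or drop
        return [s for s in self.ports if s is not in_seg]  # unknown: flood

def transmit(frame, origin):
    """Put a frame on `origin` and return the set of MACs that observe it."""
    seen = set()
    def propagate(seg, from_bridge):
        seen.update(seg.hosts)
        for br in seg.bridges:
            if br is from_bridge:
                continue
            for out in br.egress(frame, seg):
                propagate(out, br)
    propagate(origin, None)
    return seen

# Constructed addresses for the router and the two bastion hosts.
ROUTER, FTP, SMTP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def flat_topology():
    """Everything on one shared perimeter segment. Returns MAC -> Segment."""
    net = Segment("perimeter")
    net.hosts.update({ROUTER, FTP, SMTP})
    return {ROUTER: net, FTP: net, SMTP: net}

def bridged_topology():
    """Router on the perimeter; each bastion behind its own two-port bridge."""
    perimeter = Segment("perimeter")
    perimeter.hosts.add(ROUTER)
    where = {ROUTER: perimeter}
    for mac, name in ((FTP, "ftp"), (SMTP, "smtp")):
        leg = Segment(f"{name}-leg")
        leg.hosts.add(mac)
        Bridge(f"{name}-bridge", [perimeter, leg])
        where[mac] = leg
    return where

def sniffable_by(sniffer, where, conversation):
    """Replay a list of frames; return those visible to a sniffer on `sniffer`."""
    return [f for f in conversation if sniffer in transmit(f, where[f.src])]

# A constructed SMTP exchange between the router and the SMTP bastion.
MAIL = [
    Frame(ROUTER, SMTP, "smtp-syn"),
    Frame(SMTP, ROUTER, "smtp-syn-ack"),
    Frame(ROUTER, SMTP, "smtp-data"),
]

if __name__ == "__main__":
    for name, topo in (("flat", flat_topology()), ("bridged", bridged_topology())):
        labels = [f.label for f in sniffable_by(FTP, topo, MAIL)]
        print(f"{name:8s} ftp bastion sees: {labels}")
```

On the flat segment the ftp bastion sees all three SMTP frames; behind its own bridge it sees only the first one, which the bridge flooded because it had not yet learned where the SMTP bastion's MAC lives. That residual leakage (unknown-unicast flooding until the tables are populated, plus broadcasts such as ARP, which always cross) is the caveat to keep in mind when relying on bridges for this kind of isolation.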

Such bridges are a good idea. Another possibility is to use a ``smart''