In message <199408312320 .
> We thought that connecting each bastion host to the perimeter
> network via a bridge would limit the traffic that could be
> sniffed to just the traffic exchanged by the bastion host.
> For example, if an intruder captured the anonymous ftp bastion
> host and installed a sniffer, the intruder would not be able
> to capture any SMTP traffic (which is handled by a different
> bastion host). We believe the bridges to be sufficient for
> this purpose and do not understand how adding an additional
> router on the perimeter network would achieve the same
> Such bridges are a good idea. Another possibility is to use a ``smart''
Riding on smb's coat tails, I agree. The real question is what you
want to do with the "bridges". If you are looking for some extra
filtering/logging to add suspenders to the bastion belts, then a
filtering bridge (e.g. Karl Bridge) will do the trick. If, on the other
hand, you are simply worried about sniffing attacks, the intelligent
10BaseT hubs are a better (dumber, less easily attacked) bet. It again
depends on what you are defending against.
Depending on the client I have used both; however, I do make sure that
I have some way of disabling the hub remotely, just in case I need to
chop the Internet connection due to anomalies on the interior nets.
Senior Systems Administrator IDD Information Services
com Waltham, MA (617) 890-1576 x225
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
edu (preferred) Boston, MA, (617) 287-6480
My employers don't acknowledge my existence much less my opinions.
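The bridge-versus-"dumb" hub trade-off above, worked through as an added example (this is not code from the original thread or from any product it names). It simulates a transparent learning bridge and a secure 10BaseT hub with a statically configured MAC per port, drives an SMTP exchange between the router and the SMTP bastion, and reports what a sniffer on the compromised FTP bastion's port would see. The port layout, MAC addresses and SMTP payloads are constructed for illustration; the table size is deliberately tiny so the bridge's finite learning table can be overrun in a few lines.

```python
"""Added example: sniffing exposure on a bridged vs. secure-hub perimeter net.

Ports 'router', 'smtp' and 'ftp' and the MACs below are constructed for the
simulation; they are not from the original thread.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER = "00:00:0c:aa:aa:aa"   # constructed: perimeter router
SMTP = "08:00:20:bb:bb:bb"     # constructed: SMTP bastion host
FTP = "08:00:20:cc:cc:cc"      # constructed: anonymous ftp bastion (sniffer here)


class LearningBridge:
    """Transparent bridge: learns source MAC -> port, forwards known unicast
    to one port, floods unknown unicast and broadcast to every other port."""

    def __init__(self, ports, table_size=4):
        self.ports = list(ports)
        self.table_size = table_size           # finite forwarding table
        self.table = OrderedDict()             # MAC -> port, oldest first
        self.seen = {p: [] for p in self.ports}   # frames put on each port's wire

    def learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)
        self.table[mac] = port
        while len(self.table) > self.table_size:
            self.table.popitem(last=False)     # evict the oldest entry

    def forward(self, in_port, src, dst, payload):
        self.learn(src, in_port)
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            targets = [p for p in self.ports if p != in_port]   # flood
        else:
            targets = [] if out == in_port else [out]
        for p in targets:
            self.seen[p].append((src, dst, payload))
        return targets


class SecureHub:
    """'Intelligent' 10BaseT hub: the administrator fixes which MAC sits on
    each port and unicast is repeated only to the matching port. Nothing is
    learned from traffic, so there is no table for an attacker to fill.
    (A real hub repeats a scrambled frame to the other ports; the model
    simply omits them.)"""

    def __init__(self, port_macs):
        self.port_macs = dict(port_macs)       # port -> configured MAC
        self.seen = {p: [] for p in self.port_macs}

    def forward(self, in_port, src, dst, payload):
        if dst == BROADCAST:
            targets = [p for p in self.port_macs if p != in_port]
        else:
            targets = [p for p, m in self.port_macs.items()
                       if m == dst and p != in_port]
        for p in targets:
            self.seen[p].append((src, dst, payload))
        return targets


def smtp_session(device, attacker_floods=False):
    """Run a short SMTP exchange router<->smtp through `device` and return
    the payloads a sniffer on the ftp bastion's port observes. With
    attacker_floods=True the compromised ftp host sprays bogus source MACs
    before every legitimate frame, as a sniffer on that host could."""
    exchange = [("router", ROUTER, SMTP, "HELO"),
                ("smtp", SMTP, ROUTER, "250 OK"),
                ("router", ROUTER, SMTP, "MAIL FROM"),
                ("smtp", SMTP, ROUTER, "250 OK")]
    for i, (port, src, dst, payload) in enumerate(exchange):
        if attacker_floods:
            for n in range(50):
                bogus = f"de:ad:be:ef:{i:02x}:{n:02x}"   # constructed MACs
                device.forward("ftp", bogus, BROADCAST, "bogus")
        device.forward(port, src, dst, payload)
    return [p for _, _, p in device.seen["ftp"]]


def new_bridge():
    return LearningBridge(["router", "smtp", "ftp"], table_size=4)


def new_hub():
    return SecureHub({"router": ROUTER, "smtp": SMTP, "ftp": FTP})


if __name__ == "__main__":
    print("bridge, quiet attacker :", smtp_session(new_bridge()))
    print("bridge, MAC flooding   :", smtp_session(new_bridge(), True))
    print("secure hub, quiet      :", smtp_session(new_hub()))
    print("secure hub, flooding   :", smtp_session(new_hub(), True))
```

Two things fall out that the thread only hints at. Even with a well-behaved bridge the ftp port sees the first frame of the SMTP exchange, because the bridge floods unicast to a destination it has not yet learned; the leak is small but not zero. And a bridge's learning table is finite, so an attacker who keeps spraying bogus source addresses from the captured host pushes the real entries out and turns the bridge back into a hub, which is the sense in which the "dumber" secure hub, with its statically configured port-to-MAC mapping, is the less easily attacked choice when sniffing is the only concern.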