We're in the process of designing a firewall for our network. This will
include a 'screened' subnet with a bastion host running proxy agents
to permit specific incoming/outgoing services between our main network
and the Internet.
The most common setup I've seen for such is as follows (crude ASCII 'art'):
               ------          ----------          ------
               |    |          |        |          |    |
        -------|router|        |bastion |          |router|-------
        Inter- |    |          |        |          |    | internal
        net    |    |--        |        |        --|    | net
               |    |  |       |        |       |  |    |
               ------  |       ----------       |  ------
                       |    screened subnet     |
                       |___________|____________|
Question... Is there any reason that I can't accomplish the same goals
using a multi-port router in place of the two separate routers - as
follows (yet more crude ASCII art):
          ------------------------
          |   Multi-port router  |
          |                      |
          |                      |
          |______________________|
             |        |        |
             |        |        |
    ---------|        |        |---------------
    Internet          |          Internal net
                      |
                      |
          Screened    |      --------------
          subnet      |      |            |
                      |      |            |
                      |------|  Bastion   |
                      |      |            |
                      |______|____________|
I.e., can the two above examples be made functionally equivalent?
As it happens, I need the multi-port router anyway, so if I can avoid
purchasing a separate screening router, I'm a few $$$ ahead...
Thanks all!
Ross
--
Ross Parker            | KotHFJ '88 FJ1200, '64 Matchless G80CS (500cc)
MPR Teltech Ltd.       |
Burnaby, B.C., Canada  | "Lisp has all the visual appeal of oatmeal
parker@mprgate.mpr.ca  | with fingernail clippings mixed in" -- Larry Wall
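As an added example, not part of Ross's post or of any reply in the thread, the model below compares the forwarding policy of the two-router screened subnet with that of a single three-legged router. Everything in it is an assumption constructed for illustration: the addressing plan (bastion at 192.0.2.10 on 192.0.2.0/24, 10.0.0.0/8 internal), the short lists of proxied services, and the function names (zone, outer_router, inner_router, two_routers_permit, multiport_router_permit, naive_multiport_permit, divergent_flows). Only connection-initiating packets are modelled; replies are taken to be admitted by an "established" rule, as on a stateless screening router.

```python
"""Forwarding-policy model: two screening routers vs one multi-port router.

Added example, not from the original post. Addresses, service lists and
function names are constructed assumptions. Only the first packet of a
connection is modelled; replies are assumed admitted by an "established" rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed): the bastion is the only host on the screened subnet.
SCREENED = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
BASTION = ip_address("192.0.2.10")

# Assumed service policy (constructed): only the bastion's proxy agents are reachable.
INTERNET_TO_BASTION = {25, 53}          # e.g. SMTP and DNS offered to the Internet
INTERNAL_TO_BASTION = {21, 25, 53, 80}  # internal hosts reach the proxies on these
BASTION_TO_INTERNAL = {25}              # bastion delivers mail to an internal host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr):
    """Classify an address as 'internal', 'screened' or 'internet'."""
    a = ip_address(addr)
    if a in INTERNAL:
        return "internal"
    if a in SCREENED:
        return "screened"
    return "internet"


def outer_router(pkt):
    """Screening router between the Internet and the screened subnet."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if (sz, dz) == ("internet", "screened"):
        return ip_address(pkt.dst) == BASTION and pkt.dport in INTERNET_TO_BASTION
    if (sz, dz) == ("screened", "internet"):
        return ip_address(pkt.src) == BASTION
    return False  # internal addresses never legitimately appear on this link


def inner_router(pkt):
    """Screening router between the screened subnet and the internal net."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if (sz, dz) == ("internal", "screened"):
        return ip_address(pkt.dst) == BASTION and pkt.dport in INTERNAL_TO_BASTION
    if (sz, dz) == ("screened", "internal"):
        return ip_address(pkt.src) == BASTION and pkt.dport in BASTION_TO_INTERNAL
    return False  # Internet addresses never legitimately appear on this link


def two_routers_permit(pkt):
    """Two-router layout: a connection must pass every router on its path."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if sz == dz:
        return True  # same subnet, no router involved
    hops = []
    if "internet" in (sz, dz):
        hops.append(outer_router)
    if "internal" in (sz, dz):
        hops.append(inner_router)
    return all(hop(pkt) for hop in hops)


def multiport_router_permit(pkt):
    """One three-legged router carrying both rule sets plus an explicit refusal
    to forward directly between the Internet leg and the internal leg."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if sz == dz:
        return True
    if {sz, dz} == {"internet", "internal"}:
        return False  # this rule replaces the physical gap between the two routers
    return outer_router(pkt) if "internet" in (sz, dz) else inner_router(pkt)


def naive_multiport_permit(pkt):
    """Same router with only the two rule sets copied over: a pair of legs
    that neither rule set mentions is simply routed."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if sz == dz:
        return True
    if "screened" in (sz, dz):
        return outer_router(pkt) if "internet" in (sz, dz) else inner_router(pkt)
    return True


# Constructed sample connections, one per leg pair and direction of interest.
SAMPLE_FLOWS = [
    Packet("203.0.113.5", "192.0.2.10", 25),  # Internet -> bastion SMTP
    Packet("203.0.113.5", "192.0.2.10", 23),  # Internet -> bastion telnet
    Packet("203.0.113.5", "10.1.2.3", 25),    # Internet -> internal host directly
    Packet("10.1.2.3", "192.0.2.10", 80),     # internal -> bastion web proxy
    Packet("10.1.2.3", "203.0.113.5", 80),    # internal -> Internet directly
    Packet("192.0.2.10", "203.0.113.5", 80),  # bastion -> Internet (proxy fetch)
    Packet("192.0.2.10", "10.1.2.3", 25),     # bastion -> internal mail host
]


def divergent_flows(policy_a, policy_b, flows=SAMPLE_FLOWS):
    """Connections on which two policies disagree."""
    return [p for p in flows if policy_a(p) != policy_b(p)]


if __name__ == "__main__":
    for p in SAMPLE_FLOWS:
        print(p.src, "->", p.dst, p.dport, two_routers_permit(p),
              multiport_router_permit(p), naive_multiport_permit(p))
    print("naive router differs on:", divergent_flows(two_routers_permit, naive_multiport_permit))
```

In the two-router layout the Internet leg and the internal leg never share a router, so a direct Internet-to-internal connection has no path at all; on a multi-port router that separation exists only as a rule, and the naive variant shows the direct connections that get forwarded when the rule is missing. The other difference the model does not capture is that a single router is one device to misconfigure or compromise for both screens.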