Hi there,
I am currently designing a firewall and am faced with a difficult
decision. Please help me out on this one...
Is there any difference in the security of a screened subnet firewall
using two routers (one serial-ethernet, the second ethernet-ethernet)
as opposed to using one router with serial-ethernet-ethernet interfaces?
---------------------------------------------------------------------
First design:

                  -- DMZ --
Internet -->|R1|-------------|R2|----- inside net
                 -- bastion --
                     host
---------------------------------------------------------------------
The second one:

Internet -->|R1|------- inside net
             |
       b.    |
       host--|DMZ
             |
---------------------------------------------------------------------
In both instances, it is impossible to avoid going through the DMZ and
the bastion host (with packet filtering on the router(s)). The only
problem I see is breaking into the first router in the second design, but
if I allow access to the router only via console, then I see no
difference.
The second design also saves you around $3500 (at least here) for
a Cisco 2501 (I am thinking of using the 2514 for the dual-ethernet
router).
Many many thanks in advance,
--
Jan Bervar * jan.bervar@snet.fer.uni-lj.si * http://www.fer.uni-lj.si/~janb
---------------------------------------------------------------------------
FER Security Team * The S-Net project * HP-UX & Linux admin * guitarist
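The packet-filter policy the post relies on ("impossible to avoid going through the DMZ and the bastion host"), modelled for the single three-interface router of the second design. This is an added example, not code from the post; the interface names, address ranges and bastion address are constructed, and the filter is address-level only (no ports or connection state).

```python
import ipaddress
from dataclasses import dataclass

# Interfaces of the single serial-ethernet-ethernet router (second design).
INTERNET, DMZ, INSIDE = "serial0", "ethernet0", "ethernet1"

# Constructed addressing: documentation and private ranges, not the poster's.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION = ipaddress.ip_network("192.0.2.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Permit list, first match wins; anything not listed is dropped.
# Every permitted path has the bastion host as one endpoint, so no packet
# can cross serial0 -> ethernet1 (Internet -> inside net) directly.
PERMIT = [
    Rule(INTERNET, DMZ, ANY, BASTION),       # Internet reaches the bastion only
    Rule(DMZ, INTERNET, BASTION, ANY),       # bastion talks outward
    Rule(DMZ, INSIDE, BASTION, INSIDE_NET),  # bastion relays into the inside net
    Rule(INSIDE, DMZ, INSIDE_NET, BASTION),  # inside hosts reach the bastion
]


def forward(in_if: str, out_if: str, src: str, dst: str) -> bool:
    """Return True if the router would forward the packet, False if dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: a packet arriving from the Internet must not claim
    # an inside or DMZ source address.
    if in_if == INTERNET and (s in INSIDE_NET or s in DMZ_NET):
        return False
    for r in PERMIT:
        if r.in_if == in_if and r.out_if == out_if and s in r.src and d in r.dst:
            return True
    return False  # implicit deny


if __name__ == "__main__":
    print(forward(INTERNET, INSIDE, "203.0.113.5", "10.1.2.3"))    # False
    print(forward(INTERNET, DMZ, "203.0.113.5", "192.0.2.10"))     # True
    print(forward(DMZ, INSIDE, "192.0.2.10", "10.1.2.3"))          # True
```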