At 11:57 AM 11/1/95 GMT, Danny Cox wrote:
>
>I suspect this may be a dumb question but bear with me. Given a screened host or
>screened subnet firewall, my understanding is that the bastion only has one
>ethernet card. If I'm running proxies upon it, then don't I need two IP addresses?
>
>Is it easy to set two IP addresses on one ethernet card - as I assume this is what's
>necessary?
>
>Thanks all,
>Danny
>
With a screened subnet, you only need one adapter and address:

+--------+   +----------+    +---------+    +----------+    +---------+
| Inside |---| Filter 1 |----| Bastion |----| Filter 2 |----| Outside |
+--------+   +----------+    +---------+    +----------+    +---------+

Filter 1 is set up to only allow connections between "inside" hosts and the
bastion. Filter 2 is set up to only allow connections between the bastion
and "outside" hosts. Thus the combination of Filter 1 and Filter 2
prevents direct inside-outside communication, forcing everything to
go through the bastion.
Caveat: This is not necessarily an endorsement of this configuration, just
confirmation that dual adapters and IP addresses for the bastion aren't
a technical must for it to work. Some firewall implementations use
dual IP stacks, one per interface to further enforce separation of
inside and outside data. Based on your needs, this may or may not be
overkill. Your mileage may vary. Coupon may not be photocopied.
---
Stephen Goldstein steveg @ cseic . saic . com
My first computer: A 24K Atari 800, Rev. A ROMS, November 1980
Disclaimer: That's not what I said.
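
The two-filter arrangement described in the message above, modelled as an added example (not part of the original message). The addresses are constructed for illustration; the model checks that no direct inside-outside packet passes while a proxy session, made of two connections to the bastion's single address, does.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the post.
INSIDE = ip_network("10.1.0.0/16")
BASTION = ip_address("192.0.2.10")  # the bastion's one and only address

def zone(addr):
    """Classify an address as bastion, inside or outside."""
    if addr == BASTION:
        return "bastion"
    return "inside" if addr in INSIDE else "outside"

def filter1(src, dst):
    """Filter 1: only inside <-> bastion traffic may pass."""
    return {zone(src), zone(dst)} == {"inside", "bastion"}

def filter2(src, dst):
    """Filter 2: only bastion <-> outside traffic may pass."""
    return {zone(src), zone(dst)} == {"bastion", "outside"}

def filters_on_path(src, dst):
    """Filters crossed, in order, on Inside-F1-Bastion-F2-Outside."""
    order = {"inside": 0, "bastion": 1, "outside": 2}
    a, b = order[zone(src)], order[zone(dst)]
    hops = [filter1, filter2][min(a, b):max(a, b)]
    return hops if a <= b else hops[::-1]

def delivered(src, dst):
    """True if a packet src -> dst passes every filter on its path."""
    src, dst = ip_address(src), ip_address(dst)
    return all(f(src, dst) for f in filters_on_path(src, dst))

def proxied(client, server):
    """A proxy session is two separate connections, both ending at the bastion."""
    return delivered(client, str(BASTION)) and delivered(str(BASTION), server)

if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "192.0.2.10"), ("192.0.2.10", "198.51.100.7"),
                     ("10.1.2.3", "198.51.100.7"), ("198.51.100.7", "10.1.2.3")]:
        print(f"{src:>13} -> {dst:<13} {'pass' if delivered(src, dst) else 'drop'}")
    print("proxied inside -> outside:", proxied("10.1.2.3", "198.51.100.7"))
```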