At 5:11 PM 11/29/95, Cynthia He wrote:
>Hello, all firewall gurus,
>
>I am having difficulties understanding how a dual-homed host and screened
>subnet work in a firewall setup, as put forward in Chapman's 'Building
>Internet Firewalls' book on page 81. This is what I have in mind:
>
>
> exterior router
> |
> |
> ---------------------- perimeter network
> | | | | |
> |
> dual-homed host
> |
> |
> internal router
> |
> |
> ----------------------- internal protected network
> | | | |
>
>
>Is this what the author had in mind?

Yes, more or less. You actually have two perimeter nets now: one between
the dual-homed host and the exterior router (which you've identified
above), and another between the dual-homed host and the interior router
(which you don't call out separately on your diagram above, and which will
often have only the dual-homed host and interior router on it anyway).

>Also the author pointed out that quote: there is no point in running simple,
>straight-through proxies end quote. Why is that?

If you're running simple straight-through proxies (with no controls or
restrictions on their use), your dual-homed host isn't accomplishing
anything; you might as well use a single-homed bastion host as shown in
most of our diagrams, and avoid the cost (in both money and performance) of
running traffic through the dual-homed host.

>And what are the special
>issues that I should keep in mind when configuring the dual-homed host?

All of the issues outlined for bastion hosts in general in Chapter 5, plus
the issues outlined in the section on "Dual-Homed Host Architecture"
beginning on p. 63.

Good luck!

-Brent

----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!
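
The point about straight-through proxies, as an added example that is not part of the original message or the book: a relay with no controls never refuses a request, while a proxy with a default-deny rule set does. All names, addresses and rules below are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str      # authenticated user name, "" if the client did not log in
    src: str       # client address as seen by the dual-homed host
    dst_port: int  # service port requested on the far side


@dataclass(frozen=True)
class Rule:
    src_net: str          # client network the rule applies to
    dst_ports: frozenset  # service ports the rule permits
    users: frozenset      # permitted users; empty set means any user


def straight_through(req):
    """Relay with no controls: every request is forwarded."""
    return True


def make_controlled(rules):
    """Build a proxy decision function: forward only on a rule match."""
    def decide(req):
        addr = ip_address(req.src)
        return any(addr in ip_network(r.src_net)
                   and req.dst_port in r.dst_ports
                   and (not r.users or req.user in r.users)
                   for r in rules)  # no match means default deny
    return decide


def denied(decide, requests):
    """Requests the proxy refuses; an empty list means it enforces nothing."""
    return [r for r in requests if not decide(r)]


# Constructed sample policy and traffic (assumed internal net 10.1.0.0/16).
RULES = [Rule("10.1.0.0/16", frozenset({80, 21}), frozenset()),
         Rule("10.1.5.0/24", frozenset({23}), frozenset({"alice"}))]
REQUESTS = [Request("", "10.1.2.3", 80), Request("bob", "10.1.5.9", 23),
            Request("alice", "10.1.5.9", 23), Request("", "192.0.2.7", 21),
            Request("", "10.1.2.3", 6000)]

if __name__ == "__main__":
    print("straight-through denies:", denied(straight_through, REQUESTS))
    print("controlled denies:", denied(make_controlled(RULES), REQUESTS))
```
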