Great Circle Associates Firewalls
(February 1996)
 


Subject: Re: How secure can a screened host be?
From: Bill Stout <bstout @ osc . hitachi . com>
Date: Fri, 2 Feb 96 08:36:12 PST
To: sgcccdc @ citec . qld . gov . au (Colin Campbell)
Cc: Firewalls @ GreatCircle . COM

>> I have a theoretical configuration where I would like to use a screened
>> host, AND Cisco policy routing.  The bennies would be the ability to
>> firewall multiple links with one router.  My concern is the overall security
>> of such an arrangement in comparison to a true DMZ.
>> 
>> <diagram follows>
>> 
>>          Business partner---Router----Internal Net(s)
>>                             /  | \
>>                  Internet--/   |  \---Firewall
>>                                |
>>                           Web Server(s)
>> 
>
>My problem with this is that your firewall/bastion is neither logically
>nor physically between the internet router and the internal net(s).
>...
>Colin

Same initial thoughts here.  'By the book Firewall design' logic would state
there are obvious design flaws here.  But the books were written before Cisco
introduced 'policy routing', where all traffic from specific ports is sent
to a specific IP address, which would be the firewall.  The logical layout
would then be:

        Business partner
                        \
                        Firewall----Internal networks
                        /      \   
                Internet        Web Servers

Any additional segments can be directed to the Firewall also.

BTW - This is a sanity check, I want to find errors with this configuration.

William B. Stout
Senior Systems Administrator
Hitachi Data Systems
Open Systems Center
Santa Clara, California
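The policy-routing behaviour described in the message above, as an added example that is not part of the original post or of any Cisco code: a small Python model of a route-map in the IOS style (sequences evaluated in order; the first matching `permit` sequence forces its `set ip next-hop` to the firewall; a `deny` match, or no match at all, falls through to ordinary destination-based routing). The addresses, ports, and the helper names `build_route_map`, `firewall_bypasses` and `forwarding_path` are assumptions constructed for this example. Run against a constructed traffic sample, it performs the sanity check the post asks for: with a port-list policy only the listed ports are diverted to the firewall, and the audit prints the flows that would go straight from the router to the internal side; adding a catch-all sequence closes that gap.

```python
"""Simplified model of Cisco-style policy routing (PBR) steering traffic to a firewall.

Written for this example, not IOS code. Semantics modelled: route-map sequences
are evaluated in order; the first sequence whose ACL matches decides. A 'permit'
sequence applies its 'set ip next-hop'; a 'deny' sequence, or no match at all,
falls through to normal destination routing, i.e. the packet is NOT sent to the
firewall.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses from RFC 5737 documentation space; not from the post.
FIREWALL_NEXT_HOP = "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    proto: str                 # "ip" matches any protocol
    dport: Optional[int]       # None matches any destination port


@dataclass(frozen=True)
class RouteMapSeq:
    permit: bool
    acl: List[AclEntry]        # empty list = no 'match' clause = matches everything
    next_hop: Optional[str] = None


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """True if any entry of the (permit-only) ACL matches the packet."""
    if not acl:
        return True
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return True
    return False


def policy_next_hop(route_map: List[RouteMapSeq], pkt: Packet) -> Optional[str]:
    """Return the forced next hop, or None when the packet is routed normally."""
    for seq in route_map:
        if acl_matches(seq.acl, pkt):
            return seq.next_hop if seq.permit else None
    return None


def forwarding_path(route_map: List[RouteMapSeq], pkt: Packet) -> str:
    """'firewall' if PBR diverts the packet to the firewall, else 'direct'."""
    return "firewall" if policy_next_hop(route_map, pkt) == FIREWALL_NEXT_HOP else "direct"


def firewall_bypasses(route_map: List[RouteMapSeq], packets: List[Packet]) -> List[Packet]:
    """Audit helper (hypothetical): flows that would reach the internal side unfiltered."""
    return [p for p in packets if forwarding_path(route_map, p) == "direct"]


def build_route_map(redirect_ports: List[int], catch_all: bool) -> List[RouteMapSeq]:
    """Sequence 10 diverts the listed TCP ports; optional sequence 20 diverts everything else."""
    rm = [RouteMapSeq(True, [AclEntry("tcp", p) for p in redirect_ports], FIREWALL_NEXT_HOP)]
    if catch_all:
        rm.append(RouteMapSeq(True, [], FIREWALL_NEXT_HOP))
    return rm


# Constructed sample of traffic arriving on the Internet link.
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.10", "tcp", 80),
    Packet("203.0.113.7", "198.51.100.10", "tcp", 25),
    Packet("203.0.113.7", "198.51.100.10", "tcp", 22),
    Packet("203.0.113.7", "198.51.100.10", "udp", 53),
    Packet("203.0.113.7", "198.51.100.10", "icmp"),
]

if __name__ == "__main__":
    port_only = build_route_map([80, 25], catch_all=False)
    everything = build_route_map([80, 25], catch_all=True)
    print("port-list policy, flows that skip the firewall:")
    for p in firewall_bypasses(port_only, SAMPLE):
        print("  ", p.proto, p.dport)
    print("catch-all policy, flows that skip the firewall:",
          firewall_bypasses(everything, SAMPLE))
```

In this model a route-map only governs packets arriving on the interface it is applied to; on IOS `ip policy route-map` is likewise configured per ingress interface, so each untrusted link in the diagram (the Internet and the business partner alike) needs the policy, and the route-map's ACLs are an allow-list of what is diverted to the firewall, not a list of what is blocked.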

