> > At 3:25 PM 9/17/96, Chris Garrigues wrote about Mark's picture
> > of a "triple homed" firewall:
> >
> > >I see maps like yours all the time, but I'm uneasy about real
> > >routing happening on my firewall. It just seems to me like
> > >there's potential risk in running routing software on a firewall.
> >
> > Quite so. Correct packet flow must be enforced by something more than IP
> > level routing. The picture only makes sense if you've set up a firewall
> > proxy to enforce the flow. All web server accesses should be sent to the
> > isolated subnet containing the Web server and no incoming Internet
> > connections should be allowed to flow directly into the database server's
> > net. The "routing" in this case isn't handled by the IP layer, it's handled
> > by socket layer proxies.
> >
> > Rick.
>
Also, in the above-mentioned configuration, if the web server is compromised, that doesn't automatically give it the ability to go into promiscuous mode and read all traffic passing between the firewall and the outside. It also gives you the ability to use the firewall audit utilities in order to log data: centralization, and potentially better reporting mechanisms than you would have elsewhere.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com
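As an added example (not code from anyone in this thread), here is a sketch of the arrangement Rick describes: a triple-homed firewall with IP forwarding switched off, where the only way a connection crosses from one interface to another is through a socket-layer proxy that terminates the client's TCP session, checks a flow policy, and opens a fresh connection toward the permitted target. The interface names, the 192.0.2.0/24 and 198.51.100.0/24 subnets (documentation ranges) and the port numbers are all assumptions for illustration. Internet-facing connections are relayed only to port 80 on the web server subnet; nothing from the outside interface is ever relayed into the database net, and only the web DMZ may reach the database port. Every accept/refuse decision passes through one logging call, which is the centralised audit point Jeromie mentions.

```python
"""
Added example: a minimal application-level TCP relay for a triple-homed
firewall.  No IP forwarding is assumed between interfaces; a flow exists
only if this proxy agrees to relay it.  Names, addresses and ports are
illustrative assumptions, not values from the original discussion.
"""
import ipaddress
import logging
import socket
import threading

log = logging.getLogger("fw-proxy")

# Assumed topology: three interfaces on the firewall host.
OUTSIDE = "outside"    # Internet-facing interface
WEB_DMZ = "web_dmz"    # isolated subnet holding the web server
DB_NET = "db_net"      # subnet holding the database server

NETS = {
    OUTSIDE: ipaddress.ip_network("0.0.0.0/0"),          # default: the Internet
    WEB_DMZ: ipaddress.ip_network("192.0.2.0/24"),       # assumed DMZ range
    DB_NET: ipaddress.ip_network("198.51.100.0/24"),     # assumed DB range
}

# Flow policy: (ingress interface, egress interface, destination port)
# tuples the proxy is willing to relay.  Anything else is refused at the
# socket layer, regardless of what an IP router would have done.
POLICY = {
    (OUTSIDE, WEB_DMZ, 80),    # Internet -> web server, HTTP only
    (WEB_DMZ, DB_NET, 5432),   # web server -> database (assumed DB port)
}


def egress_for(dst_ip):
    """Interface whose subnet contains dst_ip; the most specific match wins."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for iface, net in NETS.items():
        if addr in net and (best is None or net.prefixlen > NETS[best].prefixlen):
            best = iface
    return best


def decide(ingress, dst_ip, dst_port):
    """True if the proxy should relay this request; every decision is logged."""
    egress = egress_for(dst_ip)
    # A connection must cross interfaces; hairpinning back out is refused.
    allowed = egress is not None and egress != ingress \
        and (ingress, egress, dst_port) in POLICY
    log.info("%s %s -> %s:%d (egress %s)",
             "ALLOW" if allowed else "DENY", ingress, dst_ip, dst_port, egress)
    return allowed


def pump(src, dst):
    """Copy bytes one way until EOF or error, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def relay(client, ingress, dst_ip, dst_port):
    """Terminate the client's TCP session here and re-originate it toward the
    target, so the target never sees a packet that came from the other side."""
    if not decide(ingress, dst_ip, dst_port):
        client.close()
        return False
    upstream = socket.create_connection((dst_ip, dst_port))
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    return True


def serve(listen_addr, ingress, dst_ip, dst_port):
    """Accept on one interface and push each connection through the policy."""
    with socket.create_server(listen_addr) as ls:
        while True:
            client, _ = ls.accept()
            relay(client, ingress, dst_ip, dst_port)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Assumed: the outside interface is bound at 203.0.113.1; relay HTTP to
    # the assumed web server at 192.0.2.10.
    serve(("203.0.113.1", 80), OUTSIDE, "192.0.2.10", 80)
```

The point of the structure is that `decide()` is consulted for every connection and the kernel is never asked to forward a packet: with forwarding off, a compromise of the web server yields a host on an isolated subnet that can reach the database only through the one proxied port, and cannot see firewall-to-Internet traffic at all.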