> > At 3:25 PM 9/17/96, Chris Garrigues wrote about Mark's picture
> > of a "triple homed" firewall:
> > > I see maps like yours all the time, but I'm uneasy about real
> > > routing happening on my firewall. It just seems to me like
> > > there's potential risk in running routing software on a firewall.
> > Quite so. Correct packet flow must be enforced by something more than IP
> > level routing. The picture only makes sense if you've set up a firewall
> > proxy to enforce the flow. All web server accesses should be sent to the
> > isolated subnet containing the Web server and no incoming Internet
> > connections should be allowed to flow directly into the database server's
> > net. The "routing" in this case isn't handled by the IP layer, it's handled
> > by socket layer proxies.
> > Rick.
Also, in the above-mentioned configuration, if the web server is
compromised, it doesn't automatically give it the ability to go into promiscuous
mode and read all traffic passing between the firewall & the outside. It also
gives you the ability to use the firewall audit utilities in order to log data.
Centralization, and potentially better reporting mechanisms than you would have
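The socket-layer relay Rick describes, as an added example that is not part of the original thread: the firewall host forwards no IP packets; it accepts the outside connection, applies the flow rule, and opens a separate TCP connection into the web subnet, while anything aimed at the database net is refused before a single byte is relayed. The zone addresses, the ports and the echo server standing in for the web server are constructed for the demonstration.

```python
import ipaddress, socket, threading
# Constructed zones: loopback stands in for the isolated web subnet (so this
# runs locally) and TEST-NET-2 for the database server's net.
WEB_NET = ipaddress.ip_network("127.0.0.0/8")
DB_NET = ipaddress.ip_network("198.51.100.0/24")

def policy_allows(target, web_port):
    # Flow rule enforced above IP: proxy only to the web net's web port, never to the DB net.
    ip = ipaddress.ip_address(target[0])
    return ip not in DB_NET and ip in WEB_NET and target[1] == web_port
def pump(src, dst):
    # Copy bytes one way until EOF, then half-close the far side.
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)
def serve_one(listener, target, web_port):
    # Accept one outside connection and relay it only if the policy permits.
    client, _ = listener.accept()
    if not policy_allows(target, web_port):
        client.close()  # refused here: no packet is ever forwarded inward
        return False
    with client, socket.create_connection(target) as backend:  # new TCP session
        pump(client, backend)  # request: outside -> web server
        pump(backend, client)  # reply: web server -> outside (sequential, for brevity)
    return True
def start_echo_server():
    # Constructed stand-in for the web server: echoes one connection back.
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn, srv:
            while data := conn.recv(4096):
                conn.sendall(data)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()
def demo(target, payload=b"GET / HTTP/1.0\r\n\r\n"):
    # One outside client through the proxy; returns (relayed, bytes received).
    listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1)
    outcome = []
    t = threading.Thread(target=lambda: outcome.append(serve_one(listener, target, target[1])))
    t.start()
    reply = b""
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as c:
            c.sendall(payload); c.shutdown(socket.SHUT_WR)
            reply = b"".join(iter(lambda: c.recv(4096), b""))
    except OSError:
        pass  # a refused flow ends in EOF or a reset: nothing came back
    t.join(); listener.close()
    return outcome[0], reply
```

`demo(start_echo_server())` relays the request and returns the echoed bytes; `demo(("198.51.100.5", 3306))` is refused at the proxy and the outside client receives nothing.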