Great Circle Associates Firewalls
(January 1997)
 


Subject: RE: Making a case for Firewall design
From: Don Flint <Windows/dflint/dflint @ the-hermes . net>
Date: Thu, 02 Jan 1997 13:04:21 -0500
To: rich @ segue . com
Cc: firewalls @ greatcircle . com

>>Reply to your message of 1/2/97 12:42 PM
	>>
	>>I'm trying to make a case for a firewall design. I've narrowed the choices
	>>down to two options. Option A looks like:
	>>
	>> 
	>>   internal     internal      dual-homed            external 
	>>   network  --- filtering --- bastion host with --- filtering --- internet
	>>                router        TIS toolkit           router
	>>
	>>option B looks like:
	>>
	>>   internal     internal      bastion host(s)   external 
	>>   network  --- "firewall"         |            filtering --- internet
	>>                system*   ---- DMZ network ---- router
	>>
	>>*(Cisco PIX or similar device)
	>>
	>>With both options, we would need to proxy or masquerade all internal
	>>connections to the internet (we use private IP addresses). I'm pretty sure
	>>both options would give us what we want (internet connectivity + security).
	>>The trade-offs I see are the lower cost of A (most of the pieces are already
	>>in place) vs. the ease of use and extensibility of B. My own preference is
	>>for option B but I'll need some backup before I can make a case for spending
	>>$10K+. 
	>>
	>>Has anyone else made or seen such a (third-party) analysis before? I have
	>>the O'Reilly Firewalls book but they don't really cover option B.
<snip .sig>

Rich:

Have you thought about some of the other commercial products rather than just the TIS toolkit or the router/DMZ approach?  There are several very good ones produced for a variety of platforms.  Price has always been an objection, but now many of them are available for the same cost as the range you mentioned for the router/DMZ.  They offer improved security over the router/DMZ approach as well.  Whatever route you decide to go, best of luck.

Don Flint

	

