From: Deric Giles <d .
Date: Tue, 8 Apr 1997 16:44:10 +0100
I like the idea of an extra layer of security in the screened subnet
architecture for a firewall as described in Brent's book. This works
fine while we have an Ethernet internal network and a slowish Internet
connection. However in the near future our site is likely to be
connected to a MAN running at maybe 155Mb/sec and our internal network
upgraded to ATM at a similar speed. Having two routers in the path
acting at layer 3 now seems to pose a bottleneck.
Two routers in the path instead of one is a difference of just one router hop
in your connection to how many router hops between yours and the other end
of any communication over the Internet? If you use routers capable of 155 Mbps,
I cannot see that you would have introduced a noticeable problem.
You should never consider loss of control of a router in your critical data path
as a reasonable part of your network design. I suggest you invest in strong
protection for the Internet router, if not for your own good, for the rest of us.
I assume you have already blocked outgoing packets without valid source addresses.
Where your security policy permits access that cannot be implemented with packet screens,
which is why you might have hosts on the screened subnet, consider a really fast firewall
application proxy that can support multiple fast (100 Mbps) Ethernets.
(not intended as a trawl for firewall advertising)
While you are designing your next-generation Internet perimeter, you might want to consider
putting your screened subnet out of the path that most traffic takes to/from the Internet.
The down-side of any sacrificial host on the screened subnet is that it could be used
as a packet sniffing (sorry Network General) spy on the rest of the traffic. Just an extra
round trip through the screening router for the portion of traffic that needs proxy help
could help isolate the hosts at risk from the traffic that doesn't need the proxy.
I am sure you earned the envy of most of us on this list by bragging that you will have
155 Mbps Internet access "in the near future". Congratulations.
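The screening-router policy the message describes (no outbound packets without a valid source address, the Internet reaching only the screened subnet, and internal hosts using the proxy host for services the policy says need it) as an added example; it is not code from the original message or list, and the prefixes, proxy port list and packet format are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan: one internal prefix, one screened subnet.
INTERNAL = ipaddress.ip_network("192.0.2.0/25")
SCREENED = ipaddress.ip_network("192.0.2.128/25")
# Assumed policy: these destination ports may only leave via the proxy host
# on the screened subnet; everything else goes direct through the router.
PROXY_PORTS = {21, 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    inbound: bool  # True: arriving from the Internet; False: leaving toward it


def _ours(addr: ipaddress.IPv4Address) -> bool:
    return addr in INTERNAL or addr in SCREENED


def screen(pkt: Packet) -> str:
    """Return 'allow: ...' or 'drop: ...' for one connection-opening packet
    crossing the router that screens the site from the Internet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.inbound:
        if _ours(src):
            return "drop: inbound packet claims a local source address"
        if dst in SCREENED:
            return "allow: Internet to screened-subnet host"
        if dst in INTERNAL:
            return "drop: Internet may not reach internal hosts directly"
        return "drop: destination is not our address space"
    # Outbound: the anti-spoofing rule the message assumes is already in place.
    if not _ours(src):
        return "drop: outbound packet without valid source address"
    if src in SCREENED:
        return "allow: proxy host to Internet"
    if pkt.dport in PROXY_PORTS:
        return "drop: internal host must use the proxy for this service"
    # Traffic that needs no proxy help never touches the screened subnet.
    return "allow: internal host direct to Internet"
```

Traffic needing the proxy makes the extra round trip (internal host to proxy, then proxy to Internet) while the rest bypasses the screened subnet, which is the isolation the message argues for.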