My only point with regards to the dual firewall was that
in some cases this is a feasible solution in that if you have
customers that need to access certain machines, and you wish
to restrict access to other machines on the network, this is
one way to do that (one of many, and probably not the best
one). But at any rate it is one way this can be used (referring
to the original question).
On Tue, 24 Jun 1997 Robin .
> Although you can run more than two interfaces on one box there are
> some problems, the two that spring straight to mind are:
> - Increasing complexity of the configuration when simplicity should
> always be an aim. This increases the danger of mis-configuration
> especially if changes have to be made at a later date.
> - If the worst happens and your first machine is compromised a second
> box will delay the cracker again before they get into your main
> network. You don't have this extra line of defense if all is on one
> As always you have to balance all the requirements in your setup; there
> is no one answer fits all.
> ______________________________ Reply Separator _________________________________
> Subject: RE: Dual firewall solution (??)
> Author: owner-firewalls-outgoing @ COM at INET-1
> Date: 6/24/97 12:48 PM
> Ok, I thought of that too.
> However, Firewall-1 (like - I think - any commercial Firewall) allows several
> interfaces, so there's no need to have 2 of them. My point is, can't you
> 'mathematically' reduce a solution with 2 cascaded firewalls to 1 firewall,
> given that it has 2 or more interfaces? As I see it, it will only cause an