The reason two routers are shown in the diagram is so
that you can do filtering on both sides... not needed for
a router that can do in/out on all interfaces. Two routers
might make it easier to maintain the access lists.

Two routers give you half the reliability, since if either goes
out, the system (as a whole) is broken. There is no redundancy
in the design you've shown, and still isn't (of course) with
the 1 router design.

With two separate routers, if the inside one goes down, you've
cut off inside users, but might still be able to provide services
to external users (assuming the externally reachable services
aren't dependent on something on the inside, like
SQL servers.) If the outside router goes down, you're
pretty well screwed all around.
Ryan
daemond@ibm.net on 01/17/98 05:30:45 PM
To: Ryan Russell/SYBASE
cc: firewalls@GreatCircle.COM
Subject: Re: SNI revised -- (was: Fraudulent SA's solved)
On Sat, 17 Jan 1998, Ryan Russell wrote:
* ->
* ->You can use 1 router with three interfaces (if available)
* ->instead of two with two, to get the same effect. At least,
* ->you can with Ciscos. Ciscos can do filtering on in and out
* ->at the same time, different lists. This might save some
* ->cost and help with your proposal. Do you know if they
* ->have a Cisco now, and what model it is?
* ->
* -> Ryan
Yes they do have a CISCO (I don't know the model), but they aren't even
implementing any packet filtering capabilities that it may possess. Also,
in regard to using one router instead of two: two provides more redundancy,
more reliability, and allows one to be taken offline without taking down
security altogether (imagine if one hub starts being problematic; if it's
the only hub in your security it could pose a serious problem). The two
hub design is strongly recommended (and with just the above few thoughts I can
see why) in one of the books that I read (I think it was Building Internet
Firewalls by Chapman and Zwicky). L8r.
--
Geoff Gowey | NetBSD: the best multi-platform OS
daemond(at)ibm.net | www.netbsd.org

Spammers beware: I do not buy from companies that spam and I keep track!
Above policy STRICTLY ENFORCED!

"All I ask is for the chance to prove that money can't buy me happiness"
or more simply put "SHOW ME THE MONEY!!!"
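As an added illustration of the single-router alternative Ryan describes (three interfaces, different access lists applied in and out on each), not configuration from either correspondent: interface names and the RFC 5737 documentation addresses are assumed, and the only published services are a web/mail host on the screened subnet.

```cisco
! Added example, not from the thread or either author: one router with
! three interfaces replacing the two-router design, using separate
! inbound and outbound extended access lists per interface.
! Addresses are assumed (RFC 5737 documentation ranges):
!   Ethernet0 outside 203.0.113.0/24, Ethernet1 screened subnet
!   192.0.2.0/24 (web/mail host 192.0.2.10), Ethernet2 inside 198.51.100.0/24
interface Ethernet0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
interface Ethernet1
 description Screened subnet
 ip address 192.0.2.1 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
interface Ethernet2
 description Inside
 ip address 198.51.100.1 255.255.255.0
 ip access-group 121 in
 ip access-group 122 out
! 101, outside inbound: drop spoofed inside/DMZ sources, permit only the
! published DMZ services plus TCP replies to sessions opened from inside or DMZ.
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
! 111, DMZ inbound: a compromised DMZ host may answer inside clients but
! may not open connections to the inside (the SQL-dependency case above).
access-list 111 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 established
access-list 111 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log
access-list 111 permit ip 192.0.2.0 0.0.0.255 any
access-list 111 deny   ip any any log
! 112, DMZ outbound (delivered onto the DMZ): published services from
! anywhere, anything from inside, replies to DMZ-originated sessions.
access-list 112 permit tcp any host 192.0.2.10 eq 80
access-list 112 permit tcp any host 192.0.2.10 eq 25
access-list 112 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 112 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 112 deny   ip any any log
! 121/122, inside: inside may originate anything; only TCP replies return.
! "established" only checks the ACK/RST bits, so UDP replies and new inbound
! TCP are blocked; this is packet filtering, not stateful inspection.
access-list 121 permit ip 198.51.100.0 0.0.0.255 any
access-list 121 deny   ip any any log
access-list 122 permit tcp any 198.51.100.0 0.0.0.255 established
access-list 122 deny   ip any any log
```

The single box carries every list, which is the maintenance point Ryan raises, but as he also notes it is still a single point of failure: there is no redundancy in either layout.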