Great Circle Associates Firewalls
(February 1994)
 


Subject: questions
From: lacoursj @ uprc . com (Jeffrey D. LaCoursiere)
Date: Tue, 15 Feb 1994 14:29:01 +0600
To: firewalls @ greatcircle . com

Many thanks to those who have responded to my initial newbie
questions :->

YANQ (yet another newbie question)

If one were running a screened subnet and using SOCKS or some
equivalent proxy service for ALL incoming/outgoing connections
(i.e. ALL traffic between internet and internal net blocked),
would that be no different than wrapping a dual-homed gateway
host with two screening routers?


(screened subnet with all internet-internal net traffic blocked)

Internet -----[router]-------|-------[router]-----Internal net
                             |
                      [bastion host]



(dual-homed gateway wrapped with screening routers)

Internet -----[router]----[bastion gateway]----[router]-----Internal net



Is there any advantage, one over the other?  I suppose you save an
ethernet card in the first config.  It seems that the first config
is more vulnerable, as the attacker could open a direct connection
to the internal net by compromising both routers (granted this may
not be easy).  In the second scenario, he would have to compromise
both routers AND the bastion host to make the connection.  Am I
over-simplifying things?

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX
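
The filtering policy of the first diagram (all direct Internet/internal traffic blocked, everything relayed through the bastion host), modelled as first-match rule lists on the two routers; this is an added example, not part of the original post. The addresses, rule lists and function names are constructed for illustration, and `PERMIT_ALL` stands in for a router that no longer filters.

```python
import ipaddress as ip

# Constructed addressing (documentation ranges); none of it is from the post.
ANY      = ip.ip_network("0.0.0.0/0")
DMZ      = ip.ip_network("192.0.2.0/24")      # screened subnet
BASTION  = ip.ip_network("192.0.2.10/32")     # proxy (e.g. SOCKS) host
INTERNAL = ip.ip_network("198.51.100.0/24")

# First-match rule lists: (source, destination, permit?). Last rule is default deny.
EXTERIOR = [(ANY, BASTION, True), (BASTION, ANY, True), (ANY, ANY, False)]
INTERIOR = [(BASTION, INTERNAL, True), (INTERNAL, BASTION, True), (ANY, ANY, False)]
PERMIT_ALL = [(ANY, ANY, True)]   # models a router whose filters are gone


def zone(addr):
    """0 = Internet, 1 = screened subnet, 2 = internal net."""
    return 2 if addr in INTERNAL else 1 if addr in DMZ else 0


def permits(rules, src, dst):
    """Return the action of the first rule matching (src, dst)."""
    for rule_src, rule_dst, allow in rules:
        if src in rule_src and dst in rule_dst:
            return allow
    return False


def forwarded(src, dst, exterior=EXTERIOR, interior=INTERIOR):
    """True if every router between the two zones passes the packet."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    routers = [exterior, interior]          # index = lower zone number of the hop
    lo, hi = sorted((zone(src), zone(dst)))
    return all(permits(routers[i], src, dst) for i in range(lo, hi))


if __name__ == "__main__":
    outside, inside, bastion = "203.0.113.5", "198.51.100.20", "192.0.2.10"
    print("direct, both routers filtering :", forwarded(outside, inside))
    print("outside -> bastion             :", forwarded(outside, bastion))
    print("bastion -> inside              :", forwarded(bastion, inside))
    print("direct, exterior filters gone  :",
          forwarded(outside, inside, exterior=PERMIT_ALL))
    print("direct, both filters gone      :",
          forwarded(outside, inside, PERMIT_ALL, PERMIT_ALL))
```

The model covers only the screened-subnet diagram, where the separation is enforced by router rules; in the dual-homed diagram the bastion gateway sits physically in the path, so there is no equivalent rule set to evaluate.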


