In message <9402152109 .
com>, mjr @
> >If one were running a screened subnet and using SOCKS or some
> >equivalent proxy service for ALL incoming/outgoing connections
> >(i.e. ALL traffic between internet and internal net blocked),
> >would that be no different than wrapping a dual-homed gateway
> >host with two screening routers?
> >(screened subnet with all internet-internal net traffic blocked)
> >Internet -----[router]-------|-------[router]-----Internal net
> >                             |
> >                       [bastion host]
> >
> >(dual-homed gateway wrapped with screening routers)
> >Internet -----[router]----[bastion gateway]----[router]-----Internal net
> Not Needed
> You can use a dual-homed host and save a router for the
> cost of the ethernet adapter.
Well maybe. I like having the second router since I like to run
automated programs on the internal net that can shut down the second
router if it can't get the bastion host off line when it is
compromised. Most of the places I have dealt with preferred the option
of going off the internet when it looks like unauthorized connections
were being attempted from the bastion hosts to hosts in the internal
net. I can kill a shutdown attempt on the bastion host pretty quickly,
heck I could even write a shell script to do it, but it is more
difficult to prevent the shutdown of a router.
> The tradeoff is that you then *never* have the option of
> routing any traffic through. If you choose the first route, you
> can (if you dare) eventually add services through the router. You
> have a little more flexibility by using 2 routers -- the other
> important difference is that it makes you choose whether you
> use your routers to implement security at the network level, or
> your host.
Also if you want to have more than 1 bastion host (e.g. for
redundancy, or to offload traffic or for the use of a specific group),
then they all have to have dual ethernet interfaces. One site I worked
with has a host that sinks/sources an encrypted link running into one
of its bastion hosts for contacts from a couple of other sites.
Also, if you are going to be running without dual interfaces, I would
suggest setting up the second router to filter on MAC addresses so
that any attempts to go from the firewall router directly to the
internal router will fail unless they break the second router.
Special Projects Volunteer University of Massachusetts at Boston
edu (preferred) Boston, MA, (617) 287-6480
My employers don't acknowledge my existence much less my opinions.
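The two defender-side mechanisms mentioned in this thread, the automated watch for unexpected bastion-to-internal connections that escalates to shutting down the inner router, and the MAC-address allowlist on the inner router, as an added example that is not part of the original post or of any list member's code. Every address, MAC and log line below is constructed for illustration, and the log format, the expected-service table and the frame dictionary are assumptions of this example, not anything the thread specifies.

```python
"""
Added example (not from the mailing-list post): two small defender-side
checks that correspond to points raised in the thread.

1. A watcher for connections from the bastion host into the internal net
   that are not on an expected-service list, with the escalation the post
   describes: take the bastion offline first, and shut down the inner
   router only if the bastion cannot be reached.
2. A MAC-address allowlist for the inner router's outside interface so
   that frames not coming from the bastion host are dropped.

All addresses, MACs and log lines are constructed for illustration.
"""
import ipaddress
import re

# --- Assumed network layout (constructed values) ---
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION_IP = ipaddress.ip_address("192.0.2.10")
BASTION_MAC = "00:00:0c:11:22:33"

# Internal services the bastion is expected to talk to (constructed):
# an internal mail relay and a DNS forwarder.
EXPECTED_SERVICES = {
    ("10.1.1.25", 25),
    ("10.1.1.53", 53),
}

# Constructed log format: "<timestamp> conn src=IP dst=IP dport=N"
LOG_RE = re.compile(r"conn src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed sample log lines, as a router or bastion might emit them.
SAMPLE_LOG = [
    "Feb 15 21:09:01 conn src=192.0.2.10 dst=10.1.1.25 dport=25",    # expected
    "Feb 15 21:09:02 conn src=192.0.2.10 dst=10.1.1.53 dport=53",    # expected
    "Feb 15 21:09:05 conn src=192.0.2.10 dst=10.1.4.7 dport=23",     # unexpected
    "Feb 15 21:09:06 conn src=192.0.2.10 dst=10.1.4.8 dport=23",     # unexpected
    "Feb 15 21:09:07 conn src=192.0.2.10 dst=10.1.4.9 dport=512",    # unexpected
    "Feb 15 21:09:08 conn src=198.51.100.5 dst=10.1.4.9 dport=23",   # not the bastion
    "Feb 15 21:09:09 conn src=192.0.2.10 dst=203.0.113.4 dport=80",  # outbound, not internal
]


def unexpected_internal_connections(log_lines):
    """Return (src, dst, dport) tuples for connections that originate at the
    bastion host, target the internal net, and are not expected services."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if ipaddress.ip_address(src) != BASTION_IP:
            continue  # only the bastion host is of interest here
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            continue  # bastion talking to the Internet is its job
        if (dst, dport) in EXPECTED_SERVICES:
            continue
        hits.append((src, dst, dport))
    return hits


def choose_response(hits, threshold=3, bastion_reachable=True):
    """Escalation as described in the post: below the threshold do nothing;
    otherwise halt the bastion if it can still be reached, and if it cannot,
    shut down the inner router so the site goes off the Internet."""
    if len(hits) < threshold:
        return "none"
    if bastion_reachable:
        return "halt-bastion"
    return "shutdown-inner-router"


def inner_router_accepts(frame):
    """Layer-2 allowlist on the inner router. A frame is a dict with
    'iface' ('outside' or 'inside') and 'src_mac'. On the outside interface
    only the bastion host's MAC is forwarded, so a frame sent straight from
    the outer router toward the internal net is dropped."""
    if frame["iface"] != "outside":
        return True  # the inside interface is not subject to this filter
    return frame["src_mac"].lower() == BASTION_MAC


if __name__ == "__main__":
    hits = unexpected_internal_connections(SAMPLE_LOG)
    print("unexpected connections:", hits)
    print("response (bastion reachable):", choose_response(hits))
    print("response (bastion unreachable):",
          choose_response(hits, bastion_reachable=False))
    outer = {"iface": "outside", "src_mac": "00:00:0c:44:55:66"}
    print("inner router forwards frame from outer router:",
          inner_router_accepts(outer))
```

The MAC allowlist only distinguishes layer-2 sources on one segment, which is why the post presents it as a fallback for sites that skip the dual-homed host rather than a replacement for it; the connection watcher is the control that actually notices misuse of the bastion, and the allowlist just denies the shortcut past it.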