> o Configuration #2 has the DMZ protected by the packet filter only
> (which is essentially NO protection).
It's not that easy. Configuration #2 can be a major Speed improvement.
And for Bastion Hosts in DMZs packet filters are a big security win. They
stop attackers from the outside from ip-spoofing and accessing most of the
Ports of the firewall. That is more than enough in most Environments (IF you
bastion host is securely configured. But if it is not I doubt your firewall
is that effective anyway.)
> Configuration # 1 offers as little protection as configuration # 2.
Configuration #2 still is more secure, since the Packetfilter
in the Firewall can stop the Bastion Host from sending spoofed IP-Packets
which seems to come from the outside. This is especially dangerouse, since
the Hacked Bastion Host is able to snoop the Anserws directed to the Source
of the spoofed Packages. Therefore you can spoof Connections from the DMZ
Host comming from possibel trusted Hosts of the Internet (yes, bad Thing,
but very common).
Configuration 1 is the winner, but only if you can afford it, since you need
a faster Hardware with an additional Network interface. Of course for
low-traffic Sites the Hardare speed inst a big issue.