Re: Q on external router

From: Adam Shostack (adamat_private)
Date: Wed Apr 22 1998 - 07:24:43 PDT


    | 1. A while ago, someone was discussing (not sure if in the FW list or
    | FW-Wizard list) the possibility of using a switch in the DMZ so that even
    | if a machine on the DMZ is compromised, it cannot be used for sniffing
    | traffic on the DMZ.  However, it was also pointed out by somebody that a
    | switch doesn't make a lot of difference.  So is it possible to do something
    | like -
    | 
    |                  web server
    |                      |
    |                      |
    |                      |
    |    Internet ----- router ----- bastion host ----- router ----- internal net
    | 
    | The "web server" above could possibly be a whole ethernet segment with
    | other services.
    
    	This is a pretty typical DMZ setup.  Usually I've used packet
    filtering hosts (PC hardware with OpenBSD or Linux) over Cisco-type
    routers.  I like the local logging capability.
    
    | 4. If only console access to the router is allowed, what do you normally
    | use for the "console" machine, and can this machine also be used as a
    | logging machine for the router log?
    
    	Get a machine with a hefty multiport serial card.  Enable only
    ssh into this host, and use it as a terminal server into all the hosts
    in the firewall.  If you drop two lines to each machine in the
    firewall, you can log over one line, and log in interactively over the
    other.
    
    Adam
    
    -- 
    Just be thankful that Microsoft does not manufacture pharmaceuticals.
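One way to implement the logging side of the console server Adam describes, as an added example that is not his code or anything from the list: a collector that records what arrives on a host's dedicated "logging" serial line to a timestamped per-host log file. It assumes the serial port is opened elsewhere (e.g. with pyserial) and handed in as a byte stream; a constructed in-memory sample stands in for the port so the code runs offline.

```python
"""Console-line collector for a serial console/terminal server.

Assumption (not from the original post): the caller opens the serial
port (for example with pyserial) and passes it in as a binary stream
with a read(n) method.  io.BytesIO is used below to stand in for it.
"""
import io
import re
from datetime import datetime, timezone
from pathlib import Path

# Console output arrives as raw bytes, usually CRLF-terminated, and often
# split across reads; this pattern accepts CRLF, bare CR and bare LF.
_LINE_END = re.compile(rb"\r\n|\r|\n")


def iter_console_lines(stream, chunk_size=64):
    """Yield complete text lines from a byte stream, reassembling lines
    that were split across partial reads.  Empty lines are dropped (this
    also absorbs a CRLF pair that straddles two chunks)."""
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        parts = _LINE_END.split(buf)
        buf = parts.pop()            # trailing element is an unfinished line
        for raw in parts:
            if raw:
                yield raw.decode("ascii", errors="replace")
    if buf:                          # flush a final line with no newline
        yield buf.decode("ascii", errors="replace")


def log_console(host, stream, log_dir, now=None):
    """Append every console line from `stream` to <log_dir>/<host>.log,
    prefixed with a UTC timestamp and the host name.  Returns the number
    of lines written.  `now` is injectable for deterministic tests."""
    now = now or (lambda: datetime.now(timezone.utc))
    path = Path(log_dir) / f"{host}.log"
    count = 0
    with path.open("a", encoding="utf-8") as fh:
        for line in iter_console_lines(stream):
            stamp = now().strftime("%Y-%m-%dT%H:%M:%SZ")
            fh.write(f"{stamp} {host}: {line}\n")
            count += 1
    return count


# Constructed sample of router console output (not captured from a real device).
SAMPLE_CONSOLE = (b"%SYS-5-CONFIG_I: Configured from console by vty0\r\n"
                  b"%LINK-3-UPDOWN: Interface Serial0, changed state to down\r\n"
                  b"partial line with no newline")
```

A real deployment would run one `log_console` loop per serial line under a supervisor, with the log directory on the ssh-only console host so a compromised firewall component cannot alter its own history.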
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:15 PDT