1998-04-22-22:47:23 Vinci Chou:
> [ asks about using the external screening router to partition the DMZ
> into separate subnets ]

This is my favourite architecture. In fact, I tend towards using as many separate router interfaces, with separate subnets (e.g. 192.168.*.*, from RFC 1918, and NAT as needed) as I have separate machines in the DMZ.

I like it for many reasons, not least of which is that I've got a fairly high degree of trust in the security of a tightly-configured Cisco router --- and its holes, if any, are probably independent of any holes in host security. It also offers nice performance over a wide range of price/performance points.

Matthew Patton, describing to me his firewall design[1], pointed out to me that if you have zero budget, you can achieve a similar goal much more cheaply by having N interfaces on the bastion.

And then it occurred to me that if _that's_ too expensive you can still help matters --- only losing protection if a DMZ host is root-level compromised --- by using one DMZ interface on the bastion, and a hub for the hosts in the DMZ, and a trick: assign each DMZ host an address on a separate net --- again perhaps using the RFC 1918 addresses and NAT in the bastion. Give the bastion's DMZ interface, connected to the hub, addresses on all the nets. Have the clients in the DMZ, each on their own separate net (travelling over the same ether), all use the bastion for their default router. Then let the bastion's ipfw or ipfilter or whatever provide access restrictions among the DMZ hosts.

-Bennett

[1] <URL:http://www2.sysnet.net/~patton/firewall_guide.html>
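The single-interface trick in the last paragraph above, rendered as an added shell example (this is not code from the post, from Bennett, or from Patton's guide). It assumes a FreeBSD-style bastion with ipfw; the interface name fxp1, the three host names, the 192.168.1-3 nets and the permitted flows are all constructed for illustration. The bastion takes .1 on every /24, each DMZ host is .2 on its own /24 with the bastion as default router, and ipfw denies forwarding between any two DMZ nets except the flows listed in DMZ_ALLOW. The anti-spoof rules drop anything on the DMZ wire that claims a bastion address.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the ifconfig and ipfw
# commands for a bastion whose one DMZ interface carries several RFC 1918
# /24s, one per DMZ host, with inter-host access controlled by ipfw.
# Interface, nets, host names and allowed flows are constructed sample values.

DMZ_IF="${DMZ_IF:-fxp1}"                  # assumed DMZ interface on the bastion
# name:net  (one /24 per DMZ host; constructed)
DMZ_HOSTS="www:192.168.1 mail:192.168.2 dns:192.168.3"
BASTION_HOST=1                             # bastion is .1 on every DMZ net
DMZ_HOST=2                                 # the single host on each net is .2
# Inter-host flows to permit, "from:to:proto:dport" (constructed)
DMZ_ALLOW="www:dns:udp:53 mail:dns:udp:53"

net_of() {   # net_of NAME -> "192.168.N" prefix for that host's /24
  for e in $DMZ_HOSTS; do
    [ "${e%%:*}" = "$1" ] && { echo "${e#*:}"; return 0; }
  done
  return 1
}

# Give the single physical DMZ interface an address on every DMZ net
# (first net is the primary address, the rest are aliases).
dmz_ifconfig_cmds() {
  alias=""
  for e in $DMZ_HOSTS; do
    net=${e#*:}
    echo "ifconfig $DMZ_IF inet $net.$BASTION_HOST netmask 255.255.255.0${alias:+ $alias}"
    alias="alias"
  done
}

# ipfw policy among DMZ hosts. Because each host's only route to the other
# nets is via the bastion, denying net-to-net forwarding here denies
# host-to-host traffic. Caveat (as the post concedes): a root-compromised
# host on the shared hub can renumber itself or talk at layer 2 directly,
# so this only holds for hosts that still honour their routing table.
dmz_ipfw_cmds() {
  echo "ipfw -f flush"
  # Anti-spoof: nothing arriving on the DMZ wire may claim a bastion address.
  for e in $DMZ_HOSTS; do
    echo "ipfw add deny ip from ${e#*:}.$BASTION_HOST to any in via $DMZ_IF"
  done
  # Explicitly permitted inter-host flows, plus their replies.
  for a in $DMZ_ALLOW; do
    src=$(net_of "${a%%:*}"); rest=${a#*:}
    dst=$(net_of "${rest%%:*}"); rest=${rest#*:}
    proto=${rest%%:*}; port=${rest#*:}
    echo "ipfw add allow $proto from $src.$DMZ_HOST to $dst.$DMZ_HOST $port via $DMZ_IF"
    echo "ipfw add allow $proto from $dst.$DMZ_HOST $port to $src.$DMZ_HOST via $DMZ_IF"
  done
  # Everything else between any two DMZ nets is denied and logged.
  for e1 in $DMZ_HOSTS; do
    for e2 in $DMZ_HOSTS; do
      [ "$e1" = "$e2" ] && continue
      echo "ipfw add deny log ip from ${e1#*:}.0/24 to ${e2#*:}.0/24 via $DMZ_IF"
    done
  done
}

# Print the generated configuration when run as: sh dmz.sh show
if [ "${1:-}" = "show" ]; then
  dmz_ifconfig_cmds
  dmz_ipfw_cmds
fi
```

Review the printed commands before piping them into sh on the bastion; the rules for traffic between the DMZ and the inside or outside networks are deliberately out of scope here, as is the NAT the post mentions.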
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:16 PDT