On 7 Sep 99, at 4:15, Bernd Eckenfels wrote:

> On Tue, Sep 07, 1999 at 08:15:00AM +1000, Pearson, Arran wrote:
> > this is a good point, time after time I see this type of configuration at
> > client sites and have yet to understand the full reasoning behind it - you
> > are really using a screening router to protect a firewall?  Does not make
> > sense.
> 
> It has a few advantages.
> 
> a) a router before or behind the firewall can be used to do the actual
> (dynamic) routing, can run routing protocols and can be used to connect
> quite different media.
> 

Yes and no. If the router in front has multiple uplinks, dynamic routing 
makes sense (OSPF, BGP4, ...). But I would never recommend doing dynamic 
routing to the inside. It's always more secure to use static routes, even 
if it's more work for you. Dynamic routes are liable to be changed 
accidentally or intentionally ;-)

> b) a screening router before the firewall can keep a compromised firewall
> from sniffing any traffic which is not destined for the firewall.
> 

Yes. The problem is that the firewall admin has to cover two different 
firewall systems. Discarded packets from the screening router should be 
logged as well, and the log should be checked from time to time.
You can use a screening router in front of your true firewall to discard 
the following packets:

- IP addresses from internal networks (spoofing)
- packets originating and heading for MS network ports (like udp 137 and 
so on)
- packets with bootp requests and related stuff
- routing protocols like OSPF and RIP
- source routed packets

The rest gets to the firewall. Stuff like Back Orifice or Netbus can be 
masqueraded with NAT to a honeypot machine. If you want to trap hackers, 
a port scan is not enough to catch them. A honeypot gives you the chance 
and the proof to take some countermeasures, like informing CERT or 
authorities...



Kind Regards / Mit freundlichen Gruessen,

--
Frank M. Heinzius               MMS Communication AG
mailto:[EMAIL PROTECTED]             Eiffestrasse 598
http://www.mms.de               20537 Hamburg, Germany
Phone: +49 40 211105-40         Fax: +49 40 210 32 210
-- spam forbidden --            -- PGP key available --
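As an added illustration (not from this thread or its author), the screening-router policy listed in the mail above expressed as a small Python packet classifier that drops the five categories and logs each drop. The internal prefixes, the NetBIOS port set (expanding "udp 137 and so on") and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example of "internal networks"; replace with the real inside prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# NetBIOS ports, expanding the mail's "udp 137 and so on" (assumed set).
MS_NETWORK_PORTS = {137, 138, 139}
BOOTP_PORTS = {67, 68}          # bootp server / client
RIP_PORT = 520                  # RIP runs over UDP
PROTO_TCP, PROTO_UDP, PROTO_OSPF = 6, 17, 89
SOURCE_ROUTE_OPTS = {131, 137}  # IP option codes: LSRR and SSRR

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ip_options: list = field(default_factory=list)

def screening_verdict(pkt):
    """Return (action, reason): 'drop' with the rule that fired, or 'pass' on to the firewall."""
    ports = {pkt.sport, pkt.dport}
    if any(ipaddress.ip_address(pkt.src) in net for net in INTERNAL_NETS):
        return ("drop", "spoofed internal source")
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and ports & MS_NETWORK_PORTS:
        return ("drop", "MS network port")
    if pkt.proto == PROTO_UDP and ports & BOOTP_PORTS:
        return ("drop", "bootp")
    if pkt.proto == PROTO_OSPF or (pkt.proto == PROTO_UDP and RIP_PORT in ports):
        return ("drop", "routing protocol")
    if set(pkt.ip_options) & SOURCE_ROUTE_OPTS:
        return ("drop", "source routed")
    return ("pass", "forward to firewall")

def screen(packets):
    """Apply the policy to a batch; return the packets passed on and one log line per drop."""
    passed, log = [], []
    for p in packets:
        action, reason = screening_verdict(p)
        if action == "drop":
            log.append(f"DROP {p.src}:{p.sport} -> {p.dst}:{p.dport} proto={p.proto} ({reason})")
        else:
            passed.append(p)
    return passed, log
```

The log lines are what the mail says should be kept and reviewed; everything that reaches `passed` is what the real firewall still has to handle.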