[EMAIL PROTECTED] wrote:
> 
> First. I am not trying to start a flame war with this post.

Noted :)

> [Snip standard DMZ setup explanation]
> 
> My idea is to run an application gateway such as Sidewinder or
> CyberGuard with a dedicated OS (UNIX) on the bastion host with
> all routing on turned off.  This would in effect isolate the segments
> connected to the bastion host.

Except via the channels that you open.

> The powers that be wish to use a PIX as the bastion host.
> Because the PIX is a stateful inspection device, in my opinion, it is
> a router on steroids, as is any stateful inspection device.  If my
> assumption is correct, using the PIX defeats the security measures
> of my design.
> 
> Questions:
> 
> Am I correct in my assumptions on stateful inspection firewalls?

Errrrr... If you tell a stateful inspection firewall to not allow any
traffic, it won't be doing any routing.
This would in effect isolate the segments connected to the bastion host.

> If not could someone put me in the proper frame of mind regarding
> the differences between the two types of firewalls?
> 
> Any other comments, corrections, and advice is very much
> welcome.

I second your first line: not trying to start a flame war here.

I fail to see how a stateful inspection firewall would defeat
your security measures (maybe you haven't described them well enough?).
You are quite capable of installing a three-nic stateful inspection
machine and hooking it up to your three networks as you described, then
only allow the communication that you dictate.

So, from a connectivity point of view, I don't see the problem with
using either kind of firewall in your setup.

You might want to weigh application level inspection needs into your
overall picture.
Choose a simple stateful inspection firewall and you'll get no
application level inspection.
Choose a bad proxy firewall and you'll get no application level
inspection.

Both flavours are conceptually quite capable of analyzing app data
to your heart's content. 
The PIX is able to do app level inspection on a variety of protocols,
exactly which ones I won't expand on since I haven't used it enough.
I won't expand on the app inspection capabilities of sidewinder or 
cyberguard, since I haven't used them at all.

All in all, to me, it sounds like you can go choose any of those three
firewalls and end up with an equally secure implementation?

Just my $.02

Regards,
Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
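An added example, not from the post above or from any of the products it names: the three-NIC stateful firewall Mike describes, written as a Linux/iptables ruleset (assumed here as a stand-in for the PIX) whose default is to forward nothing, with only the dictated channels opened on top. Interface names, addresses and the web server host are constructed for the example.

```shell
# Added example, not from the list post: a three-interface stateful
# firewall (Linux/iptables assumed, standing in for the PIX) that
# forwards nothing by default and only opens the channels you dictate.
# Interface names and addresses are constructed for the example.
OUTSIDE=eth0            # untrusted segment
DMZ=eth1                # 192.0.2.0/24, hosts the public web server
INSIDE=eth2             # 10.0.0.0/8, the protected LAN
WEB=192.0.2.10

# Emit the ruleset as text so it can be reviewed (or piped to sh) first.
gen_rules() {
    cat <<EOF
# Default deny on every chain: with nothing opened, the box forwards
# nothing at all, i.e. the three segments are isolated.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F FORWARD
# Stateful core: only reply traffic of connections admitted below passes.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Channel 1: anyone outside may reach the DMZ web server on 80/tcp.
iptables -A FORWARD -i $OUTSIDE -o $DMZ -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Channel 2: inside hosts may reach the same server.
iptables -A FORWARD -i $INSIDE -o $DMZ -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Channel 3: inside may browse out; the DMZ may not initiate anything.
iptables -A FORWARD -i $INSIDE -o $OUTSIDE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log and drop whatever is left so denied channels show up in syslog.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
iptables -A FORWARD -j DROP
EOF
}

# Count how many NEW-connection channels the ruleset opens from a given
# interface; a quick audit that the DMZ segment initiates nothing.
count_new_from() {
    gen_rules | grep -c -- "-i $1 .*--ctstate NEW" || true
}
```

Run `gen_rules` to inspect the ruleset; `count_new_from eth1` returns 0, showing the DMZ can only answer, never call out.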