Three quick thoughts. First, I agree with Gary Flynn <[EMAIL PROTECTED]>. If
they are dictating to you what to use, then they don't want you to design
anything. Maybe they have a lot of Cisco credits to use up before the end
of the year? :-)
Cisco PIX is not a bastion host. A bastion host is a hardened general
purpose OS machine that is used as the basis for a firewall, but also may
be used as the basis for a secure server, for example a web server.
Maybe they are thinking of the PIX because they and you envision putting
the web server behind it. I can understand that. For a web server,
performance is typically the top requirement.
I'd put a router based firewall connected to the Internet on one side and a
service network on the other. Off of that service net I'd hang the web
server (hardened and set up to only talk HTTP with only HTTP allowed
to/from the Internet) and a stronger (more granular, if you need it)
firewall, the other side of which is connected to the inside network.
No stateful inspection firewalls on the market do everything the
proponents of stateful inspection say such firewalls are *able* to do. Few
application gateway firewalls are pure application gateways. In both cases
you might make sure you've not allowed more traffic than is safe and that
you intended. Stateful inspection firewalls rely on packet filtering
(static/simple or dynamic) more often than application gateways in the
popular products and installations.
Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
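Added example (editor's, not from Fred's post): the outer, router-based packet filter for the design sketched above, written as Cisco IOS extended access lists since the thread is about Cisco gear. The addressing (service net 192.0.2.0/24, web server 192.0.2.10, router 192.0.2.254), the interface names, and the assumption that the inner firewall at 192.0.2.1 proxies or NATs all inside-to-Internet traffic are illustrative choices, not anything the post states.

```cisco
! Added example, not Fred's configuration. Outer, router-based packet filter.
! Assumed addressing: service net 192.0.2.0/24, web server 192.0.2.10,
! router's service-net side 192.0.2.254, inner firewall's service-net side
! 192.0.2.1 (assumed to proxy/NAT everything the inside network sends out).
!
interface Serial0/0
 description Internet
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 description service network
 ip address 192.0.2.254 255.255.255.0
 ip access-group FROM-SERVICE-NET in
!
ip access-list extended FROM-INTERNET
 remark Anti-spoofing: our own prefix and private/loopback space never arrive from outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark The only service offered to the Internet: HTTP to the web server
 permit tcp any host 192.0.2.10 eq www
 remark Replies to TCP connections the inner firewall opened for inside users
 permit tcp any host 192.0.2.1 established
 remark Everything else, including anything addressed to the router itself, is dropped and logged
 deny   ip any any log
!
ip access-list extended FROM-SERVICE-NET
 remark The web server may only answer HTTP (segments with ACK or RST set); it may not
 remark start connections toward the Internet, nor send UDP or ICMP at all
 permit tcp host 192.0.2.10 eq www any established
 remark Inside users reach the Internet only via the inner firewall's proxy/NAT address
 permit tcp host 192.0.2.1 any
 remark Nothing else leaves, so a compromised host on the service net cannot spoof other sources
 deny   ip any any log
```

Two things to check before trusting this, in the spirit of the "have you allowed more than you intended" point: `established` is a static test of the ACK/RST bits, not connection tracking, so the outbound list stops the web server from opening new TCP connections or speaking UDP/ICMP, but a compromised server can still push data out in ACK-only segments sourced from port 80; the stronger, stateful firewall between the service net and the inside is where that gap is closed and where per-host administrative access to the web server (SSH from a management station, log shipping) is granted explicitly rather than by a blanket permit. Second, the lists above intentionally pass no UDP, so if inside users need DNS through this path, or you decide to let ICMP "packet too big" reach the web server for path-MTU discovery, add those lines deliberately and with a log keyword rather than loosening the final deny.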