1999-12-14-15:53:59 [EMAIL PROTECTED]:
> I have been tasked with designing a "firewall" to protect an e-
> business site as well as the internal network. The design that I
> proposed was a three legged bastion host on a screened sub-net
> architecture.
>
> One NIC on the bastion would connect to the access router which
> connects to the Internet.
>
> The second NIC would connect to a web server and split DNS via a
> stub network.
>
> The third NIC would connect to the choke router and on to the
> internal network.
That's one arch, and it might be a good fit for your needs.
I personally don't like to run firewalls in front of internet-accessible web
servers; I prefer to run them on hardened hosts and tighten them down to the
point where they don't need a firewall to protect them.
My reasoning is that if the web server can't protect itself without a
firewall, it's probably still vulnerable with one, since the only
hard-to-protect parts of the web server (the stuff done by the very complex
and hairy web server with its CGIs and whatnots) remain visible to the
internet through the firewall anyway. The rest of the protecting --- e.g.
making sure untrustworthy daemons like e.g. database managers and rpc
portmappers and whatnot aren't visible --- I do with packet filtering
(ipchains or ipfilter) right on the server.
> The powers that be wish to use a PIX as the bastion host.
> Because the PIX is a stateful inspection device, in my opinion, it is
> a router on steroids, as is any stateful inspection device. If my
> assumption is correct, using the PIX defeats the security measures
> of my design.
I disagree with that one. These days, the biggest surviving difference between
a stateful inspection firewall and an application proxy firewall is that the
latter will sometimes do more sophisticated analysis of the data streams
passing through; the complexity of analyzing content is beyond human coding
abilities in the very low-level expression language of state transition
tables.
Do PIXes do packet fragment reassembly? If not, that might be another issue
worth considering. In principle, the difference between a stateful inspection
and a proxy is that the stateful inspection is making a go-nogo decision on
whether to forward the packet, while the proxy is tearing the payload out of
the packets and then regenerating them from scratch, so any weirdo cleverness
people try and pull in IP and TCP headers doesn't get passed through.
-Bennett
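The host-local filtering Bennett describes (web ports visible, portmapper and database listeners not), written out as a concrete policy. This is an added example, not Bennett's script or anything from the thread: it uses the later iptables syntax rather than ipchains, the management subnet MGMT_NET is a constructed placeholder, and the database ports 3306/5432 are an assumed pair of typical listeners. The script only prints the rules by default so it can be reviewed offline; `--apply` pipes them to the shell on the server itself.

```shell
#!/bin/sh
# Default-deny packet filter for a public web server, applied on the server
# rather than on a separate firewall box. Printed in iptables syntax
# (assumption: iptables, the successor of the ipchains named in the message).
# The only services reachable from anywhere are HTTP and HTTPS; SSH is
# reachable only from the management network; everything else, including
# the rpc portmapper (111) and any database listener, is dropped and logged.

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # constructed placeholder subnet
IPT="${IPT:-iptables}"

# Emit the policy, one rule per line, in the order it must be loaded.
web_server_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp --dport 80 --syn -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 --syn -j ACCEPT
$IPT -A INPUT -s $MGMT_NET -p tcp --dport 22 --syn -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dports 111,3306,5432 -m limit --limit 5/min -j LOG --log-prefix "host-fw internal-svc: " --log-level 4
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: " --log-level 4
$IPT -A INPUT -j DROP
EOF
}

# List the TCP ports that the policy accepts from *any* source address,
# i.e. what the internet can actually reach. Rules with an explicit "-s"
# (the management-only SSH rule) are excluded.
internet_reachable_tcp_ports() {
    web_server_rules \
        | grep -- '-j ACCEPT' \
        | grep -v -- '-s ' \
        | grep -- '-p tcp' \
        | sed -n 's/.*--dport \([0-9]*\).*/\1/p' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Exit status 0 if the given TCP port is reachable from the internet under
# this policy, 1 otherwise. Useful as a pre-deployment sanity check.
port_is_internet_reachable() {
    for p in $(internet_reachable_tcp_ports); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

case "${1:-}" in
    --apply) web_server_rules | sh ;;   # run as root on the server itself
    *)       web_server_rules ;;        # default: print the policy for review
esac
```

Running the script with no arguments prints the ruleset; `port_is_internet_reachable 111` can be called from another script to confirm the portmapper stays hidden before the policy is loaded.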