Another thought just occurred to me.
In the case of a screened subnet firewall, the exterior router/firewall
passes the traffic on to the appropriate server. This would suggest that
actual resources are rarely accessed on the firewall itself. With this in
mind couldn't one say that the ability to remotely compromise the firewall
itself is diminished?
In the case of the dual-homed host firewall, it is highly probable that the
Internet services (web, mail, news, etc.) are performed by this machine as
well. These services, especially web servers with CGI, will most likely
have some sort of language installed on them and have a higher chance of
being vulnerable to some sort of remote exploit.
I'm not saying that anyone should load compilers and the lot on firewall
boxen, however, in comparing the two, couldn't one say that the first
architecture would be safer? Consider the fact that remote users rarely
have actual access to the box itself. Subsequently, isn't the purpose of a
firewall to provide the administrator with a location of control amidst the
chaos (assuming one is under attack)?
Scenario:
If the mail server on a perimeter were compromised, one might have a chance
to shut down the internal firewall, securing the internal network and
providing an opportunity to monitor/trace/bait/etc. the attacker before
shutting down the external firewall.
Anyway, just another thought...
- Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
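The screened-subnet policy Bennett describes, as an added example that is not part of the original post or the list's own material: a small Python model of the exterior and interior filters with first-match, default-deny rules. It shows the two points made above in working form: the exterior filter accepts nothing addressed to itself and only forwards to the bastion hosts on the screened subnet, and "shutting down the internal firewall" after the mail relay is compromised is just swapping the interior ruleset for an empty one, which seals the internal network while the exterior filter keeps forwarding so the attacker remains on the perimeter. All addresses (203.0.113.0/24 for the Internet side, 192.0.2.0/24 for the screened subnet, 10.0.0.0/8 for the internal network) and the sample packets are constructed; the model is inbound-only and omits return traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "drop"


# Constructed sample addressing (RFC 5737 / RFC 1918 ranges, not a real site).
DMZ = "192.0.2.0/24"           # the screened subnet
INTERNAL = "10.0.0.0/8"        # the internal network
EXTERIOR_SELF = "192.0.2.1/32" # exterior filter's own address
MAIL_RELAY = "192.0.2.2/32"    # bastion mail relay on the DMZ
WEB_SERVER = "192.0.2.3/32"    # bastion web server on the DMZ
INTERIOR_SELF = "10.0.0.1/32"  # interior filter's own address
INTERNAL_MAIL = "10.0.0.25/32" # internal mail server

# Exterior filter: forwards only to the bastions; it runs no services of its own.
EXTERIOR_RULES = [
    Rule("drop", dst=EXTERIOR_SELF, comment="nothing listens on the filter itself"),
    Rule("accept", dst=MAIL_RELAY, proto="tcp", dport=25, comment="SMTP to DMZ relay"),
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=80, comment="HTTP to DMZ web server"),
    Rule("drop", dst=INTERNAL, comment="Internet never reaches the internal net directly"),
]

# Interior filter: only the relay may hand mail inward; internal hosts may use the DMZ.
INTERIOR_RULES = [
    Rule("drop", dst=INTERIOR_SELF, comment="nothing listens on the interior filter either"),
    Rule("accept", src=MAIL_RELAY, dst=INTERNAL_MAIL, proto="tcp", dport=25,
         comment="relay delivers mail to the internal server"),
    Rule("accept", src=INTERNAL, dst=DMZ, comment="internal hosts may reach DMZ services"),
]

# The "shut down the internal firewall" step from the scenario: no rules at all,
# so default deny seals the internal network while the exterior filter keeps running.
LOCKDOWN_RULES: List[Rule] = []


def forward_path(pkt: Packet, interior_rules: List[Rule] = INTERIOR_RULES) -> List[Tuple[str, str]]:
    """Decision of each filter the packet crosses, in order.

    Traffic from outside the site crosses the exterior filter first; anything
    entering or leaving the internal network crosses the interior filter.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inside = lambda a: a in ip_network(DMZ) or a in ip_network(INTERNAL)
    decisions = []
    if not inside(src):
        decisions.append(("exterior", evaluate(EXTERIOR_RULES, pkt)))
        if decisions[-1][1] == "drop":
            return decisions
    if src in ip_network(INTERNAL) or dst in ip_network(INTERNAL):
        decisions.append(("interior", evaluate(interior_rules, pkt)))
    return decisions


def allowed(pkt: Packet, interior_rules: List[Rule] = INTERIOR_RULES) -> bool:
    """True only if every filter on the path accepted the packet."""
    path = forward_path(pkt, interior_rules)
    return bool(path) and all(d == "accept" for _, d in path)


# Constructed sample traffic: normal use plus what a compromised relay would try.
SAMPLES = {
    "ssh to exterior filter": Packet("203.0.113.7", "192.0.2.1", "tcp", 22),
    "smtp to dmz relay": Packet("203.0.113.7", "192.0.2.2", "tcp", 25),
    "http to dmz web": Packet("203.0.113.7", "192.0.2.3", "tcp", 80),
    "internet straight to internal": Packet("203.0.113.7", "10.0.0.25", "tcp", 25),
    "relay hands mail inward": Packet("192.0.2.2", "10.0.0.25", "tcp", 25),
    "compromised relay probes internal ssh": Packet("192.0.2.2", "10.0.0.50", "tcp", 22),
    "compromised relay to interior filter": Packet("192.0.2.2", "10.0.0.1", "tcp", 22),
}


def summary(interior_rules: List[Rule] = INTERIOR_RULES) -> dict:
    """Map each sample flow to whether the site would pass it end to end."""
    return {name: allowed(p, interior_rules) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for mode, rules in (("normal", INTERIOR_RULES), ("lockdown", LOCKDOWN_RULES)):
        print(mode)
        for name, ok in summary(rules).items():
            print(f"  {'pass' if ok else 'DROP':4}  {name}")
```

Under the normal ruleset the exterior filter drops the SSH probe against its own address and the direct attempt on the internal network while forwarding SMTP and HTTP to the bastions, and the interior filter lets only the relay's SMTP through. Under `LOCKDOWN_RULES` the relay's inbound mail is dropped too, but the exterior filter still forwards to the DMZ, which is the window for monitoring the attacker that the scenario describes. A real deployment would use stateful rules and would also restrict what the bastions may initiate outbound; this model leaves both out for brevity.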