At 04:40 14-03-2000 -0500, you wrote:
>Another thought just occurred to me.
>
>In the case of a screened subnet firewall, the exterior router/firewall
>passes the traffic on to the appropriate server. This would suggest that
>actual resources are rarely accessed on the firewall itself. With this in
>mind, couldn't one say that the ability to remotely compromise the firewall
>itself is diminished?
>
>In the case of the dual-homed host firewall, it is highly probable that the
>Internet services (web, mail, news, etc.) are performed by this machine as
>well. These services, especially web servers with CGI, will most likely
>have some sort of language installed on them and have a higher chance of
>being vulnerable to some sort of remote exploit.
>
>I'm not saying that anyone should load compilers and the lot on firewall
>boxen, however, in comparing the two, couldn't one say that the first
>architecture would be safer? Consider the fact that remote users rarely
>have actual access to the box itself. Subsequently, isn't the purpose of a
>firewall to provide the administrator with a location of control amidst the
>chaos (assuming one is under attack)?
>
I agree with Bennett. The first architecture is the safest one because it
adds an extra layer of security by adding a perimeter network that further
isolates the internal network from the Internet. In this way, if an
attacker successfully breaks into the outer reaches of the firewall, the
perimeter net offers another layer of protection between him and the
internal systems. The internal screening router can (and should) be
configured to give only the privileges needed to the bastion hosts
running on the perimeter network.
Nuno
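An added illustration, not part of Nuno's or Bennett's messages, of the interior screening router policy discussed in this thread: a small Python model of a first-match packet filter sitting between the perimeter (DMZ) network and the internal network. The addresses, host roles and permitted services are assumptions made for the example; the point it shows is that each bastion host is granted only the flows it needs, so a compromised bastion host (say, the web server) still cannot reach internal systems beyond what the policy explicitly allows.

```python
# Added example (not from the original mailing-list thread): a model of the
# interior screening router in a screened-subnet firewall.  Only new
# connection attempts are evaluated here; return traffic of accepted flows is
# assumed to be handled by a stateful "established" rule, as on a real router.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network layout (constructed for this example).
PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # DMZ / perimeter net
INTERNAL = ipaddress.ip_network("10.0.0.0/16")     # protected internal net

# Assumed hosts (constructed for this example).
BASTION_WEB = "192.0.2.10"     # public web server on the perimeter net
BASTION_MAIL = "192.0.2.20"    # public mail relay on the perimeter net
INTERNAL_MAIL = "10.0.5.25"    # internal mail server
INTERNAL_DNS = "10.0.5.53"     # internal resolver


def host(addr: str) -> ipaddress.IPv4Network:
    """Express a single host as a /32 so rules can treat hosts and nets alike."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port of the new connection attempt


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]    # None means any destination port
    action: str             # "accept" or "drop"


# Interior router policy: each bastion host gets only the flows it needs
# towards the inside; anything not listed falls through to default deny.
INTERIOR_RULES: List[Rule] = [
    # The mail relay may hand inbound mail to the internal mail server only.
    Rule("dmz-mail-to-internal-smtp", host(BASTION_MAIL), host(INTERNAL_MAIL), "tcp", 25, "accept"),
    # Any perimeter host may resolve names via the internal resolver.
    Rule("dmz-dns-lookup", PERIMETER, host(INTERNAL_DNS), "udp", 53, "accept"),
    # Internal users may browse the bastion web server and relay mail outward.
    Rule("internal-to-dmz-web", INTERNAL, host(BASTION_WEB), "tcp", 80, "accept"),
    Rule("internal-to-dmz-smtp", INTERNAL, host(BASTION_MAIL), "tcp", 25, "accept"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return (src in rule.src and dst in rule.dst and pkt.proto == rule.proto
            and (rule.dport is None or pkt.dport == rule.dport))


def decide(pkt: Packet, rules: List[Rule] = INTERIOR_RULES) -> Tuple[str, str]:
    """First matching rule wins; with no match the router drops the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "default-deny"


def reachable_from(src: str, candidates: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """What an attacker on a given (compromised) host could open towards the inside."""
    return [c for c in candidates if decide(Packet(src, *c))[0] == "accept"]


if __name__ == "__main__":
    probes = [(INTERNAL_MAIL, "tcp", 25), (INTERNAL_DNS, "udp", 53),
              ("10.0.1.7", "tcp", 22), ("10.0.1.7", "tcp", 445)]
    for bastion in (BASTION_WEB, BASTION_MAIL):
        print(bastion, "can reach:", reachable_from(bastion, probes))
```

If the web bastion is compromised, the model shows it can still only talk to the internal resolver; it cannot reach the internal mail server or an arbitrary inside host, which is the extra layer the perimeter net buys.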