Firewall Wizards mailing list archives

Re: Q on external router


From: Adam Shostack <adam () homeport org>
Date: Wed, 22 Apr 1998 10:24:43 -0400 (EDT)

| 1. A while ago, someone was discussing (not sure if in the FW list or
| FW-Wizard list) the possibility of using a switch in the DMZ so that even
| if a machine on the DMZ is compromised, it cannot be used for sniffing
| traffic on the DMZ.  However, it was also pointed out by somebody that a
| switch doesn't make a lot of difference.  So is it possible to do something like
| -
| 
|                  web server
|                      |
|                      |
|                      |
|    Internet ----- router ----- bastion host ----- router ----- internal net
| 
| The "web server" above could possibly be a whole ethernet segment with
| other services.

        This is a pretty typical DMZ setup.  Usually I've used packet
filtering hosts (PC hardware with OpenBSD or Linux) over Cisco-type
routers.  I like the local logging capability.

| 4. If only console access to the router is allowed, what normally do you
| use for the "console" machine, can this machine be also used as a logging
| machine for the router log ?

        Get a machine with a hefty multiport serial card.  Enable only
ssh into this host, and use it as a terminal server into all the hosts
in the firewall.  If you drop two lines to each machine in the
firewall, you can log over one line, and log in interactively over the
other.

Adam

-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
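
Below is one way the topology in the question could be expressed on the bastion host if it were built as the packet-filtering PC Adam describes. This is an added illustration, not configuration from the original post or from anyone on the list, and it uses pf, which postdates this 1998 thread; the interface names, address ranges and the web server address are assumed placeholders. The policy is default-deny with every drop logged, since local logging is the point Adam makes for filtering hosts over routers; there is deliberately no ssh rule into the bastion, because in the reply management of the firewall hosts is done over serial lines from the console machine rather than over the network.

```pf
# Bastion host with three interfaces (names assumed for this example).
ext_if = "em0"    # toward the Internet-facing router
dmz_if = "em1"    # DMZ segment holding the web server(s)
int_if = "em2"    # toward the internal router

# Addresses are assumed placeholders (RFC 5737 / RFC 1918 ranges).
dmz_net = "192.0.2.0/24"
web_srv = "192.0.2.10"
int_net = "10.0.0.0/8"

set skip on lo0
set block-policy drop          # silently drop rather than send RST/ICMP

# Drop packets that arrive on an interface with a source address
# belonging to one of the other segments.
antispoof log quick for { $ext_if $dmz_if $int_if }

# Default deny, logged: every rejected packet lands in the local pflog.
block log all

# Traffic leaving any interface is allowed only when a state already
# exists for it; states are created by the "pass in" rules below, so the
# entering interface is where policy is enforced.
pass out quick keep state

# From the Internet: only HTTP/HTTPS to the web server, nothing else.
pass in quick on $ext_if proto tcp from any to $web_srv \
    port { 80 443 } flags S/SA keep state

# From the internal net: the same two web ports on the DMZ server, plus
# anything that is not destined for the DMZ (i.e. the Internet).
pass in quick on $int_if proto tcp from $int_net to $web_srv \
    port { 80 443 } flags S/SA keep state
pass in quick on $int_if from $int_net to ! $dmz_net keep state

# Nothing passes in on $dmz_if: a compromised DMZ host cannot open
# connections toward the internal net or the Internet.  If the web
# server needs DNS or package updates, add narrow rules here rather
# than loosening the default.
```

The ruleset does not address the sniffing question in item 1: a filter on the bastion controls what crosses between segments, not what one DMZ host can see of another on the same segment. Rejected packets can be reviewed on the bastion with `tcpdump -n -e -ttt -r /var/log/pflog`.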
