Firewall Wizards mailing list archives
Re: Q on external router
From: Adam Shostack <adam () homeport org>
Date: Wed, 22 Apr 1998 10:24:43 -0400 (EDT)
| 1. A while ago, someone was discussing (not sure in the FW list or
| FW-Wizard list) the possibility of using a switch in the DMZ so that even
| if a machine on the DMZ is compromised, it cannot be used for sniffing
| traffic on the DMZ. However, it was also pointed out by somebody that a switch
| doesn't make a lot of difference. So is it possible to do something like
| -
|
|                               web server
|                                   |
|                                   |
|                                   |
| Internet ----- router ----- bastion host ----- router ----- internal
|                                                               net
|
| The "web server" above could possibly be a whole ethernet segment with
| other services.

This is a pretty typical DMZ setup. Usually I've used packet filtering
hosts (PC hardware with OpenBSD or Linux) over Cisco-type routers. I like
the local logging capability.

| 4. If only console access to the router is allowed, what normally do you
| use for the "console" machine, can this machine also be used as a logging
| machine for the router log ?

Get a machine with a hefty multiport serial card. Enable only ssh into
this host, and use it as a terminal server into all the hosts in the
firewall. If you drop two lines to each machine in the firewall, you can
log over one line, and log in interactively over the other.

Adam

-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
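An added example (not from Adam's post or the list) of the "logging line" side of that setup: a small POSIX sh logger on the terminal-server host that reads the router's console line and appends each line to a log with a UTC timestamp, since console output carries none. The device path /dev/ttyS1, the log directory and the sample console transcript are assumptions; nothing here comes from a real router.

```sh
#!/bin/sh
# Out-of-band console logger for one serial line on the terminal-server host.
# Hypothetical values: the router console is wired to /dev/ttyS1 and the log
# lives under /var/log/console/. A regular file can stand in for the device,
# which is how the offline test below feeds it a constructed transcript.

cr=$(printf '\r')

# Put a real serial device into raw 9600 8N1 mode. GNU stty takes -F, the BSD
# stty (OpenBSD, macOS) takes -f; a regular file needs no line setup at all.
setup_line() {
  dev="$1"
  [ -c "$dev" ] || return 0
  stty -F "$dev" 9600 cs8 -cstopb -parenb raw -echo 2>/dev/null \
    || stty -f "$dev" 9600 cs8 -cstopb -parenb raw -echo
}

# Read the console line by line and append to the log with a UTC timestamp.
# Router consoles send CRLF; the trailing CR is stripped so the log stays
# clean for grep. The "|| [ -n ... ]" keeps a final line that has no newline.
log_console() {
  dev="$1"; logfile="$2"
  setup_line "$dev" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line"
  done < "$dev" >> "$logfile"
}

# Count logged console events matching a pattern, e.g. configuration changes
# seen on the serial line even when the router's network syslog went quiet.
count_console_events() {
  grep -c -- "$2" "$1"
}

# Example invocation (device path is hypothetical):
#   log_console /dev/ttyS1 /var/log/console/router.log
```

Run one `log_console` per serial line in the background (or under your init system) so every firewall host's console is captured continuously, and review the logs from the ssh-only terminal-server host.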