Firewall Wizards mailing list archives

Re: Q on external router


From: Bennett Todd <bet () rahul net>
Date: Wed, 22 Apr 1998 07:52:00 -0700

1998-04-22-22:47:23 Vinci Chou:
[ asks about using the external screening router to partition the DMZ
  into separate subnets ]

This is my favourite architecture. In fact, I tend towards using as many
separate router interfaces, with separate subnets (e.g. 192.168.*.*,
from RFC 1918, and NAT as needed) as I have separate machines in the
DMZ.

I like it for many reasons, not least of which is that I've got a fairly
high degree of trust in the security of a tightly-configured Cisco
router --- and its holes if any are probably independent of any holes in
host security. It also offers nice performance over a wide range of
price/performance points.

Matthew Patton, describing to me his firewall design[1], pointed out to
me that if you have zero budget, you can achieve a similar goal much
more cheaply by having N interfaces on the bastion. And then it occurred
to me that if _that's_ too expensive you can still help matters ---
only losing protection if a DMZ host is root-level compromised --- by
using one DMZ interface on the bastion, and a hub for the hosts in the
DMZ, and a trick: assign each DMZ host an address on a separate net
--- again perhaps using the RFC 1918 addresses and NAT in the bastion.
Give the bastion's DMZ interface, connected to the hub, addresses on all
the nets. Have the clients in the DMZ, each on their own separate net
(travelling over the same ether) all use the bastion for their default
router. Then let the bastion's ipfw or ipfilter or whatever provide
access restrictions among the DMZ hosts.

-Bennett

[1] <URL:http://www2.sysnet.net/~patton/firewall_guide.html>
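The hub-and-aliases trick from the last paragraph, spelled out as a bastion-side configuration. This is an added example, not code from Bennett's post or from Matthew Patton's guide, and every concrete detail in it is an assumption for illustration: the bastion's DMZ interface is called dmz0, DMZ host k sits at 192.168.k.2 on 192.168.k.0/24 with the bastion's alias 192.168.k.1 as its default router, the filter is ipfilter (ipf), and the host inventory and the allow-listed DMZ-to-DMZ flows are constructed. The script prints the sysctls, the ifconfig aliases and the ipf rules in the order they would be applied.

```sh
#!/bin/sh
# Added example, not from the original post: generate the bastion-side
# configuration for the "one hub, one interface, one subnet per host" trick.
# All names and numbers are assumptions: the DMZ interface is dmz0, DMZ host k
# lives at 192.168.k.2 on 192.168.k.0/24 with the bastion at 192.168.k.1 as its
# default router, and the packet filter is ipfilter (ipf).

DMZ_IF="${DMZ_IF:-dmz0}"

# Constructed inventory: name:third-octet of the host's private /24.
HOSTS="www:1 smtp:2 dns:3"

# Constructed allow-list of DMZ-to-DMZ flows, src:dst:proto:port.
# Anything between per-host subnets that is not listed here is dropped.
FLOWS="www:dns:udp:53 smtp:dns:udp:53"

# Look up the subnet octet of a named DMZ host; fail on an unknown name so a
# typo in FLOWS cannot silently produce a rule for the wrong host.
subnet_of() {
    for spec in $HOSTS; do
        if [ "${spec%%:*}" = "$1" ]; then
            echo "${spec#*:}"
            return 0
        fi
    done
    echo "unknown DMZ host: $1" >&2
    return 1
}

# Kernel knobs: the bastion must forward, and it should not emit ICMP
# redirects, which could hand a DMZ host a shorter path across the hub
# that this design is trying to keep it from using.
gen_sysctls() {
    echo "sysctl -w net.inet.ip.forwarding=1"
    echo "sysctl -w net.inet.ip.redirect=0"
}

# One address on every per-host subnet, all on the single physical DMZ
# interface: the first is the primary address, the rest are aliases.
gen_aliases() {
    first=1
    for spec in $HOSTS; do
        n="${spec#*:}"
        if [ "$first" -eq 1 ]; then
            echo "ifconfig $DMZ_IF inet 192.168.$n.1 netmask 255.255.255.0"
            first=0
        else
            echo "ifconfig $DMZ_IF inet 192.168.$n.1 netmask 255.255.255.0 alias"
        fi
    done
}

# ipf rules for the DMZ interface. Listed flows pass statefully and "quick",
# so they are decided as soon as they match; then one quick block catches
# every other packet a DMZ host sends toward another per-host subnet.
gen_rules() {
    echo "# permitted DMZ-to-DMZ flows"
    for flow in $FLOWS; do
        old_ifs="$IFS"; IFS=:
        set -- $flow
        IFS="$old_ifs"
        src="$(subnet_of "$1")" || return 1
        dst="$(subnet_of "$2")" || return 1
        echo "pass in quick on $DMZ_IF proto $3 from 192.168.$src.2 to 192.168.$dst.2 port = $4 keep state"
    done
    echo "# everything else between per-host subnets is dropped and logged"
    echo "block in log quick on $DMZ_IF from 192.168.0.0/16 to 192.168.0.0/16"
}

# Print the whole configuration in the order it would be applied.
show_config() {
    gen_sysctls
    gen_aliases
    gen_rules
}

show_config
```

The thing to keep in mind when reading the output is exactly the limitation Bennett states: the hosts still share one wire. A host that is merely running a compromised service cannot reach its neighbours except through the bastion, because its only route off 192.168.k.0/24 is the default router; a host that is compromised to root can add an alias on a neighbour's subnet and talk to it directly over the hub, and no rule on the bastion will see that traffic.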
