Firewall Wizards mailing list archives

Re: PUBLIC: boxed "multi-purpose" firewalls - overkill??


From: peter.vaterlaus () ubs com
Date: Wed, 14 Oct 1998 17:47:28 +0200

     Michael,
     
     IMO a bastion host usually uses a single NIC only. Therefore only 
     application gateways can be implemented there. Most 'boxed' firewalls 
     are designed with multiple NICs and a distinction between 'secure', 
     i.e. intranet, and 'insecure' NICs. The rules then apply either in the 
     direction from 'insecure' to 'secure' side or opposite.
     
     For this type of FW you need a design router <--> FW <--> router. 
     Depending on your security requirements and your firewall you can also 
     omit one or both of the routers.
     
     Whether you require a 'pass through' FW or one or more 'classical' 
     bastion hosts or a mix of all of them depends mainly on:
     1) the security requirements (policy)
     2) the applications (IP-protocols)
     and in most cases also on the experience and preferences of the FW 
     designer of course!
     
     If you are not very experienced in FW implementations, I recommend 
     a multiple NIC solution. But as mentioned above, it finally depends on 
     your requirements.
     
     Regards
     Peter Vaterlaus
     
     Note: I speak here for myself, not for my employer


______________________________ Reply Separator _________________________________
Subject: PUBLIC: boxed "multi-purpose" firewalls - overkill??
Author:  mjd at zhux/DD.RFC-822=mjd () interaxon gr
Date:    14.10.98 15:47


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
     
hi all
     
I am putting together a firewall, only on paper for now, and a few 
questions concerning the usefulness of boxed "multi-purpose" firewall 
products have surfaced.  I hope some of you guys can give me your 
thoughts on the matter.
     
suppose...
I have set up a screened network architecture firewall which is 
connected to the internet via an ISDN router (a baynetworks clam), and 
then this dmz is connected to my internal network via a packet 
filtering router (suggestions most welcome).  Ok, so now I need a 
bastion host to proxy my smtp, dns, and WWW.  So I think .. the client 
wants ease of use and reporting etc etc, has to be NT based, they have 
no nix skills at all.. so what about a boxed NT firewall product .. ok 
I say, how about Eagle (as everyone else is on about FW-1, and I like 
to be different), it does all I want and more.. packet filtering.. but 
I am sat here wondering why do I need this packet filtering?  I 
certainly don't want to combine this bastion host with my choke router.
Perhaps I could put it after my ISDN router, but is this really
necessary?
     
So I am wondering why spend big bucks on a "multi-purpose" firewall 
package like Eagle, is it only for the reporting capabilities?
     
i would be interested in hearing how others see the use of these 
products.
     
mike
     
- ---------------------------------------------- 
Michael J. Dilworth             Interaxon ltd.
                                8 Rizariou St.
tel:(+301)6801013/4             Halandri 
Fax:(+301)6801015               15233 Athens
                                Greece
- ----------------------------------------------
     
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
     
iQA/AwUBNiSRX26RYzC+RAvaEQKgeQCg8CG8pL7tZ13PIsH0IPsJFhvx3IoAoJFG 
8B32OrGgwnz3JV2pGPtGq73K
=Gf+0
-----END PGP SIGNATURE-----
     


