Firewall Wizards mailing list archives
firewall architectures
From: Kelly Scroggins <kelly () cliffhanger com>
Date: Thu, 18 May 2000 09:20:33 -0500
In the book 'Building Internet Firewalls', several architectural designs are discussed. I believe the 'screened subnet' architecture is the best. In a discussion with a friend, the argument that the screened subnet is old, outdated, and should no longer be considered an option was presented. He argued that it introduced too much latency. It is true that the more devices a packet has to go through, the more latency will be involved. But is it enough to be noticed? I disagree with this idea. I'm wondering what others' opinions are on this. What architecture do you prefer? I've included a picture of what I'm calling a screened subnet below.

kelly

                             internet
                                 |
                                \ /
                                 |
                        +------------------+                *******************************
                        |  choke router 1  |      **********                              *
                        +------------------+      *                                       *
                                 |                *                                       *
----------------------------------------------    *                                       *
    |        |        |          |                *                                       *
  +----+   +----+   +----+       |                *                                       *
  |    |   |    |   |    |       |   Firewall     *                                       *
  |    |   |    |   |    |       |   (DMZ)        *                                       *
  +----+   +----+   +----+       |                *                                       *
  email    dns      http/        |                *                                       *
                    proxy        |                *                                       *
                        +------------------+      *         *******************************
                        |  choke router 2  |      **********
                        +------------------+
                                 |
                     |       |       |       |

There could be more than one choke router on the inside network. But there shouldn't be more than one access point to the internet.

Kelly
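The two-router policy the diagram implies, written out as an added Python example that is not part of Kelly's post: each choke router carries a default-deny rule set, and a flow is permitted only if every router on its path allows it, so the only road from the outside to the inside runs through a bastion on the DMZ. The address ranges, bastion hosts and port choices are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the three zones in the diagram (RFC 5737 / RFC 1918 ranges).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
MAIL, DNS, PROXY = "192.0.2.25", "192.0.2.53", "192.0.2.80"   # bastion hosts on the DMZ
ZONES = ("internet", "dmz", "internal")

def zone(ip):
    a = ip_address(ip)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "internet"

def hit(sel, ip):
    # A rule selector is either a zone name or one exact host address.
    return sel == zone(ip) if sel in ZONES else sel == ip

# Rule = (src selector, dst selector, dst port or None for any). Anything not listed is dropped.
# Choke router 1 (exterior): the Internet reaches only the published bastion services.
CHOKE1 = [("internet", MAIL, 25), ("internet", DNS, 53), ("dmz", "internet", None)]
# Choke router 2 (interior): inside hosts talk only to the bastions; only the mail
# bastion may open a connection inward, and only to deliver mail.
CHOKE2 = [("internal", PROXY, 3128), ("internal", DNS, 53), ("internal", MAIL, 25),
          (MAIL, "internal", 25)]

def routers_on_path(src, dst):
    # Which choke routers a packet crosses, given the single-access-point layout above.
    zs = {zone(src), zone(dst)}
    if zs == {"internet", "dmz"}:
        return [CHOKE1]
    if zs == {"dmz", "internal"}:
        return [CHOKE2]
    if zs == {"internet", "internal"}:
        return [CHOKE1, CHOKE2]
    return []  # same zone: no choke router in the way

def permitted(src, dst, port):
    """A flow is allowed only if every choke router on its path has a matching permit rule."""
    return all(any(hit(s, src) and hit(d, dst) and p in (None, port) for s, d, p in rules)
               for rules in routers_on_path(src, dst))

def direct_internet_to_internal(ports=range(1, 1025)):
    """Audit: ports on which an outside host could reach an inside host without touching a bastion."""
    return [p for p in ports if permitted("198.51.100.7", "10.1.2.3", p)]

if __name__ == "__main__":
    for f in [("198.51.100.7", MAIL, 25), ("198.51.100.7", PROXY, 3128), ("10.1.2.3", PROXY, 3128),
              ("10.1.2.3", "198.51.100.7", 80), (MAIL, "10.1.2.3", 25)]:
        print(f, "permit" if permitted(*f) else "deny")
    print("direct outside->inside ports:", direct_internet_to_internal())
```

The fourth sample flow shows the point of the second choke router: an inside host cannot reach the Internet directly and has to go through the proxy bastion, so a single access point is preserved even though the DMZ sits between two routers.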