Firewall Wizards mailing list archives
firewall architectures
From: Kelly Scroggins <kelly () cliffhanger com>
Date: Thu, 18 May 2000 09:20:33 -0500
In the book 'Building Internet Firewalls',
several architectural designs are discussed.
I believe the 'screened subnet' architecture
is the best.
In a discussion with a friend, the argument
that the screened subnet is old, outdated, and
should no longer be considered an option,
was presented.
He argued that it introduced too much
latency. It is true that the more devices a
packet has to go through, the more latency
will be involved. But is it enough to be
noticed?
I disagree with this idea. I'm wondering
what others' opinions are on this. What
architecture do you prefer?
I've included a picture of what I'm
calling a screened subnet below.
kelly
                         internet
                            |
                            \
                            /
                            |
                  +------------------+
******************|  choke router 1  |**************
*                 +------------------+             *
*                          |                       *
*     -----------------------------------          *
*       |        |        |             |          *
*     +----+   +----+   +----+          |          *
*     |    |   |    |   |    |          | Firewall *
*     |    |   |    |   |    |          |  (DMZ)   *
*     +----+   +----+   +----+          |          *
*     email     dns    http/            |          *
*                      proxy            |          *
*                 +------------------+             *
******************|  choke router 2  |**************
                  +------------------+
                           |
                           |
                           |
                           |
                           |
There could be more than one choke router on the inside network. But
there shouldn't be more than one access point to the internet.
Kelly
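An added illustration of the two-router design drawn above, written for this archive page; it is example code, not part of Kelly's message or of 'Building Internet Firewalls'. The zone names, the port numbers, both rule sets (including the assumption that a bastion may only initiate mail delivery inward) and the function names are all assumptions chosen to match the picture. It models each packet crossing choke router 1 and/or choke router 2 in physical order, so the same call reports both the verdict and the number of filtering hops, which is the cost the latency argument is about.

```python
"""Model of the two-router screened subnet from the diagram.

Added example; rule sets, zone names and ports are assumptions.
Physical order, as drawn: internet - choke router 1 - DMZ - choke router 2 - inside.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNET, DMZ, INSIDE = "internet", "dmz", "inside"


@dataclass(frozen=True)
class Packet:
    src: str     # zone the packet originates in
    dst: str     # zone it is addressed to
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst == p.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First-match evaluation; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Exterior choke router (assumed rule set): the internet may reach only
# the three bastion services and may never address the inside directly.
CHOKE1 = [
    Rule(INTERNET, DMZ, "tcp", 25, "allow"),   # email bastion
    Rule(INTERNET, DMZ, "udp", 53, "allow"),   # dns bastion
    Rule(INTERNET, DMZ, "tcp", 53, "allow"),
    Rule(INTERNET, DMZ, "tcp", 80, "allow"),   # http proxy
    Rule(DMZ, INTERNET, None, None, "allow"),  # bastions may talk outward
]

# Interior choke router (assumed rule set): inside hosts reach only the
# bastions, and a bastion may initiate only mail delivery inward.
CHOKE2 = [
    Rule(INSIDE, DMZ, "tcp", 25, "allow"),
    Rule(INSIDE, DMZ, "udp", 53, "allow"),
    Rule(INSIDE, DMZ, "tcp", 80, "allow"),     # web access goes via the proxy
    Rule(DMZ, INSIDE, "tcp", 25, "allow"),     # inbound mail relay
]

ZONE_POS = {INTERNET: 0, DMZ: 1, INSIDE: 2}
DEVICES = [("choke router 1", CHOKE1), ("choke router 2", CHOKE2)]


def path(p: Packet):
    """Filtering devices a packet crosses, in the order it meets them."""
    a, b = ZONE_POS[p.src], ZONE_POS[p.dst]
    return DEVICES[a:b] if a < b else DEVICES[b:a][::-1]


def decide(p: Packet) -> Tuple[str, Optional[str], int]:
    """Return (verdict, device that dropped the packet or None, hop count).

    The hop count is the 'more devices to go through' cost raised in the
    post; the verdict shows what those hops buy, e.g. a compromised
    bastion in the DMZ still cannot open arbitrary inside connections."""
    devices = path(p)
    for name, rules in devices:
        if evaluate(rules, p) == "deny":
            return "deny", name, len(devices)
    return "allow", None, len(devices)


if __name__ == "__main__":
    for p in (Packet(INTERNET, DMZ, "tcp", 25),
              Packet(INTERNET, INSIDE, "tcp", 80),
              Packet(DMZ, INSIDE, "tcp", 22),
              Packet(INSIDE, INTERNET, "tcp", 80)):
        print(p, "->", decide(p))
```

Run it as a script to see the verdicts; the interesting cases are a direct internet-to-inside packet, which choke router 1 drops before it ever reaches the DMZ, and a DMZ-to-inside connection on a port other than 25, which choke router 2 drops even though the packet already sits inside the perimeter.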