Firewall Wizards mailing list archives

Re: SingleHomedHost


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Tue, 29 May 2001 10:27:15 -0400

On Thu, May 24, 2001 at 03:45:26PM +0000, Al.G. Protosimaki wrote:
> I am hoping someone can help with this problem.
>
> I am reading Building Internet Firewalls (O'Reilly).
>
> In their design section, they discuss a Screened Host deployment, which
> consists of:
>
> 1. A packet-filtering router
> 2. A single-homed host running a Proxy Server
> 3. A LAN
>
> INTERNET  -------  PFR  ------------- LAN
>                                |
>                                |
>                               PS
>
> I understand why the Packet-Filtering Router needs to be configured so
> that it will only allow incoming connections that are destined for the Proxy
> Server.
>
> I also understand why the Packet-Filtering Router should drop outgoing
> packets, unless they originate from the Proxy Server.
>
> However, since the Proxy Server only has one NIC, and since it appears to be
> on the same segment as the internal LAN, how does the Proxy Server intercept
> outgoing traffic?
>
> Building Internet Firewalls seems to suggest that the NIC needs to be put
> into promiscuous mode, so that it can intercept all outbound traffic. This
> seems to me to be a strange solution.
>
> For example, if the LAN uses a switch, how can the PS intercept
> the traffic?
>
> I guess my problem is that I do not understand, from a network design
> perspective, how one can design a network system that forces all outgoing
> traffic to be diverted to the single-homed box.

Your mistake is assuming that the other systems on that network are
accessible and accessed from the outside.  They are not.  Only the PS
IP address is available from the outside.  This is enforced by the PFR.
The PS proxies all requests from the inside and outside so that both
inside and outside appear to be addressing a single IP address as
proxy, but that one machine - and only that one machine - has access to
both worlds.

At least, as I understand it.

I hope that this helps.

I prefer a dual- or multi-homed proxy server.

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
OSIS Center Computer Support                                    EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
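As an added illustration (not code from the thread or the book), here is a small Python model of the screened-host policy Joe describes: the PFR accepts inbound packets only if addressed to PS and outbound packets only if sourced from PS, so a LAN host's direct connection to the Internet is dropped while the same request relayed through PS passes without any interception on the LAN segment. The addresses are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (not from the thread): the LAN is 10.0.0.0/24
# and the single-homed proxy server (PS) sits on that segment at 10.0.0.5.
LAN = ipaddress.ip_network("10.0.0.0/24")
PS = ipaddress.ip_address("10.0.0.5")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def pfr_decision(pkt: Packet) -> str:
    """Screened-host policy on the packet-filtering router (PFR).

    The PFR only sees traffic crossing between the LAN side and the Internet;
    LAN-to-LAN traffic never reaches it.  Its two rules are exactly the ones
    the question lists:
      - inbound  (Internet -> LAN side): accept only if destined for PS
      - outbound (LAN side -> Internet): accept only if sourced from PS
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    inbound = src not in LAN and dst in LAN
    outbound = src in LAN and dst not in LAN
    if inbound:
        return "accept" if dst == PS else "drop"
    if outbound:
        return "accept" if src == PS else "drop"
    return "not-seen"  # LAN<->LAN traffic: the PFR is not on the path


def reach_internet(client: str, dest: str, via_proxy: bool) -> list[str]:
    """Trace how a LAN client's request to an Internet host fares.

    Without the proxy, the client's own packet hits the PFR and is dropped.
    With the proxy, the client talks to PS on the LAN segment (never crossing
    the PFR, so no promiscuous-mode interception is needed), and PS then
    originates the outbound connection itself, which the PFR accepts because
    the source address is the PS address.
    """
    if not via_proxy:
        return [f"{client}->{dest}: {pfr_decision(Packet(client, dest))}"]
    return [
        f"{client}->{PS}: {pfr_decision(Packet(client, str(PS)))}",
        f"{PS}->{dest}: {pfr_decision(Packet(str(PS), dest))}",
    ]
```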