Firewall Wizards mailing list archives
Inspecting routers
From: Pierre-Yves <tchoubou_fr () yahoo fr>
Date: Mon, 25 Nov 2002 09:45:01 +0100 (CET)
Hi,

One of my customers is migrating part of its Internet architecture. We are aiming at a several-layered target, something like:

    Internet
        |
    External access router
        |
    Web services zone
        |
    Internal access router
        |
    Internal network

There are _no_ outgoing connections from the internal network to the Internet through those links (those connections go to another ISP and route). The only traffic crossing the internal access router will be administration traffic (internal to web systems) and data requests (web systems to internal databases).

The "web services zone" hosts several load balanced web systems, with reverse proxies and the like. No DNS/SMTP servers in this zone. Currently "pure web zone", and it should stay so. Throughput to the internet customers is a major constraint.

Both routers have quite extensive IP filters (well, the external one basically has "deny if not TCP/80 or TCP/443 targeted to the web servers").

The customer is currently thinking about inspecting routers, to go "one step further than plain filtering".

First question, does this low-level inspection really buy anything wrt security?

Secondly, I advise him to put his inspection stuff on the internal access router, where
1/ the throughput is far lower than on the external router
2/ we know exactly what should cross here
3/ if anything unusual comes this way, all hell should and will break loose.

Would this be the best place to inspect packets? What would we gain (or lose) by putting inspection on the external router?

Tia,

--
Pierre-Yves