Firewall Wizards mailing list archives

Inspecting routers


From: Pierre-Yves <tchoubou_fr () yahoo fr>
Date: Mon, 25 Nov 2002 09:45:01 +0100 (CET)

   Hi,

   One of my customers is migrating part of its Internet architecture.
We are aiming at a several-layered target, something like:

           Internet
              |
     External access router
              |
       Web services zone
              |
     Internal access router
              |
       Internal network

   There are _no_ outgoing connections from the internal network to the
Internet through those links (those connections go to another ISP and
route). The only traffic crossing the internal access router will be
administration traffic (internal to web systems) and data requests (web
systems to internal databases).
   The "web services zone" hosts several load balanced web systems,
with reverse proxies and the like. No DNS/SMTP servers in this zone.
Currently "pure web zone", and it should stay so. Throughput to the
internet customers is a major constraint.
   Both routers have quite extensive IP filters (well, the external one
basically has "deny if not TCP/80 or TCP/443 targeted to the web
servers").
   The customer is currently thinking about inspecting routers, to go
"one step further than plain filtering".
   First question, does this low-level inspection really buy anything
wrt security?
   Secondly, I advise him to put his inspection stuff on the internal
access router, where 1/ the throughput is far lower than on the
external router 2/ we know exactly what should cross here 3/ if
anything unusual comes this way, all hell should and will break loose.
Would this be the best place to inspect packets? What would we gain
(or lose) by putting inspection on the external router?
   Tia,

-- Pierre-Yves
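As an added illustration (not part of the original post, and not the poster's or his customer's configuration), here is what the two stages described above could look like on Cisco IOS, with CBAC (the IOS "ip inspect" feature) as the inspection engine: the external router keeps the plain stateless filter, and the internal access router gets the stateful inspection. The interface names, the 203.0.113.0/24 web-zone addresses, the web VIP 203.0.113.10, the internal network 10.0.0.0/24, the database server 10.0.0.20 on TCP/1521 and the admin host 10.0.0.5 using SSH are all assumptions made for the example.

```cisco
! === External access router: plain filtering only (assumed example) ===
! Anything from the Internet that is not HTTP/HTTPS to the web VIP is dropped and logged.
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
interface Serial0/0
 description Uplink to Internet (assumed interface name)
 ip access-group FROM-INTERNET in
!
! === Internal access router: filtering plus CBAC inspection (assumed example) ===
! Only two kinds of traffic are supposed to cross here: admin sessions from the
! internal network to the web zone, and database requests from the web zone to
! the internal network. CBAC tracks each session and opens the return path
! dynamically, so both static ACLs can stay "deny everything else and log it".
ip access-list extended FROM-WEBZONE
 ! Database requests from the web systems to the internal DB server (assumed addresses/port).
 permit tcp 203.0.113.0 0.0.0.255 host 10.0.0.20 eq 1521
 ! Anything else arriving from the web zone is unexpected: drop and log.
 deny   ip any any log
!
ip access-list extended FROM-INTERNAL
 ! Admin SSH sessions from the admin host to the web systems only (assumed).
 permit tcp host 10.0.0.5 203.0.113.0 0.0.0.255 eq 22
 deny   ip any any log
!
! Inspection rule sets: generic TCP session tracking is enough for SSH and
! the database protocol; no application-layer inspection is needed here.
ip inspect name ADMIN tcp
ip inspect name DBREQ tcp
! Log every session CBAC opens and closes, so an unexpected flow shows up in syslog.
ip inspect audit-trail
!
interface FastEthernet0/0
 description To web services zone (assumed interface name)
 ip access-group FROM-WEBZONE in
 ! Admin sessions leave here; their replies are let back in past FROM-WEBZONE.
 ip inspect ADMIN out
!
interface FastEthernet0/1
 description To internal network (assumed interface name)
 ip access-group FROM-INTERNAL in
 ! DB requests leave here; their replies are let back in past FROM-INTERNAL.
 ip inspect DBREQ out
```

The point of placing the inspection on the internal router is visible in the two inbound ACLs: because the expected traffic is fully enumerable, every packet that does not belong to a tracked session hits a logging deny, whereas the external router can only say "TCP/80 or TCP/443 to the web VIP" and has to accept whatever arrives on those ports.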

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards