On Mon, 22 Nov 1999, Greg Bastian wrote:

> I am planning to put my web servers in a DMZ between our external packet
> filtering router and the Bastion Host, but I may not have control over the
> Router, in which case I would use a third NIC off the Bastion Host.  My
> problem is that I wanted to turn off packet forwarding in the kernel of the
> Bastion Host as it will be an application proxying firewall, but this will
> stop packet forwarding from the external interface of the Bastion Host to
> the Web Server segment.
> 
> What can I do, short of adding a router that I can control?

I'd recommend adding the router.  If you can't do that, add a second 
interface off the outside screening router.  Adding a router means that you 
don't have to worry about layer 2 access to a network the bastion sits on, 
and that makes things just that little bit more secure.  Also, you'll be in 
position to add additional providers, dial backup, or external private 
connections to business partners if you own a fairly modular router.  
Lastly, you'll be in control of what hits the bastion, and that's 
always a good thing.  We generally make our sites put two routers 
back-to-back when the provider insists on owning the outside router.  The 
only issue tends to be having someone think hard enough to subnet or to 
get the provider to configure their router to have an IP-less interface.

Depending on the bastion's OS, you could probably use IPFilter or 
IPChains to pass the HTTP-destined packets on to the Web server if you're 
on any reasonable *nix system.  This probably won't scale well, even with 
virtual interfaces on the outside NIC of the bastion.  If performance is 
an issue, the router is relatively cheap, adds security and gives you 
forward flexibility.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
