First. I am not trying to start a flame war with this post.
I have been tasked with designing a "firewall" to protect an e-business
site as well as the internal network. The design that I
proposed was a three legged bastion host on a screened sub-net
architecture.
One NIC on the bastion would connect to the access router which
connects to the Internet.
The second NIC would connect to a web server and split DNS via a
stub network.
The third NIC would connect to the choke router and on to the
internal network.
My idea is to run an application gateway such as Sidewinder or
CyberGuard with a dedicated OS (UNIX) on the bastion host with
all routing turned off. This would in effect isolate the segments
connected to the bastion host.
The powers that be wish to use a PIX as the bastion host.
Because the PIX is a stateful inspection device, in my opinion, it is
a router on steroids, as is any stateful inspection device. If my
assumption is correct, using the PIX defeats the security measures
of my design.
Questions:
Am I correct in my assumptions on stateful inspection firewalls?
If not could someone put me in the proper frame of mind regarding
the differences between the two types of firewalls?
Any other comments, corrections, and advice are very much
welcome.
Thanks in advance.
Frank
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
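As an added example that is not part of the original post: a small model of a stateful packet filter sitting on the three segments the question describes (Internet side, the web/DNS stub network, and the choke-router side). It shows what "stateful inspection" does mechanically: a new connection is checked against a static inter-zone policy, and only replies to a tracked connection are forwarded back. A stateless variant of the same policy is included for contrast. The zone ranges, host addresses, ports and the permitted-traffic policy are all assumptions chosen for the illustration.

```python
"""Toy model of a stateful packet filter on a three-legged bastion.

Added example; it is not code from the original post. The zone ranges,
host addresses and the inter-zone policy are assumptions chosen to
match the screened-subnet design described in the question.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"

# Assumed addressing (constructed for the example):
#   NIC 2 stub network (web server + external half of split DNS): 192.0.2.0/24
#   NIC 3 towards the choke router / internal network:           10.0.0.0/8
#   everything else is the Internet side on NIC 1
ZONES = {DMZ: ipaddress.ip_network("192.0.2.0/24"),
         INSIDE: ipaddress.ip_network("10.0.0.0/8")}
WEB = "192.0.2.10"   # assumed web server address
DNS = "192.0.2.53"   # assumed external DNS server address


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), OUTSIDE)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a connection attempt


def allow_new(pkt: Packet, src_zone: str, dst_zone: str) -> bool:
    """Static inter-zone policy for connection *initiation* (assumed)."""
    if (src_zone, dst_zone) == (OUTSIDE, DMZ):
        return ((pkt.dst == WEB and pkt.proto == "tcp" and pkt.dport in (80, 443))
                or (pkt.dst == DNS and pkt.dport == 53))
    if (src_zone, dst_zone) == (INSIDE, DMZ):
        return True
    if (src_zone, dst_zone) == (INSIDE, OUTSIDE):
        return pkt.proto == "tcp" and pkt.dport in (80, 443)
    # DMZ->inside, outside->inside and DMZ->outside are never initiated
    return False


class StatefulFilter:
    """Forwards packets between the NICs, but only for tracked connections."""

    def __init__(self) -> None:
        self.table = set()   # 5-tuples of permitted connections

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"          # reply or continuation of a known flow
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone == dst_zone:
            return "DROP"                 # the bastion never hairpins a segment
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"                 # mid-stream TCP with no state entry
        if allow_new(pkt, src_zone, dst_zone):
            self.table.add(fwd)
            return "NEW"
        return "DROP"


def stateless_decide(pkt: Packet) -> str:
    """Same policy without connection tracking. Replies need their own
    permanent rule ("anything from WEB:80/443 to outside"), which also
    admits packets that belong to no session at all."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if allow_new(pkt, src_zone, dst_zone):
        return "ACCEPT"
    if (src_zone, dst_zone) == (DMZ, OUTSIDE) and pkt.proto == "tcp" \
            and pkt.src == WEB and pkt.sport in (80, 443):
        return "ACCEPT"                   # the static "return traffic" hole
    return "DROP"


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.decide(Packet("tcp", "198.51.100.7", 40000, WEB, 80, syn=True)))
    print(fw.decide(Packet("tcp", WEB, 80, "198.51.100.7", 40000)))
    print(fw.decide(Packet("tcp", WEB, 80, "198.51.100.7", 40001)))
    print(stateless_decide(Packet("tcp", WEB, 80, "198.51.100.7", 40001)))
```

Run it and compare the third and fourth lines: the stateful filter drops an unsolicited packet from the web server's port 80 because no matching state entry exists, while the stateless ruleset has to accept it to let legitimate replies through. In both models the device still forwards packets between the segments; that is the behaviour the question contrasts with an application gateway, where each connection is terminated on the bastion and a separate connection is opened from it.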