
Real World Firewall Systems

Most installations combine circuit-level and application gateways, using the DMZ model of the previous slides. As mentioned, this implies the use of routers that can be configured to do packet filtering on IP addresses and/or TCP connections.
 
The bastion host normally runs, for example, the organisation's WWW server, its FTP server (if applicable) and any other public information services. It also usually acts as an email gateway. The WWW server is usually configured as a proxy for the hosts connected to the internal LANs (the Intranet). It may also perform a similar function for other services such as FTP.
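The packet filtering implied by this layout can be sketched as two first-match rule sets, one per router. This is an added example, not part of the original slides; the addresses (203.0.113.10 for the bastion, 10.0.0.0/8 for the internal LANs), the proxy port 8080 and the helper names are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple

BASTION = "203.0.113.10/32"   # constructed DMZ address (documentation range)
INTERNAL = "10.0.0.0/8"       # constructed internal LAN range
ANY = "0.0.0.0/0"

class Rule(NamedTuple):
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dports: frozenset  # destination TCP ports; empty set means any port

def rule(action, src, dst, *ports):
    return Rule(action, src, dst, frozenset(ports))

# Exterior router: between the Internet and the DMZ.
EXTERIOR = [
    rule("deny", INTERNAL, ANY),              # internal sources never cross here: spoofed
    rule("allow", ANY, BASTION, 80, 21, 25),  # public WWW, FTP control, SMTP on the bastion
    rule("allow", BASTION, ANY),              # bastion's outbound proxy and mail connections
    rule("deny", ANY, ANY),                   # default deny
]

# Interior router: between the DMZ and the internal LANs.
INTERIOR = [
    rule("allow", INTERNAL, BASTION, 8080, 25),  # LAN hosts reach only the proxy and mail gateway
    rule("allow", BASTION, INTERNAL, 25),        # mail relayed inward by the gateway
    rule("deny", ANY, ANY),                      # default deny
]

def decide(ruleset, src_ip, dst_ip, dport):
    """Action of the first rule matching a connection-opening (TCP SYN) packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in ruleset:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"

def reaches(src_ip, dst_ip, dport, routers):
    """True only if every router on the path allows the connection."""
    return all(decide(rs, src_ip, dst_ip, dport) == "allow" for rs in routers)
```

The model covers only connection-opening packets; a real router also needs rules (or state tracking) for the return traffic of allowed connections.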
 
This type of structure can be very effective, combining many of the best characteristics of all of the other types. However, the gateway system must usually be a general-purpose timeshared (and therefore Unix) system, which raises doubts about the safety and reliability of the proxy software processes. This is not a solved problem, for obvious reasons.
 
Although... highly secure versions of Unix for just such applications are now said to be available.
 

