
List:       firewalls-gc
Subject:    Re: Firewalls
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1995-10-15 14:52:17


> 
> We are planning to have a public access web/ftp site on the outside of a
> firewall. This machine does not need to be 100% secure. Our internal office net
> will also be connected to the same leased line and this net will need to be secure.
> We plan to use packet filters on the Ciscos and application proxies on the
> bastion machine:
> 
> 
>  ISP   +-----------+                      +-----------+
>  Lease | Cisco     |                      | Bastion   |  Application proxies
>  ----- | 2501      |----------------------| machine   |  primary DNS
>  Line  |           |          |           |           |
>        +-----------+          |           +-----------+
>                               |
>                               |           +-----------+
>                               |           | ftp/web   |  Insecure
>                               |-----------| machine   |  Public
>                               |           |           |  Access machine
>                               |           +-----------+
>                               |
>                         +-----------+
>                         | Cisco     |     Dual Homed
>                         | 2514      |     Gateway
>                         |           |
>                         +-----------+
>                               |
>                               |
>            -------------------|------------------------       Secure Internal
>            |                  |                       |       TCP/IP Network
>      +-----------+      +-----------+           +-----------+
>      | Machine   |      | Machine   |  .....    | Machine   |
>      | 1         |      | 2         |           | n         |
> 
> The bastion will also be the primary DNS machine and have our main hostname
> (something like mntcmp.co.uk).
> 
> My query is where can the ftp/web server be placed so that the traffic does
> not need to go via the bastion machine. Obviously we need to keep the web/ftp
> server as fast as possible, hence the requirement for it not to receive/TX
> traffic via the bastion.
> 
> Is this possible?
> 
> I believe the Cisco 2501 can only route to one designated machine (bastion).
> Is this correct? If so can we use a different Cisco to route ftp/www traffic
> directly to the ftp/www server and all other traffic to the bastion?
> Would this be a solution?
> 
> There will be no requirement for http to/from the secure office net. So a
> routing solution may be possible?
> 

Routes, from an external perspective, can be defined to either singular
hosts or to entire networks. The latter is the most common.

As long as your DNS resolves requests to your WWW/FTP server, it should
work fine. I'm not sure why you would think that you would need another
router to accomplish this. The only 'traffic' that would be going to
your DNS host is DNS lookups, which are necessary.  :-)

- paul
> 

-- 
Paul Ferguson                                           ||        ||
cisco Systems                                           ||        ||
Consulting Engineering                                 ||||      ||||
pferguso@cisco.com                                 ..:||||||:..:||||||:..
                                                   c i s c o S y s t e m s
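As an added example (not the poster's or Paul's configuration), here is how the 2501's routing and packet filter could be written in Cisco IOS for the diagram above, showing the point of the reply: one connected network, not a per-host route, reaches both the bastion and the ftp/web host, so only the filter decides which services each one exposes. The addressing (192.0.2.0/24 for the net between the 2501, bastion and ftp/web host, .2 for the bastion, .3 for the ftp/web host, 198.51.100.0/30 for the leased line) and the interface names are assumptions; the ISP assigns the real ones.

```cisco
! Assumed addressing: 192.0.2.0/24 is the net shared by the 2501, the
! bastion and the ftp/web host. 192.0.2.2 = bastion (proxies + primary DNS),
! 192.0.2.3 = ftp/web host. Both are on one connected network, so the
! router needs no host route and no second router to reach either of them.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0
 description leased line to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
!
! Default route toward the ISP. The 2501 carries no route to the office
! net behind the 2514: internal hosts reach out via the bastion's proxies.
ip route 0.0.0.0 0.0.0.0 Serial0
!
! Inbound filter from the ISP. The public host gets HTTP and FTP directly,
! the bastion gets only DNS. Return traffic for sessions the two hosts open
! themselves (and active-mode FTP data, which the server opens) is accepted
! only when ACK or RST is set ('established'). Everything else, including
! anything aimed at the internal net, falls to the final deny.
access-list 101 permit tcp any host 192.0.2.3 eq www
access-list 101 permit tcp any host 192.0.2.3 eq ftp
access-list 101 permit tcp any host 192.0.2.3 established
access-list 101 permit udp any host 192.0.2.2 eq domain
access-list 101 permit tcp any host 192.0.2.2 eq domain
access-list 101 permit tcp any host 192.0.2.2 established
access-list 101 deny ip any any
```

With this in place the zone on the bastion only needs A records for www and ftp that point at 192.0.2.3; clients resolve the name there, then connect straight to the ftp/web host, and the bastion sees nothing but the lookups. Two caveats a practitioner would want: this filter is stateless, so passive-mode FTP data connections (new SYNs from the client to a high port on the server) would additionally need `gt 1023` opened on 192.0.2.3, the usual hole in filters of this kind; and the internal net is protected only because the 2501 has no route to it and the 2514's own filter must still deny anything from outside that is not a reply from the bastion.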
