IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
- simplified rules for the packet filters
- additional security by a second packet filter (configuration 1 and 2)
- availability increases if several gateways are used
- extensive logging possible
Disadvantages:
- high price (as a powerful computer with one or two network
interfaces and at least one packet filter is required)
- if the packet filters are manipulated in a screened sub-net with an
application gateway with an interface (see configuration 2, 4 and 6),
a direct connection is possible bypassing the gateway. This can also
be a desired function (e.g. in case of new services)
As a result of the above advantages and disadvantages of the various
configurations, only a screened sub-net with a dual-homed gateway
(configuration 1) is recommended. In this case, the gateway is between the
network requiring protection and the external network and must be passed in
any case.
So-called proxy processes run on the application gateway. These set up the
connection with the target computer after authentication of the user and filter
the data in accordance with the information of the application layer.
Connections without proxy processes are not possible.
The more flexible but less secure option consisting of an application gateway
with just one interface (configuration 2) should only be used if higher
flexibility is absolutely necessary.
The computers involved must be set up in such a way that only the essential
programs run on them (minimal system), and that these programs are correctly
configured and all known weaknesses are eliminated.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000