Firewall Wizards
mailing list archives
SingleHomedHost
From: "Al.G. Protosimaki" <aprotosimaki () hotmail com>
Date: Thu, 24 May 2001 15:45:26
I am hoping someone can help with this problem.
I am reading Building Internet Firewalls (O'Reilly).
In their design section, they discuss a Screened Host deployment, which
consists of:
1. A packet-filtering router
2. A single-homed host running a Proxy Server
3. A LAN
INTERNET ------- PFR ------------- LAN
|
|
PS
I understand why the Packet-Filtering Router needs to be configured so
that it will only allow incoming connections that are destined for the Proxy
Server.
I also understand why the Packet-Filtering Router should drop outgoing
packets, unless they originate from the Proxy Server.
However, since the Proxy Server only has one NIC, and since it appears to be
on the same segment as the internal LAN, how does the Proxy Server intercept
outgoing traffic?
Building Internet Firewalls seems to suggest that the NIC needs to be put
into promiscuous mode, so that it can intercept all outbound traffic. This
seems to me to be a strange solution.
For example, if the LAN uses a switch, how can the PS intercept
the traffic?
I guess my problem is that I do not understand, from a network design
perspective, how one can design a network system that forces all outgoing
traffic to be diverted to the single-homed box.
Any ideas?
Thanks
/SB
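
The two router rules described in the message above (incoming only to the Proxy Server, outgoing only from the Proxy Server), modeled as a first-match filter table with a default drop. This is an added example, not part of the original post or of the book; the addresses, interface names and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption; the post gives no addresses).
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY = ipaddress.ip_network("192.168.1.10/32")   # single-homed proxy server (PS)

# First-match rule table for the packet-filtering router (PFR).
# Each rule: (arrival interface, source net, destination net, action).
RULES = [
    ("outside", ANY, PROXY, "permit"),   # incoming: only to the proxy server
    ("inside", PROXY, ANY, "permit"),    # outgoing: only from the proxy server
]
DEFAULT_ACTION = "drop"                  # anything not matched above


def evaluate(iface, src, dst):
    """Return the action of the first matching rule, or the default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_iface, src_net, dst_net, action in RULES:
        if iface == rule_iface and src_ip in src_net and dst_ip in dst_net:
            return action
    return DEFAULT_ACTION


# Constructed sample packets: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.5", "192.168.1.10"),   # Internet -> proxy server
    ("outside", "203.0.113.5", "192.168.1.25"),   # Internet -> ordinary LAN host
    ("inside", "192.168.1.10", "198.51.100.7"),   # proxy server -> Internet
    ("inside", "192.168.1.25", "198.51.100.7"),   # ordinary LAN host -> Internet
]


def decisions(packets=SAMPLE_PACKETS):
    """Evaluate each sample packet against the rule table, in order."""
    return [evaluate(*p) for p in packets]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, decisions()):
        print(pkt, "->", action)
```

In this model the last packet, sent directly by an ordinary LAN host, is dropped at the router; the filter itself does not divert it to the proxy server.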