[fw-wiz] Content Switch as security device?

From: Ludolph, Michel (Michel.Ludolph@atosorigin.com)
Date: 01/29/03


From: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed Jan 29 14:59:01 2003

This afternoon I had a discussion with a colleague. He told me about a
proposed Corporate Internet connection. Instead of using a Firewall between
the DMZ and the external network, the idea was to use a Cisco Content
Switch. This would result in the following architecture: Internet -->
screening router --> Content Switch --> router --> web servers.

This would mean that the Content Switch also acts as a sort of
proxy-firewall, justified by the fact that only defined ports are permitted.

I do not feel very comfortable with this solution. What about syn-floods and
fragmentation attacks? Further, a Content Switch is not designed to act as a
security device (it may listen to ports you are not aware of).

Has anyone come across such a solution, or have any thoughts on this?

Thanks,

Michel Ludolph
michel.ludolph@atosorigin.com