
RE: [FW1] why not a bridge?



Paul--

I agree that making your FW as transparent as possible is a good thing.
Consider though:

Linux can act as a bridge.  Supposedly Solaris with SunScreen can
(http://www.boran.com/security/it12-firewall.html#Heading55) but I've never
tried it.  From poking around on Nokias I'd be willing to say that they
can't bridge.  No clue about NT/2000.  Given this diversity and CP trying to
create a product that runs as close to identically on any platform as
possible I'd say that bridging is out.

If I had a situation where I was considering bridging I would ask why I was
in fact thinking about it.  Do I have a network with a small subnet mask (say,
less than 23 bits) and have to bridge across a bunch of switches/hubs?
That's poor network design and should be more of an issue than getting a FW
to bridge.  Do I have remote networks that are a subset of my internal IP
address space?  That's a call for a VPN after you shift the remote addresses
out of your current defined space.  Am I looking to solve some specific
problem like ARPing across IP subnets or broadcasting NetBIOS info?  Most of
this can be handled by your FW rules and your network gear.

Just thoughts.

Chris

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, January 26, 2001 3:57 PM
To: [email protected]
Subject: RE: [FW1] why not a bridge?



Andrew,

I hate to say this, but... try thinking outside the box!  Just because the
bridge you bought ten years ago doesn't have the functionality that I am
suggesting doesn't mean that it shouldn't be done!  Or tried at least.

I am not mistaking anything, I just think that it would be more secure if
the firewall was transparent.

Does Checkpoint RELY on packets going from one subnet to any other?  I
don't see why.  If I have a two-port FW that is running as a bridge then
I don't see why Checkpoint couldn't handle it.

On Fri, 26 Jan 2001 [email protected] wrote:

> no no no no no
> 
> the point of a bridge is that it works at the datalink layer not the network
> layer, i.e. a bridge knows NOTHING about IP. So any IP inspection can not be
> done by a true bridge.
> 
> So it can't inspect anything.
> 
> Also do not get bridging confused with packet address translation (PIX).
> 
> Checkpoint expects packets to move from one IP subnet to another so you will
> not be able to bridge.
> 
> Anyway, what's so hard about routing?
> 
> Andrew Shore
> BTcd 
> Information Systems Engineering
> Internet & Multimedia 
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: 26 January 2001 16:06
> To: [email protected]
> Subject: RE: [FW1] why not a bridge?
> 
> 
> 
> First, I had tonnes of people let me know that Lucent's FW always works (or
> can work?) as a bridge.
> 
> Second, I don't imagine it would be too hard to write bridging software
> that actually does inspect the TCP/IP stack.  I mean if you take a closer
> look at how Checkpoint says they examine packets, they do it
> already.  Checkpoint software itself does not route packets.  I
> wonder... If I installed bridging software on my Linux box, would
> Checkpoint still work?  I think I might try that...
> 
> anyone think of a reason why it wouldn't work?  anyone think of a reason
> why I wouldn't want to do this?
> 
> What do you think?
> --Paul
> 
> 
> On Fri, 26 Jan 2001, Dean Cunningham wrote:
> 
> > Some thoughts.... have never seen the Sun firewall.... a bridge in its
> > purest sense works at the Ethernet address level, just a glorified repeater
> > with some knowledge as to what segment a MAC address is on.
> > 
> > This makes the segments and the bridge vulnerable to broadcast storms for
> > one thing. This reduces usable bandwidth. One would also assume DoS
> > potential.
> > 
> > Now a firewall that acts as a bridge could probably handle that... dunno...
> > 
> > I think it is more that as the focus on TCP/IP over the past 10 years has
> > increased, the use of other protocols and more importantly, non-routable
> > protocols such as DLC and NetBIOS/NetBEUI usage has decreased to the extent
> > there is not a big market.
> > Sorta VHS vs Beta, the market and the marketers chose the winner.
> > 
> > 
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, 26 January 2001 10:49 AM
> > To: [email protected]
> > Subject: [FW1] why not a bridge?
> > 
> > 
> > 
> > Can anyone explain why Sun is the only company that seems to produce a
> > firewall that runs as a bridge?  I can't see why this isn't a more common
> > practice.
> > 
> > 
> 
> 

-- 
--Paul

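The disagreement above (Andrew: "a bridge knows NOTHING about IP, so it can't inspect anything"; Paul: "it would not be hard to write bridging software that actually does inspect the TCP/IP stack") is easy to settle with a small model. The following is an added example written for this archive page, not code from the thread, from Check Point, Lucent or Sun: a two-port learning bridge that forwards frames byte-for-byte (no TTL decrement, no MAC rewrite, no IP address of its own) but parses the IPv4/TCP headers inside each frame and applies a stateful accept/drop rule set before forwarding. Every MAC, address and rule in it is constructed test data; the rule syntax and port names are this example's own.

```python
"""Toy transparent (bridging) firewall: learns MACs and forwards frames
unchanged like a bridge, but inspects the IPv4/TCP headers inside each
frame against a stateful rule set first. Added example for this thread,
not code from any product named in it; all addresses are constructed."""
import ipaddress
import struct
from collections import namedtuple
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
TCP_SYN, TCP_ACK = 0x02, 0x10
BROADCAST = "ff:ff:ff:ff:ff:ff"
Flow = namedtuple("Flow", "src dst sport dport flags")
Rule = namedtuple("Rule", "src dst dport action")   # dport None = any port


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, ttl=64):
    """Ethernet + IPv4 + TCP frame (checksums left zero; test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, IPPROTO_TCP,
                     0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_arp_request(src_mac):
    """Broadcast ARP frame: a bridge forwards it, a router would not."""
    return mac(BROADCAST) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def parse_ipv4_tcp(frame: bytes) -> Optional[Flow]:
    """Flow for an IPv4/TCP frame; None for ARP or anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length
    tcp = 14 + ihl
    if frame[23] != IPPROTO_TCP or len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return Flow(ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34]),
                sport, dport, frame[tcp + 13])


def rule(src, dst, dport, action):
    return Rule(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), dport, action)


class BridgingFirewall:
    """Two-port learning bridge with IP/TCP inspection and a connection table."""

    def __init__(self, rules, ports=("inside", "outside")):
        self.rules, self.ports = rules, ports
        self.fdb = {}           # MAC -> port, learned from source addresses
        self.conntrack = set()  # (src, sport, dst, dport) of accepted connections

    def _allowed(self, f: Flow) -> bool:
        key, rev = (f.src, f.sport, f.dst, f.dport), (f.dst, f.dport, f.src, f.sport)
        if key in self.conntrack or rev in self.conntrack:
            return True                      # established, either direction
        if f.flags & TCP_SYN and not f.flags & TCP_ACK:
            for r in self.rules:             # first match wins
                if f.src in r.src and f.dst in r.dst and r.dport in (None, f.dport):
                    if r.action == "accept":
                        self.conntrack.add(key)
                    return r.action == "accept"
        return False                         # default deny, incl. stateless non-SYNs

    def handle(self, in_port, frame):
        """(out_port, frame) if forwarded, (None, None) if dropped. The frame goes
        out byte-identical: no TTL decrement, no MAC rewrite, no IP of its own."""
        dst_mac, src_mac = frame[0:6], frame[6:12]
        self.fdb[src_mac] = in_port
        flow = parse_ipv4_tcp(frame)
        if flow is not None and not self._allowed(flow):
            return None, None
        out = self.fdb.get(dst_mac)
        if out == in_port:
            return None, None                # never echo to the ingress port
        if out is None:                      # unknown or broadcast MAC: flood
            out = self.ports[1] if in_port == self.ports[0] else self.ports[0]
        return out, frame


def demo():
    """Constructed walk-through; returns {scenario: out_port or None}."""
    fw = BridgingFirewall([rule("0.0.0.0/0", "192.0.2.10/32", 80, "accept"),
                           rule("192.0.2.0/24", "0.0.0.0/0", None, "accept")])
    web, client, attacker = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    syn = build_frame(web, client, "198.51.100.7", "192.0.2.10", 40000, 80, TCP_SYN)
    out, fwd = fw.handle("outside", syn)
    return {
        "client SYN to web:80": out,
        "frame unchanged": fwd == syn,
        "web SYN/ACK reply": fw.handle("inside", build_frame(
            client, web, "192.0.2.10", "198.51.100.7", 80, 40000, TCP_SYN | TCP_ACK))[0],
        "attacker SYN to web:22": fw.handle("outside", build_frame(
            web, attacker, "198.51.100.9", "192.0.2.10", 40001, 22, TCP_SYN))[0],
        "stray ACK, no state": fw.handle("outside", build_frame(
            web, attacker, "198.51.100.9", "192.0.2.10", 40002, 80, TCP_ACK))[0],
        "ARP broadcast from web": fw.handle("inside", build_arp_request(web))[0],
    }
```

Running demo() shows the two properties the thread argues about side by side: the forwarding decision is purely Layer 2 (learned MAC table, flooding of unknown and broadcast destinations, never echoing to the ingress port, ARP passed through untouched), while the accept/drop decision is Layer 3/4 and stateful (a SYN to the web server on port 80 is accepted and recorded, the SYN/ACK is matched as the reverse of that connection, a SYN to port 22 and a stray ACK with no state are both dropped). Nothing in the filtering step needed the two sides to be different IP subnets, which is the point of Paul's question; what it does need, as Chris notes, is that you have a reason to want the firewall invisible at Layer 3 rather than simply routing.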


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

