
RE: [FW1] why not a bridge?



Paul--

I agree that making your FW as transparent as possible is a good thing.
Consider though:

Linux can act as a bridge.  Supposedly Solaris with SunScreen can
(http://www.boran.com/security/it12-firewall.html#Heading55) but I've never
tried it.  From poking around on Nokias I'd be willing to say that they
can't bridge.  No clue about NT/2000.  Given this diversity and CP trying to
create a product that runs as close to identically on any platform as
possible I'd say that bridging is out.

If I had a situation where I was considering bridging I would ask why I was
in fact thinking about it.  Do I have a network with a small subnet mask (less
than 23 bits) and have to bridge across a bunch of switches/hubs?  That's
poor network design and should be more of an issue than getting a FW to
bridge.  Do I have remote networks that are a subset of my internal IP
address space?  That's a call for a VPN.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, January 26, 2001 3:57 PM
To: [email protected]
Subject: RE: [FW1] why not a bridge?



Andrew,

I hate to say this, but... try thinking outside the box!  Just because the
bridge you bought ten years ago doesn't have the functionality that I am
suggesting doesn't mean that it shouldn't be done!  Or tried at least.

I am not mistaking anything, I just think that it would be more secure if
the firewall was transparent.

Does checkpoint RELY on packets going from one subnet to another?  I
don't see why.  If I have a two port FW that is running as a bridge then
I don't see why checkpoint couldn't handle it.

On Fri, 26 Jan 2001 [email protected] wrote:

> no no no no no 
> 
> the point of a bridge is that it works at the datalink layer not the network
> layer. i.e. a bridge knows NOTHING about IP. So any IP inspection can not be
> done by a true bridge.
> 
> SO it can't inspect anything
> 
> Also DO not get bridging confused with packet address translation (PIX)
> 
> Checkpoint expects packets to move from one IP subnet to another so you
will
> not be able to bridge.
> 
> Anyway, what's so hard about routing?
> 
> Andrew Shore
> BTcd 
> Information Systems Engineering
> Internet & Multimedia 
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: 26 January 2001 16:06
> To: [email protected]
> Subject: RE: [FW1] why not a bridge?
> 
> 
> 
> First, I had tonnes of people let me know that Lucent's FW always works (or
> can work?) as a bridge.
> 
> Second,  I don't imagine it would be too hard to write bridging software
> that actually does inspect the TCP/IP stack.  I mean if you take a closer
> look at how checkpoint says they examine packets, they do it
> already.  Checkpoint software itself does not route packets.  I
> wonder... If I installed bridging software on my linux box, would
> checkpoint still work?  I think I might try that... 
> 
> anyone think of a reason why it wouldn't work?  anyone think of a reason
> why I wouldn't want to do this?
> 
> What do you think?
> --Paul
> 
> 
> On Fri, 26 Jan 2001, Dean Cunningham wrote:
> 
> > Some thoughts.... have never seen the sun firewall.... a bridge in its
> > purest sense, works at the ethernet address level, just a glorified repeater
> > with some knowledge as to what segment a MAC address is on.
> > 
> > This makes the segments and the bridge vulnerable to broadcast storms for
> > one thing. This reduces usable bandwidth. One would also assume DOS
> > potential.
> > 
> > Now a firewall that acts as a bridge could probably handle that...
> dunno...
> > 
> > I think it is more that as the focus on TCP/IP over the past 10 years has
> > increased, the use of other protocols and more importantly, non routable
> > protocols such as dlc and netbios/netbeui usage has decreased to the extent
> > there is not a big market.
> > Sorta VHS vs Beta, the market and the marketers chose the winner.
> > 
> > 
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, 26 January 2001 10:49 AM
> > To: [email protected]
> > Subject: [FW1] why not a bridge?
> > 
> > 
> > 
> > Can anyone explain why Sun is the only company that seems to produce a
> > firewall that runs as a bridge?  I can't see why this isn't a more common
> > practice.
> > 
> > 
> 
> 

-- 
--Paul



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


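The inspecting bridge the thread argues about, as an added example that is not from any of the posters and is not Check Point, Lucent or SunScreen code: a two-port learning bridge that forwards purely on MAC addresses, exactly as Andrew describes a bridge, but parses the IPv4 and TCP/UDP headers carried inside each frame before deciding whether to forward it, which is what Paul is proposing. The MAC addresses (IANA documentation range), the IP addresses (TEST-NET ranges), the rule set and every frame below are constructed for this example and are hypothetical.

```python
import struct

# Constants and sample data below are constructed for this example; the
# bridge, hosts, MACs and addresses are hypothetical, not taken from the thread.
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_EXPERIMENTAL = 0x88B5   # "local experimental" EtherType, standing in for a non-IP protocol
PROTO_TCP, PROTO_UDP = 6, 17
OUTSIDE, INSIDE = 0, 1        # the bridge's two ports

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv4(text):
    return bytes(int(o) for o in text.split("."))

def ethernet(dst, src, ethertype, payload=b""):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ip_tcp(src_ip, dst_ip, sport, dport):
    # 20-byte IPv4 header without options + 20-byte TCP SYN; checksums left 0 (not verified here).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                      ipv4(src_ip), ipv4(dst_ip))
    return hdr + tcp

class InspectingBridge:
    """Two-port learning bridge with an IP-layer policy bolted on.

    Forwarding decisions use only MAC addresses, as a plain bridge does.  The
    policy step additionally parses the IPv4 and TCP/UDP headers in the frame
    when the EtherType says IPv4.  Frames arriving on INSIDE are trusted; frames
    arriving on OUTSIDE must match an accept rule.  The policy is stateless:
    replies from the inside pass by direction, not by connection tracking.
    """

    def __init__(self, rules, allowed_ethertypes=frozenset({ETH_P_ARP})):
        self.fdb = {}                         # MAC -> port it was last seen on
        self.rules = rules                    # (proto, dst_ip, dst_port); None is a wildcard
        self.allowed_ethertypes = allowed_ethertypes

    def inspect(self, frame, in_port):
        """Return 'accept' or 'drop' for a frame entering on in_port."""
        if in_port == INSIDE:
            return "accept"
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETH_P_IP:
            # ARP must pass or hosts on the far segment can never be reached at all;
            # anything else that is not IP is dropped rather than bridged blindly.
            return "accept" if ethertype in self.allowed_ethertypes else "drop"
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        dst_ip = ".".join(str(b) for b in frame[14 + 16:14 + 20])
        dport = None
        if proto in (PROTO_TCP, PROTO_UDP):
            dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        for r_proto, r_ip, r_port in self.rules:
            if r_proto in (None, proto) and r_ip in (None, dst_ip) and r_port in (None, dport):
                return "accept"
        return "drop"

    def handle(self, frame, in_port):
        """Learn the source MAC, apply policy, then forward the way a bridge would."""
        dst, src = frame[0:6], frame[6:12]
        self.fdb[src] = in_port
        if self.inspect(frame, in_port) != "accept":
            return ("drop", None)
        if self.fdb.get(dst) == in_port:
            return ("filter", None)          # destination is on the ingress segment: don't repeat it
        return ("forward", 1 - in_port)      # known on the other port, or unknown/broadcast: flood it

def demo():
    """Run constructed frames through the bridge and return the verdicts in order."""
    rules = [(PROTO_TCP, "192.0.2.10", 80), (PROTO_TCP, "192.0.2.10", 443)]
    bridge = InspectingBridge(rules)
    client, server, server2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    router, bcast = "00:00:5e:00:53:fe", "ff:ff:ff:ff:ff:ff"
    verdicts = []
    # 1. Inside server talks first; bridge learns its MAC on INSIDE and floods the unknown router.
    verdicts.append(bridge.handle(ethernet(router, server, ETH_P_IP,
                                           ip_tcp("192.0.2.10", "198.51.100.5", 80, 40000)), INSIDE))
    # 2. Outside client to the web port: matches a rule, forwarded to the learned port.
    verdicts.append(bridge.handle(ethernet(server, client, ETH_P_IP,
                                           ip_tcp("198.51.100.5", "192.0.2.10", 40001, 80)), OUTSIDE))
    # 3. Outside client to telnet: no rule, dropped even though the bridge knows the MAC.
    verdicts.append(bridge.handle(ethernet(server, client, ETH_P_IP,
                                           ip_tcp("198.51.100.5", "192.0.2.10", 40002, 23)), OUTSIDE))
    # 4. ARP broadcast from outside: not IP, but allowed so address resolution keeps working.
    verdicts.append(bridge.handle(ethernet(bcast, client, ETH_P_ARP, b"\x00" * 28), OUTSIDE))
    # 5. Some non-IP protocol from outside: a plain bridge would repeat it; this one drops it.
    verdicts.append(bridge.handle(ethernet(bcast, client, ETH_P_EXPERIMENTAL, b"\x00" * 46), OUTSIDE))
    # 6. Inside-to-inside frame seen on the inside port: filtered, exactly as any bridge would.
    verdicts.append(bridge.handle(ethernet(server, server2, ETH_P_IP,
                                           ip_tcp("192.0.2.11", "192.0.2.10", 40003, 22)), INSIDE))
    return verdicts

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Andrew's point that a bridge knows nothing about IP is true of the forwarding step (`handle`), and Paul's point that nothing stops the same box from looking inside the frame is what `inspect` does; the two are independent, which is why a bridging firewall never has to rewrite an address or sit between two subnets. The caveats a practitioner runs into are in the non-IP branch: drop ARP and nothing on the far segment is reachable, pass every EtherType and you have bridged exactly the non-routable protocols Dean mentions straight through the firewall. On Linux the kernel's bridge device with the netfilter bridge family (ebtables, and later the bridge family in nftables) is the in-kernel version of this split. The policy above is deliberately stateless; a real deployment would track connections instead of trusting everything that arrives on the inside port.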



   All contents © 2004 Network Presence, LLC. All rights reserved.