RE: [FW1] why not a bridge?
Paul--

I agree that making your FW as transparent as possible is a good thing. Consider though: Linux can act as a bridge. Supposedly Solaris with SunScreen can (http://www.boran.com/security/it12-firewall.html#Heading55) but I've never tried it. From poking around on Nokias I'd be willing to say that they can't bridge. No clue about NT/2000. Given this diversity and CP trying to create a product that runs as close to identically on any platform as possible, I'd say that bridging is out.

If I had a situation where I was considering bridging I would ask why I was in fact thinking about it. Do I have a network with a small subnet mask (less than 23 bits) and have to bridge across a bunch of switches/hubs? That's poor network design and should be more of an issue than getting a FW to bridge. Do I have remote networks that are a subset of my internal IP address space? That's a call for a VPN.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, January 26, 2001 3:57 PM
To: [email protected]
Subject: RE: [FW1] why not a bridge?

Andrew,

I hate to say this, but... try thinking outside the box! Just because the bridge you bought ten years ago doesn't have the functionality that I am suggesting doesn't mean that it shouldn't be done! Or tried at least. I am not mistaking anything, I just think that it would be more secure if the firewall was transparent. Does Check Point RELY on packets going from one subnet to another? I don't see why. If I have a two port FW that is running as a bridge then I don't see why Check Point couldn't handle it.

On Fri, 26 Jan 2001 [email protected] wrote:

> no no no no no
>
> the point of a bridge is that it works at the datalink layer not the network
> layer. ie a bridge knows NOTHING about IP. So any IP inspection can not be
> done by a true bridge.
>
> SO it can't inspect anything
>
> Also DO not get bridging confused with packet address translation (PIX)
>
> Checkpoint expects packets to move from one IP subnet to another so you will
> not be able to bridge.
>
> Anyway what's so hard about routing.
>
> Andrew Shore
> BTcd
> Information Systems Engineering
> Internet & Multimedia
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: 26 January 2001 16:06
> To: [email protected]
> Subject: RE: [FW1] why not a bridge?
>
>
> First, I had tonnes of people let me know that Lucent's FW always works (or
> can work?) as a bridge.
>
> Second, I don't imagine it would be too hard to write bridging software
> that actually does inspect the TCP/IP stack. I mean if you take a closer
> look at how Check Point says they examine packets, they do it
> already. Check Point software itself does not route packets. I
> wonder... If I installed bridging software on my linux box, would
> Check Point still work? I think I might try that...
>
> anyone think of a reason why it wouldn't work? anyone think of a reason
> why I wouldn't want to do this?
>
> What do you think?
> --Paul
>
>
> On Fri, 26 Jan 2001, Dean Cunningham wrote:
>
> > Some thoughts.... have never seen the sun firewall.... a bridge in its
> > purest sense works at the ethernet address level, just a glorified
> > repeater with some knowledge as to what segment a MAC address is on.
> >
> > This makes the segments and the bridge vulnerable to broadcast storms for
> > one thing. This reduces usable bandwidth. One would also assume DOS
> > potential.
> >
> > Now a firewall that acts as a bridge could probably handle that...
> > dunno...
> >
> > I think it is more that as the focus on TCP/IP over the past 10 years has
> > increased, the use of other protocols and more importantly, non routable
> > protocols such as dlc and netbios/netbeui usage has decreased to the
> > extent there is not a big market.
> > Sorta VHS vs Beta, the market and the marketers chose the winner.
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Friday, 26 January 2001 10:49 AM
> > To: [email protected]
> > Subject: [FW1] why not a bridge?
> >
> >
> > Can anyone explain why Sun is the only company that seems to produce a
> > firewall that runs as a bridge? I can't see why this isn't a more common
> > practice.
> >
> >
> > --
> > --Paul

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
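The disagreement in the thread (Andrew: "a bridge knows NOTHING about IP, so it can't inspect anything"; Paul: "it would not be too hard to write bridging software that actually does inspect the TCP/IP stack") comes down to whether layer-2 forwarding and layer-3/4 inspection are really coupled. They are not, and the following toy transparent firewall shows why. It is an added example written for this page, not Check Point's, SunScreen's, Lucent's or Linux's code and not posted by anyone in the thread. It forwards frames purely on learned MAC addresses (never rewriting a byte and never consulting a routing table, so both hosts can sit in one subnet), but parses the IPv4/TCP headers inside IP frames and applies a rule base before deciding whether to forward. The MAC addresses (locally administered 02:..), the 192.0.2.0/24 documentation addresses, the two-rule policy and the frames themselves are all constructed for the example; checksums are left at zero because nothing here verifies them.

```python
"""Toy transparent (bridging) firewall: MAC learning and flooding like a plain
bridge, plus IPv4/TCP inspection on the same frames.  Example code for this
page only; addresses, MACs and frames are constructed, not captured."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_TCP = 6
BROADCAST = b"\xff" * 6
OUTSIDE, INSIDE = 0, 1          # the two bridge ports


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]        # None matches any IP protocol
    dport: Optional[int]        # None matches any destination port
    action: str                 # "accept" or "drop"


@dataclass
class TransparentBridge:
    rules: list
    fdb: dict = field(default_factory=dict)     # learned MAC -> port

    def process(self, in_port: int, frame: bytes):
        """Return (verdict, out_ports).  The frame is forwarded unmodified
        to out_ports; the bridge has no IP address and never routes."""
        if len(frame) < 14:
            return "drop:runt", []
        dst_mac, src_mac = frame[:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        self.fdb[src_mac] = in_port               # L2 learning, for any payload
        if ethertype == ETH_P_IP:                 # L3/L4 policy only for IP frames
            verdict = self._inspect_ip(frame[14:])
            if verdict != "accept":
                return verdict, []
        out = self.fdb.get(dst_mac)
        if dst_mac == BROADCAST or out is None:   # unknown/broadcast: flood
            out_ports = [p for p in (OUTSIDE, INSIDE) if p != in_port]
        elif out == in_port:                      # destination on ingress segment
            out_ports = []
        else:
            out_ports = [out]
        return "accept", out_ports

    def _inspect_ip(self, pkt: bytes) -> str:
        """First-match evaluation of the rule base against the IPv4/TCP headers."""
        if len(pkt) < 20:
            return "drop:short-ip"
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
        dport = None
        if proto == IPPROTO_TCP and len(pkt) >= ihl + 4:
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        for r in self.rules:
            if (src in r.src and dst in r.dst
                    and (r.proto is None or r.proto == proto)
                    and (r.dport is None or r.dport == dport)):
                return "accept" if r.action == "accept" else "drop:rule"
        return "drop:default"                     # implicit deny


def ip_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed Ethernet II + IPv4 (no options) + 20-byte TCP SYN, checksums zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP,
                     0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + tcp


def arp_request(src_mac, src_ip, target_ip) -> bytes:
    """Constructed broadcast ARP request: a non-IP frame the bridge passes untouched."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1, src_mac,
                      IPv4Address(src_ip).packed, b"\x00" * 6,
                      IPv4Address(target_ip).packed)
    return BROADCAST + src_mac + struct.pack("!H", ETH_P_ARP) + arp


def demo():
    """Web server 192.0.2.10 inside, client 192.0.2.20 outside, same /24, no routing."""
    web, client = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    policy = [
        Rule(IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.10/32"), IPPROTO_TCP, 80, "accept"),
        Rule(IPv4Network("192.0.2.10/32"), IPv4Network("0.0.0.0/0"), None, None, "accept"),
    ]
    fw = TransparentBridge(policy)
    return {
        "arp":   fw.process(OUTSIDE, arp_request(client, "192.0.2.20", "192.0.2.10")),
        "http":  fw.process(OUTSIDE, ip_tcp_frame(client, web, "192.0.2.20", "192.0.2.10", 40000, 80)),
        "reply": fw.process(INSIDE, ip_tcp_frame(web, client, "192.0.2.10", "192.0.2.20", 80, 40000)),
        "ssh":   fw.process(OUTSIDE, ip_tcp_frame(client, web, "192.0.2.20", "192.0.2.10", 40001, 22)),
    }


if __name__ == "__main__":
    for name, (verdict, ports) in demo().items():
        print(f"{name:6s} {verdict:13s} -> ports {ports}")
```

In `demo()` the ARP request is flooded through without any IP lookup, the HTTP SYN is accepted by the first rule and flooded because the server's MAC is not yet learned, the server's reply is accepted by the second rule and forwarded to the port the client was learned on, and the SSH attempt falls through to the implicit deny. The point Dean raised still stands for a design like this: broadcasts and non-IP traffic are forwarded as a plain bridge would, so anything you want to rate-limit or block at layer 2 needs its own rules rather than the IP policy.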