
Re: [FW1] GRE Decoding



This is precisely why enabling encapsulation to plow through a firewall is
generally a bad idea.  You'll need to determine how this type of traffic
violates your intentions when you designed the policy and look toward
another solution.

If simple accounting and tracking of traffic across the tunnel is what
you're interested in, throw together a cheap IDS.  If you're interested in
firewalling off in/outbound traffic over the tunnel, toss a cheap firewall
on the end you control.

I suppose it would be possible if CP was capable of inspecting the
encapsulated payload, but the overhead on such a task would render the
firewall even more useless for other types of security policy enforcement.

-peter

On Tue, 6 Feb 2001 [email protected] wrote:

> 
> Here's an odd question that I'm not sure there's an answer to, but I'll ask
> anyways.....
> 
> We are looking to implement Cisco-Cisco Tunnels between sites that are
> connected via Frame Relay AND a FW-1 VPN tunnel. The reason being is that we
> can control routing decisions at each cisco by having the remote LAN
> available via a Frame Relay (128Mbs) and a T-1 to the internet on each side
> with a VPN tunnel. It's hard to describe in brief in an email, but that's
> not the point....
> 
> The point is: with the Cisco to Cisco tunnel, it will encapsulate everything
> in GRE. So, in the FW logs, I will see GRE traffic from router to router,
> and not HTTP/FTP/Netbios/etc traffic from host to host. Does anybody know a
> way for the FW to decode that encapsulated packet when it writes into the
> logs. If everything is in GRE, it will minimize the ability of the FW logs
> for troubleshooting and management. It's not a show stopper, but I would
> like to know if it's possible.
> 
> Any information would be greatly appreciated.
> 
> TIA,
> 
> Dave O.
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
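The decoding step the thread is asking about, as an added illustration (not code from either poster, Check Point, or Cisco): a small parser that takes a raw IPv4 frame, stops at the outer header the way a firewall logging "router A -> router B, protocol 47" does, and then, if the frame is GRE (RFC 2784 base header, RFC 2890 key and sequence fields), strips the GRE header and reports the inner source, destination, protocol and ports that a GRE-aware sensor on the tunnel endpoint could log instead. The sample frame, its addresses and the GRE key are constructed inline and are assumptions, not values from the original message.

```python
"""Decode the packet carried inside a GRE tunnel from a raw IPv4 frame.

Shows the difference between what a firewall that stops at the outer IP
header logs and what a GRE-aware sensor at the tunnel endpoint could log.
The sample frames below are constructed here; every address and the GRE
key are made-up illustration values.
"""
import socket
import struct
from typing import Any, Dict, Optional

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an inner IPv4 packet
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}


def parse_ipv4(buf: bytes) -> Dict[str, Any]:
    """Parse an IPv4 header; the payload is trimmed to the total-length field."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": buf[ihl:total_len]}


def parse_gre(buf: bytes) -> Dict[str, Any]:
    """Parse a GRE version 0 header, honouring the C, K and S optional-field bits."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, ptype = struct.unpack("!HH", buf[:4])
    if flags_ver & 0x0007 != 0:
        raise ValueError("unsupported GRE version")
    c_bit, k_bit, s_bit = flags_ver & 0x8000, flags_ver & 0x2000, flags_ver & 0x1000
    # Each optional field occupies 4 bytes: checksum+reserved1, key, sequence.
    need = 4 + (4 if c_bit else 0) + (4 if k_bit else 0) + (4 if s_bit else 0)
    if len(buf) < need:
        raise ValueError("truncated GRE optional fields")
    gre: Dict[str, Any] = {"protocol_type": ptype, "key": None, "seq": None}
    off = 4 + (4 if c_bit else 0)          # skip checksum/reserved1 if present
    if k_bit:
        gre["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if s_bit:
        gre["seq"] = struct.unpack("!I", buf[off:off + 4])[0]
    gre["payload"] = buf[need:]
    return gre


def summarize(frame: bytes) -> Dict[str, Any]:
    """Return the outer (firewall) view and, for GRE frames, the decoded inner view."""
    outer = parse_ipv4(frame)
    result: Dict[str, Any] = {
        "outer": "%s -> %s %s" % (outer["src"], outer["dst"],
                                  PROTO_NAMES.get(outer["proto"], str(outer["proto"]))),
        "inner": None,
    }
    if outer["proto"] != GRE_PROTO:
        return result                      # nothing to decode; not a GRE frame
    gre = parse_gre(outer["payload"])
    if gre["protocol_type"] != ETHERTYPE_IPV4:
        result["inner"] = {"protocol_type": hex(gre["protocol_type"])}
        return result                      # e.g. bridged Ethernet; not handled here
    inner = parse_ipv4(gre["payload"])
    summary: Dict[str, Any] = {
        "src": inner["src"], "dst": inner["dst"],
        "proto": PROTO_NAMES.get(inner["proto"], str(inner["proto"])),
        "gre_key": gre["key"],
    }
    if inner["proto"] in (6, 17) and len(inner["payload"]) >= 4:
        summary["sport"], summary["dport"] = struct.unpack("!HH", inner["payload"][:4])
    result["inner"] = summary
    return result


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_gre(ptype: int, key: Optional[int] = None) -> bytes:
    """GRE version 0 header, with the K bit and a 32-bit key when one is given."""
    if key is None:
        return struct.pack("!HH", 0, ptype)
    return struct.pack("!HHI", 0x2000, ptype, key)


# Constructed sample: host 10.1.1.10 opening TCP/80 to 10.2.2.20, carried in a
# keyed GRE tunnel between routers 192.0.2.1 and 198.51.100.1 (made-up values).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
INNER_PACKET = build_ipv4("10.1.1.10", "10.2.2.20", 6, TCP_SYN)
SAMPLE_GRE_FRAME = build_ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO,
                              build_gre(ETHERTYPE_IPV4, key=0x1234) + INNER_PACKET)
SAMPLE_PLAIN_FRAME = build_ipv4("10.1.1.10", "10.2.2.20", 6, TCP_SYN)

if __name__ == "__main__":
    for name, frame in (("gre", SAMPLE_GRE_FRAME), ("plain", SAMPLE_PLAIN_FRAME)):
        print(name, summarize(frame))
```

The decode only works where the GRE is still in the clear: on the LAN side of the router, before the frame enters the FW-1 VPN, a sensor can apply this to a packet capture; once the GRE is wrapped in the IPsec tunnel, an observer between the gateways sees only ESP, which is one more reason a sensor or firewall on the tunnel endpoint you control is the practical place to get per-host logs.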