RE: [FW1] why not a bridge?
I actually built a prototype firewall based on bridging technology, so it certainly can be done. The nice thing about building it into a bridge is that ZERO network configuration is required. This is great for things like the consumer market (aka cable modems, etc.). Just plug the box in between the cable modem and your PC - no additional addresses needed, no network configuration needed, just go. Of course, you still need to configure the firewall functions....

-Jon Allen

>Date: Fri, 26 Jan 2001 15:56:52 -0500 (EST)
>From: [email protected]
>Subject: RE: [FW1] why not a bridge?
>
>Andrew,
>
>I hate to say this, but... try thinking outside the box! Just because the
>bridge you bought ten years ago doesn't have the functionality that I am
>suggesting doesn't mean that it shouldn't be done! Or tried at least.
>
>I am not mistaking anything, I just think that it would be more secure if
>the firewall was transparent.
>
>Does Checkpoint RELY on packets going from one subnet to any other? I
>don't see why. If I have a two-port FW that is running as a bridge then
>I don't see why Checkpoint couldn't handle it.
>
>On Fri, 26 Jan 2001 [email protected] wrote:
>
>> no no no no no
>>
>> the point of a bridge is that it works at the datalink layer, not the network
>> layer, i.e. a bridge knows NOTHING about IP. So any IP inspection cannot be
>> done by a true bridge.
>>
>> SO it can't inspect anything
>>
>> Also DO not get bridging confused with packet address translation (PIX)
>>
>> Checkpoint expects packets to move from one IP subnet to another so you will
>> not be able to bridge.
>>
>> Anyway, what's so hard about routing?
>>
>> Andrew Shore
>> BTcd
>> Information Systems Engineering
>> Internet & Multimedia
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: 26 January 2001 16:06
>> To: [email protected]
>> Subject: RE: [FW1] why not a bridge?
>>
>>
>> First, I had tonnes of people let me know that Lucent's FW always works (or
>> can work?) as a bridge.
>>
>> Second, I don't imagine it would be too hard to write bridging software
>> that actually does inspect the TCP/IP stack. I mean, if you take a closer
>> look at how Checkpoint says they examine packets, they do it
>> already. Checkpoint software itself does not route packets. I
>> wonder... If I installed bridging software on my Linux box, would
>> Checkpoint still work? I think I might try that...
>>
>> Anyone think of a reason why it wouldn't work? Anyone think of a reason
>> why I wouldn't want to do this?
>>
>> What do you think?
>> --Paul

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
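The disagreement in the thread is about layering: a bridge learns and forwards on MAC addresses alone and needs no IP address of its own, yet the same software holding the frame can look past the Ethernet header at the IP and TCP fields before deciding whether to forward it. The following is an added illustration of that point in Python; it is not code from any of the posters, from Check Point, Lucent, or the Linux bridge, and the port names ('lan', 'wan'), MAC and IP addresses and frames are all constructed for the example.

```python
"""Toy learning bridge with an optional transparent (IP/TCP-aware) filter hook.

Added illustration for the thread above; not code from any poster, Check Point,
Lucent, or Linux.  Every frame, address and port name below is constructed.
"""
import struct
from ipaddress import IPv4Address

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10
BROADCAST = b"\xff" * 6


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame: 20-byte IP header + 20-byte TCP header.
    Checksums are left at zero; this is constructed test input, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + tcp


def build_arp_frame(src_mac):
    """Broadcast ARP-shaped frame; the bridge never looks at its payload."""
    return BROADCAST + src_mac + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28


def parse_frame(frame):
    """Decode Ethernet, then IPv4 and TCP when present.  Plain bridging needs
    only the first three fields; the rest exists for the filter hook."""
    hdr = {"dst": frame[:6], "src": frame[6:12],
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if hdr["ethertype"] == ETH_P_IP and len(frame) >= 34:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        hdr["ip_src"] = str(IPv4Address(ip[12:16]))
        hdr["ip_dst"] = str(IPv4Address(ip[16:20]))
        hdr["proto"] = ip[9]
        if hdr["proto"] == IPPROTO_TCP and len(ip) >= ihl + 14:
            tcp = ip[ihl:]
            hdr["sport"], hdr["dport"] = struct.unpack("!HH", tcp[:4])
            hdr["flags"] = tcp[13]
    return hdr


class Bridge:
    """Learning bridge.  Forwarding decisions use only MAC addresses, so the
    box itself carries no IP address on either side (zero network config)."""

    def __init__(self, ports, policy=None):
        self.ports = list(ports)
        self.policy = policy      # callable(in_port, hdr) -> bool, or None
        self.fdb = {}             # MAC -> port it was last seen on
        self.delivered = []       # (out_port, frame) pairs we "transmitted"

    def receive(self, in_port, frame):
        hdr = parse_frame(frame)
        self.fdb[hdr["src"]] = in_port                  # learning: layer 2 only
        if self.policy is not None and not self.policy(in_port, hdr):
            return "DROP"                               # the transparent firewall
        known = self.fdb.get(hdr["dst"])
        if known == in_port:
            return "FILTER"                             # destination is on the ingress segment
        outs = [known] if known is not None else [p for p in self.ports if p != in_port]
        self.delivered.extend((p, frame) for p in outs)  # unicast if known, else flood
        return "FORWARD"


def transparent_policy(in_port, hdr):
    """Stateless rule set for a bridge between 'wan' (cable modem side) and
    'lan' (the PC): everything out, replies in, but no new inbound TCP
    connections (SYN without ACK) from the WAN side.  Non-IP frames such as
    ARP must pass or the two segments cannot resolve each other at all.
    A real firewall keeps a connection table instead of this heuristic."""
    if hdr["ethertype"] != ETH_P_IP or in_port != "wan":
        return True
    if hdr.get("proto") == IPPROTO_TCP:
        flags = hdr.get("flags", 0)
        if flags & TCP_SYN and not flags & TCP_ACK:
            return False
    return True


if __name__ == "__main__":
    PC, UPSTREAM = mac("00:11:22:33:44:55"), mac("aa:bb:cc:dd:ee:ff")
    fw = Bridge(["lan", "wan"], policy=transparent_policy)
    print(fw.receive("lan", build_tcp_frame(UPSTREAM, PC, "192.168.1.2", "203.0.113.5", 40000, 80, TCP_SYN)))
    print(fw.receive("wan", build_tcp_frame(PC, UPSTREAM, "203.0.113.5", "192.168.1.2", 4444, 23, TCP_SYN)))
```

The forwarding database only ever holds MAC addresses, which is Andrew's point; the policy hook reads IP and TCP fields out of the very same frame before it is forwarded, which is Paul's. On a real Linux box the equivalent hook is the kernel's bridge/netfilter integration (the br_netfilter module and the bridge-nf-call-iptables sysctl), which passes bridged frames through the iptables chains; the thread itself does not discuss that mechanism, and the toy policy above is stateless, so it would also refuse an inbound SYN that a connection-tracking firewall could tie to an existing flow.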