RE: [FW1] why not a bridge? (and hot air)



> You are talking about their Brick Firewall? LMF is a service provided by
> Lucent, not a firewall appliance/technology.

That is incorrect.  The correct product name of what is sometimes informally
called the "Brick" is LMF or Lucent Managed Firewall -- LMF model 201 is the
"full" or "regular" brick, and LMF model 80 is the "mini brick".  Both require
the Lucent Security Management Server, or LSMS.

> I believe Firewall-1's feature set is better.

They are quite different, as they are geared to different spaces.  Within its space
(essentially carrier/telco/ASP), the LMF/LSMS combo is an outstanding product.

> How exactly does it operate as a bridge? Can you be specific? They claim
> stateful packet inspection (that implies the network layer). Are you
> referring to their proxy stuff?

No.  The LMF/LSMS combo can provide stateful inspection (i.e. inspection at all
layers 3 - 7) while forwarding traffic at layer 2 (i.e. while operating as a
bridge).  There is absolutely no requirement with the LMF/LSMS that the
interfaces of the device (there are 4 on the model 201) be numbered into
disjoint IP subnets, or even for the interfaces to have their own IP addresses
at all! (One IP is needed on the brick for management, but it can be shared by
all interfaces).

So it is perfectly valid to place the brick anywhere at all in an IP network ...
you could have hosts 10.1.1.1 and 10.1.1.5 off one interface, hosts 10.1.1.2 and
10.1.1.6 off another, hosts 10.1.1.3 and 10.1.1.7 off the third, hosts 10.1.1.4
and 10.1.1.8 off the fourth, use 10.1.1.254 as the brick's management address,
and be able to provide full stateful-inspection filtering of any and all IP
traffic between the hosts, or between any other systems located locally or
remotely off those interfaces.

Incidentally, this design also allows you to place controls on layer 2, e.g. to
prevent ARP spoofing attacks -- something you cannot do with a pure layer-3
system like most other stateful-inspection firewalls.

Another excellent design feature is that every brick is essentially hot-swappable
-- if you have a failed device, you can power up a brand new brick, allow it to
read a certificate and some basic data from a diskette, and it then 1/
immediately contacts the LSMS management server and downloads the correct policy
rules, and 2/ gets to work.  You can recover from a totally failed brick and
have a new one up and running in its place in about 200 seconds.

Also, all this happens at 125 Mb/s, at a per-device cost about that of an
Ultra-10 (the cost of an Ultra-10 *before* paying for a firewall software
license).

Richard
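A transparent-bridge firewall of the kind described in the message above, built as an added example with Linux bridging and nftables (this is not Lucent's configuration and is not from the original post). It assumes br0 already bridges eth0..eth3 and carries the single management address 10.1.1.254/24, that a kernel with the nf_conntrack_bridge module is loaded so the bridge family can use connection tracking, and constructed MAC addresses for the protected hosts.

```nftables
#!/usr/sbin/nft -f
# Added example (not Lucent's configuration). Assumes br0 bridges eth0..eth3,
# that br0 carries the single management address 10.1.1.254/24, and that
# nf_conntrack_bridge is loaded so the bridge family can track connections.
flush ruleset

table bridge filter {
    # Constructed IP-to-MAC bindings for hosts that must not be ARP-spoofed.
    set arp_ok {
        type ipv4_addr . ether_addr
        elements = { 10.1.1.1 . 02:00:00:00:00:01,
                     10.1.1.5 . 02:00:00:00:00:05 }
    }
    # The IPs covered by the binding table above.
    set arp_protected {
        type ipv4_addr
        elements = { 10.1.1.1, 10.1.1.5 }
    }

    # Traffic bridged between the four ports: hosts on the same /24 can sit on
    # different ports and still be filtered, because forwarding stays at layer 2.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Layer-2 control: an ARP packet claiming a protected IP must carry the
        # bound MAC; any other sender claiming that IP is logged and dropped.
        ether type arp arp saddr ip . arp saddr ether @arp_ok accept
        ether type arp arp saddr ip @arp_protected log prefix "arp-spoof: " drop
        ether type arp accept

        # Layer 3/4 stateful inspection of the bridged IP traffic.
        ct state established,related accept
        ct state invalid drop
        # Policy for new flows: any host may reach SSH and HTTP on the two
        # protected servers; everything else is logged and dropped.
        ip daddr @arp_protected tcp dport { 22, 80 } ct state new accept
        log prefix "bridge-fw drop: " drop
    }

    # Frames addressed to the bridge's own management IP: restrict management
    # access to one administrative station (constructed address 10.1.1.2).
    chain input {
        type filter hook input priority 0; policy drop;
        ether type arp accept
        ct state established,related accept
        ip saddr 10.1.1.2 ip daddr 10.1.1.254 tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` on the bridge host; because the ports are unnumbered, the hosts 10.1.1.1 through 10.1.1.8 can be spread across the four ports exactly as the message describes while every flow between them still passes the forward chain.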



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
All contents © 2003 Network Presence, LLC. All rights reserved.