
Re: [FW1] My reason to turn off IP Spoofing



Hi

Tell me, are you using 5 single-port PCI NICs?
Try using 4-port cards like perhaps ZX346Q (www.znyx.com)

But what do you think about the following situation you produce, if you make
your clients multi-homed?
Client in 10.0.0.x has n NICs which connect to 172.32.0.x / 172.33.0.x /
172.34.0.x / 172.35.0.x / 172.36.0.x
=> The idea of firewalling will be lost, because your client in 10.0.0.x
opens the doors to all secured LANs... right, the firewall will still drop
traffic from the internet, but if an attacker comes from internal
networks... you are lost... you can't control the multi-homed client...

Hmm, another thingy: why not set up a Citrix server in the 172.36.0.x and
let your clients from 10.0.0.x connect to the Citrix server... from there you
are in the right LAN. (You can control Citrix connections/authentication.)
You should think about your actual concept/running env... that's not the
correct way to solve your problem, switching LAN cable... and why does a client
need 5 NICs?

Hope these hints help you to solve your problem... and only disable IP
spoofing if you trust your internal LANs; I wouldn't...

regards,

mike


----- Original Message -----
From: felix
To: Fw-1-Mailinglist
Sent: Tuesday, April 03, 2001 5:51 PM
Subject: [FW1] My reason to turn off IP Spoofing

[schnipp]
Because the same host has been bound with two different IPs. You may ask me,
hey! are you stupid, why don't you add another NIC card?! Believe me, they
already have 5 NIC cards installed on their system, I don't want to add one
more, they may not have more IRQs available!
So that's why I ask you guys if it is possible to turn off IP spoofing, then
the firewall will not send me the alarms for detecting invalid IPs.



