
RE: [FW1] Does FireWall-1 Pass SNA Traffic ?



I guess sometimes it really depends on your definition of routing, hence my initial reaction. In the IBM world, things are somewhat different, because "classic" SNA was really meant for terminal-to-mainframe peer networks and not client-to-server hierarchical like IP. Routing in that sense is what Daniel was referring to, which is why I later agreed with his comments.
 
george 
-----Original Message-----
From: Robert C. Wessel [mailto:[email protected]]
Sent: Thursday, May 10, 2001 1:40 AM
To: Juppunov, George; 'Daniel Hitchcock'; Juppunov, George; 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?

Not to be too pedantic, but while it's true that sessions between subarea nodes and peripheral nodes (PU 2s or "terminal controllers") in "classic" subarea SNA are not routable in any sense (e.g. all a PU2 can do is directly connect to a PU 4/5 - using bridges if necessary), connections between subarea nodes (PU 4/5s) have always been routable, even though SNA only really supported static routes with a few embellishments.


The "modern" SNA protocols APPN and HPR are quite routable (with both dynamic and static routes).


Admittedly, much of the SNA traffic you see is terminal oriented, and much (most?) of that is still carried over "classic" PU 2 ("dependent") connections, instead of over APPN ("independent" or "DLUW/DLUS") connections.


-Robert



At 03:44 PM 5/9/01 -0700, Juppunov, George wrote:

>>>>

Fine. I guess I'm being frivolous in calling SRB "routing", since it's technically bridging, and I will not argue over it. Although we could go into a lengthy conceptual discussion off-line. On the other hand, there is nothing that prohibits upper layer protocols from one stack (e.g., SNA) from being transported using protocols from another stack (e.g., TCP/IP), hence IP encapsulation (which is a misnomer since IP encapsulates anyway).

As far as IPX is concerned, CheckPoint does not support it and if you think it does, I would be interested to know how you define an IPX network and how you would filter, let's say, SAP advertisements in the CheckPoint rulebase... On the other hand, if you suggest that you can have an IPX driver installed on it and route despite Checkpoint then... sure, Checkpoint couldn't care less about it. And if that's really what you meant then I need to start reading more carefully. :-)

George

-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Wednesday, May 09, 2001 2:32 PM
To: 'Juppunov, George'; 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?


I'd be interested in the technical details of how you've implemented SNA routing (IP encapsulation obviously doesn't count, as that's IP routing, not SNA routing), and the environment in which IPX would not route on a device running Checkpoint Firewall and an IPX stack. Please reply directly if you prefer...

Thanks!


Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: Juppunov, George [mailto:[email protected]]
Sent: Tuesday, May 08, 2001 3:46 PM
To: Daniel Hitchcock; 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?


Checkpoint will not pass IPX traffic and SNA is very much routable. You do need to encapsulate as Elliot suggested, however bear in mind that your firewall will not be able to look higher up the stack.

George

-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Tuesday, May 08, 2001 8:23 AM
To: 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?


Clarification:

Checkpoint doesn't care at all about SNA (or any other non-IP) traffic. For example, a Checkpoint firewall will happily route IPX traffic as long as your OS is configured to do so. Since SNA is non-routable, your firewall will only pass it if you can get your OS to bridge SNA. So, Elliot's suggestion about encapsulating SNA is excellent (as long as you can get someone on both ends to configure the routers correctly).

$0.01 :)

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com




-----Original Message-----
From: Elliot Spiegel/Markham/IBM [mailto:[email protected]]
Sent: Monday, May 07, 2001 1:25 PM
To: Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: Re: [FW1] Does FireWall-1 Pass SNA Traffic ?



Lior...Checkpoint can only pass IP traffic. If you want to get SNA to flow through the firewall, you will have to encapsulate the SNA traffic within IP.

One of the ways you can do this is to use DLSW on a router. SNA traffic hits the router and is encapsulated within IP, flows through the firewall to another router that will de-encapsulate the traffic.

Regards.............Elliot

Lior Arbel <[email protected]>@lists.us.checkpoint.com on 05/05/2001 09:36:37 AM
Please respond to Lior Arbel/Israel/IBM@IBMIL
Sent by: [email protected]
To: [email protected]
cc:
Subject: [FW1] Does FireWall-1 Pass SNA Traffic ?




Sorry for the last message - it was sent by mistake.

I need help - Checkpoint claims that FW-1 passes SNA traffic, but I didn't find any document about it. Has anyone tried it before??


Lior Arbel



================================================================================

To unsubscribe from this mailing list, please see the instructions at

<http://www.checkpoint.com/services/mailing.html>http://www.checkpoint.com/services/mailing.html

================================================================================




_____________________________________________________________________

IMPORTANT NOTICES:

This message is intended only for the addressee. Please notify the sender by e-mail if you are not the intended recipient. If you are not the intended recipient, you may not copy, disclose, or distribute this message or its contents to any other person and any such actions may be unlawful.


Banc of America Securities LLC("BAS") does not accept time sensitive, action-oriented messages or transaction orders, including orders to purchase or sell securities, via e-mail.


BAS reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the BAS e-mail system.





<<<<
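The encapsulation Elliot describes and the caveat George raises (the firewall cannot look higher up the stack) can be illustrated with an added example; this is not code from the thread or from Check Point. A constructed DLSw-over-TCP packet (DLSw peers use TCP port 2065 per RFC 1795) is judged by a rulebase that matches only on the IP/TCP 5-tuple, so two different SNA payloads get the identical verdict. The IP addresses, the rule format and the payload bytes are assumptions.

```python
import struct

DLSW_PORT = 2065  # DLSw peer TCP port (RFC 1795); the only thing the IP rulebase can key on


def build_dlsw_packet(src_ip, dst_ip, sna_payload):
    """Constructed sample: IPv4 header + TCP header wrapping an (assumed) DLSw-carried SNA frame."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    total = 20 + 20 + len(sna_payload)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), checksum (left 0), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, src, dst)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, DLSW_PORT, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + sna_payload


def five_tuple(pkt):
    """Extract (proto, src, dst, sport, dport): everything an IP-layer rule can see."""
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def fw1_decision(pkt, rules):
    """First matching rule wins on (proto, src, dst, dport); implicit drop otherwise.
    The SNA payload behind the TCP header is never consulted."""
    proto, src, dst, _sport, dport = five_tuple(pkt)
    for rule in rules:
        if (rule["proto"], rule["src"], rule["dst"], rule["dport"]) == (proto, src, dst, dport):
            return rule["action"]
    return "drop"


# Assumed rulebase: permit the DLSw peering between two router addresses, nothing else.
RULES = [{"proto": 6, "src": "10.1.1.1", "dst": "10.2.2.2", "dport": DLSW_PORT, "action": "accept"}]


def demo():
    # Two constructed payloads (0x31 stands in for the DLSw SSP version byte) with different
    # SNA content, plus the same payload from a non-peer address.
    a = build_dlsw_packet("10.1.1.1", "10.2.2.2", b"\x31\x01" + b"SNA-RU-A")
    b = build_dlsw_packet("10.1.1.1", "10.2.2.2", b"\x31\x01" + b"SNA-RU-B")
    c = build_dlsw_packet("10.9.9.9", "10.2.2.2", b"\x31\x01" + b"SNA-RU-A")
    return fw1_decision(a, RULES), fw1_decision(b, RULES), fw1_decision(c, RULES)
```

Packets a and b differ only inside the encapsulated SNA data and receive the same verdict; only the peer address in packet c changes the outcome, which is exactly the visibility limit George points out.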