Not to be too pedantic, but while it's true that sessions between subarea
nodes and peripheral nodes (PU 2s or "terminal controllers") in "classic"
subarea SNA are not routable in any sense (e.g. all a PU2 can do is directly
connect to a PU 4/5 - using bridges if necessary), connections between
subarea nodes (PU 4/5s) have always been routable, even though SNA only
really supported static routes with a few embellishments.
The "modern" SNA protocols APPN and HPR are quite routable (with both
dynamic and static routes).
Admittedly, much of the SNA traffic you see is terminal oriented, and
much (most?) of that is still carried over "classic" PU 2 ("dependent")
connections, instead of over APPN ("independent" or "DLUW/DLUS")
connections.
-Robert
At 03:44 PM 5/9/01 -0700, Juppunov, George wrote:
>>>>
Fine. I guess I'm being frivolous in calling SRB "routing", since it's
technically bridging, and I will not argue over it.
Although we could go into a lengthy conceptual discussion off-line. On the
other hand, there is nothing that prohibits upper layer protocols from one
stack e.g. SNA to be transported using protocols from another stack e.g.
TCP/IP, hence IP encapsulation (which is a misnomer since IP encapsulates
anyway).
As far as IPX is concerned, CheckPoint does not support it and if you think
it does, I would be interested to know how you define an IPX network and
how you would filter, let's say, SAP advertisements in the CheckPoint
rulebase...
On the other hand, if you suggest that you can have IPX driver installed on
it and route despite Checkpoint then... sure, Checkpoint couldn't care less
about it. And if that's really what you meant then I need to start reading
more carefully. :-)
George
-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Wednesday, May 09, 2001 2:32 PM
To: 'Juppunov, George'; 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?
I'd be interested in the technical
details of how you've implemented SNA routing (IP encapsulation obviously
doesn't count, as that's IP routing, not SNA routing), and the environment
in which IPX would not route on a device running Checkpoint Firewall and an
IPX stack. Please reply directly if you prefer...
Thanks!
Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
-----Original Message-----
From: Juppunov, George [mailto:[email protected]]
Sent: Tuesday, May 08, 2001 3:46 PM
To: Daniel Hitchcock; 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?
Checkpoint will not pass IPX traffic and SNA is very much routable. You do
need to encapsulate as Elliot suggested, however bear in mind that your
firewall will not be able to look higher up the stack.
George
-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Tuesday, May 08, 2001 8:23 AM
To: 'Elliot Spiegel/Markham/IBM'; Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: RE: [FW1] Does FireWall-1 Pass SNA Traffic ?
Clarification:
Checkpoint doesn't care at all about SNA (or any other
non-IP) traffic. For example, a Checkpoint firewall will happily route IPX
traffic as long as your OS is configured to do so. Since SNA is
non-routable, your firewall will only pass it if you can get your OS to
bridge SNA. So, Elliot's suggestion about encapsulating SNA is excellent (as
long as you can get someone on both ends to configure the routers
correctly).
$0.01 :)
Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
-----Original Message-----
From: Elliot Spiegel/Markham/IBM
[mailto:[email protected]]
Sent: Monday, May 07, 2001 1:25 PM
To: Lior Arbel/Israel/IBM
Cc: [email protected]
Subject: Re: [FW1] Does FireWall-1 Pass SNA Traffic ?
Lior...Checkpoint can only pass IP traffic. If you want to get SNA to flow
through the firewall, you will have to encapsulate the SNA traffic within
IP.
One of the ways you can do this is to use DLSW on a router. SNA traffic
hits the router and is encapsulated within IP, flows through the firewall
to another router that will de-encapsulate the traffic.
Regards.............Elliot
Lior Arbel <[email protected]>@lists.us.checkpoint.com on 05/05/2001 09:36:37 AM
Please respond to Lior Arbel/Israel/IBM@IBMIL
Sent by: [email protected]
To: [email protected]
cc:
Subject: [FW1] Does FireWall-1 Pass SNA Traffic ?
Sorry for the last message - was sent by mistake
I need help - checkpoint claims that fw-1 passes sna
traffic but I didn't find any document about it
has anyone tried it before??
Lior Arbel
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
_____________________________________________________________________
IMPORTANT NOTICES:
This message is intended only for the
addressee. Please notify the sender by e-mail if you are not the intended
recipient. If you are not the intended recipient, you may not copy,
disclose, or distribute this message or its contents to any other person and
any such actions may be unlawful.
Banc of America Securities LLC("BAS") does not
accept time sensitive, action-oriented messages or transaction orders,
including orders to purchase or sell securities, via e-mail.
BAS reserves the right to monitor and review the
content of all messages sent to or from this e-mail address. Messages sent
to or from this e-mail address may be stored on the BAS e-mail system.
<<<<
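Added example, not part of the original thread: once SNA is carried in DLSw, the firewall sees only TCP between the two routers and cannot look higher up the stack, so a useful check is that DLSw flows are permitted only between that router pair. The router addresses, the log format and the function names are assumptions; TCP ports 2065 and 2067 are the DLSw ports from RFC 1795.

```python
import ipaddress

# DLSw (RFC 1795) runs over TCP: 2065 is the read port, 2067 the write port.
DLSW_PORTS = {2065, 2067}

# Assumed DLSw routers on either side of the firewall (documentation addresses).
ALLOWED_PEERS = {frozenset({"192.0.2.1", "198.51.100.1"})}

# Constructed firewall log, one flow per line: action proto src sport dst dport
SAMPLE_LOG = """\
accept tcp 192.0.2.1 11002 198.51.100.1 2065
accept tcp 198.51.100.1 2065 192.0.2.1 11002
accept tcp 192.0.2.77 40112 198.51.100.1 2065
drop tcp 203.0.113.9 51515 198.51.100.1 2067
accept tcp 192.0.2.1 443 198.51.100.1 52000
accept udp 192.0.2.1 2065 198.51.100.1 2065
"""


def parse_flow(line):
    """Split one log line into fields; raises ValueError if it is malformed."""
    action, proto, src, sport, dst, dport = line.split()
    # Normalise addresses so textual variants compare equal.
    src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    return action, proto, src, int(sport), dst, int(dport)


def audit_dlsw(log_text, allowed=ALLOWED_PEERS):
    """Return (line_no, verdict, detail) for DLSw flows outside the peer pair."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            action, proto, src, sport, dst, dport = parse_flow(line)
        except ValueError:
            findings.append((n, "unparsable", line.strip()))
            continue
        if proto != "tcp" or not {sport, dport} & DLSW_PORTS:
            continue  # not a DLSw tunnel flow
        if frozenset({src, dst}) in allowed:
            continue  # the expected router-to-router tunnel
        verdict = "tunnel-permitted" if action == "accept" else "blocked"
        findings.append((n, verdict, f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for finding in audit_dlsw(SAMPLE_LOG):
        print(finding)
```

A "tunnel-permitted" finding means the rulebase lets a host other than the two routers open a DLSw session, which the firewall would then pass without seeing the SNA inside.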