
Re: [FW-1] [FW1] FW1 as a bridge



First, even on NT you can use bridging; take a look at
Computer Associates' eTrust Firewall, which runs on Windows NT/2000 and
can be configured in bridging mode. So the only reason why FW-1
doesn't support bridging mode is that Check Point did not implement it.


Next, I think which O/S you run FW-1 on doesn't matter, as far as security
is concerned, if you configure it right. I personally use Windows NT 4.0 and
don't see why W2K would be worse, as far as security is concerned, and I am
not on crack.

The inspection module of FW-1 sits right on top of the device driver for
the particular network card, before the lowest level of the O/S code sees
the traffic. So as long as you use the driver from the network card manufacturer,
the O/S is not involved in the operation of the inspection module of FW-1.
So you just have to put FW-1 policies in place so that no network traffic goes
to the O/S on the firewall server (i.e. you hide the firewall).

So if I build a dedicated firewall using the following steps:

1) Take the dedicated firewall off all networks so it can't be
   compromised during its configuration.

2) Fresh-format it from a floppy I boot off, so it is secure to start with.

3) Install the O/S (patching it or not doesn't matter as far as security is
   concerned, because the O/S will be hidden from the network).

4) Install the most current version of FW-1 and all its patches, because it's
   the only part which will be security related.

5) Configure FW-1 policies so that the only packets the FW-1 inspect module
   sends/receives to/from the local host are those necessary for FW-1
   operation, if necessary, like management, GUI interface and authentication.

6) Plug the dedicated firewall into all the nets it should be on, as it is now
   as safe as FW-1 can be.

7) Configure FW-1 policies so it relays the packets you want in and out
   of the protected network(s) to/from the unprotected network(s) the
   firewall is connected to.

I can't see why O/S A would be better/worse than O/S B as far as
security is concerned, because no external packet can go to the O/S level
except for FW-1 internal use, i.e. the only ports accessible on the firewall
are all directly connected to one of the FW-1 processes, none to the O/S or
to third-party software.

At 23:54 2001-10-08 -0400, Gabriel Rocha wrote:
>,----[ On Thu, Sep 27, at 02:40PM, Dan Hitchcock wrote: ]--------------
>| FW1, unfortunately, does not work in bridge mode.  Some appliance-based
>| firewalls support this functionality, but FW1 depends on an IP address being
>| bound to each adapter used for traffic control.  This is more a limitation
>| of the underlying operating system than a limitation of FW1.
>`----[ End Quote ]---------------------------
>
>Not trying to be picky here, well, not too picky anyway. FW1, to my
>knowledge, runs on Linux and Solaris (yes, other OSes too, but anyone who
>runs it under Win2k is on crack anyhow, HPUX is simply not in style, and
>AIX doesn't count), both of which support bridging with other firewalls.
>Now, how does that leave room for a limitation of the OS? IPF runs on
>Linux and on Solaris in bridging mode; Linux has iptables and ipchains,
>both of which do bridging packet filtering. Oh, just remembered IPSO,
>FW-1 for Nokia (which is just an x86 with a proprietary board so they
>can charge more). IPSO is nothing more than FreeBSD 2.x with some tweaks;
>FreeBSD does bridging just fine. We could at least recognize the
>shortcomings of the software we use, for it certainly is not a
>shortcoming of the OS. (If you use Win2k, YMMV.) --Gabe
>
>--
>
>"It's not brave if you're not scared."
>

------------------------------------------------------------
Yves Belle-Isle, V.P., VE2YBI YB17          Email: [email protected]
Systems Manager                             Tel:
Sogi Informatique Ltee.                     Fax:
------------------------------------------------------------


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
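The build procedure above rests on one policy property: steps 5 and 7 only "hide the firewall" if the rule that drops traffic to the gateway's own addresses (the stealth rule) sits right after the management rule and before every pass-through rule. A permissive rule placed earlier, whose destination object happens to contain one of the gateway's interface addresses, silently exposes the O/S on that interface. The following is an added example, not code from the original post and not Check Point's own policy format: a first-match model of a rulebase with a probe-based audit that flags any accept to a gateway address that is not management traffic from the management net. The topology, the outside and management hosts, and the service ports (the classic FW-1 4.x control/log/GUI ports 256/257/258, with NG using the 1819x CPMI/SIC range instead) are assumptions; check the service objects for your version.

```python
"""First-match model of a FW-1-style rulebase, used to check the
'hide the firewall' goal: nothing may reach the gateway's own addresses
except management traffic from the management network.
Constructed example; not Check Point code, does not parse a real policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple, Union

ANY = "any"
Field = Union[str, Iterable[str]]


def _as_tuple(value: Field) -> tuple:
    return (value,) if isinstance(value, str) else tuple(value)


@dataclass(frozen=True)
class Rule:
    name: str
    src: Field        # CIDR string(s) or ANY
    dst: Field
    service: Field    # "proto/port" string(s) or ANY
    action: str       # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _addr_match(field: Field, addr: str) -> bool:
    return any(f == ANY or ip_address(addr) in ip_network(f, strict=False)
               for f in _as_tuple(field))


def _svc_match(field: Field, service: str) -> bool:
    return any(f in (ANY, service) for f in _as_tuple(field))


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """(action, rule name) of the first matching rule; implicit drop otherwise."""
    for r in rulebase:
        if (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)
                and _svc_match(r.service, pkt.service)):
            return r.action, r.name
    return "drop", "implicit-drop"


# Assumed topology: the gateway has one address on each of three nets.
GATEWAY_IPS = ("203.0.113.1", "192.0.2.1", "10.0.0.1")   # external, DMZ, internal
DMZ_NET = "192.0.2.0/24"
MGMT_NET = "10.0.0.0/24"
MGMT_HOST = "10.0.0.50"          # assumed management station
OUTSIDE = "198.51.100.7"         # assumed attacker on the Internet
# Classic FW-1 4.x control/log/GUI ports (assumption; NG uses 1819x instead).
MGMT_SERVICES = ("tcp/256", "tcp/257", "tcp/258")
PROBE_SERVICES = ("tcp/21", "tcp/23", "tcp/80", "tcp/139", "tcp/256", "udp/161")

MGMT_RULE = Rule("mgmt", MGMT_NET, GATEWAY_IPS, MGMT_SERVICES, "accept")
STEALTH_RULE = Rule("stealth", ANY, GATEWAY_IPS, ANY, "drop")
WEB_RULE = Rule("web-to-dmz", ANY, DMZ_NET, "tcp/80", "accept")   # DMZ_NET contains 192.0.2.1!
OUTBOUND_RULE = Rule("outbound", "10.0.0.0/8", ANY, ANY, "accept")
CLEANUP_RULE = Rule("cleanup", ANY, ANY, ANY, "drop")

# Mistake: the pass-through web rule sits before the stealth rule.
WEAK_RULEBASE = [MGMT_RULE, WEB_RULE, STEALTH_RULE, OUTBOUND_RULE, CLEANUP_RULE]
# Correct order: management, then stealth, then everything else.
HARDENED_RULEBASE = [MGMT_RULE, STEALTH_RULE, WEB_RULE, OUTBOUND_RULE, CLEANUP_RULE]


def audit_stealth(rulebase: List[Rule]) -> List[str]:
    """Probe every gateway address from an outside host and from the management
    host; any accept that is not management traffic from the management host
    is a finding (the O/S behind that interface is reachable)."""
    findings = []
    for gw in GATEWAY_IPS:
        for src in (OUTSIDE, MGMT_HOST):
            for svc in PROBE_SERVICES:
                action, rule = evaluate(rulebase, Packet(src, gw, svc))
                legitimate = src == MGMT_HOST and svc in MGMT_SERVICES
                if action == "accept" and not legitimate:
                    findings.append(f"{svc} {src}->{gw} accepted by '{rule}'")
    return findings


if __name__ == "__main__":
    for name, rb in (("weak", WEAK_RULEBASE), ("hardened", HARDENED_RULEBASE)):
        print(name, audit_stealth(rb) or "gateway hidden")
```

The weak rulebase yields two findings (port 80 to the gateway's DMZ address from both the outside and the management host), while the hardened order yields none and still passes web traffic to other DMZ hosts. The same probe idea is what you would confirm from the outside with a port scan against each interface address once the box is plugged in at step 6.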
   All contents © 2004 Network Presence, LLC. All rights reserved.