Re: [FW-1] [FW1] FW1 as a bridge

Security services, authentication, firewall modules and the management module run at a higher level than you state. There are many ways to get access to the OS IP stack; a small number are: antispoofing, wrong rules, implied rules, rules using security services or authentication.

-----Original Message-----
From: Yves Belle-Isle [mailto:[email protected]]
Sent: 9 October 2001 20:54
To: [email protected]
Subject: Re: [FW-1] [FW1] FW1 as a bridge

First, even on NT you can use bridging; take a look at Computer Associates eTrust Firewall, which runs on Windows NT/2000 and can be configured in bridging mode. So the only reason why FW-1 doesn't support bridging mode is because Check Point did not implement it.

Next, I think on which O/S you run FW-1 doesn't matter, as far as security is concerned, if you configure it right. I personally use Windows NT 4.0 and don't see why W2K would be worse, as far as security is concerned, and I am not on crack.

The inspection module of FW-1 sits right on top of the device driver for the particular network card and before the lowest level of the O/S code sees it. So as long as you use the driver from the network card manufacturer, the O/S is not concerned in the operation of the inspection module of FW-1. So you just have to put in place FW-1 policies so no network traffic goes to the O/S on the firewall server (i.e. you hide the firewall).

So if I build a dedicated firewall by using the following steps:

1) Take the dedicated firewall off all the nets so it can't be compromised during its configuration.
2) Fresh format it from a floppy I boot off, so it is secure to start with.
3) Install the O/S (patch it or not doesn't matter as far as security is concerned, because the O/S will be hidden from the network).
4) Install the most current version of FW-1 and all its patches, because it's the only part which will be security related.
5) Configure FW-1 policies so the only packets the FW-1 inspect module sends/receives to/from the local host are those necessary for FW-1 operation, if necessary, like management, GUI interface and authentication.
6) Plug the dedicated firewall into all the nets it should be on, as it is now as safe as FW-1 can be.
7) Configure FW-1 policies so it relays the packets you want in and out of the protected network(s) to/from the unprotected network(s) the firewall is connected to.

I can't see why O/S A would be better/worse than O/S B as far as security is concerned, because no external packet can go to the O/S level except for FW-1 internal use. I.e. the only ports accessible on the firewall are all directly connected to one on the FW-1 process, none to the O/S or to third party software.

At 23:54 2001-10-08 -0400, Gabriel Rocha wrote:
>,----[ On Thu, Sep 27, at 02:40PM, Dan Hitchcock wrote: ]--------------
>| FW1, unfortunately, does not work in bridge mode. Some appliance-based
>| firewalls support this functionality, but FW1 depends on an IP address being
>| bound to each adapter used for traffic control. This is more a limitation
>| of the underlying operating system than a limitation of FW1.
>`----[ End Quote ]---------------------------
>
>Not trying to be picky here, well, not too picky anyway. FW1, to my
>knowledge runs on Linux and Solaris (yes other OS's too, but anyone who
>runs it under Win2k is on crack anyhow and HPUX is simply not in style,
>AIX doesn't count) both of which support bridging with other firewalls,
>now, how does that leave room for a limitation of the OS? IPF runs on
>Linux and on Solaris in bridging mode, Linux has iptables and ipchains,
>both of which do bridging packet filtering. Oh just remembered IPSO,
>FW-1 for Nokia (which is just an x86 with a proprietary board so they
>can charge more) IPSO is nothing more than FreeBSD 2.x with some tweaks,
>FreeBSD does bridging just fine. We could at least recognize the
>shortcomings of the software we use, for it certainly is not a
>shortcoming of the OS. (if you use Win2k, YMMV) --Gabe
>
>--
>
>"It's not brave if you're not scared."
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
>

------------------------------------------------------------
Yves Belle-Isle                     V.P. VE2YBI YB17
Email: [email protected]
Systems Manager                     Tel:
Sogi Informatique Ltee.             Fax:
------------------------------------------------------------
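The seven steps above amount to one property that can be checked rather than assumed: after the policy is loaded, the only packets a rule accepts toward the firewall's own interface addresses are the management packets FW-1 itself needs, and everything else aimed at the host is dropped by a stealth rule placed ahead of the relay rules. The first reply in this thread points at the ways that property is usually lost (wrong rules, implied rules, service rules that accept to "any" destination). The script below is an added example, not code from the thread or from Check Point: it models a first-match rulebase with a deny-by-default cleanup, probes it with a few constructed packets aimed at the firewall's addresses, and shows how a single any-destination service rule placed before the stealth rule exposes the host. All addresses, the management port and the rule names are constructed for the example.

```python
"""Toy first-match rulebase used to audit the "hide the firewall" property.
Added example; not the thread's or Check Point's code. Every address, port
and rule name here is constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # protocol name or "any"
    dport: Optional[int]  # None means any port
    action: str           # "accept" or "drop"


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the cleanup behaviour is drop."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "cleanup"


# Constructed topology: an inside and an outside interface address on the
# firewall, one management host on the inside network.
FW_IPS = ("192.0.2.1", "203.0.113.1")
MGMT_HOST = "192.0.2.10/32"
INSIDE = "192.0.2.0/24"
MGMT_PORT = 18190  # constructed stand-in for the management service port

# Policy in the order the message recommends: only what FW-1 itself needs may
# reach the host, then stealth rules hiding both addresses, then relay rules.
GOOD_POLICY = [
    Rule("mgmt-to-fw", MGMT_HOST, "192.0.2.1/32", "tcp", MGMT_PORT, "accept"),
    Rule("stealth-inside", "any", "192.0.2.1/32", "any", None, "drop"),
    Rule("stealth-outside", "any", "203.0.113.1/32", "any", None, "drop"),
    Rule("inside-to-web", INSIDE, "any", "tcp", 80, "accept"),
]

# The same policy with an any-destination service rule inserted ahead of the
# stealth rules: the "wrong rules / implied rules" case from the first reply.
BAD_POLICY = [GOOD_POLICY[0],
              Rule("dns-anywhere", "any", "any", "udp", 53, "accept")] + GOOD_POLICY[1:]


def reachable_host_services(rulebase: List[Rule], fw_ips, probes):
    """Return (packet, rule_name) for every probe that some rule accepts
    toward one of the firewall's own addresses. An empty list, or a list
    containing only the management rule, is the desired audit result."""
    hits = []
    for src, proto, dport in probes:
        for ip in fw_ips:
            pkt = Packet(src, ip, proto, dport)
            action, name = evaluate(rulebase, pkt)
            if action == "accept":
                hits.append((pkt, name))
    return hits


# Constructed probe set: an outside host trying a few services, the management
# host on the management port, and an ordinary inside host on the same port.
PROBES = [
    ("198.51.100.7", "tcp", 22),
    ("198.51.100.7", "udp", 53),
    ("198.51.100.7", "icmp", 0),
    ("192.0.2.10", "tcp", MGMT_PORT),
    ("192.0.2.55", "tcp", MGMT_PORT),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for pkt, name in reachable_host_services(policy, FW_IPS, PROBES):
            print(f"{label}: {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport} accepted by {name}")
```

Running it shows the good policy admitting only the management host to the inside address on the management port, while the bad policy also admits the outside host's UDP/53 probes to both firewall addresses, because the any-destination rule is matched before the stealth rule ever sees the packet. The same check applies to whatever implied or automatic rules a product inserts above the visible rulebase: audit the effective rule order, not the one shown in the editor.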