NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
Re: [FW-1] [FW1] FW1 as a bridge



True, to a degree; even the upper-layer services must pass inspection before they
are allowed.  And also, if the administrator doesn't know beans about security, then
the antispoofing, wrong rules, and implied rules can give reason for concern.  This is also
the reason that there are documents which recommend removing unnecessary services
from firewall stations.

I think the summary for this bridging thread is that it is a moot point.  CP simply
doesn't do it.  I would guess that if there were sufficient RFEs to your reps, you
might see it in a year or two.

my last $.02 on this subject,
thanks for the patience,
CryptoTech

Lysel Christian Emre wrote:

> Security services, authentication, firewall modules, and the management module run
> on a higher level than you state.
>
> There are many ways to get access to the OS IP stack; a small number are:
> antispoofing, wrong rules, implied rules, rules using security services or
> authentication.
>
> -----Original Message-----
> From: Yves Belle-Isle [mailto:[email protected]]
> Sent: 9 October 2001 20:54
> To: [email protected]
> Subject: Re: [FW-1] [FW1] FW1 as a bridge
>
> First, even on NT you can use bridging; take a look at
> Computer Associates eTrust Firewall, which runs on Windows NT/2000 and
> can be configured in bridging mode. So the only reason why FW-1
> doesn't support bridging mode is because Check Point did not implement it.
>
> Next, I think which O/S you run FW-1 on doesn't matter, as far as security
> is concerned, if you configure it right. I personally use Windows NT 4.0 and
> don't see why W2K would be worse, as far as security is concerned, and I am
> not on crack.
>
> The inspection module of FW-1 sits right on top of the device driver for
> the particular network card and before the lowest level of the O/S code sees
> it. So as long as you use the driver from the network card manufacturer,
> the O/S is not concerned in the operation of the inspection module of FW-1.
> So you just have to put in place FW-1 policies so no network traffic goes
> to the O/S on the firewall server (i.e., you hide the firewall).
>
> So if I build a dedicated firewall by using the following steps:
>
> 1) Take the dedicated firewall off all the nets so it can't be
>    compromised during its configuration.
>
> 2) Fresh-format it from a floppy I boot off, so it is secure to start with.
>
> 3) Install the O/S (patched or not doesn't matter as far as security is
>    concerned, because the O/S will be hidden from the network).
>
> 4) Install the most current version of FW-1 and all its patches, because it's
>    the only part which will be security related.
>
> 5) Configure FW-1 policies so the only packets the FW-1 inspect module
>    sends/receives to/from the local host are those necessary for FW-1
>    operation, if necessary, like management, GUI interface and
>    authentication.
>
> 6) Plug the dedicated firewall into all the nets it should be on, as it is now
>    as safe as FW-1 can be.
>
> 7) Configure FW-1 policies so it relays the packets you want in and out
>    of the protected network(s) to/from the unprotected network(s) the
>    firewall is connected to.
>
> I can't see why O/S A would be better/worse than O/S B as far as
> security is concerned, because no external packet can go to the O/S level
> except for FW-1 internal use. I.e., the only ports accessible on the firewall
> are all directly connected to the FW-1 process, none to the O/S or
> to third-party software.
>
> At 23:54 2001-10-08 -0400, Gabriel Rocha wrote:
> >,----[ On Thu, Sep 27, at 02:40PM, Dan Hitchcock wrote: ]--------------
> >| FW1, unfortunately, does not work in bridge mode.  Some appliance-based
> >| firewalls support this functionality, but FW1 depends on an IP address being
> >| bound to each adapter used for traffic control.  This is more a limitation
> >| of the underlying operating system than a limitation of FW1.
> >`----[ End Quote ]---------------------------
> >
> >Not trying to be picky here, well, not too picky anyway. FW1, to my
> >knowledge, runs on Linux and Solaris (yes, other OSes too, but anyone who
> >runs it under Win2k is on crack anyhow, HPUX is simply not in style, and
> >AIX doesn't count), both of which support bridging with other firewalls;
> >now, how does that leave room for a limitation of the OS? IPF runs on
> >Linux and on Solaris in bridging mode, Linux has iptables and ipchains,
> >both of which do bridging packet filtering. Oh, just remembered IPSO,
> >FW-1 for Nokia (which is just an x86 with a proprietary board so they
> >can charge more): IPSO is nothing more than FreeBSD 2.x with some tweaks, and
> >FreeBSD does bridging just fine. We could at least recognize the
> >shortcomings of the software we use, for it certainly is not a
> >shortcoming of the OS. (If you use Win2k, YMMV.) --Gabe
> >
> >--
> >
> >"It's not brave if you're not scared."
> >
> >
> >================================================================================
> >     To unsubscribe from this mailing list, please see the instructions at
> >               http://www.checkpoint.com/services/mailing.html
> >================================================================================
> >
> >
>
> ------------------------------------------------------------
> Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
> Systems Manager                         Tel:
> Sogi Informatique Ltee.                 Fax:
> ------------------------------------------------------------
>

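The following is an added example, not code from any of the posters or from Check Point. It models Yves' steps 5 and 7 (management exception above a stealth rule, then the relay rules, then cleanup) as a first-match rulebase and probes it with packets aimed at the firewall's own addresses, to show the two failure modes Lysel and CryptoTech raise: a stealth rule placed below a relay rule ("wrong rules"), and an implied rule that is evaluated before the explicit rulebase. The addresses, the management port 18181, the rule names and the "implied rules run first" ordering are assumptions of this example, not statements about how FW-1 itself evaluates policy.

```python
# Added example: a first-match model of an ordered firewall rulebase, used to
# check which traffic aimed at the firewall's own addresses reaches the OS stack.
# It is a constructed model, not Check Point's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: object     # CIDR string, tuple of CIDR strings, or ANY
    dst: object
    proto: str      # protocol name or ANY
    dport: object   # int or ANY
    action: str     # "accept" or "drop"


def _in_nets(nets, addr):
    """True if addr falls in any of the networks (ANY matches everything)."""
    if nets == ANY:
        return True
    if isinstance(nets, str):
        nets = (nets,)
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)


def rule_matches(rule, pkt):
    return (_in_nets(rule.src, pkt.src) and _in_nets(rule.dst, pkt.dst)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport))


def evaluate(rulebase, pkt, default="drop"):
    """First matching rule wins; returns (rule name, action)."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "default", default


# Constructed sample topology (documentation address ranges only).
FW_ADDRS = ("192.0.2.1", "198.51.100.1")   # the firewall's own interface addresses
ADMIN_HOST = "10.0.0.5"
INSIDE = "10.0.0.0/8"
MGMT_PORT = 18181   # assumed placeholder, not a claim about any product's real port

# Explicit rulebase in the order steps 5 and 7 call for: management exception
# above the stealth rule, then the relay rule, then cleanup.
EXPLICIT = [
    Rule("mgmt-from-admin", ADMIN_HOST, FW_ADDRS, "tcp", MGMT_PORT, "accept"),
    Rule("stealth",         ANY,        FW_ADDRS, ANY,   ANY,       "drop"),
    Rule("inside-out-web",  INSIDE,     ANY,      "tcp", 80,        "accept"),
    Rule("cleanup",         ANY,        ANY,      ANY,   ANY,       "drop"),
]

# "Wrong rules": the same rules with the stealth rule below the relay rule,
# so an inside host can reach the firewall's own address on port 80.
WRONG_ORDER = [EXPLICIT[0], EXPLICIT[2], EXPLICIT[1], EXPLICIT[3]]

# Implied rules, modelled here as evaluated before the explicit rulebase
# (an assumption of this model). If one matches, the stealth rule is never consulted.
IMPLIED_FIRST = [Rule("implied-icmp", ANY, ANY, "icmp", ANY, "accept")]


def decide(pkt, explicit=EXPLICIT, implied=()):
    return evaluate(list(implied) + list(explicit), pkt)


def reaches_os(pkt, explicit=EXPLICIT, implied=()):
    """True if the packet is both aimed at the firewall and accepted."""
    _, action = decide(pkt, explicit, implied)
    return action == "accept" and pkt.dst in FW_ADDRS


# Probe set: traffic an auditor would aim at the firewall's own addresses.
PROBES = [
    Packet(ADMIN_HOST,    "198.51.100.1", "tcp",  MGMT_PORT),  # legitimate management
    Packet("203.0.113.9", "192.0.2.1",    "tcp",  139),        # outsider to an OS port
    Packet("203.0.113.9", "192.0.2.1",    "icmp", 0),          # outsider ping
    Packet("10.0.0.7",    "198.51.100.1", "tcp",  80),         # insider to the firewall
]


def audit(explicit=EXPLICIT, implied=()):
    """Describe each probe that would reach the firewall's OS stack."""
    hits = []
    for p in PROBES:
        if reaches_os(p, explicit, implied):
            name, _ = decide(p, explicit, implied)
            hits.append(f"{p.src}->{p.dst}/{p.proto}/{p.dport} via {name}")
    return hits


if __name__ == "__main__":
    print("correct order, no implied rules:", audit())
    print("stealth rule below relay rule:  ", audit(WRONG_ORDER))
    print("implied ICMP rule first:        ", audit(EXPLICIT, IMPLIED_FIRST))
```

Run as a script, the first audit reports only the management probe; the other two each add a second hit, one through the misplaced relay rule and one through the implied rule. The habit worth keeping from this, whatever product evaluates the rules, is a fixed probe set aimed at the firewall's own interfaces that is re-run after every policy change.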



   All contents © 2004 Network Presence, LLC. All rights reserved.