
Re: [FW-1] External interfaces



Greetings!

Riccardo Baldanzi (Hawk) wrote:

> I have configured for test purposes a Checkpoint NG with only 1 physical NIC
> [...]
> but I cannot set anti-spoofing details on interfaces because all are
> external only (all the other flags are greyed out)

"External" = all IPs not defined in antispoofing for other (physical) interfaces

As you did not define any IP ranges/nets for other (physical) networks -
calculation left as practice for the student.
;-)


CheckPoint is using a different definition for internal/external than the usual diction in the security community. Usually there is only one internal "haven" with all the others behind the firewall being external "hostile" hosts and networks. CKP has a different opinion on this.

Some examples in table form:

location        sec. comm.      checkpoint
-----------------------------------------------
LAN             internal        internal
WWW/Internet    EXternal        EXternal
DMZ             EXternal        internal
Dial-In DMZ     EXternal        internal
partner net     EXternal        internal

Licensing implications are clearer with CKP's diction. Even if a
partner's network is protected by the partner's CKP, you'll have to
license your machine to cover those networks, too. Before it was a
matter of interpretation (CKP or Sec.Comm.) which license you need.

From a cautious (i.e. paranoid) view the CKP interpretation puts too
much trust into probably unsafe segments by even calling them internal.

Bye

Volker Tanger
IT-Security Consulting

--

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3461

[email protected]
http://www.discon.de/
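
The "External = everything not defined for the other interfaces" rule from the reply above, worked through as an added example (not part of the original post, and not Check Point's implementation). The interface names, the topology layout and the sample addresses are constructed assumptions.

```python
import ipaddress

EXTERNAL = "external"  # assumed marker for an interface flagged External

def external_ranges(defined_nets):
    """CIDR blocks left over once every net defined on another interface is removed."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in map(ipaddress.ip_network, defined_nets):
        kept = []
        for block in remaining:
            if net.supernet_of(block):        # block fully claimed by an interface
                continue
            if block.supernet_of(net):        # carve the defined net out of the block
                kept.extend(block.address_exclude(net))
            else:                             # disjoint: block stays External
                kept.append(block)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def is_spoofed(iface, src, topology):
    """True if src may not legitimately arrive on iface under this definition."""
    src = ipaddress.ip_address(src)
    nets = topology[iface]
    if nets == EXTERNAL:
        others = [n for v in topology.values() if v != EXTERNAL for n in v]
        valid = external_ranges(others)
    else:
        valid = [ipaddress.ip_network(n) for n in nets]
    return not any(src in n for n in valid)

# Constructed topologies: the single-NIC test box from the question,
# and a three-interface gateway for comparison.
single_nic = {"eth0": EXTERNAL}
three_nic = {
    "eth0": EXTERNAL,
    "eth1": ["10.0.0.0/8"],        # LAN
    "eth2": ["192.168.10.0/24"],   # DMZ
}

if __name__ == "__main__":
    # Nothing is defined elsewhere, so External covers the whole address space
    print(external_ranges([]))
    print(is_spoofed("eth0", "10.1.2.3", single_nic))   # accepted on the only NIC
    print(is_spoofed("eth0", "10.1.2.3", three_nic))    # LAN source on External
```

With a single interface the External set is 0.0.0.0/0, so anti-spoofing has nothing to reject; only defining networks on other interfaces shrinks it.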

   All contents © 2004 Network Presence, LLC. All rights reserved.