Firewall Wizards mailing list archives
Re: Checkpoint for internet access
From: "Zarcone, Christopher" <Christopher.Zarcone () netigy com>
Date: Fri, 20 Oct 2000 10:41:51 -0700
Andrew,

If it weren't for your default route, your firewall configuration would be considerably uglier. Don't think firewalls, think IP routing...

If you want to send a packet to a specific network, your routing devices (including your firewalls) need to know how to get to that network. That information, as you know, comes in the form of routes. A route tells a router where to send packets for a given destination. If you want to reach Network A, for example, your router needs a route specifically for Network A.

Now let's expand this example to the entire Internet. There are literally millions of different networks on the Internet, the configuration of which is changing all the time. As an Internet firewall, your firewall potentially needs to reach ALL of these networks. As such, it needs to have a route for ALL of these networks. You have two choices here:

- Use BGP to obtain the entire Internet routing table from your ISP. (Last time I checked, there are over 100,000 entries in the Internet routing table, and they consume many megabytes of memory).
- Have a single default route to your ISP. Default route is where your firewall sends all packets in the absence of more specific routes. (This results in a single entry in your routing table).

Which alternative looks better to you? I know which looks better to me. The main principle here is route aggregation.

I think your issues with Check Point have less to do with default routes, and more to do with stateful packet filtering (versus the proxies with which you are more familiar). And that brings about a good point: how were your proxies and SOCKS-based servers configured to reach the Internet? What did their routing tables look like? I don't imagine that they were speaking BGP...

Regards,
Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com
Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.
Message: 15
To: firewall-wizards () nfr net
From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Thu, 19 Oct 2000 14:58:44 -0600
Subject: [fw-wiz] Checkpoint for internet access

G'day Wizards,

Please bear with me if this is basic knowledge, I have not played with Checkpoint yet. I have a checkpoint administrator with his firewall providing access to the internet. I don't really like the idea of having a default route pointing out to the internet, but he assures me this is the only configuration the Checkpoint can do. Is this true? How do others deal with this? I am more used to either a socks or proxy configuration for an internet firewall.

Thanks

Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those of IBM"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
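The route-aggregation point in the reply above, shown as a worked example that is not part of the thread: a small longest-prefix-match lookup in Python over a constructed routing table (the prefixes and next-hop labels are invented for illustration, not taken from any poster's network). It shows that the most specific route always wins when one exists, and that a single 0.0.0.0/0 entry is what keeps packets for networks the firewall has never heard of from being unroutable. Removing the default route leaves the same table unable to forward to any destination it lacks an explicit entry for, which is exactly why the alternative is carrying a full BGP table.

```python
import ipaddress

# Constructed sample routing table for an Internet firewall (not from the thread).
# Each entry is (prefix, next-hop label). The firewall knows its own attached
# networks and one internal aggregate; everything else goes to the ISP via the
# default route.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "eth0 (DMZ)"),
    ("10.0.0.0/8", "10.1.1.1 (internal router)"),
    ("10.1.0.0/16", "eth1 (directly attached)"),
    ("0.0.0.0/0", "198.51.100.1 (ISP)"),  # the default route
]


def build_table(routes):
    """Parse (prefix, next-hop) pairs into (IPv4Network, next-hop) entries,
    ordered most-specific first so a linear scan yields the longest-prefix
    match. Real routers use a trie; the ordering here gives the same answer."""
    table = [(ipaddress.ip_network(prefix, strict=True), nexthop)
             for prefix, nexthop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Return (matching prefix, next-hop) for destination dst, or None when no
    route covers it. A None result is the 'unroutable' case: the router has
    nowhere to send the packet and drops it."""
    addr = ipaddress.ip_address(dst)
    for net, nexthop in table:
        if addr in net:
            return (str(net), nexthop)
    return None


def without_default(routes):
    """Same routes with the 0.0.0.0/0 entry removed, to show what the table
    can and cannot forward when there is no catch-all."""
    return [(prefix, nexthop) for prefix, nexthop in routes
            if ipaddress.ip_network(prefix).prefixlen != 0]


if __name__ == "__main__":
    full = build_table(SAMPLE_ROUTES)
    trimmed = build_table(without_default(SAMPLE_ROUTES))
    for dst in ("10.1.5.5", "10.2.0.1", "192.0.2.80", "203.0.113.9"):
        print(f"{dst:>12}  with default: {lookup(full, dst)}")
        print(f"{'':>12}  no default:   {lookup(trimmed, dst)}")
```

Running it shows 10.1.5.5 matching the /16 rather than the /8 (longest prefix wins), and 203.0.113.9 reaching the ISP only while the default route is present; with it removed the lookup returns None, and every additional Internet destination would need its own explicit entry.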
Current thread:
- Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 19)
- Re: Checkpoint for internet access Brad Van Orden (Oct 20)
- <Possible follow-ups>
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 20)
- Re: Checkpoint for internet access Zarcone, Christopher (Oct 20)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 23)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 24)
- RE: Checkpoint for internet access Zarcone, Christopher (Oct 24)
- RE: Checkpoint for internet access Bill Van Emburg (Oct 26)