Firewall Wizards mailing list archives

RE: Checkpoint for internet access


From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Fri, 20 Oct 2000 16:50:02 -0400

Heh. Okay then. Let me paint a little picture. 

You have a proxy based firewall. You have full dynamic routing internally.
You configure all boxes to use the perimeter proxy server. <web and whatnot>
You only allow through services that the proxy server knows how to proxy.
You have no need for default routes on your network because all hosts only
talk to your own address space. I've seen plenty of networks like this.  Of
course your proxy has to have a default router to your perimeter router, but
the question that Andrew Bernoth was asking had more to do with having to
establish default routing within his network. At least, that's how I read
it.

Further, careful who you flame and how you judge them. There are all sorts
of issues that come up when you start challenging credibility in a public
forum such as this. Not that I really need to justify my abilities to you,
but I would hate the other respected folks on this list to decide my
thoughts are less worthy based on your flame. I've been working with routing
and firewalls for many years. I feel quite qualified to comment on all
manner of items relating to TCP/IP and checkpoint. With all due respect, I
think I'll continue my job running all the networks and firewalls for my
company, contrary to what you may feel is appropriate. 

---------------------------------------------------------
Andrew J. Kalat,                | Voice: (678)443-6000  
IT Infrastructure Manager       | Fax:   (678)443-6484
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6600 Peachtree-Dunwoody Road    | http://www.iss.net/
300 Embassy Row, Suite 500      | PGP key available.
Atlanta, GA 30328               | 
Notes: Comments are my own, yadda... yadda....

-----Original Message-----
From: Brad Van Orden [mailto:Brad.VanOrden () navius com]
Sent: Friday, October 20, 2000 7:13 AM
To: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access


Andrew,

With all due respect, you obviously know nothing about routing and should
stay totally away from the firewall.  I hate to disappoint you, but even your
proxy server had a default route pointing to something - most likely a router
that is connected to the Internet.  If you don't use a default route, you
would either have to run some sort of dynamic routing protocol with your
router or add static routes for every conceivable address on the Internet that
your users would be likely to need.

Sorry,

Brad Van Orden
Navius Technologies

Andrew J Bernoth/Boulder/IBM wrote:

G'day Wizards,

Please bear with me if this is basic knowledge, I have not played with
Checkpoint yet.

I have a checkpoint administrator with his firewall providing access to the
internet.  I don't really like the idea of having a default route pointing
out to the internet, but he assures me this is the only configuration the
Checkpoint can do.  Is this true?  How do others deal with this?

I am more used to either a socks or proxy configuration for an internet
firewall.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
