Firewall Wizards mailing list archives
RE: Checkpoint for internet access
From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Fri, 20 Oct 2000 16:50:02 -0400
Heh. Okay then. Let me paint a little picture.

You have a proxy based firewall. You have full dynamic routing internally. You configure all boxes to use the perimeter proxy server. <web and whatnot> You only allow through services that the proxy server knows how to proxy. You have no need for default routes on your network because all hosts only talk to your own address space. I've seen plenty of networks like this.

Of course your proxy has to have a default router to your perimeter router, but the question that Andrew Bernoth was asking had more to do with having to establish default routing within his network. At least, that's how I read it.

Further, careful who you flame and how you judge them. There are all sorts of issues that come up when you start challenging credibility in a public forum such as this. Not that I really need to justify my abilities to you, but I would hate the other respected folks on this list to decide my thoughts are less worthy based on your flame.

I've been working with routing and firewalls for many years. I feel quite qualified to comment on all manner of items relating to TCP/IP and Checkpoint.

With all due respect, I think I'll continue my job running all the networks and firewalls for my company, contrary to what you may feel is appropriate.

---------------------------------------------------------
Andrew J. Kalat,                | Voice: (678)443-6000
IT Infrastructure Manager       | Fax: (678)443-6484
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6600 Peachtree-Dunwoody Road    | http://www.iss.net/
300 Embassy Row, Suite 500      | PGP key available.
Atlanta, GA 30328               | Notes: Comments are my own, yadda... yadda....

-----Original Message-----
From: Brad Van Orden [mailto:Brad.VanOrden () navius com]
Sent: Friday, October 20, 2000 7:13 AM
To: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access

Andrew,

With all due respect, you obviously know nothing about routing and should stay totally away from the firewall.
I hate to disappoint you, but even your proxy server had a default route pointing to something - most likely a router that is connected to the Internet. If you don't use a default route, you would either have to run some sort of dynamic routing protocol with your router or add static routes for every conceivable address on the Internet that your users would be likely to need.

Sorry,

Brad Van Orden
Navius Technologies

Andrew J Bernoth/Boulder/IBM wrote:
G'day Wizards,

Please bear with me if this is basic knowledge, I have not played with Checkpoint yet.

I have a checkpoint administrator with his firewall providing access to the internet. I don't really like the idea of having a default route pointing out to the internet, but he assures me this is the only configuration the Checkpoint can do.

Is this true? How do others deal with this? I am more used to either a socks or proxy configuration for an internet firewall.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards