Firewall Wizards mailing list archives
RE: Checkpoint for internet access
From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Mon, 23 Oct 2000 09:16:38 -0600
Thanks for responding anyway. After I re-read my original post I realised it was rather ambiguous and I was surprised that I didn't receive one email requesting clarification; most people just jumped straight to the "he's a newbie" assumption.

Thanks again,
Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those of IBM"

"Zarcone, Christopher" <Christopher.Zarcone () netigy com> on 10/22/2000 10:13:33 AM
To: Andrew J Bernoth/Boulder/IBM@IBMUS, "Zarcone, Christopher" <Christopher.Zarcone () netigy com>
cc: firewall-wizards () nfr net
Subject: RE: [fw-wiz] Checkpoint for internet access

Andrew,

My comments are in the text:

-----Original Message-----
From: Andrew J Bernoth/Boulder/IBM [mailto:bernoth () us ibm com]
Sent: Friday, October 20, 2000 5:41 PM
To: Zarcone, Christopher
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access
Although I enjoyed the routing primer, (it was most entertaining), it appears you misunderstood my question, or you yourself do not understand proxy firewalls?
Well, the way your original e-mail was worded was pretty ambiguous. I thought your issues were related to IP routing fundamentals and was trying to answer as such. By the way, thanks for your veiled criticism of my proxy firewall knowledge. If you're going to be soliciting free advice from people, you shouldn't be critical of replies that don't meet your expectations.
With a proxy or socks server a secure network can have a default route to a bit bucket, which means if someone's application doesn't know how to use the proxy or socks services then it's not going anywhere. If the application is aware of proxy or socks services then it will direct the packet to the internet gateway to deal with; that would be why most internet-aware applications have proxy options that you can configure.
Sure, a default network route will work well in a small network, or a network that has one single access point, but once a company expands it will probably want a second internet connection, then I need to have two default routes on my network.
Secondary (or multiple) ISP connections do not necessarily mean multiple default routes on your network. OSPF and IS-IS, for example, support routing hierarchies, so you could hide the "multi-ISP ugliness" in your backbone area and advertise a single default route to your stub areas.
Sure, any dynamic routing protocol can tell me the best path if the network staff know how to configure it properly (yes, I do, but in previous jobs I have had to explain routing and weights to the guys that manage the routers); if it's configured incorrectly I could be directed to the backup link.
However, I think it still comes back to this: any application that can now direct itself to the nearest internet firewall has a good chance of getting out.
If the firewall is correctly configured (that is, default deny for all inbound AND OUTBOUND traffic) I don't agree that any application has a "good chance" of getting out. Maybe a "slightly better" chance, at best.
A quick glance at google.com shows me just under 6000 articles on "port 80 hacks". Sure, some of these will probably be proxy/socks aware and can figure out the best place to send my packet from my browser config file, but then some might not be that smart. Surely if I don't have a default route on the network I am at least protecting myself from the "not so smart" hack?
Well here, I pretty much agree with you. (This paragraph really belonged in your original e-mail, as it illustrates your real reservation with default route.) Applications that search for openings may ultimately find one. It all really comes down to the convenience vs. security argument. What protocols & applications do you need to support, and what degree of security is required?

And to take it all the way back to your original question, as I understand it, Check Point depends on the routing table of the underlying OS. If the OS doesn't have a default route, Check Point won't have a default route. Someone please correct me if I'm wrong, but I think your current FW1 administrator is mistaken...

Regards,
Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com
Netigy Corporation
www.netigy.com
My opinions do not necessarily represent the opinions of my employer.

Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those of IBM"
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
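The two mechanisms the thread argues about, shown as an added example that is not part of any message above: a host routing table with internal routes only (Andrew's "default route to a bit bucket"), so that a direct connection to an Internet address has no route while a proxy-aware application still reaches its proxy; and a check of the kind Christopher's last paragraph implies, since a firewall that inherits the OS routing table has a default route exactly when the OS does. The prefixes, next hops, proxy address and the `netstat -rn` output are constructed for illustration.

```python
import ipaddress

# Constructed routing table of an internal host. Only internal prefixes are
# present; there is deliberately no 0.0.0.0/0 entry.
INTERNAL_ROUTES = {
    "10.0.0.0/8": "10.1.1.1",            # corporate backbone (assumed)
    "10.2.0.0/16": "10.2.0.1",           # site network (assumed)
    "10.2.5.0/24": "directly connected",  # local subnet (assumed)
}

# Same table with a default route added, the situation Andrew wants to avoid.
ROUTES_WITH_DEFAULT = dict(INTERNAL_ROUTES, **{"0.0.0.0/0": "10.1.1.254"})

# Hypothetical HTTP proxy on the local subnet.
PROXY_ADDRESS = "10.2.5.80"


def lookup(table, destination):
    """Longest-prefix match over a {prefix: next_hop} table.

    Returns the next hop, or None when no prefix covers the destination
    (what the OS reports as 'no route to host')."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def first_hop(table, destination, proxy_aware):
    """Where an application's first packet goes.

    A proxy-aware application opens its connection to the proxy, so only
    the proxy's address needs a route; a non-proxy-aware one tries the
    Internet address directly and is dropped if no default route exists."""
    target = PROXY_ADDRESS if proxy_aware else destination
    return lookup(table, target)


def has_default_route(netstat_output):
    """True if a Linux-style 'netstat -rn' listing contains a default route.

    This is the check a Check Point administrator would run on the gateway
    OS itself, since the firewall uses the OS routing table."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("0.0.0.0", "default") and fields[2] == "0.0.0.0":
            return True
    return False


# Constructed 'netstat -rn' samples (Linux column layout).
NETSTAT_NO_DEFAULT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.2.5.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
"""

NETSTAT_WITH_DEFAULT = NETSTAT_NO_DEFAULT + (
    "0.0.0.0         10.1.1.254      0.0.0.0         UG        0 0          0 eth0\n"
)


if __name__ == "__main__":
    internet_host = "203.0.113.5"
    print("direct, no default route :", first_hop(INTERNAL_ROUTES, internet_host, False))
    print("via proxy, no default    :", first_hop(INTERNAL_ROUTES, internet_host, True))
    print("direct, default present  :", first_hop(ROUTES_WITH_DEFAULT, internet_host, False))
    print("gateway has default route:", has_default_route(NETSTAT_NO_DEFAULT),
          has_default_route(NETSTAT_WITH_DEFAULT))
```

The longest-prefix match matters for Christopher's OSPF point as well: a single 0.0.0.0/0 advertised into a stub area never overrides the more specific internal prefixes, so adding or withdrawing that one route is the whole difference between the two tables above.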
Current thread:
- Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 19)
- Re: Checkpoint for internet access Brad Van Orden (Oct 20)
- <Possible follow-ups>
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 20)
- Re: Checkpoint for internet access Zarcone, Christopher (Oct 20)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 23)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 24)
- RE: Checkpoint for internet access Zarcone, Christopher (Oct 24)
- RE: Checkpoint for internet access Bill Van Emburg (Oct 26)