Firewall Wizards mailing list archives

RE: Checkpoint for internet access


From: "Zarcone, Christopher" <Christopher.Zarcone () netigy com>
Date: Sun, 22 Oct 2000 09:13:33 -0700

Andrew,

My comments are in the text:

-----Original Message-----
From: Andrew J Bernoth/Boulder/IBM [mailto:bernoth () us ibm com]
Sent: Friday, October 20, 2000 5:41 PM
To: Zarcone, Christopher
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access

Although I enjoyed the routing primer, (it was most entertaining), it
appears you misunderstood my question, or you yourself do not understand
proxy firewalls?

Well, the way your original e-mail was worded was pretty ambiguous. I
thought your issues were related to IP routing fundamentals and was trying
to answer as such. By the way, thanks for your veiled criticism of my proxy
firewall knowledge. If you're going to be soliciting free advice from
people, you shouldn't be critical of replies that don't meet your
expectations.

With a proxy or socks server a secure network can have a default route to a
bit bucket, which means if someone's application doesn't know how to use
the proxy or socks services then it's not going anywhere. If the
application is aware of proxy or socks services then it will direct the
packet to the internet gateway to deal with, that would be why most
internet aware applications have proxy options that you can configure.

Sure, a default network route will work well in a small network, or a
network that has one single access point, but once a company expands it
will probably want a second internet connection, then I need to have two
default routes on my network.

Secondary (or multiple) ISP connections do not necessarily mean multiple
default routes on your network. OSPF and IS-IS, for example, support routing
hierarchies, so you could hide the "multi-ISP ugliness" in your backbone
area and advertise a single default route to your stub areas.

Sure, any dynamic routing protocol can tell me the best path, if the network
staff know how to configure it properly (yes I do, but in previous jobs I
have had to explain routing and weights to the guys that manage the
routers); if it's configured incorrectly I could be directed to the backup
link.

However, I think it still comes back to this: any application that can now
direct itself to the nearest internet firewall has a good chance of getting
out.

If the firewall is correctly configured (that is, default deny for all
inbound AND OUTBOUND traffic) I don't agree that any application has a "good
chance" of getting out. Maybe a "slightly better" chance, at best.

A quick glance on google.com shows me just under 6000 articles on "port 80
hacks"; sure, some of these will probably be proxy/socks aware and can
figure out the best place to send my packet to from my browser config
file, but then some might not be that smart. Surely if I don't have a
default route to the network I am at least protecting myself from the "not
so smart" hack?

Well here, I pretty much agree with you. (This paragraph really belonged in
your original e-mail, as it illustrates your real reservation with default
route). Applications that search for openings may ultimately find one. It
all really comes down to the convenience vs. security argument. What
protocols & applications do you need to support, and what degree of security
is required?

And to take it all the way back to your original question, as I understand
it, Check Point depends on the routing table of the underlying OS. If the OS
doesn't have a default route, Check Point won't have a default route.
Someone please correct me if I'm wrong, but I think your current FW1
administrator is mistaken...

Regards,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com

Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.
Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those
of IBM"
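The "default route to a bit bucket" argument in the thread above, worked through as an added example (my own code, not anything from the list or from either poster): a tiny longest-prefix-match lookup over an internal host's routing table. The addresses, the proxy at 10.1.1.25 and the two table variants are constructed for illustration; the outcome shows why a non-proxy-aware application is stopped by a blackhole default while a proxy-aware one still reaches the gateway.

```python
import ipaddress

# Marker for a route whose next hop is "the bit bucket" (a null/blackhole route).
BLACKHOLE = "blackhole"

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.

    Returns the next hop of the most specific matching prefix, BLACKHOLE for
    a null route, or None when nothing matches (no default route at all)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def egress(table, proxy_aware, proxy_ip, internet_dst):
    """Where does the application's first packet go?

    A proxy/SOCKS-aware application talks to the proxy's *internal* address,
    so only an internal route is needed.  An application that is not
    proxy-aware addresses the Internet host directly and therefore depends on
    whatever the default route says."""
    first_packet_dst = proxy_ip if proxy_aware else internet_dst
    return lookup(table, first_packet_dst)

# Constructed routing tables for a host on the 10.0.0.0/8 internal network.
WITH_DEFAULT = [("10.0.0.0/8", "10.0.0.1"),      # internal core router
                ("0.0.0.0/0", "10.0.0.254")]     # default -> Internet gateway
NO_DEFAULT = [("10.0.0.0/8", "10.0.0.1"),
              ("0.0.0.0/0", BLACKHOLE)]          # default -> bit bucket

PROXY = "10.1.1.25"          # constructed: internal proxy/SOCKS server
TARGET = "198.51.100.10"     # TEST-NET-2 address standing in for "the Internet"

if __name__ == "__main__":
    for name, table in (("with default", WITH_DEFAULT), ("blackhole default", NO_DEFAULT)):
        for aware in (True, False):
            print(f"{name:18} proxy_aware={aware!s:5} -> {egress(table, aware, PROXY, TARGET)}")
```

With the blackhole default the non-aware application's packet is swallowed on the host itself, which is the protection against the "not so smart" case argued above; Christopher's point that the firewall should still default-deny outbound traffic applies to the proxy-aware case, which this lookup does not filter.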



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards