Re: routing by interface on Solaris

["Neil Buckley" <nwbuckley () mediaone net>]

By we I assume you mean me, since I didn't see any other posts to this
message 8)

I guess I view the ability to stop packets destined for my management
network a function of an upstream device closer to my hostile connections.
Performing it at the interface of the firewall may be a nice added defense,
but suggests that you have a single device performing many functions.

Sorry if I missed the hidden wisdom in Lance's first message, maybe he could
elaborate.

--Neil
----- Original Message -----
From: "Baumann, Sean C." <Sean.Baumann () celera com>
To: "'Neil Buckley'" <nwbuckley () mediaone net>; "Lance Spitzner"
<lance () spitzner net>; <firewall-wizards () nfr com>
Sent: Thursday, December 28, 2000 10:09 AM
Subject: RE: [fw-wiz] routing by interface on Solaris


> I think we missed the point of Lance's post.  Correct me if I am wrong
> Lance, but I believe he was talking about disabling the ip_forwarding on
the
> actual firewall interface connected to the management machine/network.
This
> would prevent the firewall from forwarding packets to this network, so an
> attack (directly) against this network would have to come from the
firewall
> itself.  This is a wonderful application of this feature, but I don't see
it
> becoming wide-spread.  Larger organizations with multiple firewalls would
> probably use the management host/network to manage multiple firewalls on
> multiple networks and multiple sites.  I've also observed that most
> organizations that have single firewalls manage them from the firewall
> itself (management module on the firewall for checkpoint, RCU/Hawk from
the
> firewall for Raptor, a tape drive attached, etc).
>
> I suppose if you wanted to use this method for a single site you could
> always configure an interface on every firewall to be on the management
> network, and then disable ip_forwarding for those interfaces.  That might
be
> interesting to try.  Now we just have to get the vendors to support
Solaris
> 8 (read Axent/Symantec).
>
> Regards,
> Sean Baumann
>
> ******************************************
> Sean C. Baumann    sean.baumann () celera com
>             Celera Genomics
>          http://www.celera.com
> ******************************************
>
> Disclaimer: These opinions are my own and do not necessarily represent
those
> of Celera.
>
>
> > -----Original Message-----
> > From: Neil Buckley [mailto:nwbuckley () mediaone net]
> > Sent: Tuesday, December 26, 2000 10:20 AM
> > To: Lance Spitzner; firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] routing by interface on Solaris
> >
> >
> > Although this is an option for creating limited access
> > networks I would
> > wagre its not an option or shouldn't be an option for
> > everyone.  In general
> > routers should route and hosts should do host processes.  The
> > main reason
> > for this is support.  The caliber of people that support such
> > environments
> > do not have the capabilty and depth in all the cross
> > disciplines necessary
> > to support the care and feeding of such an environment (It
> > defaults to the
> > security people for ongoing support as they tend to be the
> > only ones who
> > understand all the components).
> >
> > In the interest of firewall management I would try and keep
> > it simple, all
> > hosts have a default route pointing to their upstream traffic
> > manager(router). That router makes all decisions for them.
> > Firewalls are
> > placed between the hosts and routers to insure proper policy
> > enforcement.
> >
> > This IMHO is a best  practice.  Each individual component has
> > a single role
> > and responsibility, its easy to find support for my routers,
> > my  firewalls,
> > and my systems.  OTOH its not easy to find personnel that
> > can support them
> > all rolled into one box.
> >
> > I'm also not lost on cost restrictions of purchasing all the equipment
> > needed to support what I mentioned above, so I guess it will
> > come down to
> > what your budget is and how much of a support nightmare you
> > can handle.
> >
> > --Neil
> > ----- Original Message -----
> > From: "Lance Spitzner" <lance () spitzner net>
> > To: <firewall-wizards () nfr com>
> > Sent: Thursday, December 21, 2000 1:05 PM
> > Subject: [fw-wiz] routing by interface on Solaris
> >
> >
> > > Solaris 8 has a new capability of enabling ip_forwarding
> > > per interface.
> > >
> > > According to the Sun Blueprint "Network Settings":
> http://www.sun.com/software/solutions/blueprints/1200/network-updt1.pdf
> > Once can set ip_forwarding per interfaces, example below
> >
> > ndd -set /dev/ip hme0:ip_forwarding 0
> > ndd -set /dev/ip hme1:ip_forwarding 1
> > ndd -set /dev/ip hme2:ip_forwarding 1
> >
> > This could be advantageous for Firewall management.  For example, in
> > the above settings, one could use hme0 as the management network,
> > as ip_forwarding has been disabled.  This helps protect and isolate
> > the firewall management network from the other connected networks,
> > as routing has been disabled on that interface.
> >
> > I have not had a chance to test this capability yet.  Thought
> > I would toss this idea out to the peanut gallery first :)
> >
> > Thoughts?
> >
> > --
> > Lance Spitzner
> > http://project.honeynet.org
> >
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://www.nfr.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards