Firewall Wizards mailing list archives

RE: AltaVista Tunnel


From: Linwood Ferguson <ferguson () uvii mag aramark com>
Date: Wed, 15 Oct 1997 09:51:59 EST

I'm getting ready to implement a VPN and one of the products being
evaluated is AltaVista Tunnel 97.  We need to pass traffic to both UNIX
boxes and PCs over the Tunnel.  I can't seem to do NetBEUI sessions over
the Tunnel product.  The vendor claims that it's because our fwtk-based
firewall won't pass UDP traffic, but the Tunnel documentation says that
every packet is encrypted and encapsulated in a TCP packet before
passing thru the firewall.  Therefore, I don't think I believe them.  I
suspect the cause might be that NetBEUI is unroutable and can't be
routed thru the Tunnel server.

Microsoft's PPTP _can_ do NetBEUI sessions over the tunnel, but I'd
really rather not use it for reasons that don't need to be argued here.
If my above stated suspicion is correct, then I don't know how M$ routes
NetBEUI traffic thru their tunnel (and probably don't want to know).
Does anybody have any ideas on AltaVista Tunnel?  Am I right or wrong?

NetBEUI is not routable, but once encapsulated in a TCP (or GRE for PPTP) 
packet, it can go anywhere IP can.  The receiving system unpacks it and forwards
it on the wire as though it originated locally, in a sense like a bridge.

I don't know AltaVista Tunnel, but if it is encapsulating it, I would not
expect the firewall's lack of UDP to be an issue.  In fact, I would not 
expect the firewall to even know what was packaged inside.

As a suggestion, I had good luck with MS's PPTP by first testing it locally
inside the firewall.  I could then put a sniffer and see exactly what
traffic types and ports were in use.  You might try that with AltaVista, and
then could know if they are right or not.

It's worth noting that MS PPTP can't go through a firewall without being
able to pass GRE (protocol 47) packets; that's not UDP, but is closer to 
UDP than TCP, and if memory serves the TIS TK can't do that either (though
I haven't any way at the moment to check).  But in that case (with MS PPTP)
it would fail to pass any tunneled traffic, not just NetBEUI.

    - Linwood

-----------------------------------------------------------------------
Linwood Ferguson                  e-mail: ferguson () mag aramark com
Director, Software Engineering    Voice:  (US) 540/967-0087
ARAMARK Mag & Book Services             
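
The sniffer check suggested in the message above, as an added example that is not part of the original post: it tallies the IP protocol and destination port of each captured IPv4 packet and lists anything a TCP-only firewall could not pass. The sample packets, addresses and ports are constructed for illustration and do not describe AltaVista Tunnel's actual traffic; the function names are hypothetical.

```python
import struct
from collections import Counter

PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE"}  # IP protocol numbers

def classify(packet: bytes):
    """Return (protocol name, destination port or None) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    dport = None
    # Only TCP and UDP carry ports, and only the first fragment holds them.
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return name, dport

def summarize(packets):
    """Count packets per (protocol, destination port)."""
    return Counter(classify(p) for p in packets)

def needs_beyond_tcp(summary):
    """Protocols seen in the capture that a TCP-only firewall could not pass."""
    return sorted({name for (name, _) in summary if name != "TCP"})

def ipv4(proto, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Build a minimal IPv4 packet (constructed test data, checksum left 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

# Constructed sample capture (assumed values, as if sniffed on the inside LAN).
SAMPLE = [
    ipv4(6, struct.pack("!HH", 1030, 1723) + b"\x00" * 16),  # TCP to port 1723
    ipv4(47, b"\x00" * 12),                                  # GRE, filler payload
    ipv4(47, b"\x00" * 12),                                  # GRE, filler payload
    ipv4(17, struct.pack("!HHHH", 137, 137, 8, 0)),          # UDP to port 137
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (name, port), n in sorted(s.items(), key=str):
        print(name, port, n)
    print("needs beyond TCP:", needs_beyond_tcp(s))
```
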


