Firewall Wizards mailing list archives

Re: FW-1: Questions about DHCP and IPX

From: Chris Brenton <cbrenton () sover net>
Date: Tue, 15 Sep 1998 23:43:08 -0400

Jim Hebert wrote:

  I have a customer who is considering Check Point Firewall-1 for a
project.  They have a LAN that they wish to segment from the rest of
the internal network.  Two requirements are that clients on the
segmented LAN must be able to receive their IP addresses via DHCP and
the second is that the clients on the segmented LAN must also be able
to reach a server on the internal LAN via IPX.  Will FW-1 allow DHCP
through it and can IPX be tunneled through the firewall?  I know that
there are several other vendors that implement FW-1 in their products
- would any of these be viable?  If so,  what other components would I
need to purchase - i.e., Management Console since this is the first
instance of Check Point in their network.  Thanks in advance!




First, lose the HTML as it makes it far tougher to read for those of us
who may be able to help you out. ;)

First the DHCP issue. Did you want to use the firewall as a DHCP server
or simply a helper? You can configure FW-1 to deal with this (assuming
the OS supports it). You just have to configure your filter rules to
accept traffic from 255.255.255.255 to the firewall.

As for the IPX issue, FW-1 is IP only, so the firewall will not even
look at IPX. If you go with a platform that is capable of routing IPX
and you do not need to do any IPX filtering, then this would be the best
way to go. You can create an IP tunnel to get over the firewall, but
these are highly inefficient as you are packaging two extra headers per
packet. This will reduce your throughput.

What are your security requirements? It sounds like (IMO) what you
really need is a Cisco router. This takes care of your DHCP issue (if
you need to pass through) as well as your IPX issue. In fact, you can
even filter IPX with the device. If you go with the feature pack, you
can even do dynamic IP packet filtering which puts you in the same
security range as FW-1 at about 1/4 the price.

Hope this helps,
Chris
--
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850

Current thread:

FW-1: Questions about DHCP and IPX Jim Hebert (Sep 15)
- Re: FW-1: Questions about DHCP and IPX Chris Brenton (Sep 17)
- Re: FW-1: Questions about DHCP and IPX Calvin Ng (Sep 17)
- <Possible follow-ups>
- Re: FW-1: Questions about DHCP and IPX Jason L. Snowden (Sep 22)
  - Re: FW-1: Questions about DHCP and IPX Marcus J. Ranum (Sep 23)
    - Re: FW-1: Questions about DHCP and IPX Henry Hertz Hobbit (Sep 24)
    - Re: FW-1: Questions about DHCP and IPX Darren Reed (Sep 24)
    - Re: FW-1: Questions about DHCP and IPX Joseph S. D. Yao (Sep 24)
    - Re: FW-1: Questions about DHCP and IPX Adam Shostack (Sep 25)
    - Re: FW-1: Questions about DHCP and IPX Kevin Steves (Sep 29)
    - Re: FW-1: Questions about DHCP and IPX Adam Shostack (Sep 29)
    - Re: FW-1: Questions about DHCP and IPX Marcus J. Ranum (Sep 29)

(Thread continues...)