Firewall Wizards mailing list archives
Re: Checkpoint for internet access
From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Fri, 20 Oct 2000 15:40:58 -0600
Although I enjoyed the routing primer, (it was most entertaining), it appears you misunderstood my question, or you yourself do not understand proxy firewalls? With a proxy or socks server a secure network can have a default route to a bit bucket, which means if someone's application doesn't know how to use the proxy or socks services then it's not going anywhere. If the application is aware of proxy or socks services then it will direct the packet to the internet gateway to deal with; that would be why most internet-aware applications have proxy options that you can configure. Sure, a default network route will work well in a small network, or a network that has one single access point, but once a company expands it will probably want a second internet connection, then I need to have two default routes on my network. Sure any dynamic routing protocol can tell me the best path, if the network staff know how to configure it properly, (yes I do, but in previous jobs I have had to explain routing and weights to the guys that manage the routers); if it's configured incorrectly I could be directed to the backup link. However, I think it still comes back to this: any application that can now direct itself to the nearest internet firewall has a good chance of getting out. A quick glance on google.com shows me just under 6000 articles on "port 80 hacks"; sure, some of these will probably be proxy/socks aware and can figure out the best place to send my packet to from my browser config file, but then some might not be that smart. Surely if I don't have a default route to the network I am at least protecting myself from the "not so smart" hack?
Regards, Andrew J Bernoth bernoth () us ibm com "The views expressed above are my own and do not necessarily reflect those of IBM"

"Zarcone, Christopher" <Christopher.Zarcone () netigy com>@nfr.com on 10/20/2000 11:41:51 AM
Sent by: firewall-wizards-admin () nfr com
To: firewall-wizards () nfr net
cc:
Subject: Re: [fw-wiz] Checkpoint for internet access

Andrew,

If it weren't for your default route, your firewall configuration would be considerably uglier. Don't think firewalls, think IP routing...

If you want to send a packet to a specific network, your routing devices (including your firewalls) need to know how to get to that network. That information, as you know, comes in the form of routes. A route tells a router where to send packets for a given destination. If you want to reach Network A, for example, your router needs a route specifically for Network A.

Now let's expand this example to the entire Internet. There are literally millions of different networks on the Internet, the configuration of which is changing all the time. As an Internet firewall, your firewall potentially needs to reach ALL of these networks. As such, it needs to have a route for ALL of these networks. You have two choices here:

- Use BGP to obtain the entire Internet routing table from your ISP. (Last time I checked, there are over 100,000 entries in the Internet routing table, and they consume many megabytes of memory).
- Have a single default route to your ISP. Default route is where your firewall sends all packets in the absence of more specific routes. (This results in a single entry in your routing table).

Which alternative looks better to you? I know which looks better to me. The main principle here is route aggregation.

I think your issues with Check Point have less to do with default routes, and more to do with stateful packet filtering (versus the proxies with which you are more familiar).

And that brings about a good point, how were your proxies and SOCKS-based servers configured to reach the Internet? What did their routing tables look like? I don't imagine that they were speaking BGP...

Regards, Christopher Zarcone, CISSP Senior Consultant christopher.zarcone () netigy com Netigy Corporation www.netigy.com My opinions do not necessarily represent the opinions of my employer.

Message: 15
To: firewall-wizards () nfr net
From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Thu, 19 Oct 2000 14:58:44 -0600
Subject: [fw-wiz] Checkpoint for internet access

G'day Wizards, Please bear with me if this is basic knowledge, I have not played with Checkpoint yet. I have a checkpoint administrator with his firewall providing access to the internet. I don't really like the idea of having a default route pointing out to the internet, but he assures me this is the only configuration the Checkpoint can do. Is this true? How do others deal with this? I am more used to either a socks or proxy configuration for an internet firewall.

Thanks Regards, Andrew J Bernoth bernoth () us ibm com "The views expressed above are my own and do not necessarily reflect those of IBM"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
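The two designs argued over in this thread (a default route to a bit bucket plus proxy/SOCKS-aware applications, versus a default route pointing at a stateful firewall) come down to what a routing table's longest-prefix match returns for an Internet destination. The following is an added illustration written for this archive page, not code posted by either participant or by Check Point or any vendor: a toy IPv4 routing table with longest-prefix match, and a simulation of a proxy-aware and a proxy-unaware application trying to reach an Internet host under each design. The prefixes, host names (core-router, internet-firewall, bit-bucket), the proxy address 10.1.1.5 and the Internet host 198.51.100.7 are constructed assumptions, not taken from the thread.

```python
"""Longest-prefix-match toy comparing the two gateway designs from the thread.

Constructed example: the addresses, host names and routes below are made up
stand-ins for a corporate network, not a description of any real site.
"""
import ipaddress

BLACKHOLE = "bit-bucket"  # a next hop that simply drops the packet (null route)


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # routes: iterable of (prefix, next_hop); "0.0.0.0/0" is the default route
        self.routes = [(ipaddress.ip_network(prefix), next_hop)
                       for prefix, next_hop in routes]

    def lookup(self, dst):
        """Return the next hop for dst, or None if nothing (not even a default) matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes:
            # the most specific (longest) matching prefix wins
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]

    def __len__(self):
        return len(self.routes)


def where_does_it_go(table, dst, proxy_aware, proxy_host):
    """Simulate an application on the secure network sending traffic to dst.

    A proxy/SOCKS-aware application hands its traffic to proxy_host, so the
    routing decision is made for the proxy's internal address.  An unaware
    application addresses the Internet host directly, so the decision is made
    for dst itself and only a default route can carry it.
    """
    target = proxy_host if proxy_aware else dst
    return table.lookup(target)


# Constructed topology (assumption): 10.0.0.0/8 is the company network,
# the proxy/SOCKS server lives at 10.1.1.5, 198.51.100.7 is an Internet host.
INTERNAL = "10.0.0.0/8"
PROXY_HOST = "10.1.1.5"
INTERNET_HOST = "198.51.100.7"

# Design 1 (the proxy model): default route to a bit bucket.
proxy_design = RoutingTable([
    (INTERNAL, "core-router"),
    ("0.0.0.0/0", BLACKHOLE),
])

# Design 2 (the default-route model): default route to the Internet firewall.
default_route_design = RoutingTable([
    (INTERNAL, "core-router"),
    ("0.0.0.0/0", "internet-firewall"),
])


def compare_designs():
    """Return {(design, proxy_aware): next_hop} for an app reaching INTERNET_HOST."""
    results = {}
    for name, table in (("proxy", proxy_design), ("default-route", default_route_design)):
        for aware in (True, False):
            results[(name, aware)] = where_does_it_go(table, INTERNET_HOST, aware, PROXY_HOST)
    return results


if __name__ == "__main__":
    for (design, aware), hop in compare_designs().items():
        kind = "proxy-aware" if aware else "proxy-unaware"
        print(f"{design:14s} {kind:14s} -> {hop}")
    # Christopher's route-aggregation point: one default entry covers the whole Internet.
    print(f"routing entries in the default-route design: {len(default_route_design)}")
```

Running it shows the asymmetry both posters are circling: the proxy-aware application reaches the proxy via the internal route under either design, while the proxy-unaware one is delivered to the bit bucket in the first design and to the Internet firewall in the second. Without any default route at all (drop the `0.0.0.0/0` entry), `lookup` returns `None` for the Internet host, which is the situation that would otherwise need a full BGP table to resolve.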
Current thread:
- Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 19)
- Re: Checkpoint for internet access Brad Van Orden (Oct 20)
- <Possible follow-ups>
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 20)
- Re: Checkpoint for internet access Zarcone, Christopher (Oct 20)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Kalat, Andrew (ISS Atlanta) (Oct 23)
- Re: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 23)
- RE: Checkpoint for internet access Andrew J Bernoth/Boulder/IBM (Oct 24)
- RE: Checkpoint for internet access Zarcone, Christopher (Oct 24)
- RE: Checkpoint for internet access Bill Van Emburg (Oct 26)