Firewall Wizards mailing list archives

Re: Checkpoint for internet access


From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Fri, 20 Oct 2000 15:40:58 -0600

Although I enjoyed the routing primer, (it was most entertaining), it
appears you misunderstood my question, or you yourself do not understand
proxy firewalls?

With a proxy or socks server a secure network can have a default route to a
bit bucket, which means if someone's application doesn't know how to use
the proxy or socks services then it's not going anywhere.  If the
application is aware of proxy or socks services then it will direct the
packet to the internet gateway to deal with, that would be why most
internet aware applications have proxy options that you can configure.

Sure, a default network route will work well in a small network, or a
network that has one single access point, but once a company expands it
will probably want a second internet connection, then I need to have two
default routes on my network.  Sure any dynamic routing protocol can tell
me the best path, if the network staff know how to configure it properly,
(yes I do, but in previous jobs I have had to explain routing and weights
to the guys that manage the routers), if it's configured incorrectly I
could be directed to the backup link.

However, I think it still comes back to this: any application that can now direct
itself to the nearest internet firewall has a good chance of getting out.
A quick glance on google.com shows me just under 6000 articles on "port 80
hacks", sure some of these will probably be proxy/socks aware and can
figure out what the best place to send my packet to from my browser config
file, but then some might not be that smart.  Surely if I don't have a
default route to the network I am at least protecting myself from the "not
so smart" hack?

Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those
of IBM"


"Zarcone, Christopher" <Christopher.Zarcone () netigy com>@nfr.com on
10/20/2000 11:41:51 AM

Sent by:  firewall-wizards-admin () nfr com


To:   firewall-wizards () nfr net
cc:
Subject:  Re: [fw-wiz] Checkpoint for internet access



Andrew,

If it weren't for your default route, your firewall configuration would be
considerably uglier. Don't think firewalls, think IP routing...

If you want to send a packet to a specific network, your routing devices
(including your firewalls) need to know how to get to that network. That
information, as you know, comes in the form of routes. A route tells a
router where to send packets for a given destination. If you want to reach
Network A, for example, your router needs a route specifically for Network
A.

Now let's expand this example to the entire Internet. There are literally
millions of different networks on the Internet, the configuration of which
is changing all the time. As an Internet firewall, your firewall potentially
needs to reach ALL of these networks. As such, it needs to have a route for
ALL of these networks. You have two choices here:

- Use BGP to obtain the entire Internet routing table from your ISP. (Last
time I checked, there are over 100,000 entries in the Internet routing
table, and they consume many megabytes of memory).
- Have a single default route to your ISP. Default route is where your
firewall sends all packets in the absence of more specific routes. (This
results in a single entry in your routing table).

Which alternative looks better to you? I know which looks better to me. The
main principle here is route aggregation.

I think your issues with Check Point have less to do with default routes,
and more to do with stateful packet filtering (versus the proxies with which
you are more familiar). And that brings about a good point, how were your
proxies and SOCKS-based servers configured to reach the Internet? What did
their routing tables look like? I don't imagine that they were speaking
BGP...

Regards,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com

Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.

Message: 15
To: firewall-wizards () nfr net
From: "Andrew J Bernoth/Boulder/IBM" <bernoth () us ibm com>
Date: Thu, 19 Oct 2000 14:58:44 -0600
Subject: [fw-wiz] Checkpoint for internet access

G'day Wizards,

Please bear with me if this is basic knowledge, I have not played with
Checkpoint yet.

I have a checkpoint administrator with his firewall providing access to the
internet.  I don't really like the idea of having a default route pointing
out to the internet, but he assures me this is the only configuration the
Checkpoint can do.  Is this true?  How do others deal with this?

I am more used to either a socks or proxy configuration for an internet
firewall.

Thanks

Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those
of IBM"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
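The two positions in this thread (a default route toward the firewall versus a default route to a bit bucket with proxy-aware clients, and Zarcone's route aggregation point) can be made concrete with a small route-lookup simulation. This is an added example, not code from either poster; the addresses are constructed from RFC 1918 and documentation ranges, and the next-hop labels ("blackhole", "isp", "inside") and the proxy address are assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing tables: (prefix, next hop). Longest prefix wins; the
# 0.0.0.0/0 entry is the default route that catches everything else.
INTERNAL_NO_DEFAULT = [
    ("10.0.0.0/8", "10.0.0.1"),    # internal core router (constructed)
    ("0.0.0.0/0", "blackhole"),    # default route to a bit bucket (Andrew's design)
]
INTERNAL_DEFAULT = [
    ("10.0.0.0/8", "10.0.0.1"),
    ("0.0.0.0/0", "10.0.0.254"),   # default route to the Internet firewall (Zarcone's design)
]
PROXY = "10.0.0.10"                # hypothetical proxy/SOCKS server on the inside

# Firewall tables: many specific Internet prefixes (BGP-style) versus one default.
FIREWALL_SPECIFIC = [
    ("10.0.0.0/8", "inside"),
    ("192.0.2.0/24", "isp"),
    ("198.51.100.0/24", "isp"),
    ("203.0.113.0/24", "isp"),
]
FIREWALL_DEFAULT = [
    ("10.0.0.0/8", "inside"),
    ("0.0.0.0/0", "isp"),
]


def lookup(table, dst):
    """Longest-prefix-match lookup: return the next hop for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def deliver(table, proxy_aware, dst):
    """Where an internal host's traffic for dst ends up.

    A proxy-aware application talks to the proxy (an internal address) and lets the
    proxy reach the Internet; an unaware one addresses dst directly and depends on
    the host's routing table. A missing route or a blackhole next hop means dropped.
    """
    target = PROXY if proxy_aware else dst
    hop = lookup(table, target)
    if hop is None or hop == "blackhole":
        return "dropped"
    return hop


def same_forwarding(table_a, table_b, destinations):
    """True if both tables forward every listed destination to the same next hop."""
    return all(lookup(table_a, d) == lookup(table_b, d) for d in destinations)


if __name__ == "__main__":
    internet_host = "198.51.100.7"
    for name, table in (("no default", INTERNAL_NO_DEFAULT), ("default", INTERNAL_DEFAULT)):
        for aware in (False, True):
            print(f"{name:10} proxy_aware={aware!s:5} -> {deliver(table, aware, internet_host)}")
    known = ["192.0.2.9", "198.51.100.7", "203.0.113.200", "10.4.5.6"]
    print("specific vs default agree on known prefixes:",
          same_forwarding(FIREWALL_SPECIFIC, FIREWALL_DEFAULT, known))
    print("unlisted destination, specific table:", lookup(FIREWALL_SPECIFIC, "100.64.1.1"))
    print("unlisted destination, default table: ", lookup(FIREWALL_DEFAULT, "100.64.1.1"))
```

Running it shows both arguments at once: with the blackhole default, an application that is not proxy-aware gets "dropped" while a proxy-aware one still reaches the proxy via the 10.0.0.0/8 route, whereas with a default route toward the firewall the unaware application is forwarded regardless. On the firewall side, the two-entry default table forwards every listed Internet prefix to the same next hop as the table full of specifics (the aggregation point), with the one behavioural difference that a destination not present in the specific table gets no route at all, while the default table sends it to the ISP.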


