Firewall Wizards mailing list archives

RE: routing by interface on Solaris


From: "Baumann, Sean C." <Sean.Baumann () celera com>
Date: Thu, 28 Dec 2000 10:09:50 -0500


I think we missed the point of Lance's post.  Correct me if I am wrong,
Lance, but I believe he was talking about disabling the ip_forwarding on the
actual firewall interface connected to the management machine/network.  This
would prevent the firewall from forwarding packets to this network, so an
attack (directly) against this network would have to come from the firewall
itself.  This is a wonderful application of this feature, but I don't see it
becoming widespread.  Larger organizations with multiple firewalls would
probably use the management host/network to manage multiple firewalls on
multiple networks and multiple sites.  I've also observed that most
organizations that have single firewalls manage them from the firewall
itself (management module on the firewall for Checkpoint, RCU/Hawk from the
firewall for Raptor, a tape drive attached, etc).

I suppose if you wanted to use this method for a single site you could
always configure an interface on every firewall to be on the management
network, and then disable ip_forwarding for those interfaces.  That might be
interesting to try.  Now we just have to get the vendors to support Solaris
8 (read Axent/Symantec).

Regards,
Sean Baumann

******************************************
Sean C. Baumann    sean.baumann () celera com           
            Celera Genomics    
         http://www.celera.com
******************************************

Disclaimer: These opinions are my own and do not necessarily represent those
of Celera.


-----Original Message-----
From: Neil Buckley [mailto:nwbuckley () mediaone net]
Sent: Tuesday, December 26, 2000 10:20 AM
To: Lance Spitzner; firewall-wizards () nfr com
Subject: Re: [fw-wiz] routing by interface on Solaris


Although this is an option for creating limited access networks I would
wager it's not an option, or shouldn't be an option, for everyone.  In general
routers should route and hosts should do host processes.  The main reason
for this is support.  The caliber of people that support such environments
do not have the capability and depth in all the cross disciplines necessary
to support the care and feeding of such an environment (it defaults to the
security people for ongoing support as they tend to be the only ones who
understand all the components).

In the interest of firewall management I would try and keep it simple: all
hosts have a default route pointing to their upstream traffic manager
(router).  That router makes all decisions for them.  Firewalls are placed
between the hosts and routers to ensure proper policy enforcement.

This IMHO is a best practice.  Each individual component has a single role
and responsibility; it's easy to find support for my routers, my firewalls,
and my systems.  OTOH it's not easy to find personnel that can support them
all rolled into one box.

I'm also not lost on the cost restrictions of purchasing all the equipment
needed to support what I mentioned above, so I guess it will come down to
what your budget is and how much of a support nightmare you can handle.

--Neil
----- Original Message -----
From: "Lance Spitzner" <lance () spitzner net>
To: <firewall-wizards () nfr com>
Sent: Thursday, December 21, 2000 1:05 PM
Subject: [fw-wiz] routing by interface on Solaris


Solaris 8 has a new capability of enabling ip_forwarding
per interface.

According to the Sun Blueprint "Network Settings":

http://www.sun.com/software/solutions/blueprints/1200/network-updt1.pdf

One can set ip_forwarding per interface; example below:

ndd -set /dev/ip hme0:ip_forwarding 0
ndd -set /dev/ip hme1:ip_forwarding 1
ndd -set /dev/ip hme2:ip_forwarding 1

This could be advantageous for Firewall management.  For example, in
the above settings, one could use hme0 as the management network,
as ip_forwarding has been disabled.  This helps protect and isolate
the firewall management network from the other connected networks,
as routing has been disabled on that interface.

I have not had a chance to test this capability yet.  Thought
I would toss this idea out to the peanut gallery first :)

Thoughts?

--
Lance Spitzner
http://project.honeynet.org


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


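Lance notes he has not had a chance to test the per-interface setting. As an added example (not code from any of the posters or from Sun's Blueprint), here is a small POSIX sh script that applies the hme0/hme1/hme2 policy from his message with ndd and then reads every setting back with `ndd -get` so drift on the management interface is caught; the interface names and the ndd path are assumptions.

```shell
#!/bin/sh
# Added example: apply and verify a per-interface ip_forwarding policy on a
# Solaris 8 firewall with ndd(1M). Not from the original post or Sun's Blueprint.
# Assumptions: interface names hme0-hme2 as in the post, hme0 = management side,
# and ndd at /usr/sbin/ndd (override with NDD=... to point at a stub for testing).
NDD=${NDD:-/usr/sbin/ndd}

# Policy: "<interface> <0|1>" per line; 0 = never forward packets via this NIC.
# The interfaces must already be plumbed for the ifname:ip_forwarding parameter
# to exist, and ndd settings do not survive a reboot, so this script also has
# to run from an rc script.
FWD_POLICY='hme0 0
hme1 1
hme2 1'

# Print the exact ndd command for one interface, so a change can be reviewed.
fwd_cmd() {
    printf '%s -set /dev/ip %s:ip_forwarding %s\n' "$NDD" "$1" "$2"
}

# Apply every line of the policy; stop at the first failure.
apply_policy() {
    while read -r ifname flag; do
        "$NDD" -set /dev/ip "${ifname}:ip_forwarding" "$flag" || return 1
    done <<EOF
$FWD_POLICY
EOF
}

# Read each setting back with ndd -get and compare it against the policy.
# Prints one MISMATCH line per deviation and returns 1 if any were found,
# so it can run from cron as a drift check on the management interface.
audit_policy() {
    rc=0
    while read -r ifname flag; do
        actual=$("$NDD" -get /dev/ip "${ifname}:ip_forwarding" 2>/dev/null)
        if [ "$actual" != "$flag" ]; then
            echo "MISMATCH ${ifname}: expected ip_forwarding=$flag, got ${actual:-<unreadable>}"
            rc=1
        fi
    done <<EOF
$FWD_POLICY
EOF
    return $rc
}
```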