Firewall Wizards mailing list archives
Re: routing by interface on Solaris
From: "Neil Buckley" <nwbuckley () mediaone net>
Date: Thu, 28 Dec 2000 18:47:00 -0500
By "we" I assume you mean me, since I didn't see any other posts to this message 8) I guess I view the ability to stop packets destined for my management network as a function of an upstream device closer to my hostile connections. Performing it at the interface of the firewall may be a nice added defense, but suggests that you have a single device performing many functions. Sorry if I missed the hidden wisdom in Lance's first message, maybe he could elaborate.

--Neil

----- Original Message -----
From: "Baumann, Sean C." <Sean.Baumann () celera com>
To: "'Neil Buckley'" <nwbuckley () mediaone net>; "Lance Spitzner" <lance () spitzner net>; <firewall-wizards () nfr com>
Sent: Thursday, December 28, 2000 10:09 AM
Subject: RE: [fw-wiz] routing by interface on Solaris

I think we missed the point of Lance's post. Correct me if I am wrong Lance, but I believe he was talking about disabling the ip_forwarding on the actual firewall interface connected to the management machine/network. This would prevent the firewall from forwarding packets to this network, so an attack (directly) against this network would have to come from the firewall itself. This is a wonderful application of this feature, but I don't see it becoming widespread. Larger organizations with multiple firewalls would probably use the management host/network to manage multiple firewalls on multiple networks and multiple sites. I've also observed that most organizations that have single firewalls manage them from the firewall itself (management module on the firewall for Checkpoint, RCU/Hawk from the firewall for Raptor, a tape drive attached, etc.).

I suppose if you wanted to use this method for a single site you could always configure an interface on every firewall to be on the management network, and then disable ip_forwarding for those interfaces. That might be interesting to try. Now we just have to get the vendors to support Solaris 8 (read Axent/Symantec).

Regards,
Sean Baumann

******************************************
Sean C. Baumann
sean.baumann () celera com
Celera Genomics
http://www.celera.com
******************************************
Disclaimer: These opinions are my own and do not necessarily represent those of Celera.

-----Original Message-----
From: Neil Buckley [mailto:nwbuckley () mediaone net]
Sent: Tuesday, December 26, 2000 10:20 AM
To: Lance Spitzner; firewall-wizards () nfr com
Subject: Re: [fw-wiz] routing by interface on Solaris

Although this is an option for creating limited access networks, I would wager it's not an option, or shouldn't be an option, for everyone. In general routers should route and hosts should do host processes. The main reason for this is support. The caliber of people that support such environments do not have the capability and depth in all the cross disciplines necessary to support the care and feeding of such an environment (it defaults to the security people for ongoing support as they tend to be the only ones who understand all the components).

In the interest of firewall management I would try and keep it simple: all hosts have a default route pointing to their upstream traffic manager (router). That router makes all decisions for them. Firewalls are placed between the hosts and routers to ensure proper policy enforcement. This IMHO is a best practice. Each individual component has a single role and responsibility; it's easy to find support for my routers, my firewalls, and my systems. OTOH it's not easy to find personnel that can support them all rolled into one box.

I'm also not lost on cost restrictions of purchasing all the equipment needed to support what I mentioned above, so I guess it will come down to what your budget is and how much of a support nightmare you can handle.

--Neil

----- Original Message -----
From: "Lance Spitzner" <lance () spitzner net>
To: <firewall-wizards () nfr com>
Sent: Thursday, December 21, 2000 1:05 PM
Subject: [fw-wiz] routing by interface on Solaris

Solaris 8 has a new capability of enabling ip_forwarding per interface. According to the Sun Blueprint "Network Settings":

http://www.sun.com/software/solutions/blueprints/1200/network-updt1.pdf

One can set ip_forwarding per interface, example below:

ndd -set /dev/ip hme0:ip_forwarding 0
ndd -set /dev/ip hme1:ip_forwarding 1
ndd -set /dev/ip hme2:ip_forwarding 1

This could be advantageous for firewall management. For example, in the above settings, one could use hme0 as the management network, as ip_forwarding has been disabled. This helps protect and isolate the firewall management network from the other connected networks, as routing has been disabled on that interface.

I have not had a chance to test this capability yet. Thought I would toss this idea out to the peanut gallery first :)

Thoughts?

--
Lance Spitzner
http://project.honeynet.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
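The per-interface ip_forwarding setting Lance quotes is only useful as a management-network isolation control if it stays set, so a practitioner would want to audit it rather than trust the one-time ndd invocation. The following POSIX shell script is an added example and is not code from the thread or from Sun; it declares which interfaces are "mgmt" (forwarding must be 0) and which are "transit" (forwarding must be 1), emits the corresponding ndd -set commands in the syntax shown above, and checks the live values with `ndd -get /dev/ip <iface>:ip_forwarding`. The interface names hme0/hme1/hme2 and the role map are constructed for the example, and the NDD_GET hook is an assumption that lets the audit run offline against constructed values on a host without ndd.

```shell
#!/bin/sh
# Added example (not from the thread): audit per-interface ip_forwarding on a
# Solaris 8 firewall against a declared interface role map. Interface names,
# roles and the NDD_GET override are constructed/assumed for this example.

# Role map, one "<iface> <role>" pair per line (constructed sample).
ROLE_MAP='hme0 mgmt
hme1 transit
hme2 transit'

# Expected ip_forwarding value for a role: the management interface must not
# forward (0); transit interfaces between the firewall's networks do (1).
expected_for_role() {
    case "$1" in
        mgmt)    echo 0 ;;
        transit) echo 1 ;;
        *)       echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print the ndd -set commands that would enforce the role map.
emit_ndd_commands() {
    printf '%s\n' "$ROLE_MAP" | while read -r iface role; do
        printf 'ndd -set /dev/ip %s:ip_forwarding %s\n' \
            "$iface" "$(expected_for_role "$role")"
    done
}

# Read the current value for one interface. The real query is
# `ndd -get /dev/ip hme0:ip_forwarding`; NDD_GET (assumed hook) names a shell
# function that returns constructed values so the audit can run offline.
current_forwarding() {
    if [ -n "${NDD_GET:-}" ]; then
        "$NDD_GET" "$1"
    else
        ndd -get /dev/ip "$1:ip_forwarding"
    fi
}

# Compare live values with the role map; one line per interface, non-zero
# return if any interface (or an unknown role) deviates. A here-document is
# used instead of a pipe so the loop runs in the current shell and rc survives.
audit_forwarding() {
    rc=0
    while read -r iface role; do
        want=$(expected_for_role "$role") || { rc=1; continue; }
        have=$(current_forwarding "$iface")
        if [ "$have" = "$want" ]; then
            printf 'OK   %s (%s) ip_forwarding=%s\n' "$iface" "$role" "$have"
        else
            printf 'FAIL %s (%s) ip_forwarding=%s, expected %s\n' \
                "$iface" "$role" "$have" "$want"
            rc=1
        fi
    done <<EOF
$ROLE_MAP
EOF
    return $rc
}

# Stand-alone run: show the enforcement commands, and audit only where ndd exists.
emit_ndd_commands
if command -v ndd >/dev/null 2>&1; then
    audit_forwarding
fi
```

Running it on the firewall itself (where ndd is present) produces an OK/FAIL line per interface, which is the kind of check that belongs in a periodic configuration audit, since the value Lance describes does not persist across reboots unless it is reapplied at startup.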