Who would have thought that this subject would have drawn
such enthusiasm. David, thanks for saving me the trouble of
explaining if anyone had asked.
Let's feed the fires and see what thoughts people have. I
noticed in all the back and forth that people have some very
strict interpretations of what behavior different devices should
perform. For the purposes of this discussion I contend that
any device
1. which is capable of forwarding packets, regardless of how
2. and is part of (and necessary to) the data path
3. and is intelligent enough (by this I mean layer "X" aware)
has the basic components to "firewall" and help secure a
networking environment. Whether a device is a router, or a
bridge, or something else does not necessarily make it right
or wrong. All environments present their own risks and
challenges.
----- Original Message -----
From: "David Gillett" <gillettdavid AT FHDA DOT EDU>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Tuesday, June 24, 2003 11:58 AM
Subject: Re: [FW-1] LAN address space on WAN help ?
> I don't think NAT provides the same function at all.
> NAT makes a device, which is actually on a "trusted" side of
> the firewall, appear as if it was directly attached to the
> segment on the "untrusted" side.
> Eric, though, is talking about assigning an address that
> "belongs" on the trusted side, to a device that is actually
> on the untrusted side.
>
> Proxy ARP is an interesting suggestion. If you give devices
> and interfaces on the untrusted segment addresses and masks as
> if they were on a supernet that includes both trusted and untrusted
> subnets, then proxy ARP can be used by the firewall to snag
> traffic that needs to get to the trusted side (and vice versa?).
> This isn't quite as flexible as what Eric seems to be describing,
> and the path taken by packets may be different, but it does solve
> some of the same problems as the Sonicwall feature.
>
> David Gillett
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf Of Bill
> > Sent: June 23, 2003 14:27
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: Re: [FW-1] LAN address space on WAN help ?
> >
> >
> > You could always use NAT to do the same thing on any box running
> > checkpoint software. Another option is proxy arp (a routing function,
> > not a firewall function) does something similar, but the underlying OS
> > will perform this feature and may not be available on the OS you are
> > using. The configuration and application of both will depend on your
> > specific needs.
> > ----- Original Message -----
> > From: "David Gillett" <gillettdavid AT FHDA DOT EDU>
> > To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> > Sent: Monday, June 23, 2003 4:48 PM
> > Subject: Re: [FW-1] LAN address space on WAN help ?
> >
> >
> > > Since FW-1 functions as a router, having some of a subnet on
> > > one side of it and some on the other is topologically illegal.
> > > So it would not make sense to offer this feature.
> > >
> > > David Gillett
> > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1
> > > > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf Of Eric i
> > > > Sent: June 23, 2003 12:51
> > > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > > Subject: [FW-1] LAN address space on WAN help ?
> > > >
> > > >
> > > > I have a beautiful command/feature available on my sonicwall
> > > > firewall. It is on the "advanced" menu on the intranet tab and it
> > > > is labeled:
> > > > Specified address are attached to the wan link...
> > > > This allows me to communicate with computers with the same address
> > > > space/subnet behind the firewall(LAN) as the computers outside the
> > > > firewall(WAN).
> > > >
> > > > Does FW-1 have such a feature ??????
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
> >
>
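Added example, not part of the original thread or any poster's message: a small model of the proxy ARP arrangement David describes, where outside hosts carry a supernet mask covering both segments and the firewall answers ARP for addresses that live on its other side. The addresses, interface names and function names are constructed assumptions.

```python
import ipaddress as ip

# Constructed topology (assumption): one /24 split across the firewall.
UNTRUSTED = ip.ip_network("192.0.2.0/25")    # segment outside the firewall
TRUSTED = ip.ip_network("192.0.2.128/25")    # segment behind the firewall
SUPERNET = ip.ip_network("192.0.2.0/24")     # mask configured on the hosts
FW_ROUTES = {"outside": UNTRUSTED, "inside": TRUSTED}

def host_action(configured_net, dst):
    """What a host does with a packet: ARP for dst itself or use its gateway."""
    on_link = ip.ip_address(dst) in configured_net
    return "arp-for-dst" if on_link else "send-to-gateway"

def fw_proxy_arp(in_iface, target):
    """Return True if the firewall should answer the ARP request itself.

    It answers only when the target is reached through a different interface
    than the one the request arrived on; answering for a same-segment target
    would compete with the real owner's reply.
    """
    addr = ip.ip_address(target)
    for iface, net in FW_ROUTES.items():
        if addr in net:
            return iface != in_iface
    return False  # no route to the target: stay silent

def path(src_iface, host_net, dst):
    """Trace how a packet from a host on src_iface reaches dst."""
    if host_action(host_net, dst) == "send-to-gateway":
        return "routed via configured gateway"
    if fw_proxy_arp(src_iface, dst):
        return "firewall answers ARP, packet crosses firewall policy"
    return "direct on local segment"

if __name__ == "__main__":
    for iface, net, dst in [
        ("outside", SUPERNET, "192.0.2.200"),   # outside host -> trusted side
        ("outside", SUPERNET, "192.0.2.10"),    # outside host -> neighbour
        ("inside", SUPERNET, "192.0.2.10"),     # the "vice versa" direction
        ("outside", UNTRUSTED, "192.0.2.200"),  # correct /25 mask, no proxy ARP
    ]:
        print(f"{iface:8} {str(net):16} -> {dst:12} {path(iface, net, dst)}")
```

With the supernet mask every cross-segment packet still reaches the firewall, so the rule base continues to apply; only the way the host finds its next hop changes.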