RE: Sonicwall Soho2
From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] Too late. Things are already confused, namely about the technical distinction between bridge and router. Not really, You think that Sonicwall is a router and I know that it's not. However I made a mistake by stating that it is bridge, I should have said that it's bridging firewall. One should use always precise terms in this environment. snip A simple test to distinguish the two is to compare IP address with MAC address. In a bridged environment, the destination MAC address will belong to the destination IP address. (The sender obtains this via ARP.) In a routed address, the host sending the datagram (to the router) will use the MAC address of the router. (It uses the configured gateway IP address to do an ARP to obtain the MAC address of the router. So we do agree on this matter :-) As I said earlier. In configuration where NAT is not used Sonicwall is not defined as a gateway but rather just connected between router and other devices. There is no configuration change to clients. Subnet is divided by Sonicwall. I left out most of your mail because understanding preceding sentence makes it irrelevant. You probably got it, but just for common good. To explain how it works: A=Host A B=Host B Bmac=MAC address of Host B S=Sonicwall Sa=Sonicwall's network interface on Host A segment Sb=Soniwalls's network interface on Host B segment Subnet is same for both clients. Let's say it's 192.168.1.0/24 A---Sa|S|SbB So when A wants to connect B, what happens: 1. A will send ARP request to get host B MAC address 2. Sonicwall will see the request in interface Sa and respond (it probably sends ARP to host B and then uses that MAC) 3. A will send syn to Bmac (which will actually go to Sonicwall interface Sa) 4. Sonicwall will check the syn against it's Security policy and in this case it's allowed 5. Sonicwall will send packet to host B (Bmac) using interface Sb 6. Host B will send ARP request to get host A MAC address 7. Sonicwall will see the request in interface Sb and respond ... I love to get into philosophical debate, but I think that other members of this list don't enjoy it. So if you want to continue we can do it off-list. rgds, Harri ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
There are some additional benefits of Transparent Bridge comparing to routing firewall: 1. Firewall can be completely transparent. Only way to know that device even exists is to have devices on both sides of the firewall and port scanning through firewall (or by physically checking this fact) 2. Firewall doesn't have to have ip-address. This means that the network security cannot be compromised by attacking firewall using IP. (this can still be done on Layer 2 but usually attacker doesn't have access to network segment) However because of 1. bridging firewall also somewhat breaks the idea of subnet/broadcast domain and can make troubleshooting problems difficult. Also they have usually somewhat limited protocol suite / ip-level functionality compared to routing firewalls. rgds, Harri -Original Message- From: ext Jason Yuan [mailto:[EMAIL PROTECTED]] Sent: 10 January, 2002 21:58 To: Kotakoski Harri (EXT-Novosys/Copenhagen); [EMAIL PROTECTED] Subject: RE: Sonicwall Soho2 I have a soho(1) and I noticed the same thing. I can use the box either as a bridge type of configuration, or rely on the built-in NAT if I want to use a different network address on the inside. The question I have is that what is the security implication of a bridge type of device vs. a router type of FW? Jason [EMAIL PROTECTED] wrote: From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is transparent bridge not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2. Lets not confuse these things over here. 1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same subnet, in non NAT configuration also lan) 2. Sonicwall is filtering traffic based on layer 3 information. 3. Sonicwall has ip address for management functionality. (so it's present also on layer 3) 4. Sonicwall ! has limited capability acting as a router in NAT configuration but it is not a router (it is probably just doing source and destination NAT to connections). 5. Sonicwall can emulate router functionality by sending ICMP redirects The difference between routing firewall and bridging firewall is that routing firewall is configured as a gateway to all network segments connected to it. Bridging firewall is relaying traffic on Layer 2. So from layer 3 perspective clients are sending traffic to routing firewall but in the case of bridge it is just flowing through (or not, depending on the installed policy). rgds, Harri (And Sonicwall doesn't mention this on their website, which could be quite confusing) ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls Jason Yuan Security Consultant Niles Associa! tes Do You Yahoo!? Send FREE video emails in Yahoo! Mail. ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is transparent bridge not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2. Lets not confuse these things over here. 1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same subnet, in non NAT configuration also lan) 2. Sonicwall is filtering traffic based on layer 3 information. 3. Sonicwall has ip address for management functionality. (so it's present also on layer 3) 4. Sonicwall has limited capability acting as a router in NAT configuration but it is not a router (it is probably just doing source and destination NAT to connections). 5. Sonicwall can emulate router functionality by sending ICMP redirects The difference between routing firewall and bridging firewall is that routing firewall is configured as a gateway to all network segments connected to it. Bridging firewall is relaying traffic on Layer 2. So from layer 3 perspective clients are sending traffic to routing firewall but in the case of bridge it is just flowing through (or not, depending on the installed policy). rgds, Harri (And Sonicwall doesn't mention this on their website, which could be quite confusing) ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
I feel this goes along with what you say [...]It is different from most 'conventional' firewalls, in that it does not perform 'routing' (unless you turn on the NAT features). It is actually more of a 'switch' type of device, which uses a form of stateful packet inspection and a rules engine to determine whether to forward packets from one port (a LAN port) to the other port (a WAN port).[...] It is an extract from http://www.sans.org/y2k/firewall.htm F. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: jeudi 10 janvier 2002 10:14 To: [EMAIL PROTECTED] Subject: RE: Sonicwall Soho2 From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is transparent bridge not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2. Lets not confuse these things over here. 1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same subnet, in non NAT configuration also lan) 2. Sonicwall is filtering traffic based on layer 3 information. 3. Sonicwall has ip address for management functionality. (so it's present also on layer 3) 4. Sonicwall has limited capability acting as a router in NAT configuration but it is not a router (it is probably just doing source and destination NAT to connections). 5. Sonicwall can emulate router functionality by sending ICMP redirects The difference between routing firewall and bridging firewall is that routing firewall is configured as a gateway to all network segments connected to it. Bridging firewall is relaying traffic on Layer 2. So from layer 3 perspective clients are sending traffic to routing firewall but in the case of bridge it is just flowing through (or not, depending on the installed policy). rgds, Harri (And Sonicwall doesn't mention this on their website, which could be quite confusing) ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
I have a soho(1) and I noticed the same thing. I can use the box either as a bridge type of configuration, or rely on the built-in NAT if I want to use a different network address on the inside. The question I have is that what is the security implication of a bridge type of device vs. a router type of FW? Jason [EMAIL PROTECTED] wrote: From: ext Dave Crocker [mailto:[EMAIL PROTECTED]] At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is transparent bridge not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2.Lets not confuse these things over here.1. Sonicwall is a bridge. (at least dmz and wan interfaces are in samesubnet, in non NAT configuration also lan)2. Sonicwall is filtering traffic based on layer 3 information.3. Sonicwall has ip address for management functionality. (so it'spresent also on layer 3)4. Sonicwall has limited capability acting as a router in NATconfiguration but it is not a router (it is probably just doing sourceand destination NAT to connections).5. Sonicwall can emulate router functionality by sending ICMP redirectsThe difference between routing firewall and bridging firewall is thatrouting firewall is configured as a gateway to all network segmentsconnected to it. Bridging firewall is relaying traffic on Layer 2.So from layer 3 perspective clients are sending traffic to routingfirewall but in the case of bridge it is just flowing through (or not,depending on the installed policy).rgds,Harri(And Sonicwall doesn't mention this on their website, which could bequite confusing)___Firewalls mailing list[EMAIL PROTECTED]http://lists.gnac.net/mailman/listinfo/firewallsJason YuanSecurity ConsultantNiles AssociatesDo You Yahoo!? Send FREE video emails in Yahoo! Mail.
RE: Sonicwall Soho2
At 11:13 AM 1/10/2002 +0200, [EMAIL PROTECTED] wrote: Lets not confuse these things over here. Too late. Things are already confused, namely about the technical distinction between bridge and router. A bridge has a promiscuous LAN tap and captures ALL traffic on the LAN, selectively passing some of it on, based on the bridge's learning about what LAN (not IP) addresses are local to the LAN and what addresses are not. (The selective filtering feature is what distinguishes a bridge from simple repeater. The learning is accomplished by recording what MAC addresses do sending on the LAN and, therefore, are local to that LAN.) The hosts that send and receive the packet do not know that a relay is present. That is, their software believes that they are engaged in a direct exchange, with no intermediaries. A router is addressed explicitly and receives only the traffic that is sent to it directly. Further it relays based on IP-address information, rather than LAN addresses. That is, a host sending an IP datagram looks at the IP address of the destination host. If the address is on the local LAN -- that is, its address differs from the address of the sender only in the host field of the address -- the sender sends directly to the receiver. If the address is not local, the host sends to the router, which in turn relays it on. A simple test to distinguish the two is to compare IP address with MAC address. In a bridged environment, the destination MAC address will belong to the destination IP address. (The sender obtains this via ARP.) In a routed address, the host sending the datagram (to the router) will use the MAC address of the router. (It uses the configured gateway IP address to do an ARP to obtain the MAC address of the router. 1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same subnet, in non NAT configuration also lan) see above. Sonicwall has none of the essential features of a bridge. 2. Sonicwall is filtering traffic based on layer 3 information. What it does is not filtering. It gets a packet that is sent to it. It relays it on. Yes, it uses IP address information rather than MAC address information. Bridges mostly use MAC addresses, though later generation bridges were enhanced to have selectively filter according to protocol type (but as I recall, not address details.) 3. Sonicwall has ip address for management functionality. (so it's present also on layer 3) It also has it for regular data relaying. That is why you must have your LAN hosts specify the Sonicwall as the default gateway. When you do DHCP via the Sonicwall, it configures your host for that automatically. One possible source of confusion is that the device does not use routing protocols. That, of course, is because it only has one path on either side, so the only routing decision is whether it belongs on the LAN or whether it belongs somewhere else. That is, it is a router with a very, very simple routing table. 4. Sonicwall has limited capability acting as a router in NAT configuration but it is not a router The function of IP address translation (NAT) is independent of router functions, though it usually is part of a router. The same independence applies to firewall filtering functions, whether based on addresses or anything else. Bridges filter to reduce traffic. Firewalls filter to increase security. (and I hope that no one is claiming that NAT functions are part of firewall functionality.) The difference between routing firewall and bridging firewall is that routing firewall is configured as a gateway to all network segments connected to it. Bridging firewall is relaying traffic on Layer 2. So from layer 3 perspective clients are sending traffic to routing firewall but in the case of bridge it is just flowing through (or not, depending on the installed policy). Although I understand the above words, I do not understand what is being said. At 11:01 AM 1/10/2002 +0100, Frederic Lemoine wrote: [...]It is different from most 'conventional' firewalls, in that it does not perform 'routing' (unless you turn on the NAT features). It is actually more of a 'switch'... It is an extract from http://www.sans.org/y2k/firewall.htm Yes, finding someone, somewhere that agrees with you does feel comfortable. Unfortunately, they are quite simply wrong, and doubly so because they seem to think that NAT has something to do with routing. It doesn't. d/ ps. For what it's worth, the fact that SonicWall calls their device an appliance rather than a router does indeed help the confusion. And I suppose the fact that the device does not do fancy routing but, rather, is tailored for the firewall protection function, does make things a bit more peculiar. -- Dave Crocker mailto:[EMAIL PROTECTED] Brandenburg InternetWorking http://www.brandenburg.com tel +1.408.246.8253; fax +1.408.273.6464
Sonicwall Soho2
Hello, One of our small subsidiary needs to install a firewall. We use to work with Checkpoint products but this subsidiary has been contacted by a local Sonicwall distributor. They try to sell them a Sonicwall Soho2. We have no knowledge of this product, and I am wondering how it compares to FW-1 or other products. I would be please to receive your comments about Sonicwall. Thanks. F. ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
Well, first thing to understand is that Sonicwall is transparent bridge not a router. This means that you will have to think differently with Sonicwall when you are making your routing considerations. Sonicwall is capable of generating ICMP redirect messages which is somehow called routing but this was (is?) limited to c-class networks which might be a pain in some situations. If you are using VPN's you should reconsider of using Sonicwall (it is compatible with FW-1 but configuration/troubleshooting is a lot easier when you have identical software in both ends) And of course you will lose capability of centralized management of all your firewalls. Sonicwall uses web-based interface for configuration/log browsing. Sonicwall is a simple device which is more capable to do things that it is supposed to do than FW-1 but sometimes this is not enough. So consider your requirements for firewall and then see if Sonicwall will fullfill those. I think that Sonicwall has SOHO3 models allready out which pack little bit more punch than earlier models and might have something else interesting too (I don't know), so if you end up choosing Sonicwall why not take the newest model. rgds, Harri Firewall-1 is a software which is capable of doing almost anything but sometimes you will have to create incredible kludges to make things work. (personal opinion) -Original Message- From: ext Frederic Lemoine [mailto:[EMAIL PROTECTED]] Sent: 09 January, 2002 09:31 To: [EMAIL PROTECTED] Subject: Sonicwall Soho2 Hello, One of our small subsidiary needs to install a firewall. We use to work with Checkpoint products but this subsidiary has been contacted by a local Sonicwall distributor. They try to sell them a Sonicwall Soho2. We have no knowledge of this product, and I am wondering how it compares to FW-1 or other products. I would be please to receive your comments about Sonicwall. Thanks. F. ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
RE: Sonicwall Soho2
At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote: Well, first thing to understand is that Sonicwall is transparent bridge not a router. The Sonicwall Soho (not 2) that I have had for a couple of years is a router. It also does NAT and a set of firewall filtering functions. The device is definitely not a bridge. That is, it very clearly works at the IP level, rather than at layer 2. d/ -- Dave Crocker mailto:[EMAIL PROTECTED] Brandenburg InternetWorking http://www.brandenburg.com tel +1.408.246.8253; fax +1.408.273.6464 ___ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5
I'm looking at equipment to put in branch offices and home offices. All these three products meet my basic specs, which are MRSP $500US, support for 5 users/computers, and for future use ipsec/pptp to connect to the head office. Does anyone have any real world experience with these products? I've been told the NetScreen 5 is the preferred choice, but the Netopia has the same code base and seems to retail for less. /Vince - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.]
Re: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5
I have not messed with the netopia but I would be surprised if the netopia and netscreen have the same code. The netscreen is better than the sonicwall in many ways. acs --- Vincent Power [EMAIL PROTECTED] wrote: I'm looking at equipment to put in branch offices and home offices. All these three products meet my basic specs, which are MRSP $500US, support for 5 users/computers, and for future use ipsec/pptp to connect to the head office. Does anyone have any real world experience with these products? I've been told the NetScreen 5 is the preferred choice, but the Netopia has the same code base and seems to retail for less. /Vince - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.]
RE: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5
ACS, How is the NetScreen better than the SonicWALL??? Sincerely, Adam P. Zimmerer Director of Internetworking EcoNet.Com, Inc. - Since 1995 -Original Message- From: acs [mailto:[EMAIL PROTECTED]] Sent: Friday, April 27, 2001 4:48 PM To: Vincent Power; [EMAIL PROTECTED] Subject: Re: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5 I have not messed with the netopia but I would be surprised if the netopia and netscreen have the same code. The netscreen is better than the sonicwall in many ways. acs --- Vincent Power [EMAIL PROTECTED] wrote: I'm looking at equipment to put in branch offices and home offices. All these three products meet my basic specs, which are MRSP $500US, support for 5 users/computers, and for future use ipsec/pptp to connect to the head office. Does anyone have any real world experience with these products? I've been told the NetScreen 5 is the preferred choice, but the Netopia has the same code base and seems to retail for less. /Vince - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.]
Re: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5
There are other appliances out there ... some people like WatchGuard's Firebox. Here are my impressions of the three you mentioned: NetScreen: NetScreen's claim to fame is speed. Their ASIC technology allows them near-wire speed service (firewall and VPN). Another great thing they hve is their Global Security Mangement software. Netopia: They licensed some of NetScreen's technology -- I'm not sure about the specifics. I believe that the main issue here is that they're missing the central management facilities that NetScreen provides. So it'd probably be a good choice for a standalone office, but if you have to manage many branch offices, it's probably better to use something with central management. SonicWall: Not as fast as NetScreen, but has anti-virus and content filtering features. The anti-virus software is provided by McAfee SonicWall also has global management features. I've recommended both NetScreen and SonicWall for different reasons (and budgets). A non-profit I consult for wanted an inexpensive, easy-to-manage security system, for which SonicWall was a good fit. NetScreen was a good fit at another company that needed the speed for its VPN. We ran Trend as the anti-virus solution there, so a firewall-based scheme was unnecessary. One thing you'll want to look at are their rulesets and other features. I've found that some appliances lack features you're used to having on software firewalls. For example (I'm sure this has changed by now) when WatchGuard's FireBox II first came out it didn't support static NAT (it supported IP masq and port-forwarding). This really blew our minds when we were doing the eval. -- we kept going over the documentation and software thinking it had to be our mistake. But a phone call to them revealed that their product could do this (at the time, it was based on a modified Linux kernel). By the way, don't take this as WatchGuard bashing -- they've recently won some awards for their product. I'm just using them as an example. Jen - Original Message - From: Adam Zimmerer [EMAIL PROTECTED] To: 'acs' [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, April 27, 2001 2:59 PM Subject: RE: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5 ACS, How is the NetScreen better than the SonicWALL??? Sincerely, Adam P. Zimmerer Director of Internetworking EcoNet.Com, Inc. - Since 1995 -Original Message- From: acs [mailto:[EMAIL PROTECTED]] Sent: Friday, April 27, 2001 4:48 PM To: Vincent Power; [EMAIL PROTECTED] Subject: Re: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5 I have not messed with the netopia but I would be surprised if the netopia and netscreen have the same code. The netscreen is better than the sonicwall in many ways. acs --- Vincent Power [EMAIL PROTECTED] wrote: I'm looking at equipment to put in branch offices and home offices. All these three products meet my basic specs, which are MRSP $500US, support for 5 users/computers, and for future use ipsec/pptp to connect to the head office. Does anyone have any real world experience with these products? I've been told the NetScreen 5 is the preferred choice, but the Netopia has the same code base and seems to retail for less. /Vince - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.] - [To unsubscribe, send mail to [EMAIL PROTECTED] with unsubscribe firewalls in the body of the message.]
Re: SonicWALL SOHO2 vs Netopia 910 vs NetScreen 5
Not too much experience with the other firewalls but I would like to add a couple things about the Netscreen5. The NS-5's processor is built on Netscreens first ASIC technology unless that changed in the last month or so. Their NS-100 and 1000 are the only devices that use their second generation ASIC. I dont think many people can afford the NS-1000 considering you will need to get a second mortgage just to buy the darn thing!!! Also DONT BE FOOLED I repeat, DO NOT BE FOOLED with their 10 user and unlimited user license. 10 is the limit and with only 1024 sessions I dont see any reason why you would buy unlimited user as you wont even be able to get on it. Its meant for your personal use or SOHO...a small SOHO at that Indy
