Don't talk about poor design unless you understand the full scope of the
problem and the politics involved. All of our inside routers DO share
their routing tables: does this mean that they should all know to
default route anything that is not in the routing tables to the same
router? Are you saying that for our international sites they should
have to use OUR firewall as their default route to the Internet? The
routing stuff was all done at a time when there was NO Internet access
and, up until this time, there have been no reasons to set the firewall
as the default router. We are discussing these issues at this time but
up until now the policy has been to NOT set the default route to the
firewall.
Kevin Martin
Bank of America - CRT
Firewall/Network Admin.
[EMAIL PROTECTED]
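The quoted thread below turns on two practical points: Kevin's team represents "the Internet" as a hand-built set of network objects because Check Point's NAT rules cannot say "Source: NOT internal networks", and they ran into overlaps because the objects were not split out far enough. The following is an added example, not code from anyone in this thread or from Check Point: a small Python tool (standard library `ipaddress` only) that computes the exact "NOT internal" address set as CIDR objects and audits a hand-built object list for overlaps and for objects that accidentally cover internal space. `INTERNAL_NETWORKS` and `HAND_BUILT_INTERNET_OBJECTS` are constructed sample values, not any organisation's real addressing.

```python
"""Build the "NOT internal networks" address set as explicit CIDR objects and
audit a hand-built "Internet" object list for overlaps and internal leaks.

Added example for the firewalls list thread; not code from the thread's
authors or from Check Point. Uses only Python's standard `ipaddress` module.
INTERNAL_NETWORKS and HAND_BUILT_INTERNET_OBJECTS are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the address space routed inside the firewall.
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample of a manually split "Internet" list that was not split
# far enough: two objects still cover internal space and two objects overlap.
HAND_BUILT_INTERNET_OBJECTS = [
    "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4",
    "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/3", "200.0.0.0/8",
    "224.0.0.0/3",
]


def to_nets(objects: Iterable[str]) -> List[Net]:
    return [ipaddress.ip_network(o, strict=False) for o in objects]


def complement(internal: Iterable[str]) -> List[Net]:
    """CIDR blocks that together cover every IPv4 address NOT in `internal`,
    i.e. what a negated "Source: NOT internal" object would have to match."""
    remaining: List[Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for inner in to_nets(internal):
        carved: List[Net] = []
        for block in remaining:
            if inner.subnet_of(block):
                # Carve the internal prefix out of this block. address_exclude
                # yields nothing when the two are equal, which is what we want.
                carved.extend(block.address_exclude(inner))
            elif block.subnet_of(inner):
                continue  # block lies wholly inside internal space: drop it
            else:
                carved.append(block)
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def is_outside(ip: str, internal: Iterable[str]) -> bool:
    """Would address `ip` match the negated object built by complement()?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in complement(internal))


def overlaps(objects: Iterable[str]) -> List[Tuple[Net, Net]]:
    """Pairs of objects whose ranges overlap. Overlapping NAT objects mean one
    packet can match two translation rules; rule order then picks the winner."""
    nets = to_nets(objects)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def internal_leaks(objects: Iterable[str], internal: Iterable[str]) -> List[Tuple[Net, Net]]:
    """(object, internal_net) pairs where an "Internet" object also matches
    internal space, so internal sources would fall under the hide translation."""
    inner = to_nets(internal)
    return [(o, n) for o in to_nets(objects) for n in inner if o.overlaps(n)]


def covers_exactly(objects: Iterable[str], internal: Iterable[str]) -> bool:
    """True when `objects` cover exactly the complement of `internal`:
    no internal address included and no outside address missed."""
    return list(ipaddress.collapse_addresses(to_nets(objects))) == complement(internal)


if __name__ == "__main__":
    for net in complement(INTERNAL_NETWORKS):
        print("NOT-internal object:", net)
    print("overlaps:", overlaps(HAND_BUILT_INTERNET_OBJECTS))
    print("internal leaks:", internal_leaks(HAND_BUILT_INTERNET_OBJECTS, INTERNAL_NETWORKS))
    print("exact complement:", covers_exactly(HAND_BUILT_INTERNET_OBJECTS, INTERNAL_NETWORKS))
```

Because two CIDR blocks are always either nested or disjoint, carving each internal prefix out of the running block list yields a disjoint set of objects that can be loaded one-for-one as network objects for the inbound hide-translation rule; `internal_leaks` is the check worth running before that rule goes live, since an "Internet" object that also matches internal space silently pulls internal sources into the translation.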
-----Original Message-----
From: Joe Ippolito [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 23, 1998 12:37 AM
To: Martin, Kevin
Cc: 'FW Digest'; 'fw-1-mailinglist'; 'Ming Lu'
Subject: RE: Something I'd like to see in FW1.
I beg to differ with your difference. All inside routers should be allowed
to share their routing tables with each other using EIGRP, OSPF or some
other modern routing protocol with a default route to the inside of the
firewall. That is as far as any internal routing information should
travel.
With the hide translation no outside host should have access to anything
on your internal network - routing information, DNS, etc, etc. All hosts
that require outside hosts to initiate communication with them should be
placed on a separate firewalled network commonly referred to as a "DMZ". The
internal hosts can have full access to DMZ hosts but DMZ hosts should
not be allowed to initiate anything with internal hosts. After all, how much
does one more network interface cost?
Just do it right and you won't have to worry about Check Point or any
other firewall vendor compensating for your poor design.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Martin, Kevin
> Sent: Monday, December 21, 1998 8:14 AM
> To: 'Ming Lu'
> Cc: 'FW Digest'; 'fw-1-mailinglist'
> Subject: RE: Something I'd like to see in FW1.
>
>
> Ming,
>
> I beg to differ. I see no reason that a company w/ 100's ( possibly
> 1000's ) of routers w/in a network should be REQUIRED to use the
> firewall as their default route and then have to maintain a bunch of
> static routes! It would be so much easier to correct the firewall
> s'ware than to maintain the routing tables on all of these routers. I'm
> sure that any big customers ( and many smaller customers ) of Checkpoint
> would agree.
>
> Kevin Martin
> Bank of America - CRT
> Firewall/Network Admin.
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Ming Lu [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 20, 1998 8:27 PM
> To: Martin, Kevin
> Cc: 'FW Digest'; 'fw-1-mailinglist'
> Subject: Re: Something I'd like to see in FW1.
>
>
>
> It has nothing to do with FW1! It is a routing problem. Get your routing
> problem resolved (on the FW box) and you will be fine.
>
> _ming
>
> On Thu, 17 Dec 1998, Martin, Kevin stated:
>
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > -
> > Don't know if anyone else has this issue, but here goes and here's a
> > very short wish list.
> >
> > Because of the way that we do our networking, we don't setup our
> > internal routers to default to the FW1 firewall. As such, we've run
> > into the problem where we've got http(s) servers inside the firewall
> > that need to be accessible from the Internet. This leads to a pretty
> > serious problem involving routing and having to Address Translate the
> > Internet coming in. We've setup a BUNCH of objects to represent the
> > Internet and are, thus far, having reasonable success with it. We have,
> > however, run into some problems where we neglected to split out the
> > Internet objects far enough and have run into some overlaps. This is
> > our problem and now, here's what I would like to see Checkpoint do:
> >
> > Just as they've given us the ability in our rule set to NEGATE an object
> > ( thus allowing us to say : Source - NOT "Internal networks" Dest: any
> > blah blah blah ) they should give us the same ability to negate in the
> > Address Translation rules ( thus allowing us to translate any NOT
> > INTERNAL NETWORKS coming in to the inside behind a HIDE translation ).
> > What are all of your thoughts on this?
> >
> > Oh, one other thing that I'd like to see: show not only the rule that
> > allows/drops/etc. a packet but, if there's ANY translation, show the
> > rule that did the translation as well in the logs.
> >
> > Kevin Martin
> > NationsBanc - CRT
> > SMTP Postmaster/DNS/FIREWALL/UNIX/NT System Admin.
> > [EMAIL PROTECTED]
> >
>
>
> ============================================================================
> Ming Lu                               Email: [EMAIL PROTECTED]
> Sr. Network Engineer                  Phone: 703-689-5290 (w)
> IP Engineering                               703-855-4194 (m)
> Global One Telecommunications, LLT.          703-689-6575 (f)
> ============================================================================
> "Do not pay attention to every word people say, or you may hear your
> servant cursing you ---- for you know in your heart that many times you
> yourself have cursed others."