Michael,

 Thanks for the input.  I just had a discussion yesterday w/ some folks
here about this very thing and came up w/ many of the same conclusions
that you bring up.  W/ routers AND clients being able to learn routes
dynamically, it's really not such an issue as I thought it was.  Thanks
for the response.

Kevin Martin
Bank of America - CRT
Firewall/Network Admin.
[EMAIL PROTECTED]


-----Original Message-----
From: Michael P. Lyle [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 21, 1998 4:59 PM
To: Martin, Kevin; [EMAIL PROTECTED]
Subject: Re: Something I'd like to see in FW1.


On Mon, Dec 21, 1998 at 10:14:02AM -0600, Martin, Kevin wrote:
> Ming,
> 
> I beg to differ.  I see no reason that a company w/ 100's ( possibly
> 1000's ) of routers w/in a network should be REQUIRED to use the
> firewall as their default route and then have to maintain a bunch of
> static routes!  It would be so much easier to correct the firewall
> s'ware than to maintain the routing tables on all of these routers.  I'm
> sure that any big customers ( and many smaller customers ) of Checkpoint
> would agree.

The problem is of equal difficulty-- are you telling me it is an infinitely
more complex problem to maintain a route to a network and a static default
route heading the same way as to maintain a single route to the network?

Even if you translate the outside world to an address on the subnet directly
inside your firewall, your routers all have to have valid routes towards
there.

And routing protocols take all the administrative legwork out of this.  It
seems to me by translating all external addresses to a single internal IP
you are making it much more difficult to account for usage (requiring
data from two different machines to reconstruct usage), and also, depending
on your topology, making the outside world look like an inside machine
to possibly naive internal applications.  I don't see the benefit.

In that way, your network is, umm, unique.  I maintain systems for hundreds
of customers, many having large networks, and none have seen the necessity
to lay out their network in this way (Unless you count customers using a
proxy-based model.  And even in that case, 95% of my customers still put
a default route into place in order to allow certain traffic to be routed
instead of proxied).

Mike

> Kevin Martin
> Bank of America - CRT
> Firewall/Network Admin.
> [EMAIL PROTECTED]

-- 
Michael P. Lyle
Security Architect
Exodus Communications, Inc.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
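Mike's accounting point above (usage can only be reconstructed from data on two different machines once every external address is translated to one inside IP) is easy to see with a concrete log join. The script below is an added illustration, not part of the thread and not FireWall-1's log format: the firewall's translation log and the web server's access log are both constructed here with made-up addresses, and the server only ever sees the single inside address 10.1.1.1. Recovering the real client for each request means matching the translated port back to the firewall's translation record inside a time window, because the port gets reused.

```python
"""Correlate a firewall's NAT translation log with an internal server's
access log to recover the real external client behind each request.
Both log formats and all addresses are constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed firewall translation log: every external client is rewritten
# to the one inside address 10.1.1.1, each flow getting its own source port.
FW_LOG = """\
1998-12-21 10:14:02 xlate src=203.0.113.5:40123 -> 10.1.1.1:51001 dst=10.2.2.10:80
1998-12-21 10:14:05 xlate src=198.51.100.9:33044 -> 10.1.1.1:51002 dst=10.2.2.10:80
1998-12-21 10:20:11 xlate src=203.0.113.77:5050 -> 10.1.1.1:51001 dst=10.2.2.10:80
"""

# Constructed web server access log: the server only ever sees 10.1.1.1,
# so on its own it cannot tell the external clients apart.
SERVER_LOG = """\
1998-12-21 10:14:03 10.1.1.1:51001 GET /index.html
1998-12-21 10:14:06 10.1.1.1:51002 GET /login
1998-12-21 10:20:12 10.1.1.1:51001 GET /admin
1998-12-21 10:30:00 10.1.1.1:51999 GET /orphan
"""

FW_RE = re.compile(r"^(\S+ \S+) xlate src=(\S+) -> (\S+):(\d+) dst=(\S+)$")
SRV_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) (.+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_fw_log(text):
    """Return one dict per translation record in the firewall log."""
    flows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            flows.append({
                "ts": parse_ts(m.group(1)),
                "real_src": m.group(2),       # the external client as it really is
                "xlate_ip": m.group(3),       # what the inside server will see
                "xlate_port": int(m.group(4)),
                "dst": m.group(5),
            })
    return flows


def parse_server_log(text):
    """Return one dict per request in the server log."""
    reqs = []
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            reqs.append({
                "ts": parse_ts(m.group(1)),
                "seen_ip": m.group(2),
                "seen_port": int(m.group(3)),
                "request": m.group(4),
            })
    return reqs


def correlate(flows, requests, window=timedelta(seconds=10)):
    """Attribute each server request to the real external client.

    A request matches the translation record with the same translated
    (ip, port) that was created at or before the request, within `window`.
    Ports are reused (51001 appears twice in FW_LOG), so the time check is
    what keeps the match unambiguous; the most recent qualifying record wins.
    Requests with no matching record are reported with None.
    """
    results = []
    for req in requests:
        candidates = [
            f for f in flows
            if f["xlate_ip"] == req["seen_ip"]
            and f["xlate_port"] == req["seen_port"]
            and timedelta(0) <= req["ts"] - f["ts"] <= window
        ]
        if candidates:
            best = max(candidates, key=lambda f: f["ts"])
            results.append((req["request"], best["real_src"]))
        else:
            results.append((req["request"], None))
    return results


if __name__ == "__main__":
    for request, client in correlate(parse_fw_log(FW_LOG), parse_server_log(SERVER_LOG)):
        print(f"{request:<18} <- {client or 'UNATTRIBUTED (no translation record)'}")
```

The unattributed `/orphan` line shows the failure mode: if the firewall's translation record is missing, rotated, or its clock drifts outside the window, the server log alone cannot say who made the request. Keeping the real client address end to end, as Mike argues for, removes the join entirely.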
