At 11:13 AM 1/10/2002 +0200, [EMAIL PROTECTED] wrote:

>Let's not confuse these things over here.
Too late. Things are already confused, namely about the technical distinction between bridge and router.

A bridge has a promiscuous LAN tap and captures ALL traffic on the LAN, selectively passing some of it on, based on the bridge's learning about what LAN (not IP) addresses are local to the LAN and what addresses are not. (The selective filtering feature is what distinguishes a bridge from a simple repeater. The learning is accomplished by recording what MAC addresses are sending on the LAN and, therefore, are local to that LAN.) The hosts that send and receive the packet do not "know" that a relay is present. That is, their software believes that they are engaged in a direct exchange, with no intermediaries.

A router is addressed explicitly and receives only the traffic that is sent to it directly. Further, it relays based on IP-address information, rather than LAN addresses. That is, a host sending an IP datagram looks at the IP address of the destination host. If the address is on the local LAN -- that is, its address differs from the address of the sender only in the "host" field of the address -- the sender sends directly to the receiver. If the address is not local, the host sends to the router, which in turn relays it on.

A simple test to distinguish the two is to compare IP address with MAC address. In a bridged environment, the destination MAC address will belong to the destination IP address. (The sender obtains this via ARP.) In a routed environment, the host sending the datagram (to the router) will use the MAC address of the router. (It uses the configured gateway IP address to do an ARP to obtain the MAC address of the router.)

>1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same
>subnet, in non NAT configuration also lan)

See above. Sonicwall has none of the essential features of a bridge.

>2. Sonicwall is filtering traffic based on layer 3 information.

What it does is not "filtering". It gets a packet that is sent to it. It relays it on.
Yes, it uses IP address information rather than MAC address information. Bridges mostly use MAC addresses, though later generation bridges were enhanced to selectively filter according to protocol type (but as I recall, not address details).

>3. Sonicwall has an ip address for management functionality. (so it's
>present also on layer 3)

It also has it for regular data relaying. That is why you must have your LAN hosts specify the Sonicwall as the default gateway. When you do DHCP via the Sonicwall, it configures your host for that automatically.

One possible source of confusion is that the device does not use routing protocols. That, of course, is because it only has one path on either side, so the only "routing" decision is whether it belongs on the LAN or whether it belongs somewhere else. That is, it is a router with a very, very simple routing table.

>4. Sonicwall has limited capability acting as a router in NAT
>configuration but it is not a router

The function of IP address translation (NAT) is independent of router functions, though it usually is part of a router. The same independence applies to firewall filtering functions, whether based on addresses or anything else. Bridges filter to reduce traffic. Firewalls filter to increase security. (And I hope that no one is claiming that NAT functions are part of firewall functionality.)

>The difference between routing firewall and bridging firewall is that
>routing firewall is configured as a gateway to all network segments
>connected to it. Bridging firewall is relaying traffic on Layer 2.
>
>So from layer 3 perspective clients are sending traffic to routing
>firewall but in the case of bridge it is just flowing through (or not,
>depending on the installed policy).

Although I understand the above words, I do not understand what is being said.
At 11:01 AM 1/10/2002 +0100, Frederic Lemoine wrote:

>[...] It is different from most 'conventional' firewalls, in that
>it does not perform 'routing' (unless you turn on the NAT features). It
>is actually more of a 'switch'...
>
>It is an extract from http://www.sans.org/y2k/firewall.htm

Yes, finding someone, somewhere that agrees with you does feel comfortable. Unfortunately, they are quite simply wrong, and doubly so because they seem to think that NAT has something to do with routing. It doesn't.

d/

ps. For what it's worth, the fact that SonicWall calls their device an "appliance" rather than a router does indeed help the confusion. And I suppose the fact that the device does not do "fancy" routing but, rather, is tailored for the firewall protection function, does make things a bit more peculiar.

----------
Dave Crocker <mailto:[EMAIL PROTECTED]>
Brandenburg InternetWorking <http://www.brandenburg.com>
tel +1.408.246.8253; fax +1.408.273.6464

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
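As an added illustration of the bridge-versus-router distinction drawn in the message above (example code, not from the post, the list, or SonicWall): a learning bridge that records which MAC addresses send on which port and relays selectively, a host's direct-versus-gateway send decision, and the IP-versus-MAC test for telling the two environments apart. The host address, gateway, MACs and ARP cache are constructed sample values.

```python
from ipaddress import ip_address, ip_interface

class LearningBridge:
    """Relay that taps every frame on each port, learns which MAC addresses
    send on which port, and forwards a frame only where the destination was
    last heard (flooding while it has not yet learned it)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # MAC -> port on which that MAC was seen sending

    def handle(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is relayed to."""
        self.table[src_mac] = in_port            # learn: src is local to in_port
        out = self.table.get(dst_mac)
        if out is None:
            return self.ports - {in_port}        # unknown destination: flood
        if out == in_port:
            return set()                         # same segment: filtered, not relayed
        return {out}

# Constructed sample values (not from the post): a host, its gateway and
# the IP -> MAC mappings it has resolved via ARP.
HOST = ip_interface("192.0.2.10/24")
GATEWAY_IP = "192.0.2.1"
ARP_CACHE = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway (the router)
    "192.0.2.20": "00:00:5e:00:53:20",  # a neighbour on the same LAN
}

def next_hop(dst_ip):
    """A host's send decision: direct if the destination differs only in the
    host field (same network prefix), otherwise to the configured gateway."""
    return dst_ip if ip_address(dst_ip) in HOST.network else GATEWAY_IP

def frame_dst_mac(dst_ip):
    """MAC the host puts on the frame: ARP result for the next hop, not for dst."""
    return ARP_CACHE[next_hop(dst_ip)]

def classify_path(dst_ip, dst_mac, arp_table=ARP_CACHE):
    """The IP-vs-MAC test: a frame whose MAC belongs to the destination IP is a
    direct (bridged or same-LAN) exchange; a frame carrying the gateway's MAC
    is being routed."""
    if arp_table.get(dst_ip) == dst_mac:
        return "direct"
    if arp_table.get(GATEWAY_IP) == dst_mac:
        return "routed"
    return "unknown"
```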
