Now I've watched this discussion bounce around on various lists and I just
thought I would throw in my two cents worth.
1) One firewall is a single point of failure, so let's assume we have two.
2) Now that we have two we can't do a default route
3) Enter GateD
4) OSPF (or some other modern routing protocol)
5) Problem solved.
Now with translation outbound and inbound everyone can talk to each other.
If you seriously want to get down to business you can of course use Cisco's
and do policy based routing.
Hurm, I hope that answered a question; perhaps I am just ranting.
Thanks,
Will
At 10:36 PM 12/22/98 -0800, Joe Ippolito wrote:
>I beg to differ with your difference. All inside routers should be allowed
>to share their routing tables with each other using EIGRP, OSPF or some
>other modern routing protocol with a default route to the inside of the
>firewall. That is as far as any internal routing information should travel.
>With the hide translation no outside host should have access to anything on
>your internal network -routing information, DNS, etc, etc. All hosts that
>require outside hosts to initiate communication with them should be placed
>on a separate firewalled network commonly referred to as a "DMZ". The
>internal hosts can have full access to DMZ hosts but DMZ hosts should not be
>allowed to initiate anything with internal hosts. After all, how much does
>one more network interface cost?
>
>Just do it right and you won't have to worry about Check Point or any other
>firewall vendor compensating for your poor design.
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Martin, Kevin
>> Sent: Monday, December 21, 1998 8:14 AM
>> To: 'Ming Lu'
>> Cc: 'FW Digest'; 'fw-1-mailinglist'
>> Subject: RE: Something I'd like to see in FW1.
>>
>>
>> Ming,
>>
>> I beg to differ. I see no reason that a company w/ 100's ( possibly
>> 1000's ) of routers w/in a network should be REQUIRED to use the
>> firewall as their default route and then have to maintain a bunch of
>> static routes! It would be so much easier to correct the firewall
>> s'ware than to maintain the routing tables on all of these routers. I'm
>> sure that any big customers ( and many smaller customers ) of Checkpoint
>> would agree.
>>
>> Kevin Martin
>> Bank of America - CRT
>> Firewall/Network Admin.
>> [EMAIL PROTECTED]
>>
>>
>> -----Original Message-----
>> From: Ming Lu [mailto:[EMAIL PROTECTED]]
>> Sent: Sunday, December 20, 1998 8:27 PM
>> To: Martin, Kevin
>> Cc: 'FW Digest'; 'fw-1-mailinglist'
>> Subject: Re: Something I'd like to see in FW1.
>>
>>
>>
>> It has nothing to do with FW1! It is a routing problem. Get your routing
>> problem resolved (on the FW box) and you will be fine.
>>
>> _ming
>>
>> On Thu, 17 Dec 1998, Martin, Kevin stated:
>>
>> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> > "unsubscribe firewalls" in the body of the message.]
>> > -
>> > Don't know if anyone else has this issue, but here goes and here's a
>> > very short wish list.
>> >
>> > Because of the way that we do our networking, we don't setup our
>> > internal routers to default to the FW1 firewall. As such, we've run
>> > into the problem where we've got http(s) servers inside the firewall
>> > that need to be accessible from the Internet. This leads to a pretty
>> > serious problem involving routing and having to Address Translate the
>> > Internet coming in. We've setup a BUNCH of objects to represent the
>> > Internet and are, thus far, having reasonable success with it. We have,
>> > however, run into some problems where we neglected to split out the
>> > Internet objects far enough and have run into some overlaps. This is
>> > our problem and now, here's what I would like to see Checkpoint do:
>> >
>> > Just as they've given us the ability in our rule set to NEGATE an object
>> > ( thus allowing us to say : Source - NOT "Internal networks" Dest: any
>> > blah blah blah ) they should give us the same ability to negate in the
>> > Address Translation rules ( thus allowing us to translate any NOT
>> > INTERNAL NETWORKS coming in to the inside behind a HIDE translation ).
>> > What are all of your thoughts on this?
>> >
>> > Oh, one other thing that I'd like to see: show not only the rule that
>> > allows/drops/etc. a packet but, if there's ANY translation, show the
>> > rule that did the translation as well in the logs.
>> >
>> > Kevin Martin
>> > NationsBanc - CRT
>> > SMTP Postmaster/DNS/FIREWALL/UNIX/NT System Admin.
>> > [EMAIL PROTECTED]
>> >
>>
>> ============================================================================
>> Ming Lu                                   Email: [EMAIL PROTECTED]
>> Sr. Network Engineer                      Phone: 703-689-5290 (w)
>> IP Engineering                                   703-855-4194 (m)
>> Global One Telecommunications, LLT.              703-689-6575 (f)
>> ============================================================================
>> "Do not pay attention to every word people say, or you may hear your
>> servant cursing you ---- for you know in your heart that many times you
>> yourself have cursed others."
>>
>
>
>
William Tarkington
Daimler Chrysler
810-758-9563
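The "bunch of objects to represent the Internet" that Kevin describes, and the overlap trouble that comes from not splitting them out far enough, can be worked through in code. The following is an added example, not code from any poster in this thread or from Check Point; it assumes placeholder RFC 1918 ranges as the internal networks and uses Python's standard ipaddress module to carve "everything except internal" into non-overlapping blocks and to audit a hand-built object list for the two defects that matter.

```python
import ipaddress
from itertools import combinations

# Constructed sample internal address space (placeholder RFC 1918 ranges,
# not the poster's real addressing).
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def _net(s):
    return ipaddress.ip_network(s, strict=True)

def internet_objects(internal, universe="0.0.0.0/0"):
    """Minimal non-overlapping CIDR blocks covering `universe` minus `internal`.

    Without a NOT operator in the translation rules, this is the list of
    explicit "Internet" objects the hide-NAT rule has to name as its source."""
    remaining = [_net(universe)]
    for net in map(_net, internal):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # keep block minus net
            elif not block.subnet_of(net):
                carved.append(block)                       # disjoint: keep as is
            # else: block lies wholly inside an internal net, so it is dropped
        remaining = carved
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]

def check_objects(objects, internal):
    """Audit a hand-built object list: report overlapping pairs, and objects
    that still cover internal space (those would translate internal traffic)."""
    nets = list(map(_net, objects))
    internal_nets = list(map(_net, internal))
    overlaps = [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]
    leaks = [str(o) for o in nets if any(o.overlaps(i) for i in internal_nets)]
    return {"overlaps": overlaps, "leaks": leaks}

if __name__ == "__main__":
    for obj in internet_objects(INTERNAL_NETWORKS):
        print(obj)
    # A too-coarse hand-built list of the kind the thread describes
    sloppy = ["0.0.0.0/2", "64.0.0.0/2", "128.0.0.0/1", "11.0.0.0/8"]
    print(check_objects(sloppy, INTERNAL_NETWORKS))
```

For three internal ranges the generated list comes out at 31 objects, which is why a negate operator in the translation rules (or a separate DMZ, as Joe suggests) is so much easier to get right than hand-maintained complements.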