Greetings!

Riccardo Baldanzi (Hawk) wrote:
I have configured for test purposes a checkpoint ng with only 1 physical NIC
[...]
but I cannot set anti-spoofing details on interfaces because all are
external only (all the other flags are greyed out)
"External" = all IPs not defined in antispoofing
             for other (physical) interfaces

As you did not define any IP ranges/nets for other (physical) networks -
calculation left as practice for the student.
;-)


CheckPoint is using a different definition for internal/external than
the usual diction in the security community. Usually there is only one
internal "haven" with all the others behind the firewall being external
"hostile" hosts and networks. CKP has a different opinion on this.

Some examples in table form:

location        sec. comm.      checkpoint
-----------------------------------------------
LAN             internal        internal
WWW/Internet    EXternal        EXternal
DMZ             EXternal        internal
Dial-In DMZ     EXternal        internal
partner net     EXternal        internal

Licensing implications are more clear with CKP's diction. Even if a
partner's network is protected by the partner's CKP, you'll have to
license your machine to cover those networks, too. Before it was a
matter of interpretation (CKP or Sec.Comm.) which license you need.

From a cautious (i.e. paranoid) view the CKP interpretation puts too
much trust into probably unsafe segments by even calling them internal.

Bye

Volker Tanger
IT-Security Consulting

--

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/
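
The definition given in the reply above ("External" = all IPs not defined in anti-spoofing for the other interfaces), worked through as an added example; this is not code from the original message or from Check Point. The interface names and networks are constructed, and the functions only model the definition as stated in the message.

```python
import ipaddress

# Constructed sample topologies (interface -> nets defined for anti-spoofing).
SINGLE_NIC = {"eth0": []}                         # the poster's one-NIC test box
THREE_NIC = {"eth0": [], "eth1": ["192.168.1.0/24"], "eth2": ["10.0.0.0/8"]}

def external_ranges(topology, external_if):
    """All IPv4 space minus every net defined on the *other* interfaces."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for name, nets in topology.items():
        if name == external_if:
            continue
        for net in map(ipaddress.ip_network, nets):
            carved = []
            for block in remaining:
                if net.supernet_of(block):        # block fully covered: drop it
                    continue
                if block.supernet_of(net):        # cut the defined net out
                    carved.extend(block.address_exclude(net))
                else:                             # disjoint: keep unchanged
                    carved.append(block)
            remaining = carved
    return sorted(remaining)

def is_spoofed(topology, external_if, in_if, src):
    """True if src arrives on an interface whose valid-address set excludes it."""
    addr = ipaddress.ip_address(src)
    if in_if == external_if:
        allowed = external_ranges(topology, external_if)
    else:
        allowed = [ipaddress.ip_network(n) for n in topology[in_if]]
    return not any(addr in net for net in allowed)

if __name__ == "__main__":
    # No other nets defined: "external" is the whole address space.
    print(external_ranges(SINGLE_NIC, "eth0"))
    # With internal nets defined, their addresses are rejected on eth0.
    print(is_spoofed(THREE_NIC, "eth0", "eth0", "192.168.1.5"))
```

With no networks defined on any other interface, the computed external set is 0.0.0.0/0, so under this definition no source address can be flagged on that single interface.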
