makes a good case for installing IDS outside your firewall, does it not?
=)


----- Original Message -----
From: "Frank Knobbe" <[EMAIL PROTECTED]>
To: "'Carric Dooley'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, August 16, 2000 3:26 PM
Subject: RE: [FW1] Inbound, outbound, or eitherbound?


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm... I just read again in the FW-1 manual the following on Accept
> Outgoing Packets:
>
> Accept Outgoing Packets - Accept all outgoing packets (from the
> Firewall, not from the internal network).
>
> On gateways, rules are usually enforced in the inbound direction
> only. When a packet passing through the gateway leaves the gateway,
> it will be allowed to pass only if one of the following conditions is
> true:
>
> * The Accept Outgoing Packets property is checked.
> * Rules are enforced both directions (eitherbound), and there is a
> rule which allowed the packet to leave the gateway.
>
> Then it references the drawing and addtl information in the
> Architecture manual, which basically states what you have written.
>
> Given that, am I the only one feeling uncomfortable with Inbound only
> since packets originating from the firewall to the outside would go
> unchecked? Assuming that usually (!) nothing is running on the
> firewall and no user is working on it, there are still packets that
> the FW itself creates and sends out, as in authentication and VPN
> traffic. Wouldn't it be possible for exploits to go unnoticed if no
> rules have been set to monitor/filter outgoing data? In order to
> enforce those rules, Eitherbound would need to be selected.
>
> Am I just too paranoid, or does anyone else think it might be a good
> idea to keep an eye on traffic leaving the firewall, and hence use
> Eitherbound?
>
> Regards,
> Frank
>
>
> > -----Original Message-----
> > From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, August 14, 2000 12:46 PM
> > To: Frank Knobbe; 'Padden, Greg';
> > [EMAIL PROTECTED]
> > Subject: Re: [FW1] Inbound, outbound, or eitherbound?
> >
> >
> > My understanding of eitherbound is on which interface the policy is applied
> > to the traffic.... example:
> >
> > If you have IF_A as your internal interface, and IF_B as your external, if
> > you set your policy for "Inbound", packets coming from the public network
> > would be filtered at IF_B (the inbound interface for that direction). An
> > outbound policy would evaluate the traffic from the outside at IF_A as the
> > traffic leaves the firewall. "Eitherbound" means the packets have to pass
> > through the policy at BOTH interfaces, doubling the amount of work for the
> > firewall (at least from a policy perspective) for each packet. This is the
> > most secure, but if you are pushing a lot of traffic, not ideal. I would
> > typically set that property for "inbound" myself. If you set it for
> > "outbound" a DoS (from the outside) would affect the firewall itself because
> > the traffic is not analyzed until it hits the internal interface (IF_A).
> > Eitherbound is overkill in a lot of situations, but inbound means if someone
> > attacks the firewall, it has to make it through the policy, and the same
> > would apply for traffic from the internal network out (evaluated before it
> > passes through the firewall).
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.1
> Comment: PGP or S/MIME (X.509) encrypted email preferred.
>
> iQA/AwUBOZrqzkRKym0LjhFcEQIakACg2WyHMepBcqrB4Nz5+m0tXSrli1UAoMap
> H4SH0xOKQTKmXy3b/5uNcx/Q
> =WHGk
> -----END PGP SIGNATURE-----
>
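To make the two descriptions above concrete, here is a small model of how the direction property decides where a rulebase is evaluated. It is an added illustration for this thread, not Check Point code: the interface names IF_A and IF_B come from Carric's message, while the addresses, ports, rules and the `Packet`/`Rule` types are constructed. The model captures both points made in the thread: a transit packet is evaluated once under "inbound" or "outbound" and twice under "eitherbound", and a packet the firewall generates itself (no ingress interface) is never seen by the rulebase under "inbound", so with Accept Outgoing Packets checked it leaves with no rule lookup at all, and with the property unchecked it is only allowed out by an eitherbound (or outbound) rule.

```python
"""Toy model of FW-1 style policy direction: inbound / outbound / eitherbound.
Added illustration for the thread; not FW-1 code. Addresses, ports and rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IF_A = "IF_A"   # internal interface (name from the thread)
IF_B = "IF_B"   # external interface (name from the thread)

# Constructed: the firewall's own interface addresses (TEST-NET ranges).
FW_ADDRESSES = {"10.0.0.1", "192.0.2.1"}


def zone(addr: str) -> str:
    """Map an address to the zone the rulebase reasons about."""
    if addr in FW_ADDRESSES:
        return "gateway"            # traffic from/to the firewall itself
    return "internal" if addr.startswith("10.") else "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: Optional[str]   # interface it arrived on; None if the firewall generated it
    egress: str              # interface it will leave on


@dataclass(frozen=True)
class Rule:
    src: str                 # zone name or "any"
    dst: str
    dport: Optional[int]     # None = any port
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", zone(pkt.src))
                and self.dst in ("any", zone(pkt.dst))
                and self.dport in (None, pkt.dport))


# Constructed rulebase, first match wins, explicit cleanup rule at the end.
RULEBASE = [
    Rule("internal", "external", None, "accept"),   # LAN may reach the Internet
    Rule("external", "internal", 25, "accept"),     # inbound SMTP to the mail relay
    Rule("gateway", "external", 500, "accept"),     # the firewall's own IKE/VPN traffic
    Rule("any", "any", None, "drop"),               # cleanup rule
]


def first_match(pkt: Packet) -> str:
    for rule in RULEBASE:
        if rule.matches(pkt):
            return rule.action
    return "drop"            # implicit drop when nothing matched


def enforcement_points(pkt: Packet, direction: str) -> List[str]:
    """Interfaces at which the rulebase is consulted for this packet."""
    points = []
    if direction in ("inbound", "eitherbound") and pkt.ingress is not None:
        points.append(pkt.ingress)   # inspected as it enters
    if direction in ("outbound", "eitherbound"):
        points.append(pkt.egress)    # inspected as it leaves
    return points


def evaluate(pkt: Packet, direction: str, accept_outgoing: bool = False) -> Tuple[str, List[str]]:
    """Return (verdict, interfaces where the rulebase was actually evaluated)."""
    if pkt.ingress is None and accept_outgoing:
        # "Accept Outgoing Packets": firewall-generated traffic passes with no rule lookup.
        return "accept-unchecked", []
    points = enforcement_points(pkt, direction)
    if not points:
        # Manual: gateway traffic leaves only via the property or an enforced rule.
        return "drop", []
    evaluated = []
    for iface in points:
        evaluated.append(iface)      # each point costs one full rulebase pass
        if first_match(pkt) == "drop":
            return "drop", evaluated
    return "accept", evaluated


# Constructed sample packets.
TRANSIT = Packet("10.1.2.3", "198.51.100.7", 443, ingress=IF_A, egress=IF_B)       # LAN -> Internet
GATEWAY_VPN = Packet("192.0.2.1", "198.51.100.9", 500, ingress=None, egress=IF_B)  # firewall's own IKE
GATEWAY_UNEXPECTED = Packet("192.0.2.1", "198.51.100.9", 8080, ingress=None, egress=IF_B)  # not in any rule


def demo() -> dict:
    results = {}
    for direction in ("inbound", "outbound", "eitherbound"):
        results[(direction, "transit")] = evaluate(TRANSIT, direction)
        results[(direction, "vpn")] = evaluate(GATEWAY_VPN, direction)
        results[(direction, "unexpected")] = evaluate(GATEWAY_UNEXPECTED, direction)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
    print("inbound + Accept Outgoing, unexpected gateway packet ->",
          evaluate(GATEWAY_UNEXPECTED, "inbound", accept_outgoing=True))
```

Running it shows the trade-off in the thread: the transit packet costs one rulebase pass under "inbound" or "outbound" and two under "eitherbound", while the firewall's own traffic is checked at IF_B only under "outbound" or "eitherbound". With "inbound" and Accept Outgoing Packets checked, the unexpected gateway packet leaves as `accept-unchecked`, which is exactly the blind spot Frank describes; under "eitherbound" the same packet is dropped by the cleanup rule, and the VPN packet is allowed by its explicit rule.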


