Andrew,
I hate to say this, but... try thinking outside the box! Just because the
bridge you bought ten years ago doesn't have the functionality that I am
suggesting doesn't mean that it shouldn't be done! Or tried at least.
I am not mistaking anything, I just think that it would be more secure if
the firewall was transparent.
Does Checkpoint RELY on packets going from one subnet to another? I
don't see why. If I have a two port FW that is running as a bridge then
I don't see why Checkpoint couldn't handle it.
On Fri, 26 Jan 2001 [EMAIL PROTECTED] wrote:
> no no no no no
>
> the point of a bridge is that it works at the datalink layer not the network
> layer, i.e. a bridge knows NOTHING about IP. So any IP inspection can not be
> done by a true bridge.
>
> SO it can't inspect anything
>
> Also do not get bridging confused with packet address translation (PIX)
>
> Checkpoint expects packets to move from one IP subnet to another so you will
> not be able to bridge.
>
> Anyway, what's so hard about routing?
>
> Andrew Shore
> BTcd
> Information Systems Engineering
> Internet & Multimedia
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 26 January 2001 16:06
> To: [EMAIL PROTECTED]
> Subject: RE: [FW1] why not a bridge?
>
>
>
> First, I had tonnes of people let me know that Lucent's fw always works (or
> can work?) as a bridge.
>
> Second, I don't imagine it would be too hard to write bridging software
> that actually does inspect the TCP/IP stack. I mean if you take a closer
> look at how checkpoint says they examine packets, they do it
> already. Checkpoint software itself does not route packets. I
> wonder... If I installed bridging software on my linux box, would
> checkpoint still work? I think I might try that...
>
> anyone think of a reason why it wouldn't work? anyone think of a reason
> why I wouldn't want to do this?
>
> What do you think?
> --Paul
>
>
> On Fri, 26 Jan 2001, Dean Cunningham wrote:
>
> > Some thoughts.... have never seen the Sun firewall.... a bridge in its
> > purest sense works at the ethernet address level, just a glorified
> > repeater with some knowledge as to what segment a MAC address is on.
> >
> > This makes the segments and the bridge vulnerable to broadcast storms for
> > one thing. This reduces usable bandwidth. One would also assume DoS
> > potential.
> >
> > Now a firewall that acts as a bridge could probably handle that...
> > dunno...
> >
> > I think it is more that as the focus on TCP/IP over the past 10 years has
> > increased, the use of other protocols and more importantly, non routable
> > protocols such as DLC and NetBIOS/NetBEUI has decreased to the extent
> > that there is not a big market.
> > Sorta VHS vs Beta, the market and the marketers chose the winner.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 26 January 2001 10:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] why not a bridge?
> >
> >
> >
> > Can anyone explain why Sun is the only company that seems to produce a
> > firewall that runs as a bridge? I can't see why this isn't a more common
> > practice.
> >
> >
>
>
--
--Paul
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
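The thread argues over whether a box that forwards frames at layer 2 can also inspect the IP traffic it carries. The following toy shows the mechanism in working code: a two-port learning bridge that forwards purely by MAC address, never routes or rewrites anything, and still parses the IPv4/TCP headers inside each frame to apply a stateful allow/deny policy. This is an added illustration, not Check Point's product, not Linux bridging code, and not code from any poster. The class names (`BridgeFirewall`, `Rule`), the rule format and the connection-tracking behaviour are assumptions of this example; frame layouts are standard Ethernet II / IPv4 / TCP, and the sample frames, MACs and RFC 5737 addresses are constructed for the demo.

```python
"""Toy transparent (bridging) firewall: layer-2 forwarding plus IP inspection.

Added example for the "why not a bridge?" thread; not the Check Point product
and not any poster's code.  Sample frames and addresses are constructed.
"""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[int] = None      # None matches any value
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, proto: int, dst_ip: str, dst_port: Optional[int]) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass
class BridgeFirewall:
    rules: List[Rule]
    ports: Tuple[int, ...] = (0, 1)                 # the two-port box from the thread
    default: str = "deny"
    fdb: Dict[bytes, int] = field(default_factory=dict)   # MAC -> port (learned)
    conns: Set[tuple] = field(default_factory=set)        # allowed TCP 4-tuples

    def _out_ports(self, in_port: int, dst_mac: bytes) -> List[int]:
        """Pure layer-2 decision: send to the learned port, otherwise flood."""
        if dst_mac in self.fdb and self.fdb[dst_mac] != in_port:
            return [self.fdb[dst_mac]]
        return [p for p in self.ports if p != in_port]

    def process(self, in_port: int, frame: bytes) -> Tuple[str, List[int]]:
        """Return (verdict, output ports) for one frame arriving on in_port."""
        dst_mac, src_mac = frame[0:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        self.fdb[src_mac] = in_port                 # learn source MAC like any bridge

        if ethertype == ETHERTYPE_ARP:              # hosts on one subnet need ARP to talk
            return "allow", self._out_ports(in_port, dst_mac)
        if ethertype != ETHERTYPE_IPV4:             # we cannot inspect what we do not parse
            return "deny", []

        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src_ip = socket.inet_ntoa(ip[12:16])
        dst_ip = socket.inet_ntoa(ip[16:20])
        sport = dport = None
        if proto == PROTO_TCP:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            if (dst_ip, dport, src_ip, sport) in self.conns:   # reply to a tracked flow
                return "allow", self._out_ports(in_port, dst_mac)

        verdict = self.default
        for rule in self.rules:                     # first matching rule wins
            if rule.matches(proto, dst_ip, dport):
                verdict = rule.action
                break
        if verdict == "allow" and proto == PROTO_TCP:
            self.conns.add((src_ip, sport, dst_ip, dport))
        return verdict, (self._out_ports(in_port, dst_mac) if verdict == "allow" else [])


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Construct a minimal Ethernet II + IPv4 (+ TCP SYN) frame for the demo."""
    l4 = b""
    if proto == PROTO_TCP:                          # 20-byte TCP header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def demo() -> List[Tuple[str, List[int]]]:
    """Client on port 0 and server on port 1 share one subnet; only HTTP is allowed."""
    client, server = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    fw = BridgeFirewall(rules=[Rule("allow", PROTO_TCP, "192.0.2.10", 80)])

    def tcp(port, dmac, smac, sip, dip, sport, dport):
        return fw.process(port, build_frame(dmac, smac, sip, dip, PROTO_TCP, sport, dport))

    results = [
        tcp(0, server, client, "192.0.2.55", "192.0.2.10", 40000, 80),   # allow, flooded
        tcp(1, client, server, "192.0.2.10", "192.0.2.55", 80, 40000),   # reply, learned port
        tcp(0, server, client, "192.0.2.55", "192.0.2.10", 40001, 22),   # no rule: deny
    ]
    arp = b"\xff" * 6 + client + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
    results.append(fw.process(0, arp))                                   # bridged as-is
    return results


if __name__ == "__main__":
    for verdict, out_ports in demo():
        print(verdict, out_ports)
```

Both hosts sit in 192.0.2.0/24 and the bridge never touches an address, which is the "transparent" property Paul wants; the policy and the connection table live entirely in the inspection step between receiving a frame and choosing its output port. A real deployment would also have to decide what to do with non-IP ethertypes and broadcast storms, which is the point Dean raises.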