I actually built a prototype firewall based on bridging technology, so
it certainly can be done. The nice thing about building it into a bridge,
is ZERO network configuration is required. This is great for things like
the consumer market (aka cable modems, etc). Just plug the box in between
the cable modem and your PC - no additional addresses needed, no network
configuration needed, just go. Of course you still need to configure
firewall functions....
-Jon Allen
>Date: Fri, 26 Jan 2001 15:56:52 -0500 (EST)
>From: [EMAIL PROTECTED]
>Subject: RE: [FW1] why not a bridge?
>
>Andrew,
>
>I hate to say this, but... try thinking outside the box! Just because the
>bridge you bought ten years ago doesn't have the functionality that I am
>suggesting doesn't mean that it shouldn't be done! Or tried at least.
>
>I am not mistaking anything, I just think that it would be more secure if
>the firewall was transparent.
>
>Does checkpoint RELY on packets going from one subnet to any other? I
>don't see why. If I have a two port FW that is running as a bridge then
>I don't see why checkpoint couldn't handle it.
>
>On Fri, 26 Jan 2001 [EMAIL PROTECTED] wrote:
>
>> no no no no no
>>
>> the point of a bridge is that it works at the datalink layer not the
>> network layer. ie a bridge knows NOTHING about IP. So any IP inspection
>> can not be done by a true bridge.
>
> SO it can't inspect anything
>
> Also DO not get bridging confused with packet address translation (PIX)
>
> Checkpoint expects packets to move from one IP subnet to another so you
> will not be able to bridge.
>
> Anyway, what's so hard about routing?
>
> Andrew Shore
> BTcd
> Information Systems Engineering
> Internet & Multimedia
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 26 January 2001 16:06
> To: [EMAIL PROTECTED]
> Subject: RE: [FW1] why not a bridge?
>
>
>
> First, I had tonnes of people let me know that Lucent's fw always works (or
> can work?) as a bridge.
>
> Second, I don't imagine it would be too hard to write bridging software
> that actually does inspect the TCP/IP stack. I mean if you take a closer
> look at how checkpoint says they examine packets, they do it
> already. Checkpoint software itself does not route packets. I
> wonder... If I installed bridging software on my linux box, would
> checkpoint still work? I think I might try that...
>
> anyone think of a reason why it wouldn't work? anyone think of a reason
> why I wouldn't want to do this?
>
> What do you think?
> --Paul
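The point argued over in this thread, that software switching frames at layer 2 can still look inside the IP and TCP headers it carries, as an added example that is not code from any of the posters: a minimal bridge-side inspector that parses Ethernet/IPv4/TCP and applies a port policy. The policy, the `inspect_frame`/`build_frame` names and the sample frame are all constructed for this example.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Example policy (assumed): forward TCP only to these destination ports.
ALLOWED_TCP_PORTS = {80, 443}


@dataclass
class Decision:
    forward: bool
    reason: str


def inspect_frame(frame: bytes) -> Decision:
    """Decide whether a bridge port should forward this Ethernet frame.

    The bridge needs no IP address of its own: it only reads the headers
    inside the frame it is switching between its two ports.
    """
    if len(frame) < 14:
        return Decision(False, "truncated ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return Decision(True, "non-IPv4 frame, bridged as-is")  # e.g. ARP
    ip = frame[14:]
    if len(ip) < 20:
        return Decision(False, "truncated IPv4 header")
    ver_ihl, proto = ip[0], ip[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return Decision(False, "malformed IPv4 header")
    if proto != PROTO_TCP:
        return Decision(False, "non-TCP IPv4 dropped by policy")
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return Decision(False, "truncated TCP header")
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    if dst_port in ALLOWED_TCP_PORTS:
        return Decision(True, f"tcp/{dst_port} allowed")
    return Decision(False, f"tcp/{dst_port} denied")


def build_frame(dst_port: int, proto: int = PROTO_TCP) -> bytes:
    """Constructed sample: Ethernet + 20-byte IPv4 + 20-byte TCP SYN header."""
    eth = b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp
```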
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================