Great Circle Associates Firewalls
(December 1994)

Subject: Re: "router IP filter compiler" ?
From: "Alastair Young" <alastair @ cadence . com>
Date: Thu, 29 Dec 1994 11:37:50 -0800
To: z056716 @ uprc . com (LaCoursiere J. D. (Jeff)), tli @ cisco . com, mckenney @ smiley . mitre . org
Cc: firewalls @ GreatCircle . COM
In-reply-to: z056716 @ uprc . com (LaCoursiere J. D. (Jeff)) "Re: "router IP filter compiler" ?" (Dec 29, 9:00am)
References: <9412291500 . AA10106 @ cygnus . uprc . com>

On Dec 29,  9:00am, LaCoursiere J. D. (Jeff) wrote:
> Subject: Re: "router IP filter compiler" ?
> >
> > You may also want to consider using Firewall-1 for defining, editing, and
> > viewing Cisco access lists (support for Wellfleet may now be included).
> > Firewall-1 converts the rule base to an access list and loads the access
> > list on the Cisco router.
> >
> > This would be useful for Enterprises that have a lot of Cisco routers.
> >
>
> I have been considering this.  How does the Firewall-1 remotely update the
> routers' lists?  I would imagine this would require the enable password to exist
> somewhere in the Firewall-1 setup.  Does this then get sent in cleartext over
> your net to the router?  That would make me extremely nervous.  We edit the
> lists (when necessary, which isn't very often really) on the console to avoid
> this type of problem.
>
>

It uses a dedicated TCP connection with some level of encryption or
authentication (I sniffed the packets and there was some cleartext in there but
there are also encryption keys around) to update the Firewall-1 hosts. I would
assume it uses SNMP for routers, though there is no reason you could not
manually update the compiled access lists.

Nice product, but you can never reduce your paranoia level without source code
:-)

The GUI interface for building the access lists is very nice. You can define
hosts and networks and protocols (a large library of protocols comes with it)
and you can build up the ruleset with the mouse. It also does some sanity
checking. Unfortunately we don't have any Ciscos....

Al



-- 
----------------------------------------------------------------------------
Alastair Young                                     _  This vehicle incapable
Cadence Design Systems, Information Services     )/___     _  
555 River Oaks Parkway, 4B1                    __/(___)_*##/c of evading low 
San Jose CA 95134         Fax: (408)894-3487  / /\\|| \ /  \ 
alastair @ cadence . com           (408)428-5278  \__/ ----'\__/  speed pursuit!
----------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
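As an added illustration of the rule-base-to-access-list compilation and the sanity checking the thread discusses (example code, not Firewall-1's or Cisco's own; the object names, rule base and ACL number are constructed), here is a toy compiler that turns symbolic rules into Cisco extended access-list lines and refuses to emit a list in which an earlier rule already shadows a later one:

```python
import ipaddress
# Constructed object library (hypothetical names): define once, reference by name.
NETWORKS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "corp-net": ipaddress.ip_network("10.1.0.0/16"),
    "mail-host": ipaddress.ip_network("10.1.5.25/32"),
}
SERVICES = {"smtp": ("tcp", 25), "http": ("tcp", 80), "any": ("ip", None)}
# Constructed rule base, evaluated top to bottom: (src, dst, service, action).
RULES = [
    ("corp-net", "mail-host", "smtp", "permit"),
    ("any", "mail-host", "smtp", "deny"),
    ("corp-net", "mail-host", "http", "permit"),
    ("corp-net", "any", "any", "deny"),
    ("corp-net", "mail-host", "smtp", "deny"),  # dead: rule 0 already matches
]

def cisco_addr(net):
    """Render a network in Cisco ACL syntax: any / host A / A WILDCARD."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def compile_rule(acl, rule):
    """One rule-base entry -> one extended access-list line."""
    src, dst, svc, action = rule
    proto, port = SERVICES[svc]
    line = (f"access-list {acl} {action} {proto} "
            f"{cisco_addr(NETWORKS[src])} {cisco_addr(NETWORKS[dst])}")
    return line + (f" eq {port}" if port is not None else "")

def covers(earlier, later):
    """True if `earlier` matches every packet `later` would, so `later` is dead."""
    return (NETWORKS[later[0]].subnet_of(NETWORKS[earlier[0]])
            and NETWORKS[later[1]].subnet_of(NETWORKS[earlier[1]])
            and earlier[2] in ("any", later[2]))

def find_shadowed(rules):
    """Sanity check: (dead_rule, earlier_rule) for each earlier rule covering it."""
    return [(i, j) for i, r in enumerate(rules)
            for j in range(i) if covers(rules[j], r)]

def compile_rulebase(acl, rules):
    """Compile the whole rule base; refuse to emit an ACL containing dead rules."""
    shadowed = find_shadowed(rules)
    if shadowed:
        raise ValueError(f"shadowed rules (dead, covered by): {shadowed}")
    return [compile_rule(acl, r) for r in rules]  # router adds implicit deny ip any any
```

Running `compile_rulebase(101, RULES)` raises on the fifth rule; dropping it yields four lines ready to paste, with the router's implicit trailing deny left to the router.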