Great Circle Associates Firewalls
(December 1995)
 


Subject: Need firewall to support enterprise private addresses
From: blu @ mc . com (Brian Utterback)
Date: Fri, 1 Dec 1995 22:31:23 -0500
To: firewalls @ GreatCircle . COM

My company has two problems. One, we need a firewall system.  We have been 
using the FWTK plus packet filtering on the router provided by our 
ISP, but we are about to change ISPs and we have never been comfortable
with having someone else responsible for our security.  Consequently, we are
in the market for a full commercial firewall system.

The second problem is that we are running out of IP addresses in our internal
networks.  We have several class C networks assigned to us, but our network
partitions into two logical networks.  Each of these is already at about 
250 or so hosts, with more on the way.  So, I see two possible solutions.

First possibility, combine our Class C addresses.  Our addresses are 
4 consecutive networks, with the third octets being 16, 17, 18 and 19.
We are maxed out on 16 and 17, with 18 unused and 19 nearly so and able to 
be folded into one of the other nets.  My thought is to specify a subnet
mask of 255.255.254.0 and logically combine the four networks of 255 addresses 
each into 2 networks of 510 addresses each.  The only problem I have is I 
don't know if that is even legal, or if so, then if it is supported by the 
vendors of our systems.  We are mixed Sun, SGI, Mac, PC.

The second possibility (I bet you can guess this one) is to get an
address-translating firewall and use the enterprise private Class B
network.  There are two ways that this can work as near as I can tell.
One is like the Private Internet Exchange from Network Translation 
(now Cisco), which uses dynamic packet filtering to transparently map the
addresses used.  The other is via a set of application gateways, so that all
connections appear to be from the Firewall system.  

The problem I have is that I do not know which firewalls can do which of
these types of translations.  Gauntlet used to be able to do this via the
application gateway route, but with the semi-transparent proxies they 
have developed, I do not know if this is still the case.

So how about it you firewall vendors and evaluators, which firewall systems
can help me out? Which firewalls support use of enterprise private addresses?

Brian Utterback    blu @ mc . com    Manager Technical Networks
Mercury Computer Systems, Inc.   (508) 256-1300x168
199 Riverneck Road               (508) 256-3599 FAX
Chelmsford, MA 01824             You can't grep dead trees.
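
The mask arithmetic from the first possibility in the message above, worked as an added example (not part of the original message). The 192.168 prefix is a constructed placeholder, since the message gives only the third octets, and the function names are hypothetical.

```python
import ipaddress

def group_under_mask(networks, mask):
    """Map each block defined by `mask` to the given networks that fall inside it."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    groups = {}
    for text in networks:
        net = ipaddress.ip_network(text)
        if net.prefixlen < prefix:
            raise ValueError(f"{net} is already larger than a /{prefix} block")
        # Clearing the host bits under the shorter mask gives the enclosing block.
        parent = net.supernet(new_prefix=prefix)
        groups.setdefault(parent, []).append(net)
    return groups

def merge_report(networks, mask):
    """Return (block, members, fully_covered, usable_hosts) for each resulting block."""
    report = []
    for parent, members in sorted(group_under_mask(networks, mask).items()):
        # The members form one network only if together they collapse to the block itself.
        covered = list(ipaddress.collapse_addresses(members)) == [parent]
        usable = parent.num_addresses - 2  # minus network and broadcast addresses
        report.append((str(parent), [str(m) for m in members], covered, usable))
    return report

# Constructed sample: placeholder first two octets, third octets 16-19 from the message.
SAMPLE = [f"192.168.{n}.0/24" for n in (16, 17, 18, 19)]

if __name__ == "__main__":
    for row in merge_report(SAMPLE, "255.255.254.0"):
        print(row)
    # Nets 17 and 18 are adjacent but straddle a /23 boundary, so they do not merge.
    for row in merge_report(["192.168.17.0/24", "192.168.18.0/24"], "255.255.254.0"):
        print(row)
```

The second call shows the alignment constraint: under 255.255.254.0 only pairs that start on an even third octet (16 with 17, 18 with 19) form a single network.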


