You could look at Network Systems Borderguard or Security Router. Both
platforms provide multi-protocol firewalling.
IPX, IP and all bridged traffic as well.
www.network.com
RGRDS.....clm
----------
From: firewalls-owner
To: firewalls @ GreatCircle . COM; 'Lehrer, Neil'
Subject: RE: ipx routing
Date: February 7, 1996 18:42
----------
From: Lehrer, Neil[SMTP:nlehrer @ usia . gov]
Sent: Wednesday, February 07, 1996 8:19 AM
To: firewalls @ GreatCircle . COM
Subject: ipx routing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subject: Re IPX routing
paul . carrol @ medaphis . com offered up:
>I am about to set up a firewall for our Internet link.
>
>I have recently learned that we are bringing in an X.25 line from Compuserve.
>The line runs into a Compuserve box that resides here that we do NOT control.
>
>From the Compuserve box, a line runs into one of our router interfaces.
>
>Obviously, I want to firewall this link as well...
>It passes IPX and TCP/IP, and needs to do both.
>
>The problem I have is with IPX. We have decided on Raptor Eagle as our firewall.
>It will run on a SUN Sparc 20, and it will NOT pass IPX.
>
>Any suggestions?
Well .. not sure whether this works or not, but I'd be interested in
comments myself. Is IPX critical for you?
I ask because we're running IP and IPX on our LAN here, and I'm being
pushed to allow both across our firewalling mechanism. Our Netware guy
said to me the other day that we needed IPX as some products actually
require IPX in order to work. This sounds like snake oil to me - I'd
have thought that the underlying protocol - whether IP or IPX - should
make no difference whatsoever. Any comments on this? It's also been
suggested to me that Novell/IP works by simply encapsulating IPX within
an IP packet - this doesn't quite sound like full IP to me. Can anyone
comment upon this? If we can move everything to IP, then our problems
potentially disappear here, and I needn't route IPX at all. Sounds easy
to me from there (ish!).
I wonder, Paul, whether you could do something along these lines? I
wonder, everyone, whether you all think I'm pouring snake oil around the
place too? :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
it is true that some netware products use ipx/spx directly. whether they
would work properly, or at all, with netware/ip is something you would
have to test (unfortunately).
--------------------------------------------------------------------------
Native IP has been available for NetWare servers for some time; the
problem is that the NetWare Core Protocols haven't been supported from
IP until recently.
Since most user applications are using workstation or server services
(NCP), installing IP wouldn't help advance these services over non-IPX
links. It simply supplied ftp, lpd and other such unix-like services.
Some IPX to IP encapsulation is available but I haven't had much
experience with it.
NetWare 4.1, however, ships with a module called NetWare/IP. It allows
a 4.1 server to act as an IP to IPX gateway, forward IPX RIP/SAP over IP
and so forth. Additionally, NetWare IP provides IP workstation shells
that use IP for NCP (about time!).
The easiest solution to force the IPX traffic through a firewall would
be to provide an IPX to IP NetWare gateway on the unsecure side of the
firewall. It would be configured to forward RIP/SAP and translated IPX
packets via the firewall to an IP to IPX NetWare gateway on the secure
side of the firewall.
Of course, the NetWare server on the unsecure side of the firewall is
attackable.
The only other solution is to have the service provider create a gateway
on their secure network and forward IPX packets and RIP/SAP.