On May 22, 4:13pm, JOHNSON @
> Any good firewall is a system not a single box.
That's a pretty broad statement. What is your opinion of TIS's Gauntlet
firewall? It is a stand alone, turnkey, firewall, is it not? Is it not
a good firewall?
> Suppose I needed to let an external site have access to a critical
> system inside. I can easily enough put an access list on the router
> interface to allow these packets through. If I have a firewall running a
> transparent proxy for the application in question it will let these
> packets through as well.
So you are authenticating based on originating IP address, no?
> What's to prevent some outside site from sending a packet stream
> with the allowed source IP address in to my system and possibly doing
> harm to my inside machines? Is there a combination of router filter,
> firewall proxy, anything else, that will put a damper on this potential
Nothing. If you authenticate by source IP address, then that's what you are
authenticating by. If you can't trust originating address (and I can see why
you can't) then you need some means of authentication, other than IP address.
IP spoofing filters allow you to "safely" trust your internal network numbers
as origin IP addresses, since they couldn't be forged (they'd be blocked at the
router). If the originating sites are on the other side of the router, then
I know of no modifications to this short of authenticating them by other
Alan Hannan Email: alan @
Network Systems Administrator Voice: (402) 472-0241
MIDnet, Lincoln NOC Office Fax: (402) 472-0240
"In the land of the blind, the one eyed man is king."
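An added example, not part of either poster's message: a small Python model of the router rules discussed above, with ingress/egress anti-spoofing filters for the internal range and an access list for the partner site. The prefixes, partner address, critical host and port are constructed assumptions. It also shows the limit Alan describes: a packet from outside that forges the partner's address is indistinguishable to the filter from the real thing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (assumptions, not from the original thread).
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
PARTNER_HOST = ipaddress.ip_address("203.0.113.7")   # allowed external site
CRITICAL_HOST = ipaddress.ip_address("10.1.5.20")    # critical inside system
CRITICAL_PORT = 8443


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def router_filter(pkt: Packet) -> str:
    """Return the verdict and the rule that produced it."""
    # Ingress anti-spoofing: nothing arriving from outside may claim an
    # internal source address, so internal addresses stay trustworthy.
    if pkt.iface == "outside" and is_internal(pkt.src):
        return "drop:spoofed-internal-source"
    # Egress anti-spoofing: packets leaving must carry our own addresses,
    # so our site cannot be used to spoof someone else.
    if pkt.iface == "inside" and not is_internal(pkt.src):
        return "drop:spoofed-egress-source"
    # Partner access list: only the partner host reaches the critical service.
    if (pkt.iface == "outside"
            and ipaddress.ip_address(pkt.src) == PARTNER_HOST
            and ipaddress.ip_address(pkt.dst) == CRITICAL_HOST
            and pkt.dport == CRITICAL_PORT):
        return "permit:partner-acl"   # passes whether or not src is genuine
    if pkt.iface == "inside":
        return "permit:outbound"
    return "drop:default-deny"
```

The filter can only ever see the source address on the wire, so a forged partner address from an external host gets the same "permit" as the real partner; that is why the reply says authentication by something other than IP address is needed for those sites.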