Great Circle Associates Firewalls
(May 1996)
 


Subject: RE: Cisco Internet Junction -Reply -Reply
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Sat, 25 May 1996 08:53:44 -0400
To: "'mdr @ vodka . sse . att . com'" <mdr @ vodka . sse . att . com>
Cc: "'Firewalls'" <firewalls @ GreatCircle . COM>

Mark,

The magic would have to be supported by the IPX/IP device, of course. I 
presumed that there would be a mechanism to define listening ports on the 
gateway proxied to internal IPX servers. How that translation is handled 
would be by maintaining an IP address/port to SPX session table, for 
example. I have no idea if any of the current devices support this today, 
but one would presume it's somehow possible.

NT, for example, supports multiple IP addresses on the same interface and 
can distinguish between requests for service on the same port if supplied 
with either a different IP address or a different DNS name, so the concept 
of multiple listens to the same port is not new.

So, for example, through a SAP you could advertise that you are willing to 
accept Telnet connections from the IPX/IP device, or the device could check 
SAPs and match service name to inbound IP address/Port number, whatever...

Unless the devices support outbound requests only, which they do not as 
they support Web Servers also, then you are allowing a mapping to occur 
between an exposed IP/Port combination and an internal IPX/SPX server. 
Since more services are generally desired beyond HTTP, the makers of these 
devices are going to have to find a way to support as many services as 
possible. Would you buy a firewall that only supported outbound 
connections?

These vendors are out to sell to customers who do not want to implement IP 
on the desktop, not companies who only want to have a web server and outbound 
connections. And if the idea of a global IPX-based Internet is to come 
about, then support of services is going to have to widen, which in turn 
will bring my point more to the fore.

Besides, if I hijack the session outside of this firewall, then the 
datastream is mine to determine, so I can send back whatever data I want 
and the translation device will take care of getting to the internal host. 
So even on an outbound only device, it would still be possible for me to 
put data back into the IPX network. An outbound-only TCP/IP-based firewall 
presents the same benefits as an IPX-based one.

Cheers,
Russ
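The IP address/port to SPX session table and the session-hijacking point above, as an added toy model written for this archive page. It is not code from any real IPX/IP gateway or from Russ; the SAP service names, IPX addresses, exposed IP addresses and the translation rules (one SPX connection per TCP session, listeners bound by SAP name) are constructed assumptions for illustration.

```python
from itertools import count

# Constructed SAP table (not from any real network): service name advertised via
# NetWare SAP -> internal IPX address (network, node, socket). Values are made up.
SAP_TABLE = {
    "FS1/TELNETD": ("0000BEEF", "000000000001", "8060"),
    "FS1/HTTPD":   ("0000BEEF", "000000000001", "8061"),
}


class IPXIPGateway:
    """Hypothetical IPX/IP gateway that proxies TCP sessions onto SPX sessions.

    Two tables carry the translation described in the message:
      listeners: (exposed IP, TCP port) -> SAP service name it is proxied to
      sessions:  (remote IP, remote port, exposed IP, exposed port) -> (SPX id, service)
    """

    def __init__(self, outbound_only=False):
        self.outbound_only = outbound_only
        self.listeners = {}
        self.sessions = {}
        self.delivered = []          # (service, SPX id, payload) handed to the IPX side
        self._spx_ids = count(1)     # assumption: one SPX connection per TCP session
        self._ports = count(1024)    # ephemeral source ports for outbound sessions

    def advertise(self, exposed_ip, tcp_port, service):
        """Map an exposed IP/port on the gateway to a SAP-advertised internal service."""
        if service not in SAP_TABLE:
            raise KeyError(f"no SAP entry for {service}")
        self.listeners[(exposed_ip, tcp_port)] = service

    def open_outbound(self, service, remote_ip, remote_port, exposed_ip):
        """An internal IPX host (named by its SAP entry) connects out to the Internet.

        Returns the session key as the remote side sees it; that 4-tuple is all a
        hijacker outside the gateway needs to own the data stream.
        """
        src_port = next(self._ports)
        key = (remote_ip, remote_port, exposed_ip, src_port)
        self.sessions[key] = (next(self._spx_ids), service)
        return key

    def inbound(self, src_ip, src_port, dst_ip, dst_port, syn=False, payload=b""):
        """Handle a TCP segment arriving from the Internet side.

        Returns 'forwarded' (data translated onto an existing SPX session),
        'opened' (new inbound session to an advertised listener) or 'dropped'.
        """
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            # Established session: the gateway cannot tell the real peer from a
            # hijacker who now controls the stream; it just translates onto SPX.
            spx_id, service = self.sessions[key]
            self.delivered.append((service, spx_id, payload))
            return "forwarded"
        if syn and not self.outbound_only and (dst_ip, dst_port) in self.listeners:
            service = self.listeners[(dst_ip, dst_port)]
            self.sessions[key] = (next(self._spx_ids), service)
            return "opened"
        return "dropped"


def hijack_demo():
    """Outbound-only gateway: an inbound SYN is refused, yet a segment injected
    on an existing outbound session still reaches the internal IPX host."""
    gw = IPXIPGateway(outbound_only=True)
    refused = gw.inbound("198.51.100.7", 40000, "203.0.113.10", 23, syn=True)
    key = gw.open_outbound("FS1/TELNETD", "198.51.100.7", 80, "203.0.113.10")
    # Hijacker spoofs the remote side's 4-tuple on the established session.
    injected = gw.inbound(*key, payload=b"<attacker-chosen bytes>")
    return refused, injected, gw.delivered


def inbound_demo():
    """Full gateway: an exposed port is proxied to an internal SAP-advertised server."""
    gw = IPXIPGateway()
    gw.advertise("203.0.113.10", 23, "FS1/TELNETD")
    opened = gw.inbound("198.51.100.7", 40000, "203.0.113.10", 23, syn=True)
    data = gw.inbound("198.51.100.7", 40000, "203.0.113.10", 23, payload=b"login")
    return opened, data, gw.delivered


if __name__ == "__main__":
    print(hijack_demo())
    print(inbound_demo())
```

The model deliberately does no inspection of the payload: once a 4-tuple is in the session table, whatever arrives on it is handed to the SPX side, which is the property the message relies on when it says an outbound-only device still lets an outside party put data back into the IPX network.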




