Great Circle Associates Firewalls
(January 1998)

Subject: RE: Firewall setup
From: Thomas Liam Romanis <TLR @ portcullis-security . com>
Date: Mon, 26 Jan 1998 09:37:54 -0000
To: "'List_Mail @ vsebav . com'" <List_Mail @ vsebav . com>
Cc: "'firewalls @ GreatCircle . com'" <firewalls @ GreatCircle . com>

Dear Sir,
I have not much experience with Firewall-1 specifically, but this
is down to a dislike for software firewalls; I prefer the black-box
approach. However,
1. I am surprised that your vendor says that what you intend to do is
impossible. You should be able to have your internal and external
networks on the same network. 
1.a. You could try using NAT (Network Address Translation) such that you
have all of your bought IP addresses on your external network and then
still have the range for your internal network just on a different
range.
i.e. extern.... 194.35.135.0
     intern.... 194.45.135.0
1.b. Using NAT you have various possibilities available to you.
1.b.1. Host Static. In this scenario your 194.45.135.1 host would be
represented as 194.35.135.1 on your external network.
1.b.2. Host Dynamic. In this scenario your 194.45.135.2 host can be any
IP in the range 194.45.135.0 etc.. on the external network.
1.b.3. Service Static. Used to create static routes between the internet
and specific hosts.
1.b.4. Service Dynamic. Allows you to specify an entire network by one
IP.
1.c. Proxy ARP is another possibility whereby the internal and external
interfaces of your firewall have the same IP address. However, I do not
know how secure this is on Firewall-1.
To answer your questions.
1. Not necessarily. I think you may have been thinking of the screening
router type of firewall. This is only one train of thought, another
would be the proxy type. Of course as subsets of each you also have
packet filters etc.....
2. You should be able to....
3. Not really a replacement. Your firewall should be able to restrict
routing so that for example you can specify that SMTP only travels
between the internet and your SMTP host, this might additionally be a
content filter like MAILsweeper. You might want to specify that http can
only come from a specific proxy on your network to the internet...
etc.......

Hope this helps.

Cheers,Liam.

Thomas Liam Romanis
Technical Manager
Portcullis Computer Security Ltd
BAFT, Biodata Accredited Firewall Trainer.
MIMEsweeper accredited Administrator Trainer.
F-Secure Product support,
Guardian Angel, PENS support.
AV, Defuse Malicious Macro protection.



> ----------
> From: 	List_Mail @ vsebav . com [SMTP:List_Mail @ vsebav . com]
> Sent: 	Friday, January 23, 1998 3:28PM
> To: 	firewalls @ GreatCircle . com
> Subject: 	Firewall setup
> 
> My company is installing a firewall on our small network.  I have the
> following questions regarding firewall installation.  Any help would
> be appreciated.
>      
> Current setup:    Network mask 255.255.255.0
>  
> IP Network --------> [Livingston Router] --------> Internet
> AAA.BBB.CCC.005      AAA.BBB.CCC.001 (Class C)
> AAA.BBB.CCC.006
> AAA.BBB.CCC.007 etc.
> 
> We would like to put in the Checkpoint firewall before IP migration.
> Can I set IP as follow ?
> 
> IP Network ---> [Checkpoint Firewall] ---> [Livingston] ---> Internet
> AAA.BBB.CCC.005 <-- AAA.BBB.CCC.002        AAA.BBB.CCC.001
> AAA.BBB.CCC.006     AAA.BBB.CCC.003 -->
> AAA.BBB.CCC.007 
> 
> 
> A vendor said that we cannot do the above.  We have to create two
> subnets and renumber the network as follows:
> 
> Subnet mask: 255.255.255.128
>      
> IP Network ---> [Checkpoint Firewall] ---> [Livingston] ---> Internet
> AAA.BBB.CCC.130 <-- AAA.BBB.CCC.129        AAA.BBB.CCC.001
> AAA.BBB.CCC.131     AAA.BBB.CCC.003 -->
> AAA.BBB.CCC.132
> 
> Basically, we will lose half of our addresses to the untrusted side
> of the network.  My questions are:
> 
> 1. Shouldn't the firewall act as a router?
>    When packets pass through it, it would do its thing and then pass
>    the packets on or reject them.
> 
> 2. Why can't I set up the firewall without losing half of my
> addresses?
> 
> 3. Should I be looking at the firewall as a replacement for the router
>    in order to keep the network numbering scheme intact?
> 
> Thanks in advance for your input.
> 
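
The two points in the reply that a practitioner would want to see concretely are the service restriction (SMTP only between the Internet and one mail host, HTTP only outward from a proxy) and the difference between "host static" and "host dynamic" NAT when the firewall keeps the original Class C on the inside. The following is an added example, not code from the original thread or from Checkpoint: a small Python model of a filtering firewall that applies that rule base on the real internal addresses, tracks accepted connections so replies pass, and translates with a static 1:1 mapping for the mail host and a shared hide address for everyone else. The internal range 194.45.135.0/24, the host roles, the external addresses 194.35.135.1 and 194.35.135.254, the remote address 198.51.100.7 and all port numbers are constructed for the demonstration.

```python
# Added example, not code from the original message: a model of a filtering
# firewall inside the same Class C as the hosts it protects, with the policy
# the reply sketches (SMTP only between the Internet and the mail host, HTTP
# only outward from the proxy, default deny) and both NAT flavours it lists:
# host static (1:1, ports untouched) and host dynamic / hide NAT (many hosts
# behind one address, told apart by port). All values here are constructed.
from dataclasses import dataclass, replace
import ipaddress

INTERNAL_NET = ipaddress.ip_network("194.45.135.0/24")
MAIL_HOST = "194.45.135.1"     # only host allowed to speak SMTP
WEB_PROXY = "194.45.135.2"     # only host allowed to open HTTP outward
HIDE_ADDR = "194.35.135.254"   # external address shared by dynamic hosts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def policy(pkt):
    """Rule base for a connection's first packet, seen with internal addresses."""
    inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
    outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
    if pkt.proto == "tcp" and pkt.dport == 25:
        if inbound and pkt.dst == MAIL_HOST:     # Internet -> mail host
            return "accept"
        if outbound and pkt.src == MAIL_HOST:    # mail host -> Internet
            return "accept"
    if pkt.proto == "tcp" and pkt.dport == 80:
        if outbound and pkt.src == WEB_PROXY:    # proxy -> Internet only
            return "accept"
    return "drop"                                # default deny


class Nat:
    """Static 1:1 mappings for named hosts; all others hide behind hide_addr."""
    def __init__(self, static, hide_addr, first_port=10000):
        self.static_out = dict(static)                      # internal -> external
        self.static_in = {v: k for k, v in static.items()}  # external -> internal
        self.hide_addr = hide_addr
        self.next_port = first_port
        self.table = {}                                     # ext port -> (internal, sport)

    def outbound(self, pkt):
        if pkt.src in self.static_out:
            return replace(pkt, src=self.static_out[pkt.src])
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_addr, sport=ext_port)

    def inbound(self, pkt):
        """None means no mapping: an unsolicited packet to the hide address."""
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        if pkt.dst == self.hide_addr and pkt.dport in self.table:
            internal, sport = self.table[pkt.dport]
            return replace(pkt, dst=internal, dport=sport)
        return None


class Firewall:
    """Filters on internal addresses; remembers accepted connections so replies pass."""
    def __init__(self, nat):
        self.nat = nat
        self.conns = set()   # (src, sport, dst, dport) of accepted first packets

    def send_out(self, pkt):
        if policy(pkt) != "accept":
            return None
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return self.nat.outbound(pkt)

    def receive_in(self, pkt):
        inner = self.nat.inbound(pkt)   # un-NAT first, then filter
        if inner is None:
            return None
        if (inner.dst, inner.dport, inner.src, inner.sport) in self.conns:
            return inner                # reply to an allowed connection
        if policy(inner) != "accept":
            return None
        self.conns.add((inner.src, inner.sport, inner.dst, inner.dport))
        return inner


def demo():
    # Constructed traffic; each value is the packet as forwarded, or None if dropped.
    fw = Firewall(Nat({MAIL_HOST: "194.35.135.1"}, HIDE_ADDR))
    remote = "198.51.100.7"   # an Internet host (documentation address range)
    return {
        "mail_out": fw.send_out(Packet(MAIL_HOST, remote, "tcp", 40000, 25)),
        "proxy_http": fw.send_out(Packet(WEB_PROXY, remote, "tcp", 40001, 80)),
        "direct_http": fw.send_out(Packet("194.45.135.9", remote, "tcp", 40002, 80)),
        "http_reply": fw.receive_in(Packet(remote, HIDE_ADDR, "tcp", 80, 10000)),
        "mail_in": fw.receive_in(Packet(remote, "194.35.135.1", "tcp", 2500, 25)),
        "smtp_to_hide": fw.receive_in(Packet(remote, HIDE_ADDR, "tcp", 2501, 25)),
    }
```

Running demo() shows the distinction the reply draws: the mail host leaves and is reached under its static external address with ports untouched, the proxy leaves under the shared hide address with an allocated port and gets its reply back through that mapping, a workstation's direct HTTP attempt is dropped by the rule base before any translation, and an unsolicited SMTP connection to the hide address has no mapping and so cannot reach any internal host. Filtering is done on the internal addresses on both paths (policy before NAT outbound, after un-NAT inbound) so that the rules name the real hosts rather than whatever external address they happen to be hidden behind.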
