With all of the recent attacks against ISP services, has anybody considered implementing Checkpoint Firewalls into the CISCO 7513s to front end all traffic from the Internet? Although in theory this sounds feasible from a security standpoint I'm not sure I am comfortable with the processing power that would be required and having anything looking at every packet. It seems that this would introduce a significant latency into the routing of the traffic (which is the function of a router or at least it used to be). I prefer to let my routers route.

Interested in any and all ideas on the subject.

--
Tim Crowell - GTE Intelligent Network Services
tcrowell@gte.net
Voice: 214.751.3881
Hmm, yes. At least one router vendor (with sufficient processing power) is doing this... Here is a pointer to some basic info on Bay Networks' implementation, dating from last September.

http://www.baynetworks.com/Products/Briefs/baysecrs.html

Tim Crowell wrote:
> With all of the recent attacks against ISP services, has anybody considered implementing Checkpoint Firewalls into the CISCO 7513s to front end all traffic from the Internet?
>
> Although in theory this sounds feasible from a security standpoint I'm not sure I am comfortable with the processing power that would be required and having anything looking at every packet. It seems that this would introduce a significant latency into the routing of the traffic (which is the function of a router or at least it used to be). I prefer to let my routers route.
>
> Interested in any and all ideas on the subject.
>
> --
> Tim Crowell - GTE Intelligent Network Services
> tcrowell@gte.net
> Voice: 214.751.3881
--
Paul Knight                         mailto:pknight@BayNetworks.com
IP Engineering, Systems Test        Office: (508) 916-7087
Bay Networks, Inc. M/S BL2-02       Lab: (508) 670-8888, x-65404
2 Federal St., Billerica, MA 01821  Fax: (508) 670-4004
> With all of the recent attacks against ISP services, has anybody considered implementing Checkpoint Firewalls into the CISCO 7513s to front end all traffic from the Internet?
>
> --
> Tim Crowell - GTE Intelligent Network Services
> tcrowell@gte.net
> Voice: 214.751.3881
I know that Bay is doing this with Checkpoint when (or soon after) FW-1 3.0 is released. I assume this would make a deal with cisco rather difficult, especially considering the way cisco has been pushing the PIX box against FW-1.

---------------------------------------------------------------------------
Andrew Smith ** awsmith@neosoft.com ** Network Engineer ** 1-888-NEOSOFT **
"Opportunities multiply as they are seized" - Sun Tzu **
** http://www.neosoft.com/neosoft/staff/andrew **
---------------------------------------------------------------------------
> I know that Bay is doing this with Checkpoint when (or soon after) FW-1 3.0 is released. I assume this would make a deal with cisco rather difficult, especially considering the way cisco has been pushing the PIX box against FW-1.
Just to throw in a little bit more info..

There's little comparison between the two. PIX is more of an address translation unit with firewalling capabilities. Firewall-1 is a fully functional Firewall with limited address translation.

i.e. PIX has a pool of IP addresses.. true address translation. Firewall-1 does address 'hiding' making it look to the external world like all connects come from a single IP.

I tend to prefer to keep routers as routers and firewalls as firewalls, it reduces the CPU overhead, Problem Determination is easier, and configurations are kept in a distinct logical box. Of course this is at the expense of cost, and space.

Glynn Stanton.
> Just to throw in a little bit more info..
>
> There's little comparison between the two. PIX is more of an address translation unit with firewalling capabilities. Firewall-1 is a fully functional Firewall with limited address translation.
>
> i.e. PIX has a pool of IP addresses.. true address translation. Firewall-1 does address 'hiding' making it look to the external world like all connects come from a single IP.
Actually, hide mode is only one of the options in FW-1. You can do a static one-to-one allocation (but not dynamically).
> I tend to prefer to keep routers as routers and firewalls as firewalls, it reduces the CPU overhead, Problem Determination is easier, and configurations are kept in a distinct logical box. Of course this is at the expense of cost, and space.
Agreed...but in certain situations, i.e. a widely diverse network, to follow this purist paradigm, you really need a separate firewall/uniquely routed subnet. If someone has a 75XX with a T1 Internet connection, why not let the extra CPU go towards firewall functions. Granted, you are very limited in logging, authentication, and proxies or content monitoring, but such capabilities could be made with proprietary communication to a central firewall/management server...but then you are really straying away from IOS/whatever OS each router uses.

In short, if it's built, someone will buy it. Is it enough people to pay for the development/political maneuvering?

---------------------------------------------------------------------------
Andrew Smith ** awsmith@neosoft.com ** Network Engineer ** 1-888-NEOSOFT **
"Opportunities multiply as they are seized" - Sun Tzu **
** http://www.neosoft.com/neosoft/staff/andrew **
---------------------------------------------------------------------------
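The pool-versus-hide distinction drawn above (a PIX-style address pool, FW-1 hide mode, and the static one-to-one mapping Andrew mentions) as an added toy model; this is not code from the thread, PIX or FireWall-1, and the class names, addresses and ports are constructed for illustration.

```python
# Added example, not code from the thread, PIX or FireWall-1: a toy model of
# the translation styles the posts contrast; addresses and ports are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")

class PoolNat:
    # Dynamic pool ("true" translation): each inside host is handed its own
    # free public address; when the pool is empty a new host gets nothing.
    def __init__(self, pool):
        self.free, self.map = list(pool), {}
    def translate(self, f):
        if f.src not in self.map:
            if not self.free:
                return None                     # pool exhausted
            self.map[f.src] = self.free.pop(0)
        return Flow(self.map[f.src], f.sport, f.dst, f.dport)

class HideNat:
    # Hide mode: every inside host shows up as one public address, so the
    # translated source port is the only thing that gets replies home.
    def __init__(self, public, first_port=10000):
        self.public, self.next_port = public, first_port
        self.out, self.back = {}, {}            # (src, sport) <-> public port
    def translate(self, f):
        key = (f.src, f.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Flow(self.public, self.out[key], f.dst, f.dport)
    def untranslate_reply(self, f):
        # f is a reply sent to the public address; recover the inside host
        src, sport = self.back[f.dport]
        return Flow(f.src, f.sport, src, sport)

class StaticNat:
    # Static one-to-one: a fixed mapping, nothing is allocated at run time.
    def __init__(self, mapping):
        self.mapping = dict(mapping)
    def translate(self, f):
        pub = self.mapping.get(f.src)
        return None if pub is None else Flow(pub, f.sport, f.dst, f.dport)

def demo(hosts=("10.0.0.1", "10.0.0.2", "10.0.0.3")):
    flows = [Flow(h, 40000 + i, "192.0.2.80", 80) for i, h in enumerate(hosts)]
    pool, hide = PoolNat(["203.0.113.1", "203.0.113.2"]), HideNat("203.0.113.9")
    return [pool.translate(f) for f in flows], [hide.translate(f) for f in flows]
```

Running demo() shows the third host failing behind a two-address pool while all three succeed behind the single hide address, distinguished only by translated port.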
On Mon, 3 Mar 1997, Andrew Smith wrote:
> PIX is more of an address translation unit with firewalling capabilities. Firewall-1 is a fully functional Firewall with limited address translation.
What about Gauntlet? Or Juniper? Or the TIS FWTK? Or Borderware? Or the Livingston IRX 112? Or KarlBrouter? Or the Norman Firewall? Or Sidewinder? And these are only a few of the dozens of commercial firewalls with features out the wazoo. Read LAN magazine and Network Computing for product tests and reviews. Hire a security consultant.

I know what you're asking... What does all this stuff have to do with running a continent-spanning public network? Nothing at all, of course. So send one of the following two messages to majordomo@greatcircle.com

    subscribe firewalls
    subscribe firewalls-digest

Hey, if you're *REALLY* interested you could send both of them!

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
On Mon, 3 Mar 1997, Andrew Smith wrote:
> Agreed...but in certain situations, i.e. a widely diverse network, to follow this purist paradigm, you really need a separate firewall/uniquely routed subnet. If someone has a 75XX with a T1 Internet connection, why not let the extra CPU go towards firewall functions.
Anyone who has a 75XX and a single T1 needs to be taken out back and shot by their overly generous accounts payable division ;)
On Mon, 3 Mar 1997, Andrew Smith wrote:

> Anyone who has a 75XX and a single T1 needs to be taken out back and shot by their overly generous accounts payable division ;)
At a recent Cisco seminar aimed at corporate customers, Cisco was specifying the 7500 be used in all the following situations:

1. connecting a single mainframe computer to the campus backbone
2. connecting a large office to the campus backbone
3. connecting a remote office over frame relay at 512 kbs to the campus backbone. But do not despair, if you are running at 256kb, you can drop back to a 7200.

#3 implies we are overdriving our 7500s. If the 7500 is intended to handle a single serial line at 512kb, no wonder it seems to get overloaded on the backbone.

Best Regards,
Robert Laughlin

----------------------------------------------------------------------------
DataXchange sales: 800-863-1550   http://www.dx.net
Network Operations Center: 703-903-7412 -or- 888-903-7412
----------------------------------------------------------------------------
On Tue, 4 Mar 1997, Brian Tackett wrote:
> On Mon, 3 Mar 1997, Andrew Smith wrote:
>
> > Agreed...but in certain situations, i.e. a widely diverse network, to follow this purist paradigm, you really need a separate firewall/uniquely routed subnet. If someone has a 75XX with a T1 Internet connection, why not let the extra CPU go towards firewall functions.
>
> Anyone who has a 75XX and a single T1 needs to be taken out back and shot by their overly generous accounts payable division ;)
Why use them as routers? They make *great* ethernet hubs! If only an arcnet card was available for them...

--
Paul R.D. Lantinga #planting@vfi.com#
Systems Administrator, Verifone IC
"...'proactive' and 'paradigm', aren't these just buzzwords that dumb people use to sound important?" -The Simpsons