Firewall Wizards
mailing list archives
fw-1 general & VPN questions
From: AC <ac0 () io com>
Date: Sun, 19 Apr 1998 23:34:43 -0500 (CDT)
Hi folks,
Currently I am involved in a project which requires that
I set up a central fw-1 mgmt station, to manage 2 fw-1 (on
solaris 2.5.1) boxen via an encrypted VPN over the internet.
I also intend to do some "out-of-band" mgmt with a dialin
modem on the serial console of the two sun boxes (yes, yes,
wardialers I know). However, this is what the customer wants,
and I have no say-so, so I need to simply get it set up.
A couple general questions about fw-1:
1) Does fw-1 actually *break* the client/server model? Application
gateways like FWTK actually will generate an entirely new packet
from the OS IP stack to handle communication between
clients and external servers. This is a more secure setup,
IMHO. So, does fw-1 actually *forward* IP packets to
internal clients after checking its ruleset? Can I turn this
off, i.e. (ndd /dev/ip stuff?), and have fw-1 still work?
2) Does fw-1 handle fragmented packets correctly? i.e. does it
handle the reassembly or does the OS IP stack?
3) Concerning NAT: client has a T1 to Net, fw-1-A, and also
a private point-to-point T1 connection to another company,
with fw-1-B sitting there. Both fw-1s are doing NAT.
Now if an internal client has his default route pointing
to the internal interface of the fw-1-A, and he wants to
talk to somebody on the Net, packet hits fw-1-A, internal
IP gets translated, and out it goes. BUT, if that same
client wants to talk to a machine on the other side of
fw-1-B, he cannot, as his IP has been translated to an
external (public) address, and can't get back in. SO
I have been forced to segregate clients who can talk
to the internet via fw-1-A, and clients that can
talk to other_company via fw-1-B. Is there any way to
solve this problem nicely? By putting in appropriate
routes, I think I can get this to work, but the fw-1-A will
be putting this packet out on the wire twice, and
I have to turn on ip forwarding.
Ok, now a couple VPN-specific questions:
1) I am going to use DES instead of the proprietary FWZ
encryption for the fw-1->fw-1 connection. Any patches
or anything I need to know about? Also the licenses
that I require to make this whole VPN setup work
are extremely confusing, checkpoint is as bad as
microsoft, nickel and diming you the whole way.
If anybody knows what licenses I need on the central
mgmt station, as well as the managed firewalls, I'd
appreciate it.
2) Which TCP/UDP ports do the "firewall control connections"
use?
a) If this is a known port or range of ports, is it
not possible to launch a denial-of-service
against a fw-1 being managed by a VPN over the
Internet? i.e. simply flood those ports on
fw-1, and boom, the mgmt station can't talk to
the firewall its trying to manage.
b) On the 2 fw-1s to be managed, I am being forced
to use the GUI interface, as I don't get INSPECT
yet. Now if I check the box "enable firewall-1
control connections" how/where do I specify
a list of IPs to accept control connections
from? or do I install a new rule in the rulebase
for this? I certainly hope that Joe Random
Hacker can't manage my firewalls remotely!
Thank you for your time and any light you can shed is
greatly appreciated. If you are in NYC, I'll owe you
a brew ;)
--Anindya
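The NAT problem in question 3, worked through as a small routing-plus-NAT model. This is an added example written for this archive page, not code from the original post and not FW-1 or Check Point code; the addresses (10.1/16 for the client's network, 10.2/16 for other_company, 192.0.2.10 as fw-1-A's public address, 198.51.100.7 as an Internet host) and the link names are constructed. It shows what a practitioner would check before touching the rulebase: a hiding-NAT rule that matches every destination breaks the private-to-private path even after a route to other_company exists, and the two usual fixes are a no-translate exemption rule ordered before the general hiding rule, or a more specific route on the clients so fw-1-A never sees that traffic.

```python
"""Constructed model of the two-firewall NAT problem in question 3 (not FW-1 code).

Hosts on INSIDE default-route to fw-1-A, which hides them behind PUBLIC_A.
other_company sits behind fw-1-B over a private point-to-point line.  round_trip()
decides whether a packet reaches its destination AND the reply comes back the
same way, for each combination of routes and NAT rules.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addresses (RFC 1918 and TEST-NET ranges); none appear in the post.
INSIDE = Net("10.1.0.0/16")      # client's internal network
OTHER_CO = Net("10.2.0.0/16")    # other_company's private network behind fw-1-B
PUBLIC_A = IPv4("192.0.2.10")    # fw-1-A's public address used for hiding NAT
ANY = Net("0.0.0.0/0")
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

CLIENT = IPv4("10.1.0.25")
WEB = IPv4("198.51.100.7")       # a host on the Internet
PARTNER = IPv4("10.2.0.40")      # a host at other_company


def is_rfc1918(a: IPv4) -> bool:
    return any(a in n for n in RFC1918)


@dataclass
class NatRule:
    src: Net
    dst: Net
    translate_to: Optional[IPv4]  # None = leave the source alone (an exemption rule)


@dataclass
class Router:
    """Routing table (longest prefix wins) and an ordered, first-match NAT rule list."""
    routes: List[Tuple[Net, str]] = field(default_factory=list)
    nat: List[NatRule] = field(default_factory=list)

    def egress(self, dst: IPv4) -> Optional[str]:
        hits = [(n, link) for n, link in self.routes if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def translate(self, src: IPv4, dst: IPv4) -> IPv4:
        for r in self.nat:
            if src in r.src and dst in r.dst:
                return src if r.translate_to is None else r.translate_to
        return src


def reply_link(dst: IPv4, seen_src: IPv4) -> Optional[str]:
    """Link the destination's network uses to answer the source address it saw."""
    if dst in OTHER_CO:
        # other_company routes the peer's private net over the leased line and
        # everything else out its own Internet link; foreign RFC 1918 space has no route.
        if seen_src in INSIDE:
            return "p2p"
        return None if is_rfc1918(seen_src) else "internet"
    # An Internet host can only answer a globally routable source.
    return None if is_rfc1918(seen_src) else "internet"


def round_trip(client: Router, fw_a: Router, src: IPv4, dst: IPv4) -> bool:
    """True if the packet reaches dst AND the reply returns over the same path."""
    first_hop = client.egress(dst)
    if first_hop == "fw-1-B":
        # Client bypasses fw-1-A; the leased line only carries other_company traffic.
        # fw-1-B's own translation is assumed symmetric over that line and left out.
        return dst in OTHER_CO
    if first_hop != "fw-1-A":
        return False
    link = fw_a.egress(dst)
    if link is None or (link == "internet" and is_rfc1918(dst)):
        return False              # no route, or a private destination leaked to the Internet
    seen_src = fw_a.translate(src, dst)
    return reply_link(dst, seen_src) == link


def scenario(fw_a_routes, fw_a_nat, client_routes=((ANY, "fw-1-A"),)):
    """(Internet reachable?, other_company reachable?) for one configuration."""
    client = Router(routes=list(client_routes))
    fw_a = Router(routes=list(fw_a_routes), nat=list(fw_a_nat))
    return (round_trip(client, fw_a, CLIENT, WEB),
            round_trip(client, fw_a, CLIENT, PARTNER))


HIDE_ALL = NatRule(INSIDE, ANY, PUBLIC_A)
NO_NAT_TO_PARTNER = NatRule(INSIDE, OTHER_CO, None)
VIA_B = [(ANY, "internet"), (OTHER_CO, "p2p")]   # fw-1-A knows other_company via fw-1-B

# As in the post: everything hidden behind PUBLIC_A, no route to other_company.
BROKEN = scenario([(ANY, "internet")], [HIDE_ALL])
# A route via fw-1-B alone is not enough: other_company answers toward the Internet.
ROUTE_ONLY = scenario(VIA_B, [HIDE_ALL])
# Fix 1: same route, plus an exemption rule ordered BEFORE the general hiding rule.
EXEMPTION = scenario(VIA_B, [NO_NAT_TO_PARTNER, HIDE_ALL])
# Rule order matters: placed after the general rule, the exemption never matches.
EXEMPTION_MISORDERED = scenario(VIA_B, [HIDE_ALL, NO_NAT_TO_PARTNER])
# Fix 2: leave fw-1-A alone; give clients a more specific route via fw-1-B.
CLIENT_ROUTE = scenario([(ANY, "internet")], [HIDE_ALL],
                        client_routes=((ANY, "fw-1-A"), (OTHER_CO, "fw-1-B")))

if __name__ == "__main__":
    for name in ("BROKEN", "ROUTE_ONLY", "EXEMPTION", "EXEMPTION_MISORDERED", "CLIENT_ROUTE"):
        inet_ok, partner_ok = globals()[name]
        print(f"{name:21s} Internet={'ok' if inet_ok else 'FAIL':4s} other_company={'ok' if partner_ok else 'FAIL'}")
```

The model deliberately ignores state tables and fw-1-B's own translation; its point is the asymmetry the post describes: once fw-1-A rewrites the source to a public address, other_company's reply has no reason to come back over the leased line, so a route fix must be paired with a translation exemption (first in rule order) or the traffic must be kept away from the NATing firewall altogether.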