Firewall Wizards: Re: Content Vectoring Protocol (CVP)

From: Charles C. Lindsay <lindsay_at_mail.toplayer.com>
Date: Thu, 17 Aug 2000 09:58:47 -0400 (EDT)

Hi,

Not to muddy the waters, but...

When I last talked to Checkpoint, they would only offer the compiled
binary libraries for their FCP, they would not provide source. As my
company's product does not use Intel x86 (and kindred), the prospect
of reverse engineering their library and protocol was not overly
attractive. Also, from looking at their API, it wasn't that
flexible/adaptable.

On another front, you might want to take a gander at the IETF FOGLAMPS
BOF (or whatever they are calling themselves these days). They are
trying to develop a protocol to punch pinholes in NAT firewalls for
VoIP. They appear to be facing an uphill battle, as doing so would
implicitly provide IETF "recognition" of NAT, an anathema to the
end-to-end purists... From the BOF proposal in July:

    Reading:
        o http://www.ietf.org/internet-drafts/draft-kuthan-fcp-01.txt
        o http://www.ietf.org/internet-drafts/draft-tiphon-foglamps-00.txt
        o http://www.ietf.org/internet-drafts/draft-ietf-nat-interface-framework-00.txt
    
    Mailing list:
    The mailing list is foglamps_at_lists.panix.com. To subscribe,
    send email to majordomo_at_lists.panix.com with "subscribe foglamps"
    in the body of the message.

I myself would like a mechanism/protocol by which a properly
authenticated endpoint (or agents) could request that a specific
POLICY be applied at a firewall to a particular flow or set of flows,
be they extant or future for some period of time. The issue of how to
specify/learn what policies are known or enforceable on the firewall
is almost as sticky as the need for a "firewall discovery protocol":
firewalls are supposed to be invisible...

Cross your fingers and hope to fly...

-- 
Charles C. Lindsay       TopLayer Networks, Inc.      508-870-1300 x147
lindsay_at_TopLayer.com     "Layers Above The Rest"      508-870-9797 FAX
                2400 Computer Drive, Westboro, MA  01581
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards_at_nfr.net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Received on Aug 17 2000