
RE: [fw1-gurus] Policy-Routing and per-interface Firewalling



I am in the process of switching some aging IPxxx series Nokia
appliances, in favor of DL360s running splat - I've been through a lab
scenario and the switch from VRRP to Failover in NGX/Splat (not
ClusterXL, just failover) seems pretty straightforward.

I also wanted to be able to do source based routing and I was under the
impression from CP that NGX would have this ability (source based /
policy based). Just recently the word from Nokia/Checkpoint is you
cannot do source based or policy based routing.

Is anyone using OS based tools underlying splat to achieve source based
routing in a non dynamic protocol fashion?

TIA.

Edward B.
Ebroo-at'healthydirections'dot'c o m



-----Original Message-----
From: Martin Hoz [mailto:martinhoz@xxxxxxxxx]
Sent: Saturday, December 31, 2005 1:04 AM
To: FireWall-1 Gurus Mailinglist; j.weber@xxxxxxxxxxxx
Subject: Re: [fw1-gurus] Policy-Routing and per-interface Firewalling

On 12/30/05, Hugo van der Kooij <hvdkooij@xxxxxxxxxxxxxxx> wrote:
> On Fri, 30 Dec 2005, [iso-8859-1] Jörg Weber wrote:
>
> > I'm running a rather sophisticated firewalling setup with several
> > linux-based firewalls. On these, I can do some neat things like
> > source-based policy routing and firewall rulematching depending on
> > input/output interface. Furthermore, some of our firewalls are part of
> > our OSPF framework.
> > I'm currently evaluating the pros and cons of migrating our
> > infrastructure to IPSO-based Checkpoint Firewalls (for
> > Loadbalancing/HA/Management improvements). The biggest drawback I see is
> > losing the two mentioned possibilities of source-based policy routing
> > and per-interface rulematching.
> > Has anyone any pointers or comments with regard to these concepts
> > within a Nokia/Checkpoint context, i.e. how to implement policy routing
> > and whether it's somehow possible to take interfaces into account where
> > the rulebase is concerned?
>
> Routing issues are handled by IPSO. I am however rather curious why
> your network needs source-based routing. It might be that one would
> simply choose to design the network differently with IPSO.
>
> And per-interface firewalling is usually a sign of ACL based setups.
> In an object oriented setup I have not yet seen the need to do
> per-interface firewalling.
>
> I would say you should need to talk to a knowledgeable Check Point and
> Nokia partner and discuss your setup. Because such a discussion would
> contain a lot of details one would not like to post to a public
> mailinglist.
>

That being said, it is also true that Check Point always leaves the
routing to the underlying operating system, so you may as well keep your
iproute2 routing to do policy-based routing on a Linux box or a
SecurePlatform box (which is GNU/Linux at the end, and has iproute2 as
well) and put Check Point on top of it ...

There are pros and cons to both approaches (Nokia and Linux-SPLAT),
and it is generally agreed that an experienced Check Point/Nokia partner
(the one that's going to sell you anyway) can tell you what's best after
discussing your infrastructure. In some way, that's part of the job...
;-)

Good luck!

- Martín

--
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are the consequence of the past, and the cause of our future."
* "This world was not bequeathed to us by our parents; we have borrowed
it from our children..."
* "And in the end, as a Persian sage says, love is a disease of which
nobody wants to be cured." Paulo Coelho
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
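The iproute2 policy routing Martin refers to above, as an added example (not code from the thread, from Check Point or from Nokia): the subnet, internal range, gateway, interface, table number and rule priority are constructed assumptions for a SecurePlatform/Linux box.

```shell
#!/bin/sh
# Added example: source-based (policy) routing with iproute2 on a Linux or
# SecurePlatform firewall. Every address, interface name and table/priority
# number below is a constructed assumption, not a value from the thread.
SRC_NET="10.10.20.0/24"      # hosts whose traffic must leave via the second uplink
INTERNAL_NET="10.0.0.0/8"    # assumed internal address space (keep normal routing)
ALT_GW="192.0.2.1"           # assumed gateway on the second uplink
ALT_IF="eth2"                # assumed interface facing that gateway
TABLE_ID=100                 # spare routing table number (1-252 are unreserved)
RULE_PRIO=1000               # rules are evaluated in ascending priority order

# Print the iproute2 commands that implement the policy. Printing instead of
# executing lets you review them first and then pipe them to sh as root.
policy_routing_cmds() {
    src=$1; internal=$2; gw=$3; dev=$4; table=$5; prio=$6
    cat <<EOF
ip route add default via $gw dev $dev table $table
ip rule add from $src to $internal lookup main priority $((prio - 1))
ip rule add from $src lookup $table priority $prio
ip route flush cache
EOF
}
# The "to $internal lookup main" rule is the usual pitfall: the extra table
# only knows a default route, so without it traffic from the subnet to other
# internal networks would be pushed out the second uplink instead of across
# the routes in "main".

# Verify the policy from the output of `ip rule show`, which prints one rule
# per line, e.g. "1000:   from 10.10.20.0/24 lookup 100". Reads that output
# from stdin; exit status 0 means the rule for $1 -> table $2 is installed.
rule_installed() {
    awk -v s="$1" -v t="$2" \
        '$2 == "from" && $3 == s && $4 == "lookup" && $5 == t { found = 1 }
         END { exit !found }'
}

policy_routing_cmds "$SRC_NET" "$INTERNAL_NET" "$ALT_GW" "$ALT_IF" "$TABLE_ID" "$RULE_PRIO"
# On the firewall:  ip rule show | rule_installed "$SRC_NET" "$TABLE_ID" && echo active
```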

---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://fw1-gurus.phoneboy.com/)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx