Message-ID: <40E325AA.5080003@jsbc.cc>
From: jimb at jsbc.cc (Jim Burwell)
Subject: PIX vs CheckPoint

Heh.  That also surprised me when I started working w/ PIX.  The fact you 
needed some sort of NAT statement to pass traffic regardless whether you 
were NATing had me shaking my head.  Not too surprising I guess, since if 
I recall, PIXes came from the Cisco acquisition of a company called 
Network Translation.

PIXes aren't really routers either, like many firewalls.  This is evident 
by the fact that PIXes can't route traffic back out the same interface 
it received the traffic on.  You have to be conscious about these 
limitations when doing network design in the presence of PIXes.

For instance, if you want to stand up a small VPN access router on a 
typical small LAN where the PIX is the default route, the VPN router 
can't be put in parallel with the PIX unless you either:  a) change the 
LAN's default route to the VPN router (bad if most traffic taking the 
default route is bound for the internet, it'd just get bounced right to 
the PIX and put load on your poor little access router).  b) put static 
routes for the appropriate networks on all hosts (yeah right).  c) run a 
dynamic routing protocol on all hosts (not gonna happen).  The solution 
in these situations, aside from buying a new "core" or "choke" router 
for the network,  is to put the inside interface of the VPN access 
router off of a DMZ interface of a PIX, or spare interface if 
available.  The PIX is perfectly happy to route the traffic to your 
router as long as it passes through the PIX and exits a different 
interface.  Always seemed kind of silly to me.

- Jim


Ben Nelson wrote:

> You must have some statics in place then, which is a static 'NAT'
> translation.
>
> Cyril Guibourg wrote:
> | "Otero, Hernan         (EDS)" <HOtero@...chile.cl> writes:
> |
> |
> |>I think you do, because at least a nat 0 it's needed to get traffic
> |>passing through the pix.
> |
> |
> | This is odd, I do have a running config under 6.2 without any nat
> | statement.
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
+---------------------------------------------------------------------------+
|         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
|   Email:  jimb@...c.cc                              ICQ UIN:  1695089     |
+---------------------------------------------------------------------------+
|  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
+---------------------------------------------------------------------------+
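Jim's workaround (VPN router hung off a DMZ interface so LAN-to-VPN traffic enters on inside and leaves on dmz) and the thread's nat 0 / static question, sketched as an added PIX 6.x configuration fragment. This is not from the thread or from any vendor document; interface names, addresses and the remote VPN subnet 10.2.0.0/16 are assumed.

```text
! Added example, not from the thread.  Topology (assumed addressing):
!   inside 10.1.0.0/16 --- PIX --- dmz 192.168.100.0/24 --- VPN router (.2)
! Traffic for the remote VPN subnet crosses the PIX inside -> dmz, so the
! "no hairpin out the same interface" limitation never comes into play.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 192.168.100.1 255.255.255.0

! Remote VPN subnet is reached via the router's dmz-side address
route dmz 10.2.0.0 255.255.0.0 192.168.100.2 1

! nat 0 with an access-list: only LAN<->VPN traffic crosses untranslated;
! everything else still hits the regular NAT pool toward the outside
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Identity static so flows initiated from the dmz (remote VPN hosts) can
! reach inside hosts under their real addresses
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! The dmz is a lower-security interface, so inbound flows need an ACL.
! Permit only the VPN subnet toward the LAN; "permit ip any any" here
! would let anything else on the dmz segment reach the inside.
access-list dmz_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group dmz_in in interface dmz
```

Without the nat 0 access-list or an equivalent static, inside-to-dmz flows for 10.2.0.0/16 would be translated (or dropped with no translation group found), which is the behaviour the thread is arguing about.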


