using firewall with ib

[nitro]

Originally posted by dottom


Yes, but if you are "behind a firewall" you are either using NAT or a proxy server to talk to the outside world. (Unless you're using some crappy consumer desktop-only firewall.)

Hence, the reason I said what I said.

NAT has nothing to do with a firewall. You can run NAT without a firewall, and vice versa (although nobody does. On the higher end firewalls, the public servers sit on the Demilitarized Zone, with public IP's, and the computers on the LAN are on NAT'ed subnets.)

You do not have to be running NAT if you are "behind" a firewall and still get protection from things like DOS attacks, Syn flood, Ping of death, IP Spoofing, Land attack, Smurf amplification, sequence number prediction, etc.

NAT is a great convenience for those that don't have a lot of public IP's. It was realized that NAT could be used as a poor mans "firewall" and a lot of hardware makers, in their infinite marketing schemes, sold their harware as "firewalls" when in fact all they did was NAT. That is at best false advertising, and at worst just a plain con.

nitro

 

[dottom]

If you are "behind a firewall" then you need NAT (aka "masquerade") or a proxy server to talk to the outside world.

If you're referring to the personal desktop firewalls, then you're reall "on the firewall". You argue semantics on network vs. application layer but no one ever runs a production service "on a firewall".

 

[nitro]

Originally posted by dottom
If you are "behind a firewall" then you need NAT (aka "masquerade") or a proxy server to talk to the outside world.

If you're referring to the personal desktop firewalls, then you're reall "on the firewall". You argue semantics on network vs. application layer but no one ever runs a production service "on a firewall".

That is false.

Look, I have seven servers behind a firewall right now. The ones in the DM are not running NAT, _have_real_IP_addresses, yet the firewall is doing statefull inspection on every packet that goes to the DM.

The fact that the LAN resides in a NAT'ed network has NOTHING to do with Firewalls!!! It is simply a way to save on public IP's! In addition, the harware keeps track that nothing aimed at the public network has access to the "internal" network. BUT, the internal network could also be a set of IP's that are in a different network than the ones on the public space. True, the private Network does not contain Internet Routable IPs, but a REAL hacker could break into the firewall, and then getting aroung tghe NAT would be a joke.

FWIW, on my Firewall, I can map a public IP to my class C network NAT'ed addresses!

nitro

 

[dottom]

Originally posted by nitro
Look, I have seven servers behind a firewall right now. The ones in the DM are not running NAT, _have_real_IP_addresses, yet the firewall is doing statefull inspection on every packet that goes to the DM.

Then you are not following best practices guide for building DMZ. You should put the physical IP on the firewall and do redirect to non-routable IP's in your DMZ.

Besides, my original response was to deal with the *vast majority* of users who are either using personal desktop firewall or are in a corporate environment using NAT or proxy server. Very few people are going to be using a desktop, using TWS, in a DMZ. (and DMZ services should all have non-routable IP's)

 

[nitro]

Originally posted by dottom


Then you are not following best practices guide for building DMZ. You should put the physical IP on the firewall and do redirect to non-routable IP's in your DMZ.

Besides, my original response was to deal with the *vast majority* of users who are either using personal desktop firewall or are in a corporate environment using NAT or proxy server. Very few people are going to be using a desktop, using TWS, in a DMZ. (and DMZ services should all have non-routable IP's)

What???

Most of what goes in the DMZ are exactly things that need to be routeable. Here are the servers on my DMZ:

1) DNS server
2) Mail server
3) Web server
4) IMAP server
5) ftp server

If those didn't have routeable IP's, how would you suggest that DNS resolve them?

nitro

 

[dottom]

The physical IP is on the firewall which redirects to internal IP. That is standard best practice.

Show me any best practices or install guide from Checkpoint or Cisco that shows public IP's in the DMZ. They are all non-routable private IP's. The firewall does the forwarding.

 

[dottom]

To get this thread back on topic, it is likely that the original question refers to a user who is either:

1. using personal desktop firewall
2. in corporate environment with desktop using NAT
3. in corporate environment with desktop using proxy server

I haven't tested TWS with #3 but have used it with #1 and #2 no problems.

 

[nitro]

Originally posted by dottom
The physical IP is on the firewall which redirects to internal IP. That is standard best practice.

Show me any best practices or install guide from Checkpoint or Cisco that shows public IP's in the DMZ. They are all non-routable private IP's. The firewall does the forwarding.

Checkpoint is a joke, so let's throw that one out.

As to CISCO, you are confusing "Best Practices" and Best Practices on a CISCO firewall. Many firewalls have a seperate _physical_ port called the DMZ - it is a seperate ethernet all together and is PHYSICALLY seperated from the LAN. The firewall then does the routing to the correct interface.

For example:


ftp://ftp.sonicwall.com/pub/info/SonicWALL_Family_Manual.pdf

read pages 99-102

In case you don't want to download it, here is all that matters:

"Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL IP address. Your ISP should be able to provide these IP addresses, as well a information on setting up public servers."

nitro

 

[dottom]

Originally posted by nitro
Checkpoint is a joke, so let's throw that one out.

Hmm, Checkpoint is only the premier firewall vendor to enterprise environments and Fortune 500 & Global 2000.

As far as Cisco best practices, here's just something I found quickly (notice DMZ uses internal IP's):

http://www.netcraftsmen.net/welcher/papers/pix01.html

Anyways, like I said in my last post to get this thread back on topic, it is extremely unlikely that the user in question, or the average user for that matter, is using TWS to trade while in a DMZ.

It is more likely they are accessing internet behind corporate firewall using NAT or proxy server; or are using local firewall on their desktop trading from home.

 

[nitro]

Originally posted by dottom


Hmm, Checkpoint is only the premier firewall vendor to enterprise environments and Fortune 500 & Global 2000.

As far as Cisco best practices, here's just something I found quickly (notice DMZ uses internal IP's):

http://www.netcraftsmen.net/welcher/papers/pix01.html

Anyways, like I said in my last post to get this thread back on topic, it is extremely unlikely that the user in question, or the average user for that matter, is using TWS to trade while in a DMZ.

LOL.

That is why they are always getting hacked.

LOL, Windows dominates the fortune 500 as well, and if you ask any decent programer or computer scientist what they would rather use, windows or Unix, they would look at you like a rookie.

Checkpoint runs on Windows. Any firewall that runs on Windows doesn't deserve to be called a firewall. How can you run a firewall on an OS that is itself full of holes?

CISCO is another story, but I am not impressed by them either. Most REAL firewall vendors that know their ass from a hole in the wall use the OpenBSD kernel and OS to begin with and then make it "pretty" by adding simple commands or GUIS for the consumer. Therefore, assuming a secure OS, there is very little difference between a CISCO FW, a Checkpoint FW, and a SonicWALL FW, save the OS and the "GUI."

I can make a Firewall that is better than 99.999999% of everything in existence by using nothing more than OpenBSD - and the cost - $0.

nitro