Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?



Hi Darren,

I had the same question a while ago during a firewall (a Juniper Networks one)
deployment for a customer. He had a proxy-cache and wanted to make it
transparent to its users. I thought of using PBR to redirect internet traffic
to the caching box, but it was impossible as the firewall was set up as a
bridge; the only solution I found was to put the proxy-cache inline.

I think it would be useful to have some PBR at layer 2 (or PB Forwarding)
for situations like this, where you have to redirect content to a caching or
inspection engine. Perhaps some constructors have already implemented such
mechanisms in their firewalls?

Regards,

Sami.

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Darren
Reed
Sent: Tuesday 1 April 2008 05:49
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

If I can interrupt the usual questions for some product requirements
discovery....

Over in the networking community on OpenSolaris.org, a couple of
us are pondering the question of what it means to do policy based
routing (PBR) at the ethernet (MAC) layer.

For IP, the use case is well understood and people everywhere do
it with firewall software, if only to make up for the inadequacies of
their routing tables; however, when it comes to ethernet, we're kind
of scratching our heads.... so, some questions....

Does running a stealth (bridging) firewall remove the need for PBR?

Do people still do strange, quirky things to packets even when they
don't want them to go through IP?

If you're using bridging to support your firewall (that still filters
packets using IP header information), can you shed some light on
why/when you want to send packets out a specific NIC regardless
of what the forwarding table for the bridge says?

Thanks,
Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

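As an added illustration, not code from the thread or from any vendor's firewall: a small Python model of a learning bridge whose forwarding-table decision can be overridden by a layer-2 policy rule, i.e. the "redirect HTTP to a proxy-cache on a bridging firewall" case Sami describes and the "send it out a specific NIC regardless of the bridge table" behaviour Darren asks about. Port names, MAC addresses and the Frame/PolicyRule/Bridge classes are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str = "tcp"   # only the IP header fields the policy inspects
    dport: int = 0

@dataclass
class PolicyRule:
    """Frames entering in_port that match proto/dport leave via out_port regardless
    of the learned table; new_dst_mac (optional) is the 'L2 NAT' variant, so the
    cache accepts the frame without listening promiscuously."""
    in_port: str
    proto: str
    dport: int
    out_port: str
    new_dst_mac: str = ""

class Bridge:
    def __init__(self, ports, policy=()):
        self.ports, self.policy = list(ports), list(policy)
        self.fdb = {}  # learned source MAC -> port it was seen on

    def forward(self, frame, in_port):
        """Return the egress port list for a frame, learning the source as a bridge does."""
        self.fdb[frame.src_mac] = in_port
        for rule in self.policy:   # policy is consulted before the forwarding table
            if (rule.in_port, rule.proto, rule.dport) == (in_port, frame.proto, frame.dport):
                if rule.new_dst_mac:
                    frame.dst_mac = rule.new_dst_mac
                return [rule.out_port]
        port = self.fdb.get(frame.dst_mac)
        if port is None:   # unknown unicast: flood every port except the ingress one
            return [p for p in self.ports if p != in_port]
        return [port]

# Constructed topology: clients on "inside", default gateway on "outside", proxy-cache on "cache".
GW, CLIENT, CACHE = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def demo(rewrite_mac=False):
    rule = PolicyRule("inside", "tcp", 80, "cache", CACHE if rewrite_mac else "")
    br = Bridge(["inside", "outside", "cache"], policy=[rule])
    br.forward(Frame(GW, CLIENT), "outside")            # bridge learns the gateway's port
    https = br.forward(Frame(CLIENT, GW, dport=443), "inside")
    web = Frame(CLIENT, GW, dport=80)
    http = br.forward(web, "inside")
    return https, http, web.dst_mac   # -> (['outside'], ['cache'], GW) without rewrite
```

Without the rewrite the cache port receives frames still addressed to the gateway's MAC, so the cache must accept them transparently; with rewrite_mac=True the same rule also performs the MAC-rewrite variant, and the return path from the cache still has to be handled separately.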


