Re: Firewall on a stick?

From: shope (stephen_hope@ntlworld.xx.com)
Date: 01/08/03

• Next message: R@teket@: "Re: Zonealarm vs Kerio"
• Previous message: Duane Arnold: "Re: Firewall Testing"
• In reply to: Kevin Dorrell: "Firewall on a stick?"
• Next in thread: Greg Hennessy: "Re: Firewall on a stick?"
• Reply: Greg Hennessy: "Re: Firewall on a stick?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "shope" <stephen_hope@ntlworld.xx.com>
Date: Wed, 8 Jan 2003 18:49:15 -0000

"Kevin Dorrell" <Nospam.Kevin.Dorrell@pt.lu> wrote in message
news:3e1bbae0$1_2@news.vo.lu...
> Does anyone out there have a a Firewall-1 connected to a LAN switch via an
> ISL or 802.1Q trunk, in order to inspect traffic between two VLANs? My
idea
> is to have a Firewall with a single (trunk) interface, with one VLAN for
the
> external side, one for a DMZ, and one for the intenal network, I shall
take
> all the normal precautions to stop VLAN leakage, e.g. nothing on the
default
> VLAN etc. Of course I shall disable multilayer switching, otherwise this
> would bypass the Firewall!

Kevin,

the Nortel Alteon switched firewall does what you want - runs Checkpoint NG,
up to 240+ VLAN interfaces across 8 10/100 or Gig ports depending on the
model.

See www.nortelnetworks.com

"unit" is actually a *nix software engine and a separate hardware
accelerator (2 boxes, couple of "U" each of rack space) for around 3 Gbps
throughput claimed max. They were talking about a low end software only
version but dont know if that got anywhere.

Hardware engine is based on the alteon load balancer.
>
> Does Firewall-1 support this architecture, and does anyone out there use
> this architecture in practice?
>
> Kevin Dorrell (CCNP)
> Luxembourg

-- 
Good luck
Stephen Hope - remove xx from address.

---

• Next message: R@teket@: "Re: Zonealarm vs Kerio"
• Previous message: Duane Arnold: "Re: Firewall Testing"
• In reply to: Kevin Dorrell: "Firewall on a stick?"
• Next in thread: Greg Hennessy: "Re: Firewall on a stick?"
• Reply: Greg Hennessy: "Re: Firewall on a stick?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Vlan Hopping Vulnerability ... > and forward it on trunk port without native tag. ... > vlan 20. ... > - Why the first SW accepts tagged frame? ... if the switch has ingress filtering ... (comp.dcom.lans.ethernet) Re: bond interface arp, vlan and trunk / network question ... So far vlan and trunking works as expected. ... The exact problem is that the bonding driver don't switch the ... interface because the mii-tool don't recognize that the connection ... serverinterface is connected via a trunk to one of the switches. ... (Linux-Kernel) Re: Layer 3 and Firewall ... while a technical solution exists, the best solution to this specific ... switch admin playing foul. ... Subject: Layer 3 and Firewall ... interfaces on a single physical port by using 802.1q VLAN tagging. ... (Pen-Test) Re: VLAN on 3750 ... There will be a trunk between 3750 to each ... VLANs in use on each switch. ... VTP does have a major gotcha that should be well-known to any network ... to maintain updating vlan names on every switch in a 50 switch ... (comp.dcom.sys.cisco) Re: VLAN on 3750 ... There will be a trunk between 3750 to each ... VLANs in use on each switch. ... VTP does have a major gotcha that should be well-known to any network ... to maintain updating vlan names on every switch in a 50 switch ... (comp.dcom.sys.cisco)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)