Firewall Wizards mailing list archives

RE: Router management with FW-1


From: Amirmadhi Foorood <Foorood.Amirmadhi () Columbia net>
Date: Mon, 5 Apr 1999 08:58:53 -0500

OSM 1.0 (Open System Management) from Checkpoint is the software that
manages rules for the Checkpoint firewall activated on 3COM routers.  OSM
initially uses SNMP to communicate with the 3COM router and then actually
uses a scripted telnet session to download the rules onto the routers.

Presently, there is a limitation in the 3COM router code, which does not accept
more than about 7 Kb of script.  This translates to about 140 firewall rules
that can be pushed to the 3COM router (even on the latest hardware and latest
rev. code).  Note that the number of rules is not the same as the number of
rules in the FW-1 Security Policy GUI table.  For a given rule, the number of
actual rules is determined by the following.

(# of Source) x (# of Destination) x (# of Services) = Actual # of rules.

If you are interested in FW-1 on 3COM routers and you think that you might
have a need for more than 140 rules (as described above), check with 3COM on
the status of the router code revision requested by our company to increase
the size of the script that can be telneted to the 3COM routers.

There are other limitations (unwanted features) of OSM that, if you are
interested, I am happy to share with you.

-----Original Message-----
From: lart () hacksec org [SMTP:lart () hacksec org]
Sent: Friday, April 02, 1999 6:15 PM
To:   Sandy Green
Cc:   Firewall Wizards
Subject:      Re: Router management with FW-1

On 30 Mar, Sandy Green wrote:
:  This is about the router management feature
:  provided with Checkpoint's firewall.
:  
:  First, how do they write into the access-list
:  of the router? Is it telnet or via SNMP?

Depends on the type of router being managed.  For Cisco,
it's telnet.  If it's a Bay^H^H^HNortel Networks Router,
it's SNMP.  I forget what 3Com and Steelhead use.

:  Second, when the rules are installed or dumped on
:  the router, is it the INSPECT code that is dumped or
:  plain ASCII text as needed by the access-list?
:  (I am asking this because if it is INSPECT then
:  is there a co-operation between Cisco and
:  Checkpoint?)

Plain old access-list statements.

:  And third, are there any other firewalls by which we
:  can dump rules into the routers?

None that I know of, at least in a way as automated as Check
Point does it.

-- 
                           Lart <lart () hacksec org>
                       Technologist, Cryptonerd, Human
                           http://www.hacksec.org/

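A worked version of the rule-expansion arithmetic in Foorood's reply above, added here as an example and not part of either message. It takes a constructed three-row FW-1-style policy, expands each row into one access-list statement per (source, destination, service) tuple, and checks the total against the 140-rule ceiling quoted in the thread before anything is pushed. The generated statements use Cisco IOS extended-ACL syntax, since Lart's reply says Cisco receives plain access-list statements; the 3COM statement syntax is not given in the thread, so the byte count is only an illustration of why the script-size limit bites. The policy, addresses and ports are all made up for the example.

```python
from dataclasses import dataclass
from itertools import product

# Ceiling quoted in the thread for rules pushed to a 3COM router (~7 Kb of script).
RULE_LIMIT = 140


@dataclass(frozen=True)
class Rule:
    """One row of the FW-1 Security Policy GUI: sets of objects, not single hosts."""
    sources: tuple
    destinations: tuple
    services: tuple          # (protocol, port) pairs; port is None for ip/icmp
    action: str = "permit"


def expanded_count(rule):
    """(# of Source) x (# of Destination) x (# of Services), as stated in the post."""
    return len(rule.sources) * len(rule.destinations) * len(rule.services)


def _endpoint(addr):
    # Router ACLs take "any" or "host a.b.c.d" for a single address.
    return "any" if addr == "any" else f"host {addr}"


def acl_lines(policy, acl_number=101):
    """Expand every GUI row into one access-list statement per tuple.

    Illustrative Cisco IOS extended-ACL syntax; the 3COM syntax is an assumption
    the thread does not settle, so treat the byte size as an approximation.
    """
    lines = []
    for rule in policy:
        for src, dst, (proto, port) in product(rule.sources, rule.destinations, rule.services):
            line = f"access-list {acl_number} {rule.action} {proto} {_endpoint(src)} {_endpoint(dst)}"
            if port is not None:
                line += f" eq {port}"
            lines.append(line)
    return lines


def check_limit(policy, limit=RULE_LIMIT):
    """Return (actual rule count, fits) so the check can run before a push."""
    total = sum(expanded_count(r) for r in policy)
    return total, total <= limit


def script_bytes(lines):
    """Size of the generated script including newlines (what the router must accept)."""
    return sum(len(line) + 1 for line in lines)


# Constructed three-row policy. It looks small in the GUI but expands past the limit.
POLICY = (
    Rule(sources=("10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"),
         destinations=("192.168.10.1", "192.168.10.2", "192.168.10.3"),
         services=(("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53))),        # 4*3*4 = 48
    Rule(sources=tuple(f"10.2.0.{i}" for i in range(1, 9)),
         destinations=("192.168.20.1", "192.168.20.2"),
         services=(("tcp", 22), ("tcp", 23), ("udp", 53), ("udp", 123),
                   ("tcp", 110), ("tcp", 143))),                                 # 8*2*6 = 96
    Rule(sources=("any",), destinations=("192.168.30.1",),
         services=(("icmp", None),), action="deny"),                              # 1*1*1 = 1
)

if __name__ == "__main__":
    total, fits = check_limit(POLICY)
    print(f"{len(POLICY)} GUI rows expand to {total} router rules; "
          f"within the {RULE_LIMIT}-rule limit: {fits}")
    lines = acl_lines(POLICY)
    print(f"generated script: {script_bytes(lines)} bytes")
    for line in lines[:3]:
        print(line)
```

The point the script makes is the one in the reply: three GUI rows are 145 router rules, so the policy fails the limit even though it looks tiny in the editor. Running check_limit() over the policy before OSM attempts the telnet push is the check a practitioner would want; the fix when it fails is to collapse host lists into network objects (fewer sources and destinations per row) rather than to split the row, since splitting does not change the product.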


