W2K Firewall That Can Route Outbound Packets on Same Inter..

Anonymous
May 16, 2004 10:52:05 PM

Archived from groups: comp.security.firewalls

I'm looking for a firewall or router that will run on Windows 2000 that can
route packets out on the same interface they arrived on, or could apply
different routing tables based on the interface to which a packet arrives.
This is to support a mail server which we want to connect to two ISP
networks. We don't want a default outgoing route on any one interface,
which is what Windows 2000's IP implementation requires.

If this is not available for Windows, is it available for any UNIX
implementation?

--
Will
westes AT earthbroadcast.com
Anonymous
May 17, 2004 8:11:43 AM


I am not using this firewall as a "firewall". I'm using this firewall as a
way to replace the default IP stack in Windows with one that gives me the
desired routing behavior I seek.

Based on this I assume Cyberguard is not a solution to my problem, because I
cannot run my application on the Cyberguard box. Moreover, it's not clear
that Cyberguard would return packets on the same interface on which they
arrived.

The application and box we are trying to find an alternative IP stack for is
behind a firewall and an additional NAT layer, and moreover only our service
provider's selected hosts can contact it. I have few security concerns
about it. My problem is how do I get it to simultaneously converse with
two different ISP networks without having return packets go to a single
ISP's network.

--
Will
westes AT earthbroadcast.com


"DaveT" <bgates@sbcglobal.net> wrote in message
news:2YWpc.27498$eq2.10043@newssvr22.news.prodigy.com...
> http://www.cyberguard.com/snapgear/products.html
>
> I'd suggest using a hardware solution.
> Do you really want to trust your security to microsoft?
> I sure wouldn't.....
>
>
>
Anonymous
May 17, 2004 11:28:06 AM


On Mon, 17 May 2004 04:11:42 GMT, DaveT spoketh

>http://www.cyberguard.com/snapgear/products.html
>
>I'd suggest using a hardware solution.
>Do you really want to trust your security to microsoft?
>I sure wouldn't.....
>

Firewalls running on Microsoft platforms are just as secure as firewalls
running on any other platform...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
May 18, 2004 5:28:22 AM


From the requirements you mentioned, what you are looking for is a
"persistent" or "sticky" session. Server persistence and/or client
persistence for sessions is required if you are using MEP (multi entry
protocols) for redundant connections.

I know that CheckPoint has it. As far as using different ISPs as carrier
providers, what you need to do is configure failover or high availability
that will sense a failure on the primary connection and fail over to the
secondary connection in case of failure.
"CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
message news:0M2dneKSTtvNhzXdRVn-sw@giganews.com...
> I'm looking for a firewall or router that will run on Windows 2000 that can
> route packets out on the same interface they arrived on, or could apply
> different routing tables based on the interface to which a packet arrives.
> This is to support a mail server which we want to connect to two ISP
> networks. We don't want a default outgoing route on any one interface,
> which is what Windows 2000's IP implementation requires.
>
> If this is not available for Windows, is it available for any UNIX
> implementation?
>
> --
> Will
> westes AT earthbroadcast.com
>
>


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.686 / Virus Database: 447 - Release Date: 5/14/2004
Anonymous
May 18, 2004 1:28:56 PM


Checkpoint has persistence of sessions, but under Windows 2000 Checkpoint
does NOT implement the behavior of sending outbound packets on the same
interfaces they arrived on. Checkpoint only modifies the headers of the IP
packet, and then it passes the packet to standard Windows networking.
Windows networking in turn only recognizes one default outgoing route.

Regarding failover, you are looking at the problem backwards. I'm not
trying to configure a behavior for sessions that are initiated on our side.
Our mail host will be seen through its public MX records as being two
separate MX hosts with two separate IP addresses on different networks.
So the case I care about is where an outside mail server initiates a
connection into us on different ISP networks. I need to make sure that the
packets return on the same interface they arrived on.

--
Will
westes AT earthbroadcast.com

"Beoweolf" <Beoweolf@pacbell.net> wrote in message
news:WEdqc.50046$OB4.23079@newssvr29.news.prodigy.com...
> From the requirements you mentioned, what you are looking for is a
> "persistent" or "sticky" session. Server persistence and/or client
> persistence for sessions is required if you are using MEP (multi entry
> protocols) for redundant connections.
>
> I know that CheckPoint has it. As far as using different ISPs as carrier
> providers, what you need to do is configure failover or high availability
> that will sense a failure on the primary connection and fail over to the
> secondary connection in case of failure.
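The same-interface reply behaviour asked for in the original post and restated above, as an added example on Linux rather than code from any poster in the thread: iproute2 source-address policy routing with one routing table per ISP, so a reply to a connection that came in on one ISP's address leaves through that ISP's gateway. Interface names, addresses, gateways and table ids are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: Linux iproute2 policy routing so that a
# dual-homed mail server replies on the interface a connection arrived on.
# Interface names, addresses, gateways and table ids are constructed
# placeholders (RFC 5737 documentation ranges); substitute the real ISP values.

# Emit the commands for one ISP: a private routing table holding that ISP's
# link route and default gateway, plus a rule that sends packets *sourced*
# from that ISP's address through the table. A reply to an inbound SMTP
# connection uses the address the SYN was received on as its source, so the
# rule, not the main table's single default route, picks the exit interface.
isp_route_cmds() {
    iface=$1 addr=$2 prefix=$3 gw=$4 table=$5
    printf 'ip route add %s dev %s src %s table %s\n' "$prefix" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
}

# The full plan for two ISPs. The main table is left alone: it still needs a
# default route for connections the server itself opens (outbound mail),
# which these rules do not touch.
dual_isp_plan() {
    isp_route_cmds eth1 203.0.113.10 203.0.113.0/24 203.0.113.1 101
    isp_route_cmds eth2 198.51.100.10 198.51.100.0/24 198.51.100.1 102
}

# Print the plan by default; run with DRY_RUN=0 as root to apply it.
apply_plan() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        dual_isp_plan
    else
        dual_isp_plan | sh -e
    fi
}

apply_plan
```

Each `ip rule add from ADDR table N` is consulted before the main table, so only packets carrying that ISP's address as source are steered; everything else still follows whatever default route the main table has.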
Anonymous
May 18, 2004 10:33:41 PM


Appears I misunderstood your problem, your explanation of what you are
attempting to do makes it clear that you do have a handle on the problem. I
will anxiously monitor this thread to see what the eventual solution ends up
being.

"CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
message news:nZOdnVy5NcPRpDfdRVn-sw@giganews.com...
> Checkpoint has persistence of sessions, but under Windows 2000 Checkpoint
> does NOT implement the behavior of sending outbound packets on the same
> interfaces they arrived on. Checkpoint only modifies the headers of the IP
> packet, and then it passes the packet to standard Windows networking.
> Windows networking in turn only recognizes one default outgoing route.
>
> Regarding failover, you are looking at the problem backwards. I'm not
> trying to configure a behavior for sessions that are initiated on our side.
> Our mail host will be seen through its public MX records as being two
> separate MX hosts with two separate IP addresses on different networks.
> So the case I care about is where an outside mail server initiates a
> connection into us on different ISP networks. I need to make sure that the
> packets return on the same interface they arrived on.
>
> --
> Will
> westes AT earthbroadcast.com
>