Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then you will be secure from an IP point of view because IP runs on layer three, and you can't play tricks on a protocol that isn't there. However, you still have the vulnerability with SNA traffic. There are ways you can spoof MAC addresses, so you want to evaluate that. Unfortunately I don't know too much about SNA security. You also need some way of ensuring that no one enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall; however, the firewall is only going to be looking at the IP session characteristics, and not the SNA characteristics or contents. You also need to ensure that the firewall does not cause too much time lag, or else you will end up having dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may already be using DLSw, as the only alternative I know is a split-bridge. Whatever way it is being passed, the devices are quite probably IP addressable, and so you need to remove all traces of IP before the layer three element is removed.

Hope this helps,

Joe
Telecomms Specialist
Opinions mine own, etc.......
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team

Juergen.Nieveler@gecits-eu.com on 07/13/99 08:50:01 AM
Please respond to Juergen.Nieveler@gecits-eu.com
To: firewall-wizardsat_private
cc: (bcc: Joe Dauncey/UK/IBM)
Subject: Dangers from SNA?

Hi all!
A client of mine wants to secure his WAN with a firewall, but pass all SNA traffic through a bypass, because firewalls don't work too well with SNA. In effect, all SNA users (the IBM Net, for example) would connect directly to his network. Are there any dangers from this approach, besides it being bloody ludicrous to bypass a firewall at all?

Would repacking the SNA in IP with DLSw add more security, or just help to put it through the firewall?

Thanks in advance for any insights!

Kind regards - Yours sincerely

Juergen Nieveler
CompuNet Koeln
System Engineering
Industriestrasse 161e, 50999 Koeln, Germany
Phone: ++49(0)2236/608161, Fax: ++49(0)2236/9651220, Internet: Juergen.Nieveler @ gecits-eu.com
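Added illustration, not part of the thread, of the two checks Joe's reply calls for: an audit that a "layer-two only" bypass device has had every trace of IP removed (and flags any DLSw peering, which turns the SNA path into ordinary TCP sessions the firewall must cover), and a sanity check that the firewall's idle timeout will not expire DLSw sessions between keepalives. It assumes Cisco IOS-style configuration syntax; the device names, addresses and timer values are constructed.

```python
import re

# Constructed sample configs for two bypass devices (hypothetical names and
# addresses). bridge-a is a pure layer-two bridge; bridge-b still carries IP
# and a DLSw TCP peer, so SNA from it will traverse the firewall as IP.
DEVICE_CONFIGS = {
    "bridge-a": (
        "interface TokenRing0\n"
        " no ip address\n"
        " bridge-group 1\n"
        "!\n"
        "bridge 1 protocol ieee\n"
    ),
    "bridge-b": (
        "interface Ethernet0\n"
        " ip address 10.1.2.3 255.255.255.0\n"
        " bridge-group 1\n"
        "!\n"
        "dlsw local-peer peer-id 10.1.2.3\n"
        "dlsw remote-peer 0 tcp 10.9.9.9\n"
    ),
}

# "no ip address" must not match, so only whitespace may precede "ip address".
IP_ADDR_RE = re.compile(r"^[ \t]*ip address (\d+\.\d+\.\d+\.\d+)", re.M)
DLSW_PEER_RE = re.compile(r"^[ \t]*dlsw remote-peer \d+ tcp (\d+\.\d+\.\d+\.\d+)", re.M)


def audit_layer2_bypass(configs):
    """Per device: configured IP addresses, DLSw TCP peers, and whether the
    device really is layer-two only (no IP, no DLSw) as the bypass assumes."""
    findings = {}
    for name, cfg in configs.items():
        ips = IP_ADDR_RE.findall(cfg)
        peers = DLSW_PEER_RE.findall(cfg)
        findings[name] = {
            "ip_addresses": ips,
            "dlsw_peers": peers,
            "layer2_only": not ips and not peers,
        }
    return findings


def keepalive_survives_firewall(keepalive_secs, fw_idle_timeout_secs):
    """DLSw peers exchange keepalives; if the firewall's TCP idle timeout is
    not longer than the keepalive interval, state expires and sessions drop."""
    return fw_idle_timeout_secs > keepalive_secs


if __name__ == "__main__":
    for dev, result in audit_layer2_bypass(DEVICE_CONFIGS).items():
        print(dev, result)
    print("keepalive ok:", keepalive_survives_firewall(30, 3600))
```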
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:12 PDT