Firewall Wizards mailing list archives

RE: Gauntlet transparency issue


From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Tue, 14 Mar 2000 19:00:34 -0800

Greg....
I implemented this version of Gauntlet and some of the older versions on NT
and I was unimpressed by the transparency issue (in fact I actually had 2
NAI developers at my site once debating on what transparency did, this was a
VERY frightening scene).... why not simply use the HTTP-gw that they supply
for you.  It seems to me that it worked OK when I used it, it works like a
netscape proxy server (kind of) you can configure users and even use SecureID
for auth if I remember correctly (it has been about 6 months since I
touched it).

Also something else that perked my ears on this was that the FW only knew
about the external nets... is that right?  how is that possible if this is
supposed to be an internet gateway (outside = internet)... perhaps it was a
typo perhaps it is my brain that has been at this terminal for near 12 hours
already today... if this is in fact the case, then you need to configure it the
other way round, tell it about the internal nets with statics (remembering
to use the -p flag to make them persistent in NT) and give it a default
route of the outside upstream gateway (should be your ISP
router/switch/whatever)

Read it again.... also take a look to see what the default gateway for
the enterprise is.  You say that when you config the browser to look at the
firewall for a proxy addr that it works fine.  Perhaps the internal nets
have a default route that is other than your gauntlet box, this could be why
you are not seeing traffic to the firewall itself, and by actually forcing
the browser to look at the firewall it goes that way instead of following
the default....

just a couple of thoughts from a guy who has dealt in the world of
NT/Gauntlet.... hope it helps!

-Kyle 
Information Security
Morgan Stanley Dean Witter Online
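
The routing layout Kyle recommends for the NT Gauntlet box, written out as a command script. This is an added example, not from either message in the thread: the addresses, the 10.20/10.30 "remote internal" networks and the variable names are placeholders, and `route -p add` / `route print` are the standard NT route commands. Whether a missing return route is actually the cause of Greg's problem is not settled in the thread; this only shows the layout Kyle is asking him to check against.

```batch
@echo off
rem Added example, not from the thread. Run on the Gauntlet box itself.
rem All addresses below are placeholders:
rem   INSIDE_RTR   = the router on the inside interface's LAN
rem   ISP_GW       = the upstream router on the outside interface's LAN
rem   10.20.0.0/16 and 10.30.0.0/16 = example remote internal networks
set INSIDE_RTR=192.0.2.1
set ISP_GW=198.51.100.1

rem The layout Greg describes is the reverse of this: statics for the
rem *external* nets. A firewall with no route to a remote internal net
rem sends its replies to that net via the default gateway instead of
rem back through the inside router.

rem Kyle's layout: one static per internal net pointing at the inside
rem router, and the default route pointing at the ISP.
rem -p stores the entry in the registry so it survives a reboot; without
rem it the route is gone after the next restart.
route -p add 10.20.0.0 MASK 255.255.0.0 %INSIDE_RTR%
route -p add 10.30.0.0 MASK 255.255.0.0 %INSIDE_RTR%
route -p add 0.0.0.0 MASK 0.0.0.0 %ISP_GW%

rem Verify: every internal net should show the inside router as its
rem gateway and 0.0.0.0 should show the ISP router. The "Persistent
rem Routes" section at the bottom of the output confirms the -p entries.
route print

rem Kyle's second point is checked from a workstation on a remote net,
rem not from the firewall: tracert to an Internet address should list the
rem firewall's inside interface as a hop. If it does not, that segment's
rem default route is bypassing the firewall, which matches the symptom
rem that only an explicit browser proxy setting works.
```

The two `route -p add` lines for internal nets stand in for the "whole bunch of static routes" Greg mentions; in a real conversion there would be one per remote office network, and `route print` is the quickest way to see which ones are missing.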

-----Original Message-----
From: Greg Austin [mailto:gaustin () rkon com]
Sent: Friday, March 10, 2000 12:22 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Gauntlet transparency issue


Hello,

     I'm having problems with the HTTP proxy not operating transparently
with gauntlet 5.5 for NT.  I'm converting a big software company's existing
BSDI Gauntlet 4.2 installation to a fault-tolerant GVPN 5.5 installation
(no load balancing, just a backup fw waiting in the wings).  The BSDI
installation works fine for them now (although there are some pretty
questionable packet screening rules that need to be killed or tightened),
they're changing to NT for internal reasons (fear of UNIX, urge to
standardize, etc.).  The company has remote offices all over the world, and
a mixture of routable and non-routable addresses (they have 20 or 30 whole
class C's to themselves).  Also, they're not doing any NAT as yet.  Anyway,
here's the problem:

        HTTP traffic coming from any network other than the network the fw's
inside interface lives in doesn't get proxied out, regardless of whether
the client generating it has a real IP or a 10.10.  If I configure the
remote client's browser to "use proxy" and fill in the fw's inside
interface's address as the proxy address, then HTTP works fine.  If I rely
on transparency, the traffic is dropped without even a mention in
Gauntlet's log file.  Again, this problem only occurs for traffic routed in
from other internal networks.

        Much like the BSDI box, the NT box only knows the external networks
through a whole bunch of static routes.  I had to add one static route
(pointing to the router local to the inside interface) for each of the
remote networks.  In their existing configuration they're not using the use
proxy setting on client browsers, they're just letting the fw transparently
proxy this stuff.  Needless to say, they'd be pretty unimpressed if they
had to touch many hundreds of workstations (in fifteen+ countries) because
of a firewall upgrade.

        To make sure there wasn't some background configuration issue, I set
up an extremely simple home test network last night.  I built a plain vanilla
gauntlet installation whose inside interface I connected to a cisco 3K I
own.  On another interface on the router I connected a test workstation.  I
configured all the IPs to match my problem situation, so that my test
machine was mimicking a machine coming in across a frame link from Denmark.
 I configured the router as simply as possible (default route to the inside
interface of the firewall) and the fw similarly (default gateway outside
interface, static route to my bogus Denmark network naming the local router
as the route).  Again, HTTP won't work transparently, but works correctly
if I set the client's browser to proxy off the fw.

        I'm not a moron, I've covered all the obvious ground here.  I do
full time security/VPN/firewall consulting work for a consulting company in
Chicago.
I have a pretty strong background in routing (particularly on Cisco
equipment), and I've been working with many of the popular fw packages for
a while.  I've done PIX, FW-1, and Gauntlet on several platforms.  Anybody
got any ideas?  If the NT version of this product can't do this right I
can't imagine my company (NAI partner, Checkpoint partner as well) will be
installing it anymore.

        Thanks in advance for any light anyone may be able to shed,

Gregory Austin

Senior Systems Engineer
RKON Technologies
gaustin @rkon.com 

P.S.  I'm hopping a plane for the islands tomorrow (3/11) and will be gone
for a week, so if anyone replies to this or e-mails me about this (please
do!) you probably won't hear back from me for a week or so.  Thanks again.
