Firewall Wizards mailing list archives
RE: Gauntlet transparency issue
From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Tue, 14 Mar 2000 19:00:34 -0800
Greg.... I implemented this version of Gauntlet and some of the older versions on NT and I was unimpressed by the transparency issue (in fact I actually had 2 NAI developers at my site once debating what transparency did; this was a VERY frightening scene).... Why not simply use the HTTP-gw that they supply for you? It seems to me that it worked OK when I used it; it works like a Netscape proxy server (kind of). You can configure users and even use SecurID for auth if I remember correctly (it has been about 6 months since I touched it).

Also, something else that perked my ears on this was that the FW only knew about the external nets... is that right? How is that possible if this is supposed to be an internet gateway (outside = internet)... Perhaps it was a typo, perhaps it is my brain that has been at this terminal for near 12 hours already today... If this is in fact the case, then you need to configure it the other way round: tell it about the internal nets with statics (remembering to use the -p flag to make them persistent in NT) and give it a default route of the outside upstream gateway (should be your ISP router/switch/whatever). Read it again....

Also take a look to see what the default gateway for the enterprise is. You say that when you config the browser to look at the firewall for a proxy addr it works fine. Perhaps the internal nets have a default route that is other than your Gauntlet box; this could be why you are not seeing traffic to the firewall itself, and by actually forcing the browser to look at the firewall it goes that way instead of following the default.... Just a couple of thoughts from a guy who has dealt in the world of NT/Gauntlet.... Hope it helps!
-Kyle
Information Security
Morgan Stanley Dean Witter Online

-----Original Message-----
From: Greg Austin [mailto:gaustin () rkon com]
Sent: Friday, March 10, 2000 12:22 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Gauntlet transparency issue

Hello,

I'm having problems with the HTTP proxy not operating transparently with Gauntlet 5.5 for NT. I'm converting a big software company's existing BSDI Gauntlet 4.2 installation to a fault-tolerant GVPN 5.5 installation (no load balancing, just a backup fw waiting in the wings). The BSDI installation works fine for them now (although there are some pretty questionable packet screening rules that need to be killed or tightened); they're changing to NT for internal reasons (fear of UNIX, urge to standardize, etc.). The company has remote offices all over the world, and a mixture of routable and non-routable addresses (they have 20 or 30 whole class C's to themselves). Also, they're not doing any NAT as yet.

Anyway, here's the problem: HTTP traffic coming from any network other than the network the fw's inside interface lives in doesn't get proxied out, regardless of whether the client generating it has a real IP or a 10.10. If I configure the remote client's browser to "use proxy" and fill in the fw's inside interface's address as the proxy address, then HTTP works fine. If I rely on transparency, the traffic is dropped without even a mention in Gauntlet's log file. Again, this problem only occurs for traffic routed in from other internal networks. Much like the BSDI box, the NT box only knows the external networks through a whole bunch of static routes. I had to add one static route (pointing to the router local to the inside interface) for each of the remote networks. In their existing configuration they're not using the "use proxy" setting on client browsers; they're just letting the fw transparently proxy this stuff.

Needless to say, they'd be pretty unimpressed if they had to touch many hundreds of workstations (in fifteen+ countries) because of a firewall upgrade.

To make sure there wasn't some background configuration issue, I set up an extremely simple home test network last night. I built a plain vanilla Gauntlet installation whose inside interface I connected to a Cisco 3K I own. On another interface on the router I connected a test workstation. I configured all the IPs to match my problem situation, so that my test machine was mimicking a machine coming in across a frame link from Denmark. I configured the router as simply as possible (default route to the inside interface of the firewall) and the fw similarly (default gateway outside interface, static route to my bogus Denmark network naming the local router as the route). Again, HTTP won't work transparently, but works correctly if I set the client's browser to proxy off the fw.

I'm not a moron; I've covered all the obvious ground here. I do full time security/VPN/firewall consulting work for a consulting company in Chicago. I have a pretty strong background in routing (particularly on Cisco equipment), and I've been working with many of the popular fw packages for a while. I've done PIX, FW-1, and Gauntlet on several platforms.

Anybody got any ideas? If the NT version of this product can't do this right I can't imagine my company (NAI partner, Checkpoint partner as well) will be installing it anymore.

Thanks in advance for any light anyone may be able to shed,

Gregory Austin
Senior Systems Engineer
RKON Technologies
gaustin @rkon.com

P.S. I'm hopping a plane for the islands tomorrow (3/11) and will be gone for a week, so if anyone replies to this or e-mails me about this (please do!) you probably won't hear back from me for a week or so. Thanks again.
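The two routing conditions the messages above argue over (does the remote client's outbound traffic actually cross the firewall, and does the firewall hold a return route to the remote network via the inside router) can be checked with a small routing model. This is an added example, not code from the thread, from Gauntlet or from either poster; every address, host name and route in it is constructed for illustration, and the layout only mirrors the home test Greg describes (client behind an inside router, firewall with inside and outside interfaces, ISP router beyond). It also shows why pointing the browser at the firewall's inside address works even when transparency does not: the explicit proxy path needs only a route to the firewall's inside subnet, not a correct default route.

```python
"""Routing-table model of why transparent proxying can fail while an explicit
proxy setting works.

Added example, not code from the mailing-list thread or from Gauntlet. Every
address, host name and route here is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# A node is {"addrs": {interface IPs}, "routes": [(network, via), ...]}.
# via == None means the network is directly connected (deliver on-link).


def lookup(routes, dst):
    """Longest-prefix match of dst against a route list; None if no route."""
    dst = ip_address(dst)
    best = None
    for net, via in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def owner_of(nodes, ip):
    """Name of the node that holds interface address ip, or None."""
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    return None


def trace(nodes, start, dst, max_hops=8):
    """Forward a packet hop by hop from node `start` to address `dst`.
    Returns (list of node names visited, status string)."""
    path, here = [start], start
    for _ in range(max_hops):
        if dst in nodes[here]["addrs"]:
            return path, "delivered"
        hit = lookup(nodes[here]["routes"], dst)
        if hit is None:
            return path, "no route at " + here
        _, via = hit
        # Connected route: hand the packet to dst itself; otherwise to the gateway.
        hop = dst if via is None else via
        nxt = owner_of(nodes, hop)
        if nxt is None:
            return path, "unreachable next hop %s at %s" % (hop, here)
        path.append(nxt)
        here = nxt
    return path, "hop limit exceeded"


def transparent_proxy_ok(nodes, client, firewall, internet_ip, client_ip):
    """The two conditions the thread turns on: the client's outbound path must
    cross the firewall (so the transparent proxy sees the packets), and the
    firewall must have a route back to the client's network."""
    out_path, out_status = trace(nodes, client, internet_ip)
    back_path, back_status = trace(nodes, firewall, client_ip)
    return {
        "intercepted": firewall in out_path,
        "return_route": back_status == "delivered",
        "outbound": (out_path, out_status),
        "return": (back_path, back_status),
    }


def build_topology(inside_router_default="192.168.1.1", fw_knows_remote_net=True):
    """Constructed topology. Client 10.10.50.25 sits behind inside-rtr; the
    firewall's inside interface is 192.168.1.1, outside 203.0.113.2.
    The two parameters reproduce the two misconfigurations discussed."""
    fw_routes = [("192.168.1.0/24", None), ("203.0.113.0/30", None),
                 ("0.0.0.0/0", "203.0.113.1")]          # default: upstream ISP router
    if fw_knows_remote_net:                              # the persistent static Kyle mentions
        fw_routes.append(("10.10.50.0/24", "192.168.1.2"))
    return {
        "client": {"addrs": {"10.10.50.25"},
                   "routes": [("10.10.50.0/24", None), ("0.0.0.0/0", "10.10.50.1")]},
        "inside-rtr": {"addrs": {"10.10.50.1", "192.168.1.2"},
                       "routes": [("10.10.50.0/24", None), ("192.168.1.0/24", None),
                                  ("0.0.0.0/0", inside_router_default)]},
        "firewall": {"addrs": {"192.168.1.1", "203.0.113.2"}, "routes": fw_routes},
        "isp-rtr": {"addrs": {"203.0.113.1", "198.51.100.1"},
                    "routes": [("203.0.113.0/30", None), ("198.51.100.0/24", None)]},
        "web-server": {"addrs": {"198.51.100.10"},
                       "routes": [("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")]},
    }


if __name__ == "__main__":
    cases = {
        "correct": build_topology(),
        "inside router defaults elsewhere": build_topology("192.168.1.254"),
        "firewall lacks static for remote net": build_topology(fw_knows_remote_net=False),
    }
    for label, nodes in cases.items():
        r = transparent_proxy_ok(nodes, "client", "firewall", "198.51.100.10", "10.10.50.25")
        print(label, "->", r["outbound"], r["return"])
        # Explicit proxy only needs a path to the firewall's inside address.
        print("   explicit proxy:", trace(nodes, "client", "192.168.1.1"))
```

Running it walks the three cases: with both conditions met the outbound trace passes through the firewall and the return trace reaches the client; when the inside router's default gateway is not the firewall the outbound trace dies at the router while the explicit-proxy trace still reaches 192.168.1.1; when the firewall has no static for the remote network, replies follow the default route to the ISP and are lost there. Note that a real proxy dropping traffic without a log line, as Greg reports, is not something a routing model can explain; this only confirms or rules out the two routing hypotheses raised in the thread.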
Current thread:
- Gauntlet transparency issue Greg Austin (Mar 13)
- <Possible follow-ups>
- RE: Gauntlet transparency issue Starkey, Kyle (Mar 21)