I concur with Brian. I have several friends who manage NT firewalls and have no problem doing what he has said. I put up DEC's Alta-Vista firewall product, which was Unix based but used the Netscape GUI as the administrator interface. A very nice, admin friendly firewall. My friends with their NT based firewalls could do all the system functions that ours could, and they didn't have to reboot any more than ours did. We did reboot ours 3 times in the first year due to software patches for Unix. There were no crashes of any kind within the first 14 months. System logs were not an issue, and we did have automatic reboot enabled. We also challenged the firewall periodically. We also had it on a UPS, and we would also "pull the plug", literally, to test it.

Brian's point regarding "not" running any 3rd party software should be well-taken. Firewall software is special purpose software. It is not designed or tested to have a lot of 3rd party software running on the firewall system. I also specified as part of our security policy that there should be no RAS to the firewall. I have heard this mentioned at several security seminars as a "how not to configure" element of firewalls.

Again, this is up to your respective site security policy; one size doesn't fit all, and this isn't intended to "enflame" anyone.

Cheers
Ken

> -----Original Message-----
> From: Brian Steele [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, January 11, 1999 11:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: OS Platform for firewall
>
> > System logs are one reason. How do you send one NT host's logs to
> > another host, or several other hosts (for non-repudiation)? Answer: you
> > can't.
>
> You should be able to, via UNC (and perhaps directory replication between
> servers).
>
> > How do you parse through multiple logs quickly using any text
> > viewer in NT? Answer: you can't.
>
> Not with NT's default viewer. But these are TEXT logs. Hell, you could use
> Word to look at them, or any shareware text viewer. This is a non-issue as
> far as I'm concerned, as the tools are easily available.
>
> > How do you discriminate between NetBIOS and DNS names and IP addresses?
> > Once again: you can't do this under NT.
>
> The question is whether or not this would be a requirement.
>
> > Remote access is important in any server farm. Sure you can set up
> > RAS+VBscript+various other hacks under NT but it is not going to be
> > reliable. Under Unix you install SSH for encrypted access including
> > X11, even including public-key authentication. SSH is rock solid.
>
> Some would argue that a remote-access point for a firewall server is itself
> a security risk ;-).
>
> > And if the server goes down?
>
> Configure it to reboot automatically. This won't work in the case of a
> "hard" crash, where the system completely locks up, but I rarely see this
> with NT.
>
> > The last large shop I worked at which
> > used NT proxy firewalls had to reboot at least 3 times a week. This
> > was with the best NT system administration available.
>
> They need to get better system administrators. There's no reason why an NT
> server assigned to firewall/proxy duties alone should have to be rebooted so
> often, unless they're using improper hardware, or 3rd party s/w that doesn't
> work well with NT.
>
> > And what do you do when your NT firewall crashes, which it will do
> > frequently? You really have no choice but to get to the console and
> > power cycle the thing.
>
> Nope - set it to reboot automatically (see note above).
>
> Regards,
> Brian
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
