I concur with Brian. 

I have several friends who manage NT firewalls and have no problem doing
what he has said.

I put up DEC's Alta-Vista firewall product, which was Unix based but used
the Netscape GUI as the administrator interface. A very nice, admin friendly
firewall. My friends with their NT based firewalls could do all the system
functions that ours could and they didn't have to reboot any more than ours
did.
We did reboot ours 3 times in the first year due to software patches for
Unix. There were no crashes of any kind within the first 14 months. System
logs were not an issue and we did have automatic reboot enabled. We also
challenged the firewall periodically. We also had it on a UPS and we would
also "pull the plug", literally, to test it.

Brian's point regarding "not" running any 3rd party software should be
well-taken. Firewall software is special purpose software. It is not
designed or tested to have a lot of 3rd party software running on the
firewall system.

I also specified as part of our security policy that there should be no RAS
to the firewall. I have heard this mentioned at several security seminars as
a "how not to configure" element of firewalls. Again, this is up to your
respective site security policy, one size doesn't fit all and this isn't
intended to "inflame" anyone.

Cheers
Ken
> -----Original Message-----
> From: Brian Steele [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, January 11, 1999 11:54 AM
> To:   [EMAIL PROTECTED]
> Subject:      RE: OS Platform for firewall
> 
> > System logs are one reason.  How do you send one NT host's logs to
> > another host, or several other hosts (for non-repudiation).  Answer: you
> > can't.
> 
> You should be able to, via UNC (and perhaps directory replication between
> servers).
> 
> 
> > How do you parse through multiple logs quickly using any text
> > viewer in NT?  Answer: you can't.
> 
> Not with NT's default viewer.  But these are TEXT logs.  Hell, you could use
> Word to look at them, or any shareware text viewer.  This is a non-issue as
> far as I'm concerned, as the tools are easily available.
> 
> 
> > How do you discriminate between NetBIOS and DNS names and IP addresses?
> > Once again: you can't do this under NT.
> 
> The question is whether or not this would be a requirement.
> 
> 
> > Remote access is important in any server farm.  Sure you can setup
> > RAS+VBscript+various other hacks under NT but it is not going to be
> > reliable.  Under Unix you install SSH for encrypted access including
> > X11, even including public-key authentication.  SSH is rock solid.
> 
> Some would argue that a remote-access point for a firewall server is itself
> a security risk ;-).
> 
> 
> > And if the server goes down?
> 
> Configure it to reboot automatically.  This won't work in the case of a
> "hard" crash, where the system completely locks up, but I rarely see this
> with NT.
> 
> 
> > The last large shop I worked at which
> > used NT proxy firewalls had to reboot at least 3 times a week.  This
> > was with the best NT system administration available.
> 
> They need to get better system administrators.  There's no reason why an NT
> server assigned to firewall/proxy duties alone should have to be rebooted so
> often, unless they're using improper hardware, or 3rd party s/w that doesn't
> work well with NT.
> 
> 
> > And what do you do when your NT firewall crashes, which it will do
> > frequently?  You really have no choice but to get to the console and
> > power cycle the thing.
> 
> Nope - set it to reboot automatically (see note above).
> 
> 
> Regards,
> Brian
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]