On Wed, 13 Jan 1999, Brian Steele wrote:
> > 1. Advanced NAT (one to one, one to many, and in today's world even NAT
> > based on service). Also, it shouldn't be a problem to forward services to
> > inside non-Windows (read: Unix) servers.
>
>
> Yes, but wouldn't this depend on the user's requirements? I can't see how
> this can be used to determine whether or not an application should be called
> a firewall.
>
>
Perhaps, but I feel that the 'LACK' of features is what makes "MS Proxy
Server" just that, a proxy server.
> >2. Decent logging and reporting
>
>
> MSP has the ability to log to either text files or SQL database for advanced
> reporting.
>
>
Yes, and the text logging is horrible and pretty much useless to read.
Granted, the SQL database is a good option, but it should be considered an
add-on...
>
> > 3. Various (numerous) forms of authentication, i.e.
> > S/Key, SecurID, RADIUS, TACACS, etc...
>
>
> Again, this will depend on user requirements, and should not be used in a
> definition for a firewall.
>
>
Sure, but.... What about all the non-Windows clients? How do I
authenticate them???
> > 4. Should provide some content filtering, Java, ActiveX, etc..
>
>
> Can't answer - never checked this one. See point (3)
>
>
I don't believe that MS Proxy can filter content and selectively block
ActiveX and Java applets.
>
> > 5. Should provide a simple SMTP relay, or perhaps something more advanced like
> > CheckPoint's.
>
>
> Confused here - please clarify. It is possible to configure MSP2.0 to allow
> an internal e-mail server to interact with the Internet.
>
CheckPoint supports a fairly advanced SMTP proxy.... You could, for
example, have the following IP addresses routed to the firewall: A, B, C, D.
First you could prevent relaying, set a size limit, and scan for viruses.
Next you could take all email bound for A, after filtering it, and send it to
yet a different box..... OR, everything could come in on the SAME IP, but
different domains, and the firewall can filter and then route based on the
destination domain. So, email for ms.com goes to host A, proxy.com goes
to host B, etc.... It has quite a bit of flexibility.... I once used this
functionality in conjunction with MX records to route mail to aid in the
migration from Novell GroupWise to MS Exchange... Made things quite
simple.....
>
> > Centralized management/logging. The ability to look at live connections...
> > VPNs, both client to network and network to network.
>
>
> MS' VPN works with MSP as stated above. And "centralized
> management/logging" - what do you define as "centralized"?
>
What, PPTP??? Unless MS has cleaned up their act on that mutated form
of 'GRE', I would be leery of actually utilizing it...... Additionally, I
really hate to play the MS service pack and hotfix act by running too many
services on the same box....
>
> >I just don't think that
> >"MS Proxy Server" is a Firewall. Microsoft probably doesn't either! If
> >they did, I am sure their marketing people would call it "Microsoft
> >Firewall"!!
>
>
> ... so why do they refer to it as a Firewall on the cover for the CD?
>
>> Brian Steele
>
Really, they do?!?! The last I saw, it said something like.....
'Extensible Firewall features'...... I don't remember it actually referring
to MS Proxy as a 'Firewall'..... Granted, to a limited extent it can
be.... From my understanding MS Proxy is great for inside (private) net
access to outside (Internet)... BUT not the other way.... Problems with
virtual IPs, limited to forwarding a port on the firewall's Internet
address to a port on another machine, IF you run the proxy Winsock. That
would be hard to do on a Unix box, if you are using it for email....
Doesn't really support CU-SeeMe, etc.... Some of these can be kludged to a
certain extent, but......
As I said, it's a good proxy server, but if you require decent control
over inbound connections, real authentication, real crypto (VPNs... gotta
love the way MS PPTP mangles the client's routing table... lose
connectivity to your WAN when you connect to a PPTP server...), etc...
then MS Proxy isn't the answer.... If, on the other hand, you ONLY have a
FEW servers that are going to be accessed from the Internet AND they are
Windows NT servers, then perhaps it would be the right solution.
--=Rick==-
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
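The SMTP relay behaviour Rick describes above (refuse open relaying, cap message size, then hand mail for each hosted domain to a different inside host) is easy to model as a policy function. The following is an added example written for this page, not code from the thread, from CheckPoint or from Microsoft; the inside networks, hosted domains, backend hostnames and size cap are invented for illustration, and virus scanning is not modelled.

```python
"""Toy SMTP relay policy: anti-relay, size cap, and per-domain routing.

Constructed example. A firewall-hosted SMTP proxy that:
  * refuses third-party relaying,
  * rejects oversized messages,
  * routes inbound mail for each hosted domain to a different inside host,
  * lets only inside hosts send outbound mail to foreign domains.
All hostnames, networks and limits below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical inside networks allowed to send outbound mail through the relay.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical hosted domains -> inside mail host that receives them.
# Mirrors "email for ms.com goes to host A, proxy.com goes to host B".
DOMAIN_ROUTES = {
    "ms.com": "host-a.internal",
    "proxy.com": "host-b.internal",
}

MAX_MESSAGE_BYTES = 10 * 1024 * 1024  # hypothetical 10 MiB cap


@dataclass
class Envelope:
    client_ip: str   # address of the connecting SMTP client
    mail_from: str   # envelope sender (MAIL FROM)
    rcpt_to: str     # envelope recipient (RCPT TO)
    size: int        # declared or measured message size in bytes


@dataclass
class Decision:
    action: str                # "relay" or "reject"
    reason: str                # SMTP-style status text
    next_hop: Optional[str] = None  # inside host for inbound mail; None = use recipient MX


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, '' if malformed."""
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_internal(client_ip: str) -> bool:
    """True if the client address falls inside one of our inside networks."""
    try:
        ip = ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def decide(env: Envelope) -> Decision:
    """Apply the policy in the order an MTA would: size, relay control, routing."""
    if env.size > MAX_MESSAGE_BYTES:
        return Decision("reject", "552 message exceeds size limit")
    rcpt_domain = _domain(env.rcpt_to)
    if not rcpt_domain:
        return Decision("reject", "501 bad recipient address")
    # Inbound: we are the MX for this domain, route to its inside host.
    if rcpt_domain in DOMAIN_ROUTES:
        return Decision("relay", "250 inbound, routed by destination domain",
                        next_hop=DOMAIN_ROUTES[rcpt_domain])
    # Outbound: only inside hosts may use us to reach foreign domains.
    if is_internal(env.client_ip):
        return Decision("relay", "250 outbound from inside network, deliver via recipient MX")
    # Anything else is a third party trying to relay through us.
    return Decision("reject", "550 relaying denied")


if __name__ == "__main__":
    samples = [
        Envelope("203.0.113.5", "alice@example.net", "bob@ms.com", 4096),
        Envelope("203.0.113.5", "alice@example.net", "carol@proxy.com", 4096),
        Envelope("203.0.113.5", "alice@example.net", "victim@elsewhere.org", 4096),
        Envelope("10.1.2.3", "me@ms.com", "friend@elsewhere.org", 4096),
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.client_ip:>13} {s.rcpt_to:<24} -> {d.action:<6} {d.next_hop or '-':<16} {d.reason}")
```

The ordering matters: the size check runs before any routing so an oversized message is refused regardless of destination, and the anti-relay test is simply "is this one of our domains, or is the client one of ours"; anything that is neither is the classic open-relay case and gets a 550.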