Yes, you are right, this would make it much more secure.
But if you're going through all the trouble of rolling your
own IP stack, why bother with running it under NT in the first place,
when you could just as easily run it on your own miniature operating
system? That way you'd save $$$ for your customers who won't have
to buy NT (or any other OS for that matter).
Besides, I like that solution better anyhow, since it keeps
nitwit admins with a low IT budget from installing 3rd party
software on the firewall itself. :-)
Regards,
Mike
Don Kelloway wrote:
>
> What you're speaking of is, unfortunately, an issue where the firewall runs
> on top of MS's IP stack. However, if one were to do the following:
>
> 1. Install NT4 as a "stand-alone" server, no IIS, no add-on optional
> applications (not even calculator)
> 2. Install the 2nd NIC and ensure that it works. Ensure that "IP forwarding"
> is not enabled.
> 3. Apply SP3 (min). Reboot
> 4. Apply your favorite reg hacks to tighten it further.
> 5. Go to Network Properties and "unbind" the 2nd NIC. Reboot
> 6. Go back to Network Properties | Protocols and remove all but the TCP/IP
> protocol.
> 7. Click TCP/IP protocol, don't use WINS, don't use LMHOSTS, don't use DNS.
> 8. Then go to the Services tab, remove all of them. This includes
> Workstation, Server, all of it. Reboot
> 9. Then go to Control Panel | Services and set the Startup option for
> everything 'cept Event Log, Plug and Play, and RPC to "disabled". Reboot
> 10. Install a firewall, one that binds its own IP stack to the external
> NIC.
>
> The end-result? A pretty darned secure installation, if you ask me...
>
> Best Regards, Donald Kelloway
> http://www.commodon.com
>
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
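The quoted checklist leaves two verifiable end states: IP forwarding off (step 2) and every service except Event Log, Plug and Play and RPC set to "disabled" (step 9). The following audit script is an added example, not code from either poster; it reports drift from those two states rather than changing anything. It assumes a Windows host with PowerShell (NT4 itself predates PowerShell, so it targets a later Windows build), the service names `EventLog`, `PlugPlay` and `RpcSs` for the three services kept in step 9, and the `IPEnableRouter` value under the TCP/IP parameters key as the setting behind "IP forwarding". The allowlist is the thread's and is kept deliberately tiny; a real host would need a longer one.

```powershell
# Added audit script (not from the thread): checks a Windows host against the
# thread's step-9 service allowlist and the step-2 "IP forwarding disabled" state.
# Assumed service names for Event Log, Plug and Play and RPC:
$AllowedServices = @('EventLog', 'PlugPlay', 'RpcSs')

function Get-ServiceFindings {
    # Returns every service whose start mode is not Disabled and that is not on the allowlist.
    param([string[]]$Allowed = $AllowedServices)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -ne 'Disabled' -and $Allowed -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartMode, State
}

function Test-IpForwardingDisabled {
    # Assumed location of the IP forwarding switch; an absent value means the default (0 = off).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
    return (-not $value) -or ($value -eq 0)
}

$findings = Get-ServiceFindings
if ($findings) {
    'Services still enabled beyond the allowlist (step 9 not satisfied):'
    $findings | Format-Table -AutoSize
} else {
    'All services outside the allowlist are disabled.'
}

if (Test-IpForwardingDisabled) {
    'IP forwarding: disabled (step 2 satisfied)'
} else {
    'IP forwarding: ENABLED (step 2 not satisfied)'
}
```

Run it from an elevated prompt after the reboots the checklist calls for; because it only reads service and registry state, it can be re-run on a schedule to catch a service that a later install re-enabled, which is the exact failure mode the "no 3rd party software on the firewall" remark above is worried about.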