After NAI announced that it was discontinuing the BSD/OS based version of
Gauntlet, my customer decided to switch to the Solaris based version of the
product. The replacement hardware and Gauntlet 5.5 arrived and have been
installed.
Unfortunately, the switch from the BSD/OS based Gauntlet 5.0 to the Solaris
based Gauntlet 5.5 has been a far more difficult transition than one would
expect. Literals used in IPFW rules, e.g. telnet, were not translated to
the correct port numbers. It's taken a few days but these problems have
been eradicated.
The major problem that remains involves the "securityalert" entries in the
log, /var/log/messages. The target or destination address that is reported
is the IP address of the interface on which the packet arrived. The BSD/OS
based versions of Gauntlet reported the IP address of the actual target or
destination.
The latter is what we would prefer seeing recorded. It allows us to quickly
identify activity involving the "dim stars in our corporate firmament" that
have taken a laptop home and forgotten to change their system configuration
appropriately. In addition, knowing the target IP address allows us to
differentiate between activity targeted at a specific system and activity
that is simply probing for a weakness.
What are the "sweet nothings" that need to be whispered in Gauntlet's ear to
force the recording of the actual destination IP address?
Merton Campbell Crockett