Kelly-
I won't join in the bashing (although deserved) of your company's "security
policy", but would be interested in learning more in this area. For this
reason I have joined this list. My organization has someone that does this,
but lacks the teaching/people skills to effectively teach. If the members of
this list provide you with resources or you would be willing to share the
type of training you received I think that could be the greatest benefit. We
all have our strengths, but the wise ones notice their weaknesses.
Good luck, my hat's off to you for braving the cyber world in this way.
Cheers,
Paul Done
IT Consultant
-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 20, 2000 6:31 AM
To: Willis, Kelly
Cc: [EMAIL PROTECTED]
Subject: Re: Gauntlet
On Mon, 20 Nov 2000, Willis, Kelly wrote:
> Is there anybody out there that can help me get some configurations right on
> our new Gauntlet firewall? I have never configured a firewall before and
> have not had training and this is very important to our company so I am
> feeling the pressure here. Any help would be appreciated!
Trusting someone on a mailing list to supply good and correct
configuration advice on a core security product is a bad idea.
There are enough ways to slightly misconfigure Gauntlet and leave a gaping
hole that it's a _really_ good idea to get someone who knows what they're
doing and has some accountability involved.
The pressure you're feeling would be nothing like the pain you'd feel if
either someone maliciously had you misconfigure the firewall, or indeed
accidentally did so. There are a lot of ways to set up something as complex
as Gauntlet, and some configurations are incredibly bad ideas and some are
incredibly good- differentiating between them requires a core
understanding of the product and technology.
Last minute "drop it in and configure it until traffic passes" type
installations tend to be the absolute worst way to do things. The process
should have started with a security policy and then had an implementation
plan and then a test plan followed by validation.
You really really should (a) try to get training, or (b) try to get
consulting assistance. Training is preferable because you'll be left
holding the bag when the consultant leaves. There will be some amount of
"this doesn't work" or "I need to do $stupid_thing" that you're going to
need to be able to fix or combat, both of which require technical skills
that aren't best left to mailing lists.
It's _possible_ to set Gauntlet up with just the manual and an idea of how
firewalls work, but it's the easiest way to make mistakes. Heck, I've
seen experienced firewallers have trouble with Gauntlet's GUI and
configuration- every complex policy supporting installation I've ever done
has required editing the netperm-table and startup scripts by hand.
Changed that recommendation to training *and* consulting with a consultant
who's done Gauntlet a _lot_.
Mailing lists are great for "What's the difference between..." or "How
does $feature work?" questions. Outsourcing your security to the first
person on the Internet who answers is a really bad idea.
If you have specific questions, here or gauntlet-users work pretty well
(though firewalls isn't as specific as gauntlet-users), but if it's
initial configuration this would be the ideal time to exercise that
support contract (and if you didn't get support with Gauntlet you made a
pretty scary choice- go back and fix that _first!_)
Sorry this isn't the answer you want.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]