The Cisco NT Firewall is discontinued. It was "Sentry" but the spelling was
DiFfeReNt and FuNKy. (Escapes me at the minute).
Gauntlet "hardens" the NT _install_, but I don't think they completely
replace the TCP stack. I've played with Gauntlet a little and it's joyfully
easy to install and configure. For small sites I think it's an okay choice.
<pointless $0.02>
Unless someone is waving a particular unfixed TCP stack specific bug in
front of my face, I will not sit still for puerile "NT security sucks"
comments from customers. NT default setups might suck, and out-of-the-box
MCSE NT Administrators might suck, but by design the OS can be made secure.
Tell me I'm wrong, but most of the NT security panics have been users
elevating privileges, services being insecure, shares being insecure and IIS
sucking badly. For a firewall box, which should really go behind a basic
packet filtering router, I couldn't care less. Apart from the TCP
fragmentation bug and some interesting choices for optional responses to TCP
events, I don't recall seeing any unresolved reports that would remove it
from consideration for a base firewall OS. Don't tell me that linux, for
example, (which a couple of people have recommended) is secure out of the
box. Nuh uh.
</pointless $0.02>
Personally, I say that if you're an NT guru with limited *nix experience,
you're more likely to be able to secure and maintain an NT box than a *nix
box. The IT staff at lots and lots of small to medium outfits fit this bill.
If you want better performance from your hardware, or want to be able to
hack source for your own devious ends, or want to run the FW as a VPN tunnel
server or something, then maybe think about a *nix box.
Now I feel guilty about continuing the OS war thread. I'm not plugging NT,
I'm just advocating careful and realistic consideration of options - without
knee-jerk "NT security bad" hysteria.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: John Haines [SMTP:[EMAIL PROTECTED]]
Sent: Friday, April 16, 1999 10:14 AM
Cc: [EMAIL PROTECTED]
Subject: Re: Raptor, Gauntlet, etc. on NT
Perhaps it would be better to say, "if you want your firewall to run on NT,
make sure they use their own, hardened, TCP/IP stack" (Cisco has such a
product, the name escapes me (Sentry ?), as is Raptor, I believe).
Brian Steele wrote:
> Could we NOT have one of these silly OS wars again? There are firewall
> products available for NT
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]