What you're speaking of is unfortunately an issue where the firewall runs
on top of MS's IP stack. However, if one were to do the following:
1. Install NT4 as a "stand-alone" server, no IIS, no add-on optional
applications (not even calculator)
2. Install the 2nd NIC and ensure that it works. Ensure that "IP forwarding"
is not enabled.
3. Apply SP3 (min). Reboot
4. Apply your favorite reg hacks to tighten it further.
5. Go to Network Properties and "unbind" the 2nd NIC. Reboot
6. Go back to Network Properties | Protocols and remove all but the TCP/IP
protocol.
7. Click TCP/IP protocol, don't use WINS, don't use LMHOSTS, don't use DNS.
8. Then go to the Services tab, remove all of them. This includes
Workstation, Server, all of it. Reboot
9. Then go to Control Panel | Services and set the Startup option for
everything 'cept Event Log, Plug and Play, and RPC to "disabled". Reboot
10. Install a firewall, one that binds its own IP stack to the external
NIC.
The end-result? A pretty darned secure installation, if you ask me...
Best Regards, Donald Kelloway
http://www.commodon.com
-----Original Message-----
From: Mikael Olsson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 17, 1999 7:38 PM
Subject: Re: Why not FireWall-1 on NT?
>
>From: "gill" <[EMAIL PROTECTED]> on 11/06/99 04:21
>>
>> It has been my experience that the majority [of FW1's] are installed
>> on Solaris and NT boxes.
>> [Snip]
>>
>> This reasoning does not lead me to believe that the NT OS is an inherently
>> secure one, but it does lead me to believe even more strongly that the NT
>> OS *can* be made secure and that the real important factor is the installation
>> and administration ... a point that has been made several times through
>> the course of this discussion.
>>
>
>Sorry for adding to the noise - I just can't stay quiet any more.
>
>Fact: FW1 on NT is simply not as good as FW1 on Solaris.
>
>For instance, I've seen FW1's on NT go belly-up just
>by sending them several large, illegally-fragmented pings.
>As you may guess, this does not happen to FW1's running
>on Solaris.
>
>You simply cannot judge security from popularity.
>Once you start looking at NT in detail, and I don't
>mean looking at what services are running and what
>Microsoft says that they do, you can clearly see the flaws.
>
>I do C coding on NT systems as well as *nix systems, and
>at a low level at that. I'm not religious here - I view
>the different OSes as a palette of tools, with different
>pros and cons, to choose from to create the best
>solution for a given task.
>
>
>One particular problem with Windows is the flawed design of
>its Winsock implementation. It's the old Win 3.11 (Wolverine?)
>winsock revved up to 32 bits, patched, tweaked and
>patched again to work with the multitude of protocols that
>customers demand windows to work with.
>
>The real overall problem is the lack of well-defined programming
>interfaces between the different layers. The fact is that
>the entire network module of Windows (any flavour) is
>really just one large code-cludge where calls are being
>made in all directions.
>
>Take, for instance, the childishly simple attack where
>you send ARP replies to a Windows machine, saying that
>you are using the same IP address as that Windows machine.
>For some reason that I will never understand, dialog
>boxes start popping up on your screen?!?! And if you
>keep pumping ARP replies, the message queue floods and
>the machine goes belly up!
>Now do you really think that that is testimony to a sound
>programming approach? Having one of the lowest-level
>network protocols interact directly with the GUI?
>
>
>The tradition in Unix systems has been to layer and separate
>everything, and document the well-defined interfaces between
>these components. These interfaces may be function calls,
>streams or network protocols, it's all there.
>This is the foundation of the security and reliability of
>unix flavour OSes.
>
>
>Actually, my personal opinion is that the *best* foundation
>for a firewall is a "clean slate". That is, run the firewall
>on its OWN miniature operating system, and start with a clean
>IP stack that is designed to do only two things : forward and
>filter packets.
>Doing that, you don't need to start patching up the underlying
>operating system and IP stack with its complex and therefore
>inherently insecure design. Operating systems need to be able
>to do LOTS of things. Firewalls don't.
>
>'nuff rambling.
>/Mike
>
>
>--
>Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
>Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
>WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
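Mikael's ARP example, seen from the defender's side: an added Python example (not from the thread or either author) that parses Ethernet/IPv4 ARP frames, flags a reply that claims this host's own IP from a foreign MAC, and raises one alert per offending MAC per time window instead of one per frame, so a flood of replies cannot become a flood of dialogs. The MAC and IP addresses, the 60 s window and the replayed frames are constructed values.

```python
import struct
from collections import defaultdict
ARP_REPLY = 2  # RFC 826 opcode for a reply

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II + IPv4 ARP reply (constructed test input, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return oper, sender_mac, ".".join(str(b) for b in frame[28:32])

class ArpConflictMonitor:
    def __init__(self, local_ip, local_mac, window_s=60.0):
        self.local_ip, self.local_mac, self.window_s = local_ip, local_mac.lower(), window_s
        self.seen = defaultdict(int)  # offending MAC -> conflicting frames counted
        self.last_alert = {}          # offending MAC -> time of last alert

    def observe(self, frame: bytes, now: float):
        """Return an alert string for a new conflict, else None (repeats are counted, not alerted)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        if ip != self.local_ip or mac == self.local_mac:
            return None  # not about our address, or our own announcement
        self.seen[mac] += 1
        last = self.last_alert.get(mac)
        if last is not None and now - last < self.window_s:
            return None  # suppressed: a flood of frames must not become a flood of alerts
        self.last_alert[mac] = now
        return f"ARP conflict: {mac} claims {self.local_ip} ({self.seen[mac]} frame(s) seen)"

def demo(n=1000):
    """Replay n constructed conflicting replies 10 ms apart; return (alerts, frames counted)."""
    mon = ArpConflictMonitor("192.0.2.10", "02:00:00:00:00:0a")
    frame = build_arp_reply("02:00:00:00:00:ff", "192.0.2.10", "02:00:00:00:00:0a", "192.0.2.10")
    alerts = [a for t in range(n) if (a := mon.observe(frame, t * 0.01)) is not None]
    return alerts, mon.seen["02:00:00:00:00:ff"]
```

`demo()` returns a single alert alongside a count of 1000 frames: the conflict is recorded once and the flood is absorbed by a counter rather than by the message queue.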