> -----Original Message-----
> From: Lester Herrington [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 4 November 1999 2:19 AM
> To: '[EMAIL PROTECTED]'
> Cc: Lester Herrington
> Subject: Input on NAI's Gauntlet Firewall/VPN...
> 
> 
> We are considering our options for a firewall/vpn solution to connect and
> protect our two sites.  We have looked at several options and are
> considering NAI's Gauntlet 5.5 firewall with PGP protected VPN over the
> internet.  Wanted to get some input before we proceed.

The "PGP protected VPN" looks to be a marketing spin, judging from the NAI
glossy pamphlets. It says that the VPN is "fully standards based" and
provides "strong compliance with the IPSec and IKE protocols". [1]

As far as I can make out, the only PGP in it looks to be for SA negotiation
if you're not using certificates. I've seen other IPSec implementations that
use RSA encrypted nonces (Encrypt random stuff with someone's public key.
They do stuff and send it back encrypted with your public key. You decrypt
it and you can tell that they're really them. Now you go ahead and exchange
keys.) so it would be fairly trivial to use PGP instead of RSA for this
process.

This is not to say that it's bad - au contraire. My stated opinion remains
that "IPSec rocks". However, there's nothing about the NAI product (that I
can see) that really differentiates it as far as the security of the VPN
goes. The implementation might be really good and easy to set up, though.

[snip] 
> The Gauntlet solution appears to be a complete solution providing Firewall,
> VPN, Monitoring (Cybercop).  I have heard that this is one of the most secure
> firewalls available, but have not seen solid data supporting this.

Gauntlet is an Application Proxy. IN THEORY, application proxies provide
superior protection to any kind of packet filter, because they go all the
way up and look at application layer data to make sure that the protocol is
not being abused. A firewall that doesn't check this will let through bogus
SMTP commands etc. However, in version 5.5 the user is given EVEN MORE
chances to shoot their security in the head with the inclusion of proxies
for SMB (Microsoft network stuff) and AOL. On the plus side, 5.5 also adds
an SSH proxy.

Oh, and there is also a packet filtering engine, presumably for if you still
can't make your security loose enough just using the proxies.

Having said that, the out-of-box security isn't too bad - just don't assume
that because Gauntlet will support the traffic that YOU should.

Cybercop still remains a host based IDS, AFAIK. It won't scan your network
for intrusion, but it will sit happily on your webserver and alert you (and
then shut down, if you like) if somebody screws with it. Additionally, it
will centrally monitor the alerting on multiple hosts from a console, which
is good. Unfortunately, if you want a complete monitoring solution, I don't
think it's quite there yet.

> 
> Thanks for any input that you can provide.
> 
> Les
> -

No worries. Hopefully one of our NAI lurkers will follow up with some
corrections - one of my other gripes with NAI is that it's hard to get good
technical information out of them.

Oh, and if you want an overall opinion - I think the building blocks are
good. Just be warned - the decision as to which solution you buy is probably
going to be the LEAST important one you make. You'll get far more mileage
out of _really_ understanding what's going on, developing a security policy
that works and making sure that your users and management are behind it.

Cheers,

[1] http://www.nai.com/media/pdf/products/tns/Pgpvpn_b.pdf

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
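The RSA-encrypted-nonce exchange sketched earlier in the mail ("encrypt random stuff with someone's public key, they send it back encrypted with your public key, you decrypt it and you can tell that they're really them"), written out as both sides' messages. This is an added example, not code from the mail, from NAI or from any IPSec implementation; the party names, the three-message layout and the key derivation are assumptions, and textbook RSA over small constructed primes stands in for the real RSA or PGP operation so the script runs offline. It is a teaching toy, not a secure implementation.

```python
"""Added example: RSA-encrypted-nonce mutual authentication, toy version.
Textbook RSA with constructed primes replaces real RSA/PGP; NOT secure."""
import hashlib
import secrets


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes: returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message does not fit under this key")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


class Party:
    """One VPN endpoint: its own key pair plus the nonces seen so far."""

    def __init__(self, name, p, q, role):
        self.name = name
        self.role = role                  # "initiator" or "responder"
        self.pub, self._priv = make_toy_keypair(p, q)
        self.my_nonce = None
        self.peer_nonce = None

    def session_key(self):
        """Both nonces feed the key in a fixed order, so only a peer that
        really decrypted our nonce can compute the same value."""
        if self.role == "initiator":
            n_i, n_r = self.my_nonce, self.peer_nonce
        else:
            n_i, n_r = self.peer_nonce, self.my_nonce
        return hashlib.sha256(f"{n_i}:{n_r}".encode()).hexdigest()


def fresh_nonce():
    # 59-bit nonces fit under every toy modulus used below (all about 1e18).
    return secrets.randbelow(1 << 59)


def challenge(initiator, responder_pub, nonce=None):
    """Message 1, A -> B: A's nonce, readable only with B's private key."""
    initiator.my_nonce = fresh_nonce() if nonce is None else nonce
    return rsa_encrypt(responder_pub, initiator.my_nonce)


def respond(responder, initiator_pub, challenge_ct, nonce=None):
    """Message 2, B -> A: A's nonce echoed back plus B's own nonce,
    both readable only with A's private key."""
    responder.peer_nonce = rsa_decrypt(responder._priv, challenge_ct)
    responder.my_nonce = fresh_nonce() if nonce is None else nonce
    return (rsa_encrypt(initiator_pub, responder.peer_nonce),
            rsa_encrypt(initiator_pub, responder.my_nonce))


def verify_and_prove(initiator, responder_pub, echo_ct, peer_nonce_ct):
    """A decrypts the echo; a match proves the peer holds the private key
    behind the trusted responder_pub.  Message 3, A -> B: B's nonce echoed
    back so B gets the same proof about A."""
    if rsa_decrypt(initiator._priv, echo_ct) != initiator.my_nonce:
        raise ValueError("peer could not read our nonce: authentication failed")
    initiator.peer_nonce = rsa_decrypt(initiator._priv, peer_nonce_ct)
    return rsa_encrypt(responder_pub, initiator.peer_nonce)


def confirm(responder, proof_ct):
    """B checks message 3; afterwards both sides derive the same key."""
    if rsa_decrypt(responder._priv, proof_ct) != responder.my_nonce:
        raise ValueError("initiator could not read our nonce: authentication failed")
    return True


def run_exchange(initiator, trusted_responder_pub, responder, nonce_a=None, nonce_b=None):
    """Drive the three messages.  The initiator encrypts under the public key
    it trusts (e.g. from its keyring), whoever actually answers."""
    m1 = challenge(initiator, trusted_responder_pub, nonce_a)
    echo, m2 = respond(responder, initiator.pub, m1, nonce_b)
    m3 = verify_and_prove(initiator, trusted_responder_pub, echo, m2)
    return confirm(responder, m3) and initiator.session_key() == responder.session_key()


if __name__ == "__main__":
    # Constructed primes; real keys are of course far larger.
    alice = Party("A", 1000000021, 1000000033, "initiator")
    bob = Party("B", 1000000007, 1000000009, "responder")
    print("genuine peer:", run_exchange(alice, bob.pub, bob))
    mallory = Party("M", 999999937, 999999929, "responder")   # lacks B's key
    try:
        run_exchange(alice, bob.pub, mallory)
    except ValueError as err:
        print("impostor:", err)
```

The point the mail makes is visible in `run_exchange`: whether the nonce is wrapped with RSA or with PGP changes nothing about the flow, since the proof is simply that the peer could unwrap something encrypted under the public key you already trust. An impostor answering in B's place decrypts to garbage, the echo fails to match, and no session key is ever derived for them.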
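On the application-proxy point made above (a proxy looks at application-layer data so that, for example, bogus SMTP commands do not get through, whereas a packet filter only sees a TCP connection to port 25), here is the kind of per-command check such a proxy applies. This is an added example, not code from the mail, from Gauntlet or from any NAI product; the verb table, the argument regexes, the state names and the policy decision to refuse VRFY/EXPN are assumptions, and the client session is constructed.

```python
"""Added example: application-layer validation of an SMTP command stream,
the check a proxy can make and a packet filter cannot.  Lines are assumed
to arrive already stripped of their CRLF."""
import re

# Verbs from RFC 821 plus EHLO; anything else never reaches the real server.
KNOWN = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
         "VRFY", "EXPN", "HELP"}
# Policy choice in this toy: account-enumeration verbs are refused outright.
POLICY_BLOCKED = {"VRFY", "EXPN"}
NO_ARGS = {"DATA", "RSET", "QUIT"}
MAX_LINE = 512            # RFC 821 command line limit, counting CRLF
ANY = {"start", "greeted", "mail", "rcpt"}
# Argument syntax per verb (ESMTP MAIL/RCPT parameters deliberately not accepted).
ARG_RE = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-\[\]:]+$"),
    "EHLO": re.compile(r"^[A-Za-z0-9.\-\[\]:]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>$", re.IGNORECASE),
    "RCPT": re.compile(r"^TO:<[^<>\s]+>$", re.IGNORECASE),
}
# Protocol states from which each verb may be issued.
ALLOWED_FROM = {
    "HELO": ANY, "EHLO": ANY, "RSET": ANY, "NOOP": ANY, "QUIT": ANY, "HELP": ANY,
    "MAIL": {"greeted"}, "RCPT": {"mail", "rcpt"}, "DATA": {"rcpt"},
}


def next_state(verb, state):
    if verb in ("HELO", "EHLO"):
        return "greeted"
    if verb == "MAIL":
        return "mail"
    if verb == "RCPT":
        return "rcpt"
    if verb == "DATA":
        return "greeted"      # relay of the message body is not modelled here
    if verb == "RSET":
        return "start" if state == "start" else "greeted"
    return state              # NOOP, QUIT, HELP leave the state alone


def check_command(line, state):
    """Return (verdict, reason, new_state).  A rejected command leaves the
    state untouched: the proxy answers the client itself and forwards nothing."""
    if len(line) + 2 > MAX_LINE:
        return "reject", "line too long", state
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in line):
        return "reject", "control or non-ASCII byte in command", state
    verb, _, args = line.partition(" ")
    verb = verb.upper()
    if verb not in KNOWN:
        return "reject", f"unknown command {verb}", state
    if verb in POLICY_BLOCKED:
        return "reject", f"{verb} disabled by policy", state
    if verb in NO_ARGS and args:
        return "reject", f"{verb} takes no argument", state
    if verb in ARG_RE and not ARG_RE[verb].match(args):
        return "reject", f"malformed {verb} argument", state
    if state not in ALLOWED_FROM[verb]:
        return "reject", f"{verb} out of sequence in state {state}", state
    return "accept", "", next_state(verb, state)


def filter_session(lines):
    """Run a whole client command stream through the check; returns the verdicts."""
    state, verdicts = "start", []
    for line in lines:
        verdict, reason, state = check_command(line, state)
        verdicts.append((verdict, reason))
    return verdicts


# Constructed client session: a legitimate message followed by abuse attempts.
SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "XEXCH50 12 2",
    "MAIL FROM:<alice@example.test> trailing junk",
    "RCPT TO:<carol@example.test>",
    "VRFY postmaster",
    "A" * 600,
    "QUIT",
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SESSION, filter_session(SESSION)):
        print(f"{verdict:6} {line[:40]:40} {reason}")
```

Every one of the five rejected lines is a perfectly ordinary TCP segment to port 25, which is all a packet filter gets to judge; it is the verb table, argument syntax and command ordering that let the proxy refuse them. It also shows the flip side of the mail's warning: the moment a proxy is added for a protocol (SMB, AOL, or here the VRFY verb), the firewall will pass whatever that proxy is willing to understand, so the proxy's policy table, not its existence, is what decides the exposure.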