Got several good responses, thanks everyone. Quick summary:

- (Tunnel IPX & AppleTalk through IP)
- Cisco PIX
- Elron Software CommandView Firewall
- Lucent Managed Firewall
- Network-1 CyberwallPLUS
- Sun SunScreen EFS 3.0
- Sun SunScreen SPF-200
- TAMU Drawbridge

Useful replies below, some previously sent to the list, but in one package here. We're having vigorous internal discussions on router filters vs. firewalls.

-- Rex Sanders, USGS

==========

>From: "AEHeald" <[EMAIL PROTECTED]>
>Date: Thu, 16 Mar 2000 15:35:10 -0500

I have used the Elron Command View SecureOS firewall. It bridges IPX traffic quite well. Doesn't filter well at all!

Regards
Arian Eigen Heald, CNE,MCP
Network Administrator
DIRECT Federal Credit Union
Needham, MA 02494

==========

Date: Thu, 16 Mar 2000 13:37:15 -0800
From: "Marc Renner" <[EMAIL PROTECTED]>
Subject: Re: Firewalls that bridge AppleTalk & Netware?

I'd check out the Cisco PIX:

http://www.cisco.com/warp/public/cc/cisco/mkt/security/pix/index.shtml

+++++++++++++++++++++++
Marc Renner - Director        http://ci.marysville.wa.us
Network Operations Dept.      Mailto:[EMAIL PROTECTED]
City of Marysville, Wa.       (360) 651-5000
ISSA Member # 10281           http://www.issa.org
+++++++++++++++++++++++

==========

>From: "Fogel, Avi" <[EMAIL PROTECTED]>
>Date: Thu, 16 Mar 2000 17:36:25 -0500

Rex,

I'm of course biased, but I believe Network-1's is the only product that does full filtering and logging for IPX and Appletalk, while doing all the regular things for IP.

If you need more detailed info than available on our site (http://www.network-1.com) or if you'd like a free fully functional short term license (up to 30 days) pls let me know.

Brgrds
Avi Fogel
Network-1

==========

>Date: Thu, 16 Mar 2000 14:53:36 -0800 (PST)
>From: Valerie Anne Bubb <[EMAIL PROTECTED]>

Rex -

If you are considering Sun's SunScreen SPF-200, you may want to consider the latest release of the firewall: SunScreen EFS 3.0b.
EFS 3.0 includes all of the functionality of the SPF-200, and you can run it like the SPF-200 (stealth mode, that is, like a bridge).

The big advantages of EFS 3.0 over SPF-200: cheaper, layered (you can choose to run it on Solaris 2.6 or 7, SPARC or Intel hardware), improved packet filtering, improved performance, improved network address translation, centrally managed groups, new GUI and CLI, and "free" High Availability.

*"free" -- you only have to pay for one copy of the firewall, then you can install multiple HA hosts for that cluster w/out additional licensing fees.

Also, you can run SunScreen EFS 3.0b in routing mode, if you want to deploy this as a router instead of a stealth box.

SunScreen EFS 3.0b in stealth mode does filter on non-IP traffic (ether level).

The SunScreen product line has been around for several years, is very stable, and scales very well as you add processors to the firewall machine.

http://www.sun.com/security/

hope that helps.

Valerie
(I'm biased -- I work on the product... ;-)

==========

>From: Ben Nagy <[EMAIL PROTECTED]>
>Date: Fri, 17 Mar 2000 17:11:16 +1030

If you look at a Cisco router you can actually do real filtering for both Appletalk (filter GZL / ZIP to block zone advertisements and filter data to stop network A accessing network B's stuff etc etc) and IPX (pretty much whatever you want).

You'll need the "Desktop" feature set at least to get IP/IPX/AT/DEC. If you want IP/Firewall as well then bump it up one more. Ask your local Cisco reseller for router configs / required RAM etc etc etc.

Cheers!

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

==========

>From: [EMAIL PROTECTED]
>Date: Fri, 17 Mar 2000 10:14:24 -0500

DISCLAIMER: I work for Elron Software (but I am not a sales or marketing guy)

Elron Software's CommandView Firewall is also a bridge based firewall that can serve your needs. You can either bridge the IPX traffic or pass it through the IPX SMLI engine.
It's one of the few firewalls in the market that have SMLI engine for IPX traffic. In addition, it allows you to bridge all other non-IP and non-IPX traffic including Appletalk. It not only allows you to bridge traffic based on protocols but also based on MAC addresses which makes it a good fit as an internal firewall.

You can download the CommandView firewall for free for evaluation from Elron Software's web site (www.elronsw.com).

Mohammed
Elron Software

==========

>From: "Don Kelloway" <[EMAIL PROTECTED]>
>Date: Fri, 17 Mar 2000 10:12:52 -0500

Elron Software's CommandView Firewall for NT (v3) or SecureOS Firewall (v2.5) offers the ability to filter the IPX/SPX protocol. Both offer SMLI and are available as fully-functional trials.

Visit http://www.elronsoftware.com for more information.

Best Regards,

Don Kelloway
http://www.commodon.com

==========

>Date: Fri, 17 Mar 2000 10:37:25 -0500 (EST)
>From: "Paul D. Robertson" <[EMAIL PROTECTED]>

On Thu, 16 Mar 2000, Rex Sanders wrote:

> I need internal firewalls, which can pass (if not filter) AppleTalk and
> Netware, while doing the usual firewall things to IP.

If you understand the risks of tunneling these protocols (esp. Appletalk), and you're using Cisco routers internally at both ends, you can tunnel both protocols over IP and do some filtering at the end of each tunnel. You can also encrypt the traffic over an IPSEC tunnel if you want to give some measure of privacy and ensure that the contents haven't been modified in transit.

At that point, it's a matter of letting the tunnel through the firewall and you can pick almost any popular firewall.

AppleTalk is just plain nasty as an internetwork protocol. Try to avoid it if at all possible. Most Apple products will talk IP these days.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
PSB#9280

==========

Date: Fri, 17 Mar 2000 22:49:27 +0100 (CET)
From: The Pal / Patrik Bodin <[EMAIL PROTECTED]>

A Cisco router can do all of the requested (including bridging), and if you include the Firewall Feature Set you will get protection above level 3 too.

/P

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
