> -----Original Message-----
> From: Irony [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 28, 2001 2:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Just Plain Wrong (Was: Netscreen or Watchguard Firebox)
>
> Gauntlet 5.5 for NT may not be the best firewall for my installation. But it
> is what I can afford.

Gauntlet 5.5 for NT is actually not too bad. Based on my experience with G5.5 for Solaris, it's possibly even _better_. How amusing.[1]

> There has been some debate at NAI regarding the continued upgrade/enhancement
> of Gauntlet for NT, as NAI sees its market segment (the lower cost non
> Checkpoint shops) being reduced by firewall appliances.

No debate. Gauntlet for NT is dead. 5.5 will continue to be supported, but no new features will be added. That's a paraphrase of the PGP Director of Product Management. (Gauntlet-user list, search archives for Marvin Dickerson)

> Disregarding the honeypot in my configuration, I just wanted an additional
> level of security, as I am not confident that Gauntlet is doing a good job.

Why? You can't just Make Stuff Up. Have you audited your firewall? Have you done external scans? Have you run an IDS on the internal network? Have you had your configuration checked by a third party auditor?

You should at least run through a basic audit. Lance Spitzner has a decent paper on a basic scan-based audit (www.enteract.com/~lspitz and I forget the rest). It uses free tools.

> I do not have a tool that I can use to examine the packets that get past the
> firewall. Any suggestions?

NAI's Sniffer Basic is mad expensivo. Ethereal is free, and available for all Windows versions and most *nixes. It's quite good.

> I am hard at work learning Solaris and hope to have an IDS running on it
> soon.
>
> Any comments
>
> ps - Adding VPN at a few branch offices to my configuration in a few months

I'm probably giving you a hard time unjustly - your basic plan is good. Two different firewalls with a packet-filter up front and a proxy at the back is a "best practice" topology.

I think what you need to focus on now is assurance. Audit your firewall architecture, products, rulebases and policies. Make sure they're doing what you think they are. An IDS is a good plan, but not worth doing until you've verified your config so you can define _exactly_ what is unexpected traffic.

Just my usual random ranting...

Cheers,

[1] Yeah, I probably can't just make a throwaway comment like that. IMHO, the Solaris product is fragile. There are a bunch of areas (Sendmail, Cyberpatrol, BIND) that are...um...tricky. The fact that it runs Sendmail and BIND at _all_ is a grave concern, for me. The new eppliance boxes are billed as plug-in-and-go solutions - feh. Put someone with little Solaris experience in front of one of them and try and firewall a large network. Annnnnyway, that's probably enough ;)

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
