Firewall Wizards mailing list archives

Re: NT Gauntlet vs. BSD Gauntlet, Gauntlet "users"


From: Linwood Ferguson <ferguson () uvii mag aramark com>
Date: Wed, 10 Dec 1997 09:12:00 EST

At 12:18 PM 12/3/97 EST, Linwood Ferguson wrote:
TIS has changed their licensing to allow only limited "users".

That is to say we dropped prices to allow small shops to pay less. :-)

Their explanation of a "user" is any IP address protected by the
firewall.  Has anyone explored what this means from an implementation
standpoint?

You really probably need to ask sales and support at TIS since it is TIS'
license you are talking about. No reason you couldn't post the answer
here. I don't know the official answer and I'd find out but again, it is
best for you to get it directly from the people who are responsible. No?

That's fair, since I did not explain how hard I tried already.

I tried and tried and tried, and got what I considered an ambiguous
answer.  Here is the text of my final exchange with them:

My question in single >'s, their answers in double >> (from a
Katie Duncan at TIS):

> Hi.  Per our discussion, I have a few questions.
>
> My understanding is that for future updates, whatever maintenance we sign
> up for will determine the user limitation of the firewall after some future
> update where you implement enforcement of your user counts.  Is that right?

>> Right, when we start enforcing the user count, the customer's
>> license will permit the firewall to operate up to a given count.

> What I need to understand is fairly precisely what a "user" is.  Perhaps
> some specific questions will help:
>
> - We send and receive e-mail from potentially several hundred users inside
>   the firewall, with SMAP acting as the relay between.  Are they users?
>
> - We have far fewer users allowed to do web browsing or ftp or telnet
>   through the firewall outbound, but all of those are proxy out, not
>   some form of tunnel or firewall to firewall encryption.  Are they
>   users?
>
> - We have even fewer still allowed to come inbound through the firewall,
>   again with strict proxy not fw to fw encryption.  Are they users?

>> Here's the definition:
>>
>> Number of networked systems (hosts, printers and other peripherals) with
>> IP addresses that are protected by, and can route to the firewall.  This
>> number is to include remote users who are securely accessing the firewall
>> via Virtual Private Networks.


OK, I asked very specific questions, and got what to me is an answer that
might be interpreted two ways, with the key in "AND can route to the 
firewall".

Is there a route between our inside users and the firewall -- yes.

Can they use it - NO.  We have them blocked from access to the outside
(per my second point). Since they BOTH said "are protected by" and added
on "and can route to" I still do not know if being blocked at the firewall
from any internet access means they are not "users".

OK, so maybe I'm stupid for not being able to correctly interpret their 
"definition", but I'm a customer, I needed to issue a PO, I asked specific
questions with our specific scenario.  Giving me what I needed to know
would take three "yes" or "no" answers.  This was the third attempt (one
via mail, one via phone, and a third via mail).

Since I could not get an answer from TIS after three tries, I thought I
would come to the experts who might know how it was actually implemented.

At this point I picked a middle ground of 250 users.  That's marginal 
in terms of IP addresses inside, and WAY over the number of users who
can make any use of internet services by touching the firewall.   As it
was our maintenance went up by 300% for what is the same service and less
capability, but if that's active internet users I'll be happy enough. 

But if I find out a year from now that their software starts blocking
authorized users because it "saw" some IP address inside and counted it,
and I have to send them a check for $5500 (which is the next tier upgrade
price) I'm going to go from being one very happy Gauntlet user to a
very unhappy one.

So if there is someone out there who can give me a straight answer to
those really simple questions and knows it matches the license enforcement
implementation by TIS (I'm not asking what you think it ought to be), it
would simplify my worry quite a bit.

And I just realized we have another question I didn't ask, but probably
should have.  We have a third interface.  That interface to us is an 
"outside" interface that goes to a much larger corporate network, and we
treat it as untrusted.  We also do not allow it to route to the internet
connection (we treat it literally as a second "outside").

With these new rules, is every IP it sees on that third interface going
to count against me as well?

Thanks in advance!

    - Linwood

-----------------------------------------------------------------------
Linwood Ferguson                  e-mail: ferguson () mag aramark com
Director, Software Engineering    Voice:  (US) 540/967-0087
ARAMARK Mag & Book Services             
