Firewall Wizards mailing list archives

Controlling outbound access to the firewall


From: Tyrrell Kevin <tyrrell () foremostsales com>
Date: Thu, 16 Apr 1998 15:24:46 -0400


We are in the process of planning a direct connection to the Internet.
Our Enterprise Network is based on NetWare 4.11 and we use NDS for our
directory service. We have narrowed the choices for the bastion host
down to Checkpoint FW-1 on Solaris and TIS Gauntlet on BSD. We do not
plan on giving all employees Internet access, but there will still be
around 300 who will have access. 

Our original plan was to use Novell's BorderManager between the bastion
host and the EN for caching and controlling access to the outside
through the NDS object rights associated with BorderManager. This part
of the plan has been cut out due to -$$$. It may be put in place later
if the caching is needed. 

(We are also putting up an Intranet based on IIS. All EN users will have
browsers and we plan on controlling what they can access on the Intranet
server by using NDS for NT.)

How does one go about controlling access to the bastion host? I don't
want these users having IDs on the bastion host. So what other choices
are there?

PS: Please, no comments on FW-1 vs. Gauntlet preferences outside of the
access question. That's for us to decide - which product will implement
our security policy the best.

Thanks,

Kevin


