Firewall Wizards mailing list archives

RE: Controlling outbound access to the firewall


From: "Joe Ippolito" <joe () joesnet com>
Date: Sat, 18 Apr 1998 10:42:22 -0700

We are also a primarily NW 4.11 shop.  I currently use MS Proxy 2 behind
Firewall-1 on NT. We also found Border Manager to be too pricey and quite
complicated to set up.  Firewall-1 is not inexpensive either though.  A word
of caution too, Check Point's ability to support their product is almost
non-existent. I have gotten much better help from this news list than from
our reseller or Check Point.  Make sure you purchase it from a reseller with
lots of experience and write your contract carefully.  If you do use
Firewall-1, put it on Solaris.  Check Point is a Unix software vendor and it
may be a while before they get serious about NT.

I originally set up MS Proxy 1.0.  If I knew what I know now about 2.0 and
did not need to host a public Web site, I would have used MS Proxy without
Firewall-1.  MS Proxy is simple to set up and works well.  Use the latest
hot fixes, unbind everything but TCP/IP from the outside NIC, use private
(non-routable) addresses on the inside and filtering.

What I have heard about NDS for NT makes it sound like it would work with MS
Proxy and the price has gotten much more reasonable.  If you use it I would
like to know what you learn.  Otherwise I will wait for ADS and try to
convince my management to dump NW.  My goal is one security provider, one
network OS, one layer-3 protocol suite (TCP/IP), lots of application server
capability and Internet standards.  I know there are lots of MS-haters out
there but I like boating in the deepest part of the river.

I also use MS SQL Server to log Internet access down to the URI by user name
and a custom html front end that managers can use to view what their
employees have been doing.  It is actually even fast on the same box as MS
Proxy.  Be sure to point the ODBC DSN to local, configure memory allocation
for SQL Server, and use lots of RAM.  We do not block sites and employees
are left responsible for their own actions.

The other product we use is Symantec's NAV for Firewalls.  Check Point has
a considerable amount of work to do on CVP.  Anyone out there tried any of
the virus scanning products for MS Proxy?

-----Original Message-----
From:   owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]
On Behalf Of Tyrrell Kevin
Sent:   Thursday, April 16, 1998 12:25 PM
To:     'Firewall Wizards'
Subject:        Controlling outbound access to the firewall


We are in the process of planning a direct connection to the Internet.
Our Enterprise Network is based on Netware 4.11 and we use NDS for our
directory service. We have narrowed the choices for the bastion host
down to Checkpoint FW-1 on Solaris and TIS Gauntlet on BSD. We do not
plan on giving all employees Internet access, but there will still be
around 300 who will have access.

Our original plan was to use Novell's BorderManager between the bastion
host and the EN for caching and controlling access to the outside
through the NDS object rights associated with BorderManager. This part
of the plan has been cut out due to -$$$. It may be put in place later
if the caching is needed.

(We are also putting up an Intranet based on IIS. All EN users will have
browsers and we plan on controlling what they can access on the Intranet
server by using NDS for NT.)

How does one go about controlling access to the bastion host? I don't
want these users having ids on the bastion host. So what other choices
are there?

PS: Please, no comments on FW-1 vs. Gauntlet preferences outside of the
access question. That's for us to decide - which product will implement
our security policy the best.

Thanks,

Kevin


