Great Circle Associates Firewalls
(September 1992)


Subject: Re: commercial Internet gateway products
From: John Larson <jlarson @ parc . xerox . com>
Date: Thu, 24 Sep 1992 13:42:59 PDT
To: davidsen @ crd . ge . com
Cc: firewalls @ GreatCircle . COM

>> As far as I'm concerned, the proper filtering is to not pass packets.
>> That's the way we run. People must ftp stuff onto the firewall, then
>> off, or log in and telnet out. 

Our experience at Xerox PARC is that one of the weakest links is the
users' poor selection of passwords on the firewall gateway (despite
guidelines, password checking programs, etc). The larger the
commercial internet, the more logins on the firewall, the less secure
things get.

We switched to using the Sun proxy gateway system to eliminate all the
user logins for outbound telnet/ftp.  In my opinion, this is a far more
secure state, plus the users get the increased functionality of direct
access from their home machines.  The proxy client interface is trivial
and it is easy to access and use from most types of machine.  People
have also hacked together Mac and Next interfaces here at PARC.

There are many other aspects to the Xerox PARC firewall system to
support the various needs of a diverse R & D community, but I'm not sure
it is a good idea to go into all the details here.

John Larson
Network Consultant
