Great Circle Associates Firewalls
(December 1994)
 


Subject: Re: Firewall case study
From: maass @ odb . rhein-main . de (Joerg Maass)
Date: Fri, 2 Dec 1994 19:25:57 +0100
To: beames @ ins . com (Ken Beames), firewalls @ greatcircle . com, info @ checkpoint . com

Hi Ken,

At 13:01 Uhr 30.11.1994 -0800, Ken Beames wrote:
>1. How does Firewall-1 handle mail?  Does it come with something like TIS's
>SMAP?
>

From what I understand from the Checkpoint Web Server and promo literature
(remember, Firewall-1 is NOT a Sun product), Firewall-1 is a simple packet
filter. If you want to handle mail, do it yourself.

>2. I have users that need to dial in to get mail, and this means _through_
>the front door of the firewall. (We don't have our own dialup server)
>

Get one and/or use authentication devices like the ones from Security
Dynamics and Digital Pathways.

>We are using a bunch of different mail servers; not everyone goes to the
>same server.
>
>I'd like to pass mail, as well as basic services (ftp, telnet, http), but in
>order to do so securely, (well, as much as possible) I'm of the opinion that
>I'll need access lists a mile long to allow this.
>

No. Different mail hubs are no problem. Allowing the several applications is
not a problem if you use application gateways, which to my knowledge
Firewall-1 doesn't provide. I'd suggest (and I'm biased :-) that you
contact a vendor that sells a firewall, not a packet filter.

>the design is a dual screening router with an application filter (sparc with
>something like firewall-1) in between.
>

You mean that the router filters in- and outbound traffic, don't you? If
so, you essentially have a bastion host design (additional security by
means of the screening router). This design can be hacked (see GE incident
this week). I'd try to install a screened subnet configuration, if
possible.

Check the Digital SEAL page :

                http://www.digital.com/info/seal.html

      SEAL docs/kits :

                ftp://www.pcs.dec.com/pub/net-tools/SEAL

      FTPable documents :

                ftp://ftp.digital.com/

Internet Security: Screening External Access Link (SEAL)
    Customer Update Article -- May 1994, 2 Pages
    Text      : /pub/Digital/info/Customer-Update/940509010.txt

Screening External Access Link (SEAL) Consulting Service
    Infosheet -- May 1994, 1 Page
    Abstract  : /pub/Digital/info/infosheet/seal-consulting-service.abs
    PostScript: /pub/Digital/info/infosheet/seal-consulting-service.ps

United States Contact:

    Dick Calandrella at 508-496-8626


As I said, I'm biased :-).


All the best



Josch


--
Am Tiergarten 22            Tel.: +49/69/4990880
D-60316 Frankfurt           Fax : +49/6103/383-157

Germany                     private: maass @ thinkfish . rhein-main . de
                            biz.:    Joerg . Maass @ frs . mts . dec . com

PGP signature available upon request.


