Hi!
> Date: Wed, 26 Apr 1995 11:41:38 -0400
> From: mms!eng.ricohcorp.com!fwall (Firewall Subscriber)
> To: greatcircle.com!firewalls
> Subject: Livingston IRX Firewall Router
> Hi
>
> Our company is looking into Firewalls and wondered if anybody is using
> Livingston IRX Firewall and whether it is a good alternative to building
> your own Firewalls. I understand it does have logging capabilities and
> the networks can be separated into Public and Private. The Public being the
> DMZ. It also has RADIUS security authentication server and PMCONSOLE API
> for major Unix Workstations.
>
> Any comments on the Products would be appreciated.
We are using (and selling ;-) Livingston PortMaster 2e
(Terminalservers) and Livingston Firewall IRX. Both use similar
operating systems (COMOS) and similar filtering techniques.
IMHO, "black boxes" like the Firewall IRX are better than Unix-based
firewalls for some reasons:
(1) Unix-based systems first have to be made secure prior to
installing the firewall software. This is historically a hard job for unix
;-). If the Unix OS is compromised, the firewall is totally
worthless.
(2) Unix-based systems handle a lot more than just routing and
filtering. Boxes like the IRX mostly achieve a higher packet
throughput.
(3) Firewall boxes are easier to maintain, because they are
specialized in the firewall tasks.
The Livingston Firewall IRX is a good alternative to higher-priced
firewall systems (e.g. Cisco, Wellfleet, ...). Ok, the IRX just
handles TCP/IP and IPX, but for us this is enough.
The filtering mechanisms are very versatile. Filters can be set on the
interfaces (synchronous, asynchronous and ethernet ports) for
incoming and outgoing packets. Filters can also be set on a per-user
basis; you can decide whether the user filters may override the
interface filters.
Here is a filtering example on a per-user basis. The user connects via
an asynchronous dial-in port and may connect to a WWW-server, SMTP-
and POP3-server (class-c means a sample class-c net for the dialup-users,
bastion means a sample bastion host with the mentioned services):
# Allow incoming www-connections
set filter pop3.in 1 permit class-c/24 bastion/32 tcp dst eq 80
set filter pop3.out 1 permit bastion/32 class-c/24 tcp src eq 80 estab
# Allow incoming SMTP
set filter pop3.in 2 permit class-c/24 bastion/32 tcp dst eq 25
set filter pop3.out 2 permit bastion/32 class-c/24 tcp src eq 25 estab
# Allow incoming POP3
set filter pop3.in 3 permit class-c/24 bastion/32 tcp dst eq 110
set filter pop3.out 3 permit bastion/32 class-c/24 tcp src eq 110 estab
# Allow ICMP for debugging
set filter pop3.in 6 permit class-c/24 bastion/32 icmp
set filter pop3.out 6 permit bastion/32 class-c/24 icmp
# Deny the rest and log violations
set filter pop3.in 8 deny log
set filter pop3.out 8 deny log
This is just an example of how to set filters. The log attribute enables
logging on the syslog-host. It is also possible to use src and dst
ports in one rule, and not just "eq" but also "gt" and "lt" comparisons.
Users and locations may be defined locally on the portmaster. I
personally prefer a RADIUS-server on a unix host (the source is
available and thus may be ported to many systems). RADIUS
authentication packets are sent key-encrypted over the network.
RADIUS also supports accounting data (start and stop entries for the
sessions). Session parameters may be obtained using the PMCOMMAND
utility on the unix host. Together with the RADIUS accounting, one
can compute bandwidth and traffic for each session using some smart
perl-scripts.
There is a mailing list for portmaster users,
"portmaster-users@msen.com"; to participate send "subscribe
portmaster-users" in the mail body to majordomo@msen.com.
Further information may be obtained at http://www.livingston.com
regards,
Frank
--
Frank M. Heinzius MMS Communication
frimp@mms-gmbh.de Eiffestrasse 596
Phone: +49 40 2111105-0 Fax: +49 40 211598
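An added illustration of the per-user filter semantics discussed in Frank's mail (not code from the original post or from Livingston): a small simulator that parses the "set filter" lines, replaces the "class-c" and "bastion" placeholders with constructed addresses, and evaluates sample packets against the pop3.in/pop3.out lists. It assumes first-match evaluation in sequence order, an implicit deny when no rule matches, and that "estab" means the TCP ACK bit is set; it uses only the WWW and POP3 rules from the mail.

```python
import ipaddress
import operator
# Constructed addresses for the mail's "class-c" and "bastion" placeholders (assumed).
NAMES = {"class-c": "192.0.2.0", "bastion": "198.51.100.10"}
CMP = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt}

def to_net(text):
    host, plen = text.split("/")
    return ipaddress.ip_network(f"{NAMES.get(host, host)}/{plen}", strict=False)

def parse_rule(line):
    """Parse 'set filter NAME SEQ ACTION [SRC DST [PROTO [src|dst CMP PORT]]] [estab] [log]'."""
    tok = line.split()
    flags = tok[5:]
    rest = [t for t in flags if t not in ("estab", "log")]
    return {"name": tok[2], "seq": int(tok[3]), "action": tok[4],
            "src": to_net(rest[0]) if len(rest) > 1 else None,
            "dst": to_net(rest[1]) if len(rest) > 1 else None,
            "proto": rest[2] if len(rest) > 2 else None,
            "port": (rest[3], CMP[rest[4]], int(rest[5])) if len(rest) > 5 else None,
            "estab": "estab" in flags, "log": "log" in flags}

def matches(rule, pkt):
    """True if the packet satisfies every constraint the rule carries."""
    checks = [
        rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"],
        rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"],
        rule["proto"] is None or rule["proto"] == pkt["proto"],
        rule["port"] is None or rule["port"][1](pkt[rule["port"][0] + "port"], rule["port"][2]),
        # "estab": only packets of an already established TCP connection (ACK
        # set) match, so the bastion cannot open new connections to the users.
        not rule["estab"] or pkt.get("ack", False),
    ]
    return all(checks)

def evaluate(rules, name, pkt):
    """First matching rule of filter `name` (sequence order) decides: (action, logged)."""
    for rule in sorted((r for r in rules if r["name"] == name), key=lambda r: r["seq"]):
        if matches(rule, pkt):
            return rule["action"], rule["log"]
    return "deny", False  # assumed default when no rule matches

RULES = [parse_rule(l) for l in """\
set filter pop3.in 1 permit class-c/24 bastion/32 tcp dst eq 80
set filter pop3.out 1 permit bastion/32 class-c/24 tcp src eq 80 estab
set filter pop3.in 3 permit class-c/24 bastion/32 tcp dst eq 110
set filter pop3.out 3 permit bastion/32 class-c/24 tcp src eq 110 estab
set filter pop3.in 8 deny log
set filter pop3.out 8 deny log""".splitlines()]
```

Running it shows why the "estab" keyword matters: a packet from the bastion's port 80 towards a dial-up user is permitted only when it belongs to an existing connection, and anything else falls through to the final "deny log" rule and ends up on the syslog host.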