I'm curious to see the impact of this message on the firewalls list server
community. What opinions are there towards meeting the following requirements
for a firewall/DMZ? Please do not include costs or references associated
with local circuit or access providers as this varies around the globe.

Low Cost Firewall: $2,000 US (hardware/software included)

1) TCP/IP filtering mechanism that allows for priority queuing
2) HTTP caching proxy support (internal and external)
3) FTP caching proxy support (internal and external)
4) GOPHER caching proxy support (internal and external)
5) Telnet proxy support (internal and external)
6) SMTP secured mail transport mechanism (inbound and outbound)
7) DNS Server Capability (forwarding, caching, and secondary support)
8) HTTP Server Support for External/Internal WWW pages
9) MBONE tunnel endpoint (secure internal broadcast)
10) IRC Client and Server support (internal and external)
11) WAIS caching proxy support (internal and external)
12) POP mail support
13) Automatic Status reports and cache management features.
14) ALL ON THE SAME MACHINE!

My intent by clarifying "internal and external" is for a configuration
where a WWW browser (i.e. Netscape) proxy configuration points to a single
firewall machine for proxy services. The use of command line tools such
as telnet and ftp that DO NOT support proxy gateways in their configuration
MUST also be supported. This firewall should be able to access both
internal HTTP, FTP, IRC, etc. servers from the proxy as well as all known
Internet services. It must also be configurable to support raw port tunneling
for other obscure services such as NFS or MBONE.

Currently, I have personally evaluated many products (UNIX, DOS/Windows,
and NT) to try and meet similar requirements for our site. I was unable
to meet these requirements with a single vendor product. We were forced
to build a hybrid solution of many different software products written

My opinion is that UNIX (whatever flavor you pick) is FAR SUPERIOR to DOS/Windows
or Windows NT (Not There, Nice Try, No Thanks!) for a highly functional
and secure Internet firewall. Not to mention, cheaper and more reliable.
The Microsoft-based products evaluated gave me basic services at best.

The opinions expressed here are my own. They in no way reflect the opinions
of my company.

Jay Tingiris - Network Systems Programmer III
AT&T Paradyne Corporation