Great Circle Associates Firewalls
(July 1996)

Subject: RE: Catapault firewall
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Wed, 3 Jul 1996 20:06:24 -0400
To: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>

[rant]
Art's message about networkMCI WebMaker was the first time I'd heard of the 
product. See, I work for MCI, actually, SHL, which is owned by MCI. Actually, 
I am the National Coordinator for the regional Internet/Intranet 
Professional Services groups here in Canada (at least that's the title 
they've given me). Unfortunately, my position doesn't mean squat to 
corporate MCI. Third party Firewall developers have asked me for my opinion 
on their products, but the company I work for doesn't know I exist 
(presumably). For Christ's sake, the damn thing even uses NT at its 
core...;-[...like I might know a thing or two about NT...;-[ ...Anyone 
wonder why I'm looking for new digs??? (p.s. has to be in Canada)
[/rant]

For a more detailed description of the networkMCI WebMaker product, have a look at:

http://www.webmaker.mci.com/webmaker/features/secbrf.htm

which has some technical information about the security design of the 
WebMaker product. It isn't simply NT running on a Pentium Pro. The box 
includes a "Router on an ISA card", which is a packet-filtering router 
which only allows packets through on tcp 80/443/25, tcp 21 (outbound only), 
and port 1023 for established client connections. It also allows udp 53 for 
DNS.

With these ports only, it's impossible to get to NT's server components like 
RPC or NetBIOS from the Internet, so issues like remotely accessing its 
registry or logging into the server are pretty much out of the question. 
Access to the box from the LAN is restricted by the Intel Proxy Server 
which supposedly only understands HTTP. Depending on how that's been 
implemented, it may still be possible to access the NT Workstation's 
registry from the LAN.

This "Router on a card" has its own Ethernet port, and uses a management 
application that speaks directly to it, not to NT. IP Forwarding is turned 
off in NT, and two additional ethernet adapters are in the box. One 
connects to the ethernet port on the "Router on a card" using a cross-over 
cable to establish connectivity to the Internet, the other connects to the 
Internal network.

The Proxy Server is from Intel??, and they say it will only allow outbound 
HTTP requests (which sorta contradicts the statement about FTP being 
allowed for outbound only??). It proxies the requests and therefore does 
not use the internal IP addresses.

All the marketing tripe to one side, this is a nice piece of hardware. So 
while the software being used would need to be evaluated to determine if 
it's safe or not, the concept is pretty sound and the implementation seems 
to adhere to the design principle.

[megarant]
Either way, it's another example of how my parent company wants to put me 
out of a job, embarrass me in public, and in general, ignore their hired 
guns in lieu of *unknown* (to me). Maybe they figured that since the 
WebMaker will only be available in the U.S. they didn't need the opinion of 
a Canadian. Obviously nobody from MCI (other than me) reads this list. Do I 
sound bitter?...naw...;-]
[/megarant]

Cheers,
Russ
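The packet-filter policy Russ describes for the "Router on an ISA card", modelled as an added example. This is not the product's configuration and not code from the post; it is a toy filter written for this archive page. Several readings are assumptions: "port 1023 for established client connections" is read as TCP ports 1023 and above, "established" is read as the Cisco-style test (ACK or RST set, i.e. not an opening SYN), UDP 53 is allowed in both directions so replies get back, and "in"/"out" mean Internet-to-box and box-to-Internet. The sample packets are constructed, not captured.

```python
"""Toy model of the WebMaker router-on-a-card filter policy (added example).

Assumptions (not stated on the page): 'established' = ACK or RST set;
'port 1023' = ports >= 1023; UDP 53 allowed both ways.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                          # "in": Internet -> box, "out": box -> Internet
    proto: str                              # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}


SERVER_PORTS = {80, 443, 25}   # HTTP, HTTPS, SMTP accepted from the Internet
FTP_CONTROL = 21               # allowed outbound only
DNS = 53                       # udp 53 for DNS
EPHEMERAL_MIN = 1023           # assumed reading of "port 1023 for established client connections"


def is_established(pkt: Packet) -> bool:
    """Cisco-style 'established' test (assumption): ACK or RST set, so a bare SYN never matches."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return ("allow" | "deny", matched rule). Rules are checked in order; default deny."""
    if pkt.proto == "tcp":
        if pkt.direction == "in" and pkt.dport in SERVER_PORTS:
            return "allow", f"inbound tcp/{pkt.dport} service"
        if pkt.direction == "out" and pkt.dport == FTP_CONTROL:
            return "allow", "outbound ftp control"
        if pkt.dport >= EPHEMERAL_MIN and is_established(pkt):
            return "allow", "established, to client port"
    elif pkt.proto == "udp":
        if DNS in (pkt.sport, pkt.dport):
            return "allow", "dns"
    return "deny", "default"


# Constructed sample traffic, each named for what it represents.
SAMPLE_PACKETS = {
    "client_syn_to_http":        Packet("in",  "tcp", 40000, 80,   frozenset({"SYN"})),
    "http_reply_to_client":      Packet("out", "tcp", 80,    40000, frozenset({"ACK"})),
    "netbios_syn_from_internet": Packet("in",  "tcp", 40001, 139,  frozenset({"SYN"})),
    "rpc_syn_from_internet":     Packet("in",  "tcp", 40002, 135,  frozenset({"SYN"})),
    "outbound_ftp_control":      Packet("out", "tcp", 1500,  21,   frozenset({"SYN"})),
    "ftp_control_reply":         Packet("in",  "tcp", 21,    1500, frozenset({"SYN", "ACK"})),
    "inbound_ftp_syn":           Packet("in",  "tcp", 40003, 21,   frozenset({"SYN"})),
    "inbound_syn_to_high_port":  Packet("in",  "tcp", 40004, 1500, frozenset({"SYN"})),
    "active_ftp_data_syn":       Packet("in",  "tcp", 20,    1501, frozenset({"SYN"})),
    "dns_query":                 Packet("out", "udp", 1100,  53),
    "dns_reply":                 Packet("in",  "udp", 53,    1100),
}


def verdicts() -> Dict[str, str]:
    """Evaluate every sample packet and return name -> verdict."""
    return {name: evaluate(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        verdict, rule = evaluate(pkt)
        print(f"{name:28s} {verdict:5s} ({rule})")
```

The model reproduces the point made in the message: opening SYNs to NetBIOS (139) and RPC (135) from the Internet never match a rule and fall through to deny, while replies to the server's own HTTP clients pass on the "established" rule. One caveat worth checking against the real product rather than this toy: with the control channel the only FTP traffic listed, an active-mode data connection (server connecting from port 20 to a high port, the "active_ftp_data_syn" sample) is denied under this reading, and a passive-mode outbound SYN to a server's high port would be denied too.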
