[rant]
Art's message about networkMCI WebMaker was the first time I'd heard of the
product. See, I work for MCI, actually, SHL who is owned by MCI. Actually,
I am the National Coordinator for the regional Internet/Intranet
Professional Services groups here in Canada (at least that's the title
they've given me). Unfortunately, my position doesn't mean squat to
corporate MCI. Third party Firewall developers have asked me for my opinion
on their products, but the company I work for doesn't know I exist
(presumably). For Christ's sake, the damn thing even uses NT at its
core...;-[...like I might know a thing or two about NT...;-[ ...Anyone
wonder why I'm looking for new digs??? (p.s. has to be in Canada)
[/rant]
For a more detailed description of the networkMCI WebMaker product, have a look at:
http://www.webmaker.mci.com/webmaker/features/secbrf.htm
which has some technical information about the security design of the
WebMaker product. It isn't simply NT running on a Pentium Pro. The box
includes a "Router on an ISA card", which is a packet-filtering router
which only allows packets through on tcp 80/443/25, tcp 21 (outbound only),
and port 1023 for established client connections. It also allows udp 53 for
DNS.
With these ports only, it's impossible to get to NT's server components like
RPC or NetBIOS from the Internet, so issues like remotely accessing its
registry or logging into the server are pretty much out of the question.
Access to the box from the LAN is restricted by the Intel Proxy Server
which supposedly only understands HTTP. Depending on how that's been
implemented, it may still be possible to access the NT Workstation's
registry from the LAN.
This "Router on a card" has its own Ethernet port, and uses a management
application that speaks directly to it, not to NT. IP Forwarding is turned
off in NT, and two additional ethernet adapters are in the box. One
connects to the ethernet port on the "Router on a card" using a cross-over
cable to establish connectivity to the Internet, the other connects to the
Internal network.
The Proxy Server is from Intel??, and they say it will only allow outbound
HTTP requests (which sorta contradicts the statement about FTP being
allowed for outbound only??). It proxies the requests and therefore does
not use the internal IP addresses.
All the marketing tripe to one side, this is a nice piece of hardware. So
while the software being used would need to be evaluated to determine if
it's safe or not, the concept is pretty sound and the implementation seems
to adhere to the design principle.
[megarant]
Either way, it's another example of how my parent company wants to put me
out of a job, embarrass me in public, and in general, ignore their hired
guns in lieu of *unknown* (to me). Maybe they figured that since the
WebMaker will only be available in the U.S. they didn't need the opinion of
a Canadian. Obviously nobody from MCI (other than me) reads this list. Do I
sound bitter?...naw...;-]
[/megarant]
Cheers,
Russ
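As an added illustration, not code from the post, from MCI or from Intel, here is a small Python model of the packet-filter policy Russ describes for the "Router on a card". It lets a reader check the claim that NT's RPC/NetBIOS ports are unreachable from the Internet under those rules, and shows what changes if the "established" rule is implemented loosely. Two assumptions the post does not state: "port 1023 for established client connections" is taken to mean TCP reply traffic (ACK bit set) to ports above 1023, and the filter is modelled as stateless, deciding on one packet at a time.

```python
"""Model of the WebMaker 'Router on a card' packet-filter policy as described
in the post. Illustrative only; the real filter's rule syntax is unknown.
Assumptions (not in the post): 'established' == TCP packet with ACK set to a
port above 1023; the filter is stateless and default-deny."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (towards the Internet)
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag set, i.e. a reply to an existing connection


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "in", "out", or "any"
    proto: str
    port_lo: int        # inclusive destination-port range
    port_hi: int
    established_only: bool = False   # require the ACK flag (assumed meaning)

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != pkt.proto:
            return False
        if not (self.port_lo <= pkt.dport <= self.port_hi):
            return False
        if self.established_only and not pkt.ack:
            return False
        return True


# The policy as the post describes it: tcp 80/443/25, tcp 21 outbound only,
# udp 53, and high ports for established connections. Everything else drops.
POLICY = [
    Rule("http",        "any", "tcp", 80, 80),
    Rule("https",       "any", "tcp", 443, 443),
    Rule("smtp",        "any", "tcp", 25, 25),
    Rule("ftp-out",     "out", "tcp", 21, 21),
    Rule("dns",         "any", "udp", 53, 53),
    Rule("established", "any", "tcp", 1024, 65535, established_only=True),
]

# Hypothetical weak variant: the high-port rule without the ACK check. This
# is the "depending on how that's been implemented" case, not the product.
WEAK_POLICY = [r for r in POLICY if r.name != "established"] + [
    Rule("high-ports-any", "any", "tcp", 1024, 65535),
]


def decide(pkt: Packet, policy=POLICY):
    """Default-deny: first matching rule allows the packet, otherwise drop."""
    for rule in policy:
        if rule.matches(pkt):
            return ("allow", rule.name)
    return ("deny", None)


# Constructed sample traffic for the audit (labels are descriptive only).
SAMPLE_PACKETS = {
    "web request from Internet":    Packet("in", "tcp", 80),
    "RPC endpoint mapper":          Packet("in", "tcp", 135),
    "NetBIOS name service":         Packet("in", "udp", 137),
    "SMB/NetBIOS session":          Packet("in", "tcp", 139),
    "FTP outbound":                 Packet("out", "tcp", 21),
    "FTP inbound":                  Packet("in", "tcp", 21),
    "DNS query inbound":            Packet("in", "udp", 53),
    "reply to outbound HTTP (ACK)": Packet("in", "tcp", 3051, ack=True),
    "new connection to high port":  Packet("in", "tcp", 3051, ack=False),
}


def audit(policy=POLICY, packets=SAMPLE_PACKETS):
    """Map each sample packet label to 'allow' or 'deny' under the policy."""
    return {label: decide(pkt, policy)[0] for label, pkt in packets.items()}


def exposed_nt_services(policy=POLICY):
    """NT's RPC/NetBIOS ports that the Internet could reach under the policy."""
    nt_ports = [("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139)]
    return [(proto, port) for proto, port in nt_ports
            if decide(Packet("in", proto, port), policy)[0] == "allow"]


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{verdict:5}  {label}")
    print("exposed NT services under POLICY:", exposed_nt_services())
    print("exposed NT services under WEAK_POLICY:", exposed_nt_services(WEAK_POLICY))
    print("fresh SYN to high port under WEAK_POLICY:",
          decide(Packet("in", "tcp", 3051), WEAK_POLICY))
```

Under POLICY the NetBIOS and RPC ports stay closed from the Internet, which is the point Russ makes. The WEAK_POLICY variant shows why the wording of the high-port rule matters: if "established" is implemented as a plain port range rather than a flag or state check, a fresh inbound connection to any port above 1023 gets through, even though 135/137/138/139 themselves remain blocked.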