Great Circle Associates Firewalls
(July 1996)
 


Subject: RE: Catapult
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Sat, 27 Jul 1996 18:01:59 -0400
To: "'johnb @ aztec . co . za'" <johnb @ aztec . co . za>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>

Catapult is not a Firewall per se, but a caching proxy server with the
ability to remote WinSock calls from clients. Since I've been asked
before, my definition of a Firewall is that it's a complete solution,
rather than a component. To me, a proxy server is a component in a
Firewall solution. Maybe if you want to be a bit more specific as to
what you mean by "IP Firewalling capabilities" I can specifically
address your query. Most are probably dependent on NT's abilities rather
than Catapult's.

If anyone is interested in getting the HTML documentation that
accompanies the free download of Catapult, I would be happy to forward
them to you (HTML, 600kb not zipped). If I get enough inquiries I'll
throw them up on my Web Server.

Catapult interoperates with, and very much relies on, things like the
security of the NT 4.0 OS and Internet Information Server. It does not,
as yet, have any specific proxies for NetBIOS traffic, nor does it do
anything specific for SQL, or Exchange. It is fully CERN compatible, so
while it does not accommodate SOCKS clients it certainly accommodates
Unix clients that can work with a CERN proxy.

I would like to put up my testing results of Catapult, but the simple
fact is that with the impending release of NT 4.0, my testing efforts
have been focused on products that will be available at the time of
that release. Catapult is not amongst those, and their beta code
releases have been frozen at a build of NT 4.0 that is much, much, older
than what I am currently running.

I've pointed out to the Catapult team that there are some serious
problems with the way that Microsoft is currently positioning itself
with respect to security on the Internet. The Microsoft Internet
Security Framework sounds like the logical center point for all security
initiatives that MS plans to implement, right? (see
http://www.microsoft.com/intdev/security ), but the fact is that nowhere
in that wonderful white paper does Microsoft make any mention of
Catapult.

To me, the reality is that Microsoft does not see Catapult so much as a
security product as it sees it as a facilitative product to give more MS
desktops access to the Internet. By implementing the remoting of WinSock
API calls, MS desktops do not have to implement TCP/IP enterprise-wide
in order to get to the Internet. This is not a bad thing, but it doesn't
solve Internet security issues. Remember, though, it's my opinion that
Microsoft is not attempting to address Internet security issues with
Catapult as much as they're trying to get more customers *to* the
Internet.

So, if you're thinking that Catapult is all you will need for your
Enterprise Internet Firewall, think again. I refer you to the archives
to look up Bill Stout or Chris Pugrud's comments. It has features that
an enterprise would want, like its caching capabilities and the ability
to remote WinSock, but too many things still have to be done as
"anonymous" to make it much use in a cross-platform environment. Still
no robust alerting capabilities and logs that are intended for web
servers and not Firewalls. While NT 4.0 comes with a packet filter, it
can only do so on either *all* IP addresses or *none*. Catapult has the
ability to tune out specific addresses or ranges, and can do so to
particular ports, but the fact that this has to be done in the proxy
rather than at the adapter level leaves me gasping when the underlying
OS has the ability to filter. This is another sign that Catapult is
being retro-fitted to NT rather than integrated. Its integration relies
on IIS' capabilities, not NT's.

Now, if you think of it for the IntrAnet, it has very good possibilities
in improving the response time on IntrAnet web servers, and has the
advantage of not requiring TCP/IP on the clients. For MS only desktop
environments, another plus. This also positions the clients to take
advantage of other IntrAnet products that MS is working on.

Naw, I think that Raptor, Centri, Firewall-1, etc... don't have to worry
much about Catapult cutting into their bottom line for companies that
are serious about their Internet security, although I think they have to
look at Catapult as representing more what customers want than what they
currently provide (and please remember that an MS customer's desire
doesn't necessarily end at security, they also want transparency, ease
of use, and scalability). Catapult will run with other NT BackOffice
components on the same box (big security risk but great scalability for
small customer sites, i.e. branch offices). Catapult will work with any
NT NIC, including ISDN, PPP, SLIP, etc... Catapult is fully integrated
with the NT security model.

Some of those things are big security risks, and need to be judged
carefully if Catapult was being used as the only component in a Firewall
solution, but they are all things that customers want. For NT Firewalls,
in their current releases, I think Centri has come closest to meeting
these (and other) customer "nice-to-have" while maintaining a strong
level of security. Raptor has the best reputation (IMO), but the
released version of Eagle for NT doesn't come close to meeting my
expectations of an NT product. The current betas are much better, and I
know they are working hard on making it even better, these things take
time. Unfortunately, I haven't seen anyone else's NT product, if anyone
wants to let me have a copy of their beta or released versions, let me
know (but if it doesn't run on NT 4.0, then forget it, you've missed the
boat!).

Cheers,
Russ
...due to licensing restrictions, this message can only be read by 10
people within 10 minutes...