Great Circle Associates Firewalls
(November 1996)
 


Subject: Message not deliverable
From: Administrator @ hq . navsea . navy . mil
Date: Mon, 25 Nov 1996 05:14:13 -0500
To: Firewalls @ GreatCircle . COM

Firewalls-Digest       Monday, November 25 1996       Volume 05 : Number 632



In this issue:

        Re: InfoSec organization
        Re: CryptoCard = SecureNet Key + $
        Download FREE NT FireWall/Plus
        Re: guantlet firewall config help require
        Redundant FW-1s in Parallel!?
        Re: Redundant FW-1s in Parallel!?
        Firewalls-Digest V5 #631 -Reply

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Sun, 24 Nov 1996 07:52:58 -0500
From: heuman @ mail . cibc . com (R.S. [Bob] Heuman)
Subject: Re: InfoSec organization

On Thu, 14 Nov 1996 16:47:54 -0600, you wrote:

>I have a question concerning the "usual" structure of IT departments in
>bigger organizations:
>1) Information security is split up between several different
>departments: Database administration does database security, Network
>services does network security, Computing services does host security on
>their systems...
>2) There is ONE department, let's call it "InforSec Dept." that is in
>charge of ALL the information security aspects for the different
>"sections", i.e.e.g. THEY control host security, database security and
>network security. Of course, there are still Database administration,
>Network services and Computing services departments, but those are
>merely responsible for "running" the things.
>
>What is more likely to be the structure in bigger organizations? What is
>the opinion of the audience on the 2 "scenarios" above --
>advantages/disadvantages and the like...

Type 2 exists in many larger organisations.  Its role is not to actually
handle database security, network security, etc., but rather to document
and disseminate the Policy, standards, procedures, etc., that ALL in the
organisations must use.  In addition this area will do R&D work re
security, keeping abreast of new security products as well as the
implications of using the security components of applications, operating
systems, etc.  In many cases they also maintain an approved products list,
so that individuals or units do not rely on the password protection of a
product such as WordPerfect if a commercial password cracker for that
product is available.  This unit may also administer the organisation's
host access control product, be it RACF or ACF2 or TopSecret, and various
encryption devices, such as link encryptors, centralised hand held
challenge-response devices, etc.

Type 1 will exist in conjunction with type 2, but will have to meet the
policies, standards and procedures set by the type 1 group.  They will also
have to clear new applications or products with type 1 if there are changes
in the security component of the product.  Type 1 may be part of the
overall group or may report within the application group instead.  It
varies.

The larger the organisation, and the more various locations with major
hardware installations, the more likely that type 2 is centralised at head
office and type 1 is scattered throughout the various sites.

FWIW, this is what I have observed, but then again.....

------------------------------

Date: Sun, 24 Nov 1996 07:52:56 -0500
From: heuman @ mail . cibc . com (R.S. [Bob] Heuman)
Subject: Re: CryptoCard = SecureNet Key + $

>From: Tom Zerucha <root @ deimos . ceddec . com>
>Date: Fri, 15 Nov 1996 14:48:50 -0500 (EST)

>We are installing a Borderware Firewall that said it only works with
>Cryptocards.

>I had a securenet key I was using with TIS fwtk, and the methods looked
>similar, I tried the cryptocard, and it worked in place of the SNK, so I
>tried it the other way, and it worked.

>SNK was just over half the cost of the cryptocard, and has a better
>keypad (IMO).  The only downside is that you have to pull the battery to
>reset it.

If these two work, then the Racal WatchWord II (English product, made in
Singapore) and the ActivCard (French product made in China) should also
work.  In that case I suspect the ActivCard will be even cheaper than the
SNK, since I do know the relative prices of all of them.  Incidentally, the
ActivCard will read the challenge off the screen and send the response back
in some configurations/setups....

Check their web sites for more info on each, if interested.

FWIW....

Bob

------------------------------

Date: Sun, 24 Nov 1996 09:12:09 -0600
From: russo @ network-1 . com (Bob Russo)
Subject: Download FREE NT FireWall/Plus

               Download a FREE beta evaluation copy of

            FireWall/Plus for Windows NT (3.5.1 or 4.0) at:

                       http://www.network-1.com
                       Network-1 Software & Technology, Inc.
                       909 Third Ave.
                       New York, NY 10022
                       800-638-9751 * 212-293-3068
                       Email - sales @ network-1 . com
                               support @ network-1 . com



Bob Russo
russo @ network-1 . com

------------------------------

Date: Sun, 24 Nov 96 10:43:24 CST
From: jeromie @ garrison . com (Jeromie Jackson)
Subject: Re: guantlet firewall config help require

> I am also having another problem on the BSDI unix that comes with 
> TIS Gauntlet. When I try to install it on one of the pentium machine. 
> During the installation phase, There are error messages popping out 
> saying "IRQ 6 STRAY INTERRUPT". The installation goes on normal 
> but just that irritating error message keeps coming out on the screen 
> every time the BSDI installation diskette is read from the drive A:.
> 

 The firewall should have been installed by your reseller.  Contact
them!

Jeromie Jackson
Garrison Technologies
jeromie @ garrison . com

------------------------------

Date: Sun, 24 Nov 1996 20:39:19 -0800
From: "Jeff C. Flynn" <us028272 @ mindspring . com>
Subject: Redundant FW-1s in Parallel!?

Suppose someone wants a FW-1, but he also has a requirement for "no single
points of failure."  Suppose he thought he could address this by putting two
FW-1s in parallel as follows...

             |----- Primary FW-1 -----|
             |                        |
Dept #1 -----|                        |-----Dept #2
             |                        |
             |----- Secondary FW-1 ---|

It seems to me that there could be problems with this topology (with both
FWs powered and connected).  Since a packet could take either FW route to
get to (for example) Dept #2 from Dept #1, context could be lost and packets
could be lost.  I know all this is pretty general, and what happens depends
on the protocols and rules.  Still, I'm just looking for a general answer.
Any suggestions on how to best satisfy this type of requirement?

Tia,
Jeff

------------------------------

Date: Sun, 24 Nov 96 23:23:47 PST
From: pat @ tandem . com
Subject: Re: Redundant FW-1s in Parallel!?

> Any suggestions on how to best satisfy this type of requirement?

two ways come to mind:

1) SecureWatch from Qualix (3rd party high-availability failover software).

   http://www.qualix.com/sysman/product/securewatch.htmld


2) Wait for version 3.0 of Firewall-1 to ship (version 3.0 will allow two
   Firewall-1 systems to exchange state table information).

   http://www.checkpoint.com/press/30release.html

                         -pat
--
Patrick Mulrooney
Tandem Computers


-------------------------------------

Date: Sun, 24 Nov 1996 20:39:19 -0800
To: Firewalls @ greatcircle . com
From: "Jeff C. Flynn" <us028272 @ mindspring . com>
Subject: Redundant FW-1s in Parallel!?
Sender: firewalls-owner @ greatcircle . com
Content-Length: 851

Suppose someone wants a FW-1, but he also has a requirement for "no single
points of failure."  Suppose he thought he could address this by putting two
FW-1s in parallel as follows...

             |----- Primary FW-1 -----|
             |                        |
Dept #1 -----|                        |-----Dept #2
             |                        |
             |----- Secondary FW-1 ---|

It seems to me that there could be problems with this topology (with both
FWs powered and connected).  Since a packet could take either FW route to
get to (for example) Dept #2 from Dept #1, context could be lost and packets
could be lost.  I know all this is pretty general, and what happens depends
on the protocols and rules.  Still, I'm just looking for a general answer.
Any suggestions on how to best satisfy this type of requirement?

Tia,
Jeff
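
The "context could be lost" concern in this thread, and the effect of exchanging state table information, can be seen in a small model. This is an added example, not part of either post and not Firewall-1's actual state handling; the class, function names, addresses and the telnet rule are all constructed for illustration.

```python
# Added illustration: a simplified model of two stateful filters in parallel.
# It is not Firewall-1's state handling; names and addresses are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

def flow_key(p):
    """Direction-independent key so replies match the entry made by the SYN."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class StatefulFilter:
    def __init__(self, name, allowed_dports, table=None):
        self.name = name
        self.allowed_dports = allowed_dports
        # Passing the same set to two filters models state-table exchange.
        self.table = set() if table is None else table

    def accepts(self, p):
        key = flow_key(p)
        if key in self.table:                      # known connection
            return True
        if p.flags == "SYN" and p.dport in self.allowed_dports:
            self.table.add(key)                    # new connection allowed by rule
            return True
        return False                               # no state, not a permitted SYN

# Constructed TCP handshake: Dept #1 client to a Dept #2 telnet server.
HANDSHAKE = [
    Packet("10.1.0.5", 40000, "10.2.0.9", 23, "SYN"),
    Packet("10.2.0.9", 23, "10.1.0.5", 40000, "SYN-ACK"),
    Packet("10.1.0.5", 40000, "10.2.0.9", 23, "ACK"),
]

def run_handshake(route, share_state):
    """route[i] names the firewall packet i crosses; stops at the first drop."""
    table = set() if share_state else None
    fws = {n: StatefulFilter(n, {23}, table) for n in ("primary", "secondary")}
    log = []
    for pkt, hop in zip(HANDSHAKE, route):
        ok = fws[hop].accepts(pkt)
        log.append((hop, pkt.flags, "pass" if ok else "drop"))
        if not ok:
            break
    return log

if __name__ == "__main__":
    asym = ["primary", "secondary", "primary"]
    for share in (False, True):
        print("shared state:", share, run_handshake(asym, share))
```

With independent tables the SYN-ACK returning through the secondary is dropped because only the primary saw the SYN; with a shared table, or with every packet forced through one firewall, the handshake completes.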

------------------------------

Date: Mon, 25 Nov 1996 08:03:09 +0000
From: Colin Craig <craigc @ scot-homes . gov . uk>
Subject: Firewalls-Digest V5 #631 -Reply

I'm on Holiday and am not due back until Monday  25th November. I'll
deal with this then.

Colin.

------------------------------

End of Firewalls-Digest V5 #632
*******************************

To unsubscribe from Firewalls-Digest, send the following command
in the body of a message to "Majordomo @ GreatCircle . COM":

unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":

subscribe firewalls-digest local-firewalls @ your . domain . net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).
