The only thing behind the firewall is the service. However, the service does use ISAPI extensions, Active Server scripts, and other such CGI extensions. The program is written to block all CGI subversion efforts using a custom three-homed data firewall that detects and blocks data attacks assuming no TCP/IP or network attacks disable it first. The service would become irrelevant if someone were to learn the LSA password for one of the internal machines and turn off auditing, for
As to outgoing ports, the service does not use any, so I'm planning on allowing any to begin with.
Yehuda G. Hahn
Focus Lion Communications, Ltd.
6 Yannai Street, Suite 1
Tel. +972 2-622-1352
Fax. +972 2-622-1289
E-mail: ygh @
From: Bob Beck [SMTP:beck @
Sent: Tuesday, December 10, 1996 7:22 AM
To: ygh @
Subject: Re: Is NT really that bad?
Put it this way, *I* wouldn't do it with NT, since I know I
can do a better job with Unix, and I do have experience with both. NT
is definitely (IMNSHO) the riskier, but Unix isn't without risk
either, in spite of what all the religious zealots on both sides of
the fence will say to you. If it's as simple as you say, you're
probably not in bad shape with either. For serious purposes I'd still
stick to Unix, but that advantage only works when properly used and
configured. Both can be misconfigured easily too :-)
You mentioned 443 (https) in. Are you allowing anything out?
i.e. are there users behind the firewall or just the service? If there
are users behind I'd be more worried. I'd also be more worried if
the https server is doing more things than just serving documents.
i.e. is it doing CGI. If that's the case then you must be *much* more
careful, and in that case I might take a second look at how secure you
are if a CGI script gets away from you.
I'm sure you'll get lots of opinions. You'll have to be
the one to sort it out, and with that much in dollar value behind it
I'm sure you'll live in interesting times. I suggest that when you
do make your decision and implement it, you have it audited by someone
else who had nothing to do with the process of implementing it.
> Guys, after browsing this list for a few days I realize this is an
> extremely controversial issue, but: if I want to protect a small
> NT network whose sole purpose is to provide a SSL web server, can I
> do so safely by configuring an NT firewall to provide access to
> port 443 exclusively? The network presents data from a legacy network
> (linked via SNA Server) that controls about US $15 billion, so security is
> a massive issue, but the people I spoke to said that if I only allow access
> to port 443 using NT's built-in security features and use even MS Proxy
> Server I can prevent all break-in attacks. (I'm not overly concerned
> about denial-of-service attacks.) My test
> configuration uses Checkpoint FW-1 on NT, with NetBEUI as the internal
> network protocol bound to the internal card and a non-routable IP address on
> the internal web server. The Checkpoint machine is not part of the domain
> and has no permissions there. All standard security precautions pertaining
> to NT were taken (auditing, flag monitoring, password cracking, file and
> registry permissions, etc.) throughout the network and the project was
> already approved, but I am concerned about the underlying OS. Flames
> Yehuda Hahn
> Technical Director
> Focus Lion Communications, Ltd.
> 6 Yannai Street
> #define QUESTION ((bb) | !(bb))