Date: Wed, 15 Jan 97 08:48:00 EST
From: Alexander Don W <DWALEXAN @ dol . gov>
Subject: Eagle Raptor

I'm reviewing several firewall products, one of them being Eagle by
Raptor Systems, Inc. Is there anyone out there familiar with this
product? If so, I would appreciate any comments that you may have.
Also, if there are any other NT-based firewall products that you know
are worth taking a look at, please let me know. Thanks.
-Don W. Alexander dwalexan @ dol . gov

Yes, Eagle is a very good firewall which offers proxies for http, smtp,
ftp (put/gets) and gopher. The new 4.0 version, currently available on
UNIX, has filtering and tunneling capabilities as well, but the 3.6
version on NT is solid. VPN has been supported for some time now. Since
it's an application gateway, NAT is inherent to the product. It has good
throughput for an application gateway; see the Data Comm article "Can
firewalls take the heat" in 1996, not the 1995 article, it was
retracted. They also have a product called Eagle Lan, which are
headless units you can place at different perimeter points within your
organization and manage them all from the master Eagle unit. It
actually works! Everything is done through a nice GUI.
One note: The earlier versions of Raptor were not goo

From firewalls-owner Sat Jan 18 01:55:35 1997
From: "David B. Donahue" <ddonahue @ emf . net>
To: <firewalls @ GreatCircle . COM>
Cc: <ddonahue @ emf . net>
Subject: Re: Firewalls for dial-up access
Date: Fri, 17 Jan 1997 08:53:23 -0800
For some unknown reason this didn't go through yesterday - here it is
again, my apologies if you get it twice (any more than the normal
plague of duplicate messages that is) - David B. Donahue
----------
> From: David B. Donahue <ddonahue @ emf . net>
> To: Jarn Calubiran <920145 @ balut . admu . edu . ph>; Paul Ferguson <pferguso @ cisco . com>
> Cc: firewalls @ GreatCircle . COM
> Subject: Re: Firewalls for dial-up access
> Date: Thursday, January 16, 1997 11:55 AM
>
> I would think that setting up a separate DMZ for the Dial-up modems would
> be a more secure configuration, users would then Authenticate and then
> pass through the firewall to get internal access.
>
> Even if you trusted/relied upon your authentication (e.g. Secure-ID
> cards), you would still be able to implement policies for this DMZ that
> would allow the users to do their work but wouldn't open up the internal
> network to unneeded risk (e.g. Telnet but not NFS, HTTP but not Rlogin).
>
> This configuration can be done cheaply and easily using another Ethernet
> interface on your existing firewall, a small Ethernet hub, and a second
> rule base for the new dial-up DMZ.
>
> Don't forget that if you decide to implement Call-Back modems, get the
> new kind with two lines, where the modem gets dialed into on line one
> and then dials out on line two (line two configured as outbound only by
> the LEC).
> Also make sure that none of the targeted user phone lines have call
> forwarding.
>
> Otherwise the call-back security is trivially broken with well known
> methods.
>
> -David B. Donahue
>
> ----------
> > From: Paul Ferguson <pferguso @ cisco . com>
> > To: Jarn Calubiran <920145 @ balut . admu . edu . ph>
> > Cc: firewalls @ GreatCircle . COM
> > Subject: Re: Firewalls for dial-up access
> > Date: Wednesday, January 15, 1997 4:28 AM
> >
> > At 01:19 PM 1/15/97 -0800, Jarn Calubiran wrote:
> >
> > >
> > > I apologize beforehand if I missed a discussion on this but most
> > >of the things I've been hearing from this list concern protecting the
> > >network from the outside. How about protecting the network from the
> > >inside in the case where you have dial-up lines into your network? I am
> > >aware that some dial-up servers perform strong authentication but what
> > >if you really want the dial-up access to be essentially "isolated" from
> > >the network? How is this implemented?
> > >
> > > Thanks in advance...
> >
> >
> > Conventional wisdom indicates that dial-up access is located adjacent to
> > the internal network, behind the firewall, and security is provided by
> > authorization, authentication, one-time passwords, and perhaps even
> > call-back.
> >
> > - paul
> >
> >
> > --
> > Paul Ferguson
> > Consulting Engineering
> > Herndon, Virginia USA
> > tel: +1.703.397.5938
> > e-mail: pferguso @ cisco . com
> > cisco Systems
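
The second rule base for a dial-up DMZ that David B. Donahue's message describes (Telnet and HTTP permitted, NFS and Rlogin not), modelled here as an added example that is not part of the original thread and is not any firewall product's syntax. The addresses, the rule tuple layout and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumption): modem pool on its own DMZ segment.
DIALUP_DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Rule base bound to the dial-up DMZ interface only.
# Layout (hypothetical): (action, protocol, destination network, port or None=any)
DIALUP_RULES = [
    ("permit", "tcp", INTERNAL, 23),  # Telnet
    ("permit", "tcp", INTERNAL, 80),  # HTTP
]

# A careless rule base of the kind the audit below should flag.
LOOSE_RULES = [("permit", "tcp", INTERNAL, None)]

# Services the message says dial-up users should not reach.
RISKY = {("tcp", 513): "rlogin", ("tcp", 2049): "NFS", ("udp", 2049): "NFS"}


def decide(rules, src, proto, dst, port):
    """First match wins; anything unmatched is denied."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in DIALUP_DMZ:
        return "deny"  # not from the modem pool: spoofed or misrouted
    for action, r_proto, r_net, r_port in rules:
        if proto == r_proto and dst_ip in r_net and r_port in (None, port):
            return action
    return "deny"  # default deny


def audit(rules):
    """Names of risky services the rule base lets dial-up users reach."""
    src, dst = str(DIALUP_DMZ[1]), str(INTERNAL[1])
    return sorted({name for (proto, port), name in RISKY.items()
                   if decide(rules, src, proto, dst, port) == "permit"})


if __name__ == "__main__":
    for label, rules in (("dial-up DMZ", DIALUP_RULES), ("loose", LOOSE_RULES)):
        print(label, "exposes:", audit(rules) or "nothing risky")
```
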