Daniel Rubin wrote:
> Tim Shoemaker wrote:
> > I have a listing of the products (OS's & Network Components) that are
> > rated at A1, B1, B2, B3, C1, & C2, and nowhere does it mention what
> > hardware the OS, etc. was running on. The only thing mentioned in the
> > "Orange Book" is the way that the OS handles security measures. This
> > pertains to firewalls also in the fact that firewalls must have
> > contingencies that provide security between two areas, and can be
> > documented to do so.
> > If you all are interested, I found the B1, B2, etc. rated products
> > at :
> > http://www.radium.ncsc.mil/tpep/epl/epl-by-class.htn
> > Also, you can access the "Orange Book" at :
> > http://www.iss.net
> > I read the hardcover version, and also have a printed out version.
> > goes over all the classifications, but it must be read from the
> > beginning because many of the definitions rely on the previous
> > If you have any questions that I can answer, please let me know.
> > Tim Shoemaker
> > Technical Support
> > Norman Development, USA
> > http://www.norman.com
> I thought I would post this note to the list to warn people of some
> limitations of the Sun Solstice Firewall-1 product. Our requirements
> included multiple ethernet interfaces that were used to connect
> multiple networks. The idea was to protect one of the interfaces
> from all the others. The others included the internet, WAN
> connectivity to our clients, etc. The license we purchased for
> Firewall-1 was the Light Security Center License, since we only
> have about 12 hosts that need to be protected.
> After much research and fighting with the support reps at Sun
> we discovered that the Light Security Center License only supports
> one external interface (terminology used for licensing purposes).
> As a result it counted each host it received packets from on any
> of the other interfaces as an internal host. That license only
> allows 50 internal hosts. That license was about $5000.00, and
> it turns out the license we needed is just about $40,000. Try to
> sell that to management!
Someone told me FW-1 detects how many hosts you have from the broadcast
packets of those hosts. So one way to solve your problem is to configure
those hosts not to send out broadcast packets.
> If we had known this earlier we would have just purchased a Cisco
> enterprise router, which does just about everything the
> Firewall-1 software does.
"Everything"?? I am not too sure I follow you here. I think you are
confusing FW-1 packet inspection technology with plain old packet
filtering that ANY router is capable of doing. Anything beyond that, I
can't see for the life of me how the two can be comparable.
If what you really want is to filter packets based on IP address and you
don't care about logging, you are not concerned about opening up high
ports, etc. etc.... Sure, go ahead and get a router. But I am sure you need
more than that.
Licensing issue aside, FW-1 is a robust and highly regarded security
> - Dan
Senior IT Architect (Security & Cryptography)
Information Infrastructure Group
National Computer Board
Email: martin @ sg, mkhoo @ sg, markhoo @
DID: 7703878 FAX: 7747159
PGP: 1D 5F DA E5 56 CD 6A B6 FA E0 83 55 BD 07 9C C0
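The distinction drawn above between a router's plain packet filtering and FW-1's stateful packet inspection (and the remark about having to "open up high ports") is easier to see in code. The following toy filter pair is an added example, not code from this thread or from Check Point / Sun; the 10.0.0.0/24 "internal" segment, the three sample packets and the 203.0.113.x / 198.51.100.x addresses are constructed values from the documentation ranges, and the rule set is deliberately minimal (outbound HTTP only).

```python
"""Stateless ACL vs. connection-tracking filter: a constructed comparison."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    # Constructed convention: the protected segment is 10.0.0.0/24.
    return ip.startswith("10.0.0.")


class StatelessFilter:
    """Router-style ACL: every packet is judged on its own header alone.

    Because replies to outbound connections come back to an ephemeral
    (high) source port, the ACL has to leave inbound traffic to all ports
    above 1023 open; it cannot tell a reply from an unsolicited probe.
    """

    def __init__(self) -> None:
        self.log: List[str] = []

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst) and p.dport == 80:
            verdict = True   # outbound web request
        elif not is_internal(p.src) and is_internal(p.dst) and p.dport > 1023:
            verdict = True   # "open high ports" so replies can get back in
        else:
            verdict = False
        self.log.append(f"{'ACCEPT' if verdict else 'DROP'} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


class StatefulFilter:
    """Connection-tracking filter: inbound packets are accepted only if they
    belong to a session that an internal host opened first."""

    def __init__(self) -> None:
        self.log: List[str] = []
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        if is_internal(p.src) and not is_internal(p.dst) and p.dport == 80:
            # Record the 4-tuple so the reply direction can be matched later.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            verdict = True
        elif (p.dst, p.dport, p.src, p.sport) in self.sessions:
            verdict = True   # reply to a tracked session; no blanket high-port hole
        else:
            verdict = False
        self.log.append(f"{'ACCEPT' if verdict else 'DROP'} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


def run_scenario(fw) -> List[bool]:
    """Push three constructed packets through a filter and return its verdicts."""
    packets = [
        Packet("10.0.0.5", 40000, "198.51.100.7", 80),   # internal host opens HTTP
        Packet("198.51.100.7", 80, "10.0.0.5", 40000),   # legitimate reply
        Packet("203.0.113.9", 4444, "10.0.0.5", 8080),   # unsolicited inbound, high port
    ]
    return [fw.allow(p) for p in packets]


if __name__ == "__main__":
    for cls in (StatelessFilter, StatefulFilter):
        fw = cls()
        print(cls.__name__, run_scenario(fw))
        for line in fw.log:
            print("  ", line)
```

The stateless ACL accepts all three packets, including the unsolicited one to port 8080, because its only way to let replies back in is a permanent hole for every port above 1023. The stateful filter accepts the reply because it matches the recorded session and drops the third packet, and both variants keep a per-packet log, which is the other capability the reply above contrasts with a bare router.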