Great Circle Associates Firewalls
(November 1997)

Subject: RE: Need help comparing solutions
From: "Stackpole, Bill" <BSTACKPO @ sla . com>
Date: Mon, 10 Nov 1997 08:32:38 -0800
To: "'Paulo Jorge Delgado'" <Paulo . Delgado @ bta . pt>, firewalls @ greatcircle . com

Either you guys are really paranoid or you have something very valuable
to protect.  Just a curiosity factor, but did your workgroup do any risk
analysis before coming up with this solution?
	- A firewall using stateful inspection
	This could be integrated into the router along with a good set
of filters to protect your "DMZ".
	- A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
	So far the best solutions for this are on stand-alone systems
but several major vendors are moving to integrate this functionality
into their firewall servers.
	- A proxy based access control application (for "URL censorship")
	Personally I'd bag this and write an acceptable use policy, have
employees sign it and fire those that violate it.  However, vendors like
Raptor do have some "URL censorship" add-ons.  Or you could use a
passive monitor like ON Tech's Internet Manager.
	- A proxy based firewall
	An alternative to a second firewall might be a good monitoring
system like NetRanger that would alert you to attacks and/or wrongful
usage.  Unless of course you are looking for some of the other benefits
that a proxy might provide like Web page caching.
	- A suite of auditing tools - ???

	Router based firewalls don't require per user licenses and most
of the passive monitors I've seen don't require them either.  As for the
Netscape proxy, it works.  So does the Microsoft proxy.  Are they
firewalls? Hardly.



> -----Original Message-----
> From:	Paulo Jorge Delgado [SMTP:Paulo . Delgado @ bta . pt]
> Sent:	Monday, November 10, 1997 3:43 AM
> To:	firewalls @ greatcircle . com
> Subject:	Need help comparing solutions
> 
> Hello,
> 
> The company I work for has decided to connect to the Internet using
> a firewall solution. This is a rather long story, but after creating
> a workgroup with people from IT Security, Systems Management and
> Telecommunications, creating a Security Policy and contacting
> several vendors, we decided to propose a solution integrating
> several products, connected in series:
> 
> - A firewall using stateful inspection
> - A proxy based virus scanner (for NNTP, SMTP, HTTP, FTP)
> - A proxy based access control application (for "URL censorship")
> - A proxy based firewall
> - A suite of auditing tools
> 
> With this we aimed at creating a screened subnet architecture, with
> special focus on redundancy. We wanted to make sure that compromising
> one of the elements of the solution, the others would still be able
> to provide some measure of security and eventually detect attacks
> coming from the compromised element.
> 
> Someone else is proposing a cheaper solution, something like:
> 
>              +------------+
>              | Statefull  |      |
> Outside  ----+ inspection +------+
> networks     | firewall   |      |   +--------------+
>              +-----+------+      |   | Dual-homed   |     |
>                    |             |   | Netscape     |     | Internal
>                    |             +---+ Proxy Server +-----+ network
>                    |             |   | HTTP, FTP,   |     |
>              +-----+-------+     |   | Gopher       |     |
>              | Netscape    |         +--------------+
>              | Mail Server |
>              +-------------+
> 
> They say that Netscape proxy server gives some additional security,
> complementing the firewall, so this would also be a redundant solution
> and with the added benefit of reducing the number of licences I need
> on the firewall.
> 
> I don't know this Netscape Proxy Server, but I feel that it can't act
> as a real firewall. Can someone on the list comment on the relative
> security of this cheaper solution?
> 
> Many thanks,
> 
> Paulo
> 
> +-------------------------------+---------------------------------------+
> | Paulo Jorge Delgado           | Internet: Paulo . Delgado @ bta . pt  |
> | Banco Totta & Acores          | Office:   +351-1-7922467              |
> | Av. Miguel Bombarda 4, 7      | Fax:      +351-1-7922481              |
> | 1000 Lisboa                   |                                       |
> | Portugal                      |                                       |
> +-------------------------------+---------------------------------------+
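The following is an added example, not code from either message or from any vendor named in the thread. It models the "cheaper" design Paulo sketched: a stateful-inspection firewall between the outside and the DMZ, and a dual-homed proxy as the only link between the DMZ and the internal network. The addresses, port numbers and rule set are constructed for illustration (RFC 5737 and RFC 1918 ranges). It shows two things the thread argues about: a stateful filter admits a reply only for a flow it saw opened, and a dual-homed host that does not forward IP leaves the internal network unreachable at the packet level even when the firewall rules are wrong. What it does not model is an attacker reaching internal hosts through a flaw in the proxy's own application code, which is exactly why Bill says a proxy is "hardly" a firewall.

```python
"""Toy model of the screened-subnet design from the thread (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing, not from the thread.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = "192.0.2.25"      # mail server on the DMZ
PROXY_OUTER = "192.0.2.80"      # proxy's DMZ-facing interface
PROXY_INNER = "10.0.0.1"        # proxy's internal-facing interface
PROXY_SERVICES = {80, 21, 70}   # HTTP, FTP, Gopher, as in the diagram


def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int            # server-side port of the flow (a real filter tracks both ports)
    reply: bool = False  # True when travelling back on an already-open flow


class StatefulFilter:
    """Stateful inspection in miniature: rules may open a flow; replies are
    accepted only for flows recorded in the state table."""

    def __init__(self, rules):
        self.rules = set(rules)   # (src_zone, dst_zone, port) allowed to open a flow
        self.flows = set()        # (client, server, port) of flows seen opening

    def accept(self, pkt):
        if pkt.reply:
            return (pkt.dst, pkt.src, pkt.port) in self.flows
        if (zone(pkt.src), zone(pkt.dst), pkt.port) in self.rules:
            self.flows.add((pkt.src, pkt.dst, pkt.port))
            return True
        return False


class DualHomedProxy:
    """Application-level relay: answers on its inner interface, originates its
    own connections from its outer interface, never forwards IP packets."""

    def __init__(self, services):
        self.services = set(services)

    def accept(self, pkt):
        return (zone(pkt.src) == "internal" and pkt.dst == PROXY_INNER
                and pkt.port in self.services)


def deliver(pkt, fw, proxy):
    """Return where a packet ends up in the cheaper design."""
    sz, dz = zone(pkt.src), zone(pkt.dst)
    if dz == "internal" and sz != "internal":
        # No device routes into the internal network: the proxy is the only
        # link and does not forward IP. This holds regardless of firewall rules.
        return "dropped: no IP route into internal network"
    if sz == "internal":
        return "proxy accepted" if proxy.accept(pkt) else "dropped by proxy"
    return "firewall accepted" if fw.accept(pkt) else "dropped by firewall"


def default_rules():
    return [
        ("outside", "dmz", 25),   # inbound mail to the DMZ mail server
        ("dmz", "outside", 25),   # outbound mail
        ("dmz", "outside", 80),   # proxy fetching on behalf of internal clients
        ("dmz", "outside", 21),
        ("dmz", "outside", 70),
    ]


def demo():
    """Trace constructed packets through the design; returns a name -> verdict map."""
    fw = StatefulFilter(default_rules())
    proxy = DualHomedProxy(PROXY_SERVICES)
    r = {}
    r["inbound smtp"] = deliver(Packet("203.0.113.9", MAIL_SERVER, 25), fw, proxy)
    r["proxy fetch"] = deliver(Packet(PROXY_OUTER, "203.0.113.9", 80), fw, proxy)
    r["fetch reply"] = deliver(Packet("203.0.113.9", PROXY_OUTER, 80, reply=True), fw, proxy)
    r["unsolicited reply"] = deliver(Packet("203.0.113.9", MAIL_SERVER, 80, reply=True), fw, proxy)
    r["client via proxy"] = deliver(Packet("10.0.0.50", PROXY_INNER, 80), fw, proxy)
    r["client telnet"] = deliver(Packet("10.0.0.50", PROXY_INNER, 23), fw, proxy)
    # A badly configured firewall that admits anything towards internal hosts:
    # the dual-homed proxy still leaves them without an IP path.
    open_fw = StatefulFilter([("outside", "internal", p) for p in range(1, 1024)])
    r["direct to internal"] = deliver(Packet("203.0.113.9", "10.0.0.50", 23), open_fw, proxy)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running it prints one verdict per constructed packet. The two results worth comparing are "fetch reply" against "unsolicited reply" (the same outside host, the same port, different state-table contents) and "direct to internal", which is dropped by the topology rather than by any rule.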
