> NetSP appears to be a possible choice by the team, especially since ISD can
> make available a RISC/6000 machine, in addition to having a current
> Integration Services contract with IBM. However, the NetSP product is
> approximately 6 months old.
> 1. Is NetSP as easy to implement as IBM states?
> 2. Has anyone interrogated a NetSP Firewall?
> 3. Are there any known limitations?
> 4. Is it a viable solution compared to BorderWare, TIS Gauntlet, ANS
> Interlock, etc.?
OK, I'll try to answer your questions as well as possible, based on the short
but intensive experience I've had so far with NetSP SNG :)
[Source: fwws.doc, foil #14, 1995.6.18, by afx @
NetSP Secured Network Gateway
- Integrated packet filter
All IP access to/through SNG can be checked by a packet filter.
NetSP SNG is based on a packet filter that replaces part of the
IP stack in AIX. On top of the packet filter SOCKS as well as
Telnet proxies are supported.
- User authenticated Telnet proxy
- User authenticated FTP proxy
- SOCKS server
- Sendmail relay
Additional authentication methods can allow inbound access if needed.
When using the proxy Telnet function the user can be placed into a
minimum-function sub shell that allows network queries and telnet
to other systems. This sub shell is administrator configurable.
Both the Telnet and the FTP proxy can be augmented (e.g. with authentication
methods that use one-time password systems from OEM sources
(Digital Pathways and Security Dynamics)).
The FTP proxy allows only outbound access and cannot be used from
the outside. The Telnet proxy, in contrast, can be configured to allow
access from the outside. When used with the previously mentioned one-time
password systems, reasonably secure access can be provided.
This protects only the access though, not the data transmitted during
the Telnet session.
The Telnet/FTP proxies have been in internal use to protect IBM
research sites (most notably Watson, where they were developed) for
years. Most of IBM's Internet gateways are now moving from home-grown
solutions to SNG. (Here at Heidelberg, we have been using it for about
4 months now; before that we had TIS & SOCKS installed.)
- Based on standard AIX
- AIX auditing is available to monitor the firewall
As SNG runs on top of AIX (currently 3.2.5) one can use the AIX audit
facilities to track access to configuration files and other vital
data on the system.
> I believe my company will not change its strategy regarding passwords
> (i.e., user passwords, 90 day change, min. 6 characters, etc.), therefore I
> would appreciate your comments, opinions, and experiences concerning
> authentication strategies such as one-time passwords, SmartCards, etc.
> 4. What effect does it have on users when employing such strategies?
> 5. How cost-effective or cost-prohibitive are such strategies?
> 6. How easy is it to implement such strategies?
Partly your strategy is already covered by AIX3; in AIX4, however, all this can
be accomplished. AIX4 features a lot of new user-security relevant methods,
like times at which user login is allowed, password history (number of pws and
lifetime), minimum length, minimum difference between old/new pw, dictionary list
of forbidden (easy to guess) pws, user routines to check for trivial pws (e.g.
one could implement a cracklib routine here...)
hope this helps, Xn.
| Christian Karpp ____ European Networking Center Heidelberg, IBM Germany |
| fon: +49-6221-59-4507 __________________ email: twsadm @
| fax: +49-6221-59-3300, 3400 __________________ "Postmaster of the day!" |
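The password-policy checks the reply lists for AIX4 (minimum length, minimum difference between old and new password, history, forbidden-word dictionary, and a site-supplied trivial-password routine) can be modelled in a small acceptance function. The following is an added example, not IBM or AIX code; the thresholds, the forbidden-word list and the interpretation of "minimum difference" as the count of characters in the new password that do not occur in the old one are assumptions made for the illustration.

```python
"""Password-acceptance routine modelled on the AIX4 checks mentioned in the post.
Added example, not IBM/AIX code. Thresholds and word list are constructed."""
from dataclasses import dataclass, field
from typing import List, Set

# Constructed stand-in for a dictionary file of forbidden (easy to guess) passwords.
FORBIDDEN = {"password", "secret", "welcome", "heidelberg", "netsp"}


@dataclass
class Policy:
    min_len: int = 6       # minimum length (the thread mentions 6 characters)
    min_diff: int = 3      # chars of the new pw that must not appear in the old one
    hist_size: int = 5     # number of previous passwords that may not be reused
    dictionary: Set[str] = field(default_factory=lambda: set(FORBIDDEN))


def trivial_check(pw: str) -> bool:
    """Stand-in for a site-supplied trivial-password routine (e.g. cracklib):
    reject a single repeated character or a pure digit run."""
    return len(set(pw)) == 1 or pw.isdigit()


def check_password(new: str, old: str, history: List[str], policy: Policy) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.
    history holds earlier passwords, most recent first (a real system keeps hashes)."""
    problems = []
    if len(new) < policy.min_len:
        problems.append("too short")
    # Minimum difference: characters of the new password absent from the old one.
    if len(set(new) - set(old)) < policy.min_diff:
        problems.append("too similar to old password")
    # History: the current password plus the most recent stored ones.
    recent = ([old] + history)[:policy.hist_size]
    if new in recent:
        problems.append("reused from history")
    if new.lower() in policy.dictionary:
        problems.append("in forbidden dictionary")
    if trivial_check(new):
        problems.append("trivial pattern")
    return problems


if __name__ == "__main__":
    pol = Policy()
    print(check_password("Gx7!kq2m", "abc123", [], pol))     # []
    print(check_password("abc124", "abc123", [], pol))       # ['too similar to old password']
```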