As I have stated numerous times, I have not seen an implementation of a
Firewall under Windows NT myself as yet.
However, if, as you state,
"Thusfar what I have seen uses NT to load the firewall program after which
the OS is politely
but quitely shunted to one side and all critical operations are performed
with direct hardware access (why only certain specified peripherals/NICs
Now if Raptor (or anyone I trust) were to say "we make all hardware calls
through the NT operating system which is left in control of the machine
while the firewall is running" then I would feel less skeptical."
Firewall-1, for example, does implement code at the driver level in order
to get around certain code that Microsoft has included in NT for their own
protocols (probably SMS functionality), which could not be redirected at
anything other than the driver level. This does not mean the OS is being
shunted to one side, but merely that packets are being picked up at an e
arlier point to allow their redirection, if necessary, based on the rules
in place. For a lot of reasons, that I won't get into here, you cannot
simply "shunt the OS to one side" in NT if you still want to do things like
interact with a user via a UI. Unlike DOS, or even Windows, NT's components
are all tied together in the Kernel and cannot be run independently by a
There are known issues with Microsoft's TCP/IP stack that would force
anyone trying to do anything substantial with IP on NT to do certain things
to avoid some of the pitfalls present in their stack. WebSite, from
O'Reilly and Associates, found a timing issue with the stack and had to
write a workaround of their own to ensure the performance of the Webserver.
As we all know, Microsoft's commitment to the Internet is evolving, rather
more quickly now than before, but having to start life from the perspective
"our strategic protocol of choice is IPX", means that Internet-related
Microsoft Product Manager's are pulling their hair out.
So implementing hardware drivers, or even their own TCP/IP stack, does not
detract from their use of NT in my opinion. To me, the bigger question is
how they interact with the Security Reference Monitor, which is used by all
applications running on NT to determine whether or not they can interact
with any other aspect of NT based on rights granted to the
user/service/thread. I'm more concerned that if improperly implemented, an
application could simply step around the security rules and go directly to
the HAL or another driver itself.
It really is too bad that no Raptor or Firewall-1 representative is willing
to speak out on this topic. I'm sure that some might think it marketing to
talk about their product, but if done at a technical level, I believe the
list would be interested. Correct me if I'm wrong list!
Russ Cooper, Senior Consultant - Internet
SHL/Computer Innovations - Consulting Services
Ca - RWCooper @
"can someone tell me where to go today to get the money to go to where I
want to go today"