Great Circle Associates Firewalls
(June 1996)
 


Subject: NT firewalls & NOS admins
From: scox @ factset . com (Sean Cox)
Date: Mon, 3 Jun 1996 12:11:21 -0400 (EDT)
To: Firewalls @ GreatCircle . COM
In-reply-to: <199606030800 . BAA27474 @ miles . greatcircle . com> from "Firewalls-Digest" at Jun 3, 96 01:00:32 am

>From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
[ Original poster deleted before I got here...]
>"Maybe that's because it's not NT and it's not an operating system. It's a 
>firewall. Why should a firewall look like an operating system?"

>What if I don't want a Firewall Administrator, what if I want to use my NOS 
>Administrator? What if I have a small company who cannot afford a dedicated 
>Firewall, or a dedicated Firewall Administrator?

	Then I'd be willing to bet you'll have problems.  I've seen a variety
of folks setting up "firewalls" for their networks that are to be run by 
people who don't understand the Internet.  They may understand Novell/IPX, or
NT/NetBEUI/NbT, but they don't have a clue about how IP works on the 'net.
	Even if you have a nice happy NT firewall that gives you the same 
"comfortable" interface that you're used to when dealing with file services,
you still need to understand the big picture.
	UNIX is useful because that's where the picture came from!  If you
have a decent UNIX geek on staff, then you likely have someone who understands
how things work on the Internet (i.e. how the services are provided, how mail
flows, etc).  If you have some guy with a Microsoft Certification for NT, 
then you probably don't.  
	If you choose not to supply yourself with the necessary people or
capabilities to understand the problem, you are very unlikely to find a good
solution!  
	
	At this stage in the game, things are still very primitive WRT network
security, and for that reason, anyone looking to protect something important
needs to find someone with a clue.  Perhaps soon the systems will be easy
enough to be handled by unskilled (in that particular field) workers, but I
don't think anyone outside a marketing department thinks that the tools are 
there now.

	If you choose to use an unskilled person as a pseudo-admin, then 
you'll probably get what you pay for.  The Bad Guys (TM) know their stuff, 
do you?

>Anyway, you've made my point again. If it's going to be an NT-based 
>Firewall, it should incorporate NT into its functionality, otherwise, we 
>shouldn't be looking at the NT version and instead should be considering 
>the original UNIX version. Both Raptor and Centri are ports of UNIX 
>products to NT. The point is, if the objective of the port was merely to 
>duplicate the Firewall environment running on top of NT, it's ill conceived.

	Isn't the whole idea "duplicating the firewall environment running on
top of NT" the entire point?  When Microsoft took "netstat" from BSD, did they
give it a mongo GUI and lots of bitmaps?  No, it's a command-line tool because
it's useful that way (%System_Root%/SYSTEM32/NETSTAT.EXE, try it).  
	Now I have not seen the NT Eagle, but we do use the UNIX version. Both
the command line stuff & the Hawk GUI.  I personally prefer the command line 
stuff, as it makes it real easy to config (in our particular circumstances)
with a couple of perl scripts, but the Hawk is useful for some other config 
work.  If I had to config the Eagle with something like User Manager and 
Control Panel applets, I'd go nuts, I prefer to let the computer (not my
fingers/wrists) do all the repetitive stuff....

	--Sean

I apologize if I seem like I'm attacking (I'm merely ranting some :) but it 
continues to fascinate me how so many people feel the need to set up a 
half-assed Internet attachment based on what they think they want, rather than
what makes sense. (My hammer is so cool, I want to drive screws with it!)
_______________________________________________________
Sean Cox, Systems Engineer     FactSet Research Systems
scox @ factset . com               Greenwich, CT
