Great Circle Associates Firewalls
(August 1996)
 


Subject: RE: Catapult as a Bastion Host in a Screened Subnet Firewall setup?
From: Chris Pugrud <ChrisP @ steldyn . com>
Date: Thu, 29 Aug 1996 13:23:20 -0600
To: "'Joseph M. Flahiff'" <jflahiff @ mossbaygroup . com>, Firewalls Mailing list <firewalls @ greatcircle . com>
Cc: "'cdl @ denkart . be'" <cdl @ denkart . be>

This is possible and feasible.  Whether or not it is advisable depends
on your security policy (running a Beta firewall) and your religious
preferences (re: Microsoft).

All religious arguments aside!!!

This is a workable and pleasant solution.  Notes:
1. Catapult is NOT a firewall.  It is a proxy server.
2. Catapult has no protective logging or indicators.
3. All errors in this document and any problems are the responsibility
of the reader.  The author does not guarantee the quality, correctness,
thoroughness or accuracy of this document.  The author appreciates
constructive criticism.  All arguments or complaints regarding Windows
NT or Microsoft should be addressed to /dev/null.

If possible, you should set up the Catapult machine as a dual homed
bastion (2 net cards).  On your exterior router only allow whatever
incoming protocols you desire to present to the outside world (DNS,
SMTP, HTTP or FTP if you are hosting an external web server).  Block all
(1-65535) other incoming (non-ACK) ports.  On the exterior router also
block all internal source addresses completely and only allow a
destination of the exterior Catapult interface.

On the internal router allow ONLY interior source addresses and only
allow a destination to the interior Catapult interface.  As for ports
you will have to open up 135-139, DNS, SMTP, FTP, HTTP, etc.

Set up Catapult according to directions and get the latest Catapult FAQ
from the Catapult newsgroup for extra directions about setup and
running.

For SMTP you will need to pick an SMTP server.  I use EMWAC running only
the SMTPDS and SMTPRS (no POP3) to gateway mail into an Internal
Exchange server.  What you do will depend on your situation.

To gate SMTP you will need to run a DNS server (to play mail routing
games).  Don't even bother with the DNS server in NT4 Beta 2 (Catapult
must run on Beta 2) - it crashes daily.  I use Metainfo 2.0a.  Use what
you will.  On the DNS, set up as a primary and only enter the address of
the machine, localhost, and the address of your internal mail server (if
you have to play mail routing games).

Make sure that everything is set up according to the Catapult
Documentation.

Once this is up and running you should have a pretty solid, reliable
Internet Gateway.  You will not get the handy automated reports that
Gauntlet and family (FWTK and Centri) give you but they should be pretty
easy to assemble with a PERL script or similar.

*****  IMPORTANT *****
All errors in this document and any problems are the responsibility of
the reader.  The author does not guarantee the quality, correctness,
thoroughness or accuracy of this document.  The author appreciates
constructive criticism.  All arguments or complaints regarding Windows
NT or Microsoft should be addressed to /dev/null.

*****

Chris
---
Chris Pugrud
#include <std_disclaimer.h>
- "Some mornings it's not worth gnawing through the restraints"


>-----Original Message-----
From:        	Joseph M. Flahiff [SMTP:jflahiff @ mossbaygroup . com]
Sent:         	Wednesday, August 28, 1996 10:42 AM
To:            	Firewalls Mailing list
Subject:   	Fw: Catapult as a Bastion Host in a Screened Subnet Firewall setup?


----------
> From: Chris De Laet <cdl @ denkart . be>
> Newsgroups: microsoft.public.catapult.beta
> Subject: Catapult as a Bastion Host in a Screened Subnet Firewall setup?
> Date: Friday, August 23, 1996 6:42 AM
> 
> 
> Three questions:
> 
> * Is it possible to use Catapult as a Bastion Host in a
>   Screened Subnet firewall setup?
> 
>   (Note that this would mean an NT Server with only one
>   Network Adapter, sitting on an insecure network with
>   two routers separating it from the internet and the
>   internal (secure) network respectively.)
> 
> * Can Catapult, for example, replace a Linux machine running
>   the TIS FireWall Toolkit? 
> 
> * And what functionality is lacking from Catapult to
>   make this possible?
> 
> If anybody (at Microsoft?) knows an answer to these questions
> I'd be endlessly grateful. We seriously would consider replacing
> our Linux Bastion Host by an NT machine if at all possible.
> 
> Thanks,
> -Chris
> --
>                                                | Denkart NV
>    __                  __          _           | Molenweg 107
>   /  )/               /  )        /_)          | B-2830 Willebroek, Belgium
>  /   /_  __  . _     /  / _      /  _   _  /_  | Tel: +32 (3) 866-0022
> (__ /  )/ (_(_/ )   /__/_</_   ()__(_|_</_(_   | Fax: +32 (3) 866-0301
>                                                | cdl @ denkart . be
> 
> 
> 
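The two-router screening policy described in the reply above (anti-spoofing on the exterior router, only the bastion's own interfaces reachable from either side, a fixed service list per router) written out as a small policy model so the rules can be checked against sample packets. This is an added example, not part of the original message; the network ranges, interface addresses, and the `Packet`/`exterior_router`/`interior_router` names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions (not from the post): the interior network and the
# two bastion interfaces.  The post gives no addresses.
INTERNAL_NET = ip_network("10.0.0.0/8")      # the interior (secure) network
CATAPULT_EXT = ip_address("192.0.2.10")      # exterior Catapult interface
CATAPULT_INT = ip_address("10.0.0.10")       # interior Catapult interface

# Services the exterior router presents to the outside world (DNS, SMTP, HTTP).
EXTERIOR_PORTS = {53, 25, 80}
# Services interior hosts may reach on the bastion: 135-139 plus DNS, SMTP, FTP, HTTP.
INTERIOR_PORTS = set(range(135, 140)) | {53, 25, 21, 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # True for a reply within a connection the proxy opened


def exterior_router(p: Packet) -> bool:
    """Inbound policy on the Internet-facing router; True means permit."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src in INTERNAL_NET:      # anti-spoofing: interior addresses never arrive from outside
        return False
    if dst != CATAPULT_EXT:      # only the bastion's exterior interface is reachable
        return False
    if p.ack:                    # return traffic for connections the proxy opened outbound
        return True
    return p.dport in EXTERIOR_PORTS  # new inbound connections: exposed services only


def interior_router(p: Packet) -> bool:
    """Policy on the interior router for traffic heading toward the bastion."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src not in INTERNAL_NET:  # only interior source addresses may cross
        return False
    if dst != CATAPULT_INT:      # and only toward the interior Catapult interface
        return False
    return p.dport in INTERIOR_PORTS


if __name__ == "__main__":
    # Constructed sample traffic: the spoofed interior source must be denied.
    for pkt in (Packet("198.51.100.7", "192.0.2.10", 25),
                Packet("10.1.2.3", "192.0.2.10", 25)):
        print(pkt, "permit" if exterior_router(pkt) else "deny")
```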

