Great Circle Associates Firewalls
(November 1996)
 


Subject: RE: A good fire wall for NT
From: Russ <Russ . Cooper @ RC . on . ca>
Date: Mon, 4 Nov 1996 08:59:04 -0500
To: firewalls @ GreatCircle . COM, "'tkyle @ FastLane . NET'" <tkyle @ FastLane . NET>

A good Firewall for an NT network is one that provides you with the
tools and options to secure your environment in the way you want to.
This doesn't mean it has to be an NT Firewall! Unlike, say, a good
modem (where it's important that it's reliable, fast, compatible, and
easy to install), a Firewall has to first meet one very important
criterion, namely, that it can do the job that your security policy
dictates it must do.

So before you worry about whether it should run on a Pentium or not,
you should define what it is you are trying to secure, who you are
trying to secure it from, and what access you are going to give to
people who pass through it. Without detailing these items, it's
impossible to pick a "good" Firewall for any environment.

Do you need to allow remote access to your network from the Internet?
Do you want to have an HTTP server inside or outside of the Firewall?
Do you need to pass SQL through it? Do you have the time to read reams
of logs, or do you want some AI that will do much of that work for you?
Do you need support for Real Audio? Are you going to use some advanced
authentication to allow access out from your Internal network or do you
want the Firewall to be transparent? Do you have multiple sites which
you'd like to connect into a virtual LAN across the Internet? I could
go on and on...

Once the features have been determined, and the assets that you are
protecting have been quantified, then you can start looking at vendors.
For many COTS Firewalls the operating environment isn't important. They
only present you with a shell interface that can do their commands, so
you don't need to understand Unix or NT in order to operate them. These
Firewalls are specifically designed to do their task at hand, and
nothing else. Other vendors have made products based on an underlying
OS and have left access to that OS available. Usually this is so it can
be customized by the user, or because they realize that other tasks
might be done on the Firewall (like running an HTTP or SMTP server).
The ability to run programs other than those provided by the Firewall
vendor, on the Firewall, is arguable. The more you run on a Firewall,
the more potential there is for something to be exploited, giving a
hacker the opportunity to compromise your security.

Since I'm an NT bigot, I'd say that the ability to run IIS or MS
Exchange on a Firewall represents a huge opportunity for savings for
small to medium sized companies, since the cost of duplicating hardware
is often not part of the budget. This lack of budget is usually because
enough time wasn't spent detailing the assets that are trying to be
protected. If those assets are properly quantified, the cost of the
additional hardware is rarely an issue (it's usually a single digit
percentage of the assets that are being protected). However, if the
vendor has done their work well, they may be able to run happily with
other products and add security to those products as well. Given that
none of the NT products have been around that long, their ability to do
this is still in question.

On the surface, however, there are a number of good ports of well-known
Unix Firewalls to Windows NT. Their feature sets vary, so recommending
one is entirely dependent on your particular needs.

- Raptor Systems Inc. (http://www.raptor.com), has the Raptor Eagle for
NT

- Global Internet (http://www.gi.net) has the Centri Firewall for
Windows NT (based on TIS Gauntlet)

- Checkpoint Software Technologies Ltd. (http://www.checkpoint.com) has
the Firewall-1 for Microsoft Windows NT

- Digital Equipment Corporation
(http://altavista.software.digital.com/products/firewall/nfintro.htm)
has their Altavista Firewall product for NT

- NetGuard Ltd. (http://www.netguard.com) has the Guardian Internet
Firewall System, which has the dubious distinction of being the only
Firewall listed on Microsoft's Server resources webpage, despite the
fact that Global Internet is working closely with Microsoft on other
products.

Of course there are others, but that should be sufficient to get your
thought process working on what you need and how you can achieve it.
Each vendor will probably make their own recommendations as far as
hardware/RAM is concerned. Remember, for most sites (i.e. those with
ISDN/FR/FT1), the performance of your Internet access is dependent on
the size of the pipe you have to the Internet, not on your Firewall.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ . Cooper @ RC . on . ca <-- *note the new address*
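The post's central point is that the security policy comes first and the firewall (whatever it runs on) is derived from it. The following is an added illustration, not code from the original message or from any of the vendors listed: it models the policy questions the author lists (remote access from the Internet, HTTP server inside or outside, passing SQL, transparent versus authenticated outbound) as explicit decisions, refuses to produce a ruleset until every one is answered, and then derives an ordered, default-deny ruleset from them. Zone names (`internet`, `dmz`, `internal`, `proxy`), the port numbers, and the sample policy values are assumptions chosen for the example.

```python
"""
Added example (not from the original post): derive a default-deny firewall
ruleset from an explicit security policy. Zone names, ports and the sample
policy are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# The questions from the post that a policy must answer before any rule exists.
REQUIRED_DECISIONS = (
    "remote_access_from_internet",   # allow inbound remote access at all?
    "http_server_location",          # "inside", "outside" (DMZ) or None
    "pass_sql",                       # must SQL traffic cross the firewall?
    "transparent_outbound",           # transparent outbound, or via authenticating proxy?
)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source zone, or "any"
    dst: str               # destination zone, or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any port
    note: str              # why the policy requires this rule


@dataclass
class Policy:
    decisions: dict = field(default_factory=dict)


def missing_decisions(policy: Policy) -> list[str]:
    """Return the policy questions that have not been answered yet."""
    return [k for k in REQUIRED_DECISIONS if k not in policy.decisions]


def derive_rules(policy: Policy) -> list[Rule]:
    """Derive an ordered, first-match ruleset; refuse if the policy is incomplete."""
    missing = missing_decisions(policy)
    if missing:
        raise ValueError("cannot derive rules; undecided: " + ", ".join(missing))
    d = policy.decisions
    rules: list[Rule] = []
    # Where the HTTP server lives decides where inbound port 80 is allowed to terminate.
    if d["http_server_location"] == "outside":
        rules.append(Rule("permit", "internet", "dmz", "tcp", 80, "public web server in DMZ"))
    elif d["http_server_location"] == "inside":
        rules.append(Rule("permit", "internet", "internal", "tcp", 80, "web server inside (wider exposure)"))
    if d["pass_sql"]:
        # Assumed design: only the DMZ web tier reaches the database, never the Internet directly.
        rules.append(Rule("permit", "dmz", "internal", "tcp", 1433, "web tier to database only"))
    if d["remote_access_from_internet"]:
        # Assumed: remote access over SSH with strong authentication.
        rules.append(Rule("permit", "internet", "internal", "tcp", 22, "remote access (assumed SSH)"))
    if d["transparent_outbound"]:
        rules.append(Rule("permit", "internal", "internet", "any", None, "transparent outbound"))
    else:
        rules.append(Rule("permit", "internal", "proxy", "any", None, "outbound via authenticating proxy"))
        rules.append(Rule("permit", "proxy", "internet", "any", None, "proxy egress"))
    # Anything the policy did not explicitly allow is denied.
    rules.append(Rule("deny", "any", "any", "any", None, "default deny"))
    return rules


def decide(rules: list[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation: return the action of the first rule that matches."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.port in (port, None)):
            return r.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample policy: DMZ web server, SQL from web tier only,
    # no inbound remote access, authenticated (non-transparent) outbound.
    sample = Policy({
        "remote_access_from_internet": False,
        "http_server_location": "outside",
        "pass_sql": True,
        "transparent_outbound": False,
    })
    for rule in derive_rules(sample):
        print(rule)
```

The ruleset is deliberately ordered with the deny rule last, so every permit is traceable to one of the policy answers; running it against an incomplete policy fails loudly rather than guessing, which is the author's "you can't pick a good Firewall without detailing these items" in executable form.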

