At 10:33 PM 11/16/96 -0500, Rabid Wombat wrote:
>> Generally, these products may be able to protect your network, provided you
>> can *guarantee* there are no IP stacks loaded on any of your machines (other
>> than the Novell server). The problems start when people (for example) have
>> Windows 95 and decide to load their own IP stack. Any communication not
>> sent through the IP-IPX gateway is not protected by whatever mechanism the
>> gateway provides.
>How so? If you construct the network correctly, there will be no routing
>of IP between segments - IPX routing only. If a user enables IP on a
>workstation, they can't get off the segment, and nobody on an "outside"
>segment can get in.
Generally, we've found that when correctly installed and configured, these
gateways can indeed give some measure of protection, *but* the vendors don't
make it at all clear how to do this. I've seen situations in which people
think they're protected, but have only one NIC card and Windows NT servers
on the same segment, with TCP loaded. In fact, I've seen this more than
once, which leads me to believe that as with all security, the answer to the
question "can this IP-IPX gateway protect me?" is "yes and no".
>I wouldn't call this a "firewall" by today's standards, though. Your
>points on logging are on the mark. You also need to properly configure
>all the Novell servers on the network to prevent the routing of IP, or
>the above argument holds - this gives you more than one point of
>failure to manage, and starts looking suspiciously like host-based
>security in disguise ...
Exactly. It's a shame that no one can agree on terminology. This is
probably because there are many situations in which vendors like to
obfuscate. It's sort of a different kind of security through obscurity
(half a :-).
Ian Poynter ian @
Jerboa, Inc. +1-617-492-8084
PO Box 382648, Cambridge, MA 02238 www.jerboa.com
Providing unbiased Internet consulting for businesses.
PGP Fingerprint: BA 0C 82 C5 F2 03 3D 95 7C CE FD D3 57 4E 15 73