
Conference: noted::seal

Title: SEAL
Moderator: GALVIA::SMITH
Created: Mon Mar 21 1994
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1989
Total number of notes: 8209

1785.0. "Questions: configuring Firewall - new to this?" by EINE::ANDERSON (Still Alive) Mon Feb 10 1997 01:46

    Hi, Keith Anderson from NSIS in Canberra, Australia here. Questions
    below, marked with ***.
    
    Our local gurus are both away (PJDM is in subtropical areas in
    northern Australia and Paul Tanner is helping folks out in Chicago,
    USA. Come home Paul, all is forgiven :-))...
    Anyway, I have to finish a proposal for a customer. They have the
    money, they want to buy, we have to get an approved proposal in before
    end of month... it's just that I have never written a Firewall proposal
    before. 
    
    They are an Australian Dept of Defence customer and so have high
    security requirements, even when connecting their Unclassified Network
    to the Internet. Because of the security and because of the potential 
    number of users & systems on their network, it seems clear that a very
    high-end firewall is required and so a 3 node firewall is best. At
    present they ship their network traffic to the Internet to another
    Defence department with a gateway on the other side of the continent.
    They can buy our solution for a local ISP connection with firewall with
    less money than it will take to upgrade their cross continental lines,
    which are bottlenecking traffic in a big way. They want to start with
    256kbps link to ISP and have options to upgrade to 2M. Digital is best
    :-)
    
    They want to see range of choices: full purchase, leasing, full
    outsourcing, and whatever other options we think make sense.
    
    Security is important: they want something that is easy for Security Branch to
    approve, and so need an introduction to a happy Digital Defense user in the
    USA.
    
    They want to charge usage back to the other Defence organisations
    that will use this gateway. They would like a user logon process
    so they can track access at user level. I told them that logging activity by
    IP address was normal operation of the firewall, but I did not know
    about a logon process, perhaps log onto the proxy server?
    *** Q1. What can be done in terms of user logons (you don't want that
    on the firewall!)?

    My plan:
    
    -   put together a single package of h/w, s/w, and services that
    includes a 3 system firewall (gateway, gate, mailgate), an external
    Web server, and merging in the internal Web server they already have. 
    *** Q2. How do I size the AlphaServers for this? I found sizing for Web
    servers but not for Firewalls...
    
    -   Get reference sites in USA Defence that are using high-end firewall
    setup 
    *** Q3. How do I find such private sites? - they will NOT be in
    IR for sure 
    
    *** Q4. Does the QS-SEAA9-CP for Digital Firewall Service include
    software licence for unlimited or not? 
    
    *** Q5. How do I put an indicative performance upgrade option in, 
    or non-stop availability options in? 
    
    -   get an OMS price for full outsourcing, with equipment at their
    site, NSIS to do installs and regular consultancies (like capacity
    planning), and investigate if can use OMS centre in Melbourne as
    support for 24x7. 
    
    -   provide a purchase option that has a fixed rental plus a usage
    charge so that we can manage the risk that usage will rocket up! 
      
    - provide upgrade option that includes AV Search, AV Tunnel


Regards
Keith

1785.1. by QUICHE::PITT (Alph a ha is better than no VAX!) Wed Feb 12 1997 07:12 (89 lines)

>   about a logon process, perhaps log onto proxy server?
>   *** Q1. what can be done in terms of user logons (you dont want that
>   on the firewall!)?

telnet and ftp can be permitted on an "authorised only" basis if you want to 
identify by user.  These are not UNIX logons - the accounts are not in the
/etc/passwd file - but are solely for the application proxies on the firewall. 
Hold your breath for AFWU V3.0 (only a couple of months away) and you will find
similar functionality on the WWW proxy as well.

The other large "user" protocol is mail.  The information to charge for mail by
user (sender for outbound and recipient for inbound) is all in the log files. 
There is a perl script that I made available that will generate a report by user
from the logs.

>    My plan:
>    
>    -   put together a single package of h/w, s/w, and services that
>    includes a 3  system firewall (gateway, gate, mailgate), an external
>    Web server, and  merging in the internal Web server they already have. 
>    *** Q2. How do I size the Alphaservers for this? I found sizing for Web
>    servers but not for Firewalls...
>

I would question your assumption that you need a 3-node firewall, though I
haven't got time to do so.  The arguments have been aired on this notesfile
several times over the past year.  However, if that's how you want to go, then
do it.

As for sizing, again, the information is on this notesfile for the "gatekeeper"
machine.  For gate you can spec a similar machine, but it doesn't need as much
memory - a basic 64M will probably suffice.  

For mailgate, it's very difficult to decide, because it depends on what it has
to do.  Is it going to be a mail server for the internal network, or is it just
going to hand the mail on to somewhere else?  If the latter, then you want
moderate disk (maybe 5G) for logs, and maybe 96M memory - 64 would probably do. 
If users are actually going to log on to mailgate to read mail etc, etc, then
you'll have to ask a UNIX guru to spec the system.

Do consider using RAID hardware for greater availability of all machines - as
far as I know, disk failure is still the most likely thing to cripple a machine,
as it always has been in my computing life ...

    
>    -   Get reference sites in USA Defence that are using high-end firewall
>    setup 
>    *** Q3. How do I find such private sites? - they will NOT be in
>    IR for sure 

Get Paul to help you out ...  He must know someone who knows ...  And do make
sure they know that Digital (that is to say, myself!) put Number 10, Downing St,
London, on the Internet using this technology, though the firewall was a single
box (equivalent to the gatekeeper above).
    
>    *** Q4. Does the QS-SEAA9-CP for Digital Firewall Service include
>    software licence for unlimited or not? 

Wrong part number.  Sell QB-5GLAA-DA, and it does include it.
    
>    *** Q5. How do I put an indicative performance upgrade option in, 
>    or non-stop availability options in? 

To improve performance, add memory.  Alpha chips are bl%%dy fast - we usually
quote that an AlphaStation 200 4/233 can saturate an FDDI without running out of
CPU oomph.  In your case, as in almost every case, the performance you require
is limited by the ISP connection bandwidth.

For non-stop availability, you need to get hold of the write-up that Kevin Carey
has been promising on a firewall on a UNIX cluster.  This is an NSIS offering.
    
>    -   get an OMS price for full outsourcing, with equipment at their
>    site, NSIS  to do installs and regular consultancies (like capacity
>    planning), and  investigate if can use OMS centre in Melbourne as
>    support for 24x7. 
>    
>    -   provide a purchase option that has a fixed rental plus a usage
>    charge so that we can manage the risk that usage will rocket up! 
>      
>    - provide upgrade option that includes AV Search, AV Tunnel

Treat these as separate pieces of work.  The most critical thing in a firewall
installation is to specify what is NOT included.  In the early days of Digital's
sale of firewalls to customers, there were cases where days and days of effort
were wasted on things like integrating Internet mail and internal mail systems. 
It's best to do the firewall as a bounded, single piece of work, and then to
pick up the other bits afterwards ...

1785.2. "Thanks!" by EINE::ANDERSON (Partial Parrothead) Wed Feb 12 1997 16:41 (1 line)