
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1806.0. "Does Digital Firewall support the following appl" by QCAV02::XFMV01::HARESH () Thu Feb 20 1997 03:06

Hi All :

	I am currently working on a Request for Proposal for a large Financial
	Institution in India which is looking for a Firewall as part of the total
	solution. I have listed the features which need to be available as
	part of the requirement. Also the Firewall solution needs to work on an
	X86 based PC.

	I would need assistance from one and all for positioning a Firewall
	solution for the given requirement.

	Can I position any of the Digital Firewall Intel PC based solutions ?

1.	Support for the following outgoing proxies/gateways :
	
	-  Telnet
	-  FTP (with support for passive mode)
	-  HTTP/Gopher/WAIS/shttp/SSL/anonymous-FTP using a URL-based
	   proxy server
	-  SMTP (with full support for ESMTP to the extent supported by
	   Sendmail V8)
	-  NNTP (circuit gateway to external server)

2.	Support for the following incoming proxies/gateways :
	
	-  Telnet (using one-time passwords and/or HHA)
	-  FTP (using one-time passwords and/or HHA)
	-  SMTP (with full ESMTP support to the extent supported
	   by Sendmail V8)
	-  NNTP (circuit gateway to internal server)
	-  SQL (specifically Oracle)
	-  POP3

3.	Access control on URL-based proxy server :
	
	-  control list of URLs accessible from the inside, using
	   regular expressions (e.g. block out http://+.playboy.com)
	-  control list of URLs from where Java/Javascript/ActiveX applets
	   can be downloaded in the pages (by using a content filter) using
	   regular expressions to specify URLs
	   (e.g. allow access to http://www.hacker.com but block all inline
	   java/activeX in the pages)
	-  control lists of data types (using MIME specifications) that can
	   be accessed (e.g. block all resources of the type video/mpeg)
	-  control access based on IP address of client host

4.	Servers required on firewall :

	-  DNS
	-  anonymous FTP
	-  finger

5.	Protection mechanisms :

	-  Hardened kernel
	-  Protection against source routed packets
	-  IP filtering support, based on:
	   -  source addr/port
	   -  dest addr/port
	   -  protocol (TCP/UDP/ICMP/other-IP)
	   -  TCP flags (SYN, ACK)
	   -  accept, deny (silent), or reject (send ICMP "unreachable"
	      message) responses
	-  Control over ARP cache
	-  Protection against SYN-flooding
	-  IP spoofing protection
	-  Auto shutdown of firewall if specified conditions are satisfied

6.	Detection and logging support for :

	-  SMTP unusual volumes
	-  SMTP unusual address syntax
	-  SMTP DEBUG bug attempt
	-  Unusually long lines input on all line-based TCP services 
	   (finger, SMTP, NNTP, POP3, anonFTP)
	-  checking for binary data on input to all line-based TCP services
	-  All attempts to connect to unavailable UDP services, especially
	   TFTP, mountd, nfsd, portmap, and all other SunRPC-based services
	   (e.g. rsh), including content of request and name of local user
	   attempted (e.g. an attempt at "rlogin -l bin")
   	-  Dynamic packet sucker triggered by portmap query
 	-  Attempts to initiate zone transfers on DNS server
	-  Unsolicited incoming DNS response without outgoing DNS request
	-  All retrieval of /etc/passwd using anonymous FTP

7.	Informational logging for all routine activities, with IP address and 
	domain name of remote site, date and time stamp, brief contents of 
	access, number of bytes transferred, number of data items (messages, 
	news articles, DNS queries) transferred.  All logging should be 
	redirected to an internal host using syslog protocol.

8.	Management and configuration tools :

	-  Configurable using Web browser from any internal desktop
	-  Complete configuration accessible as ASCII files for backup and
	   storage
	-  Separate log processing tools (runnable on any standard Unix 
	   platform) for generating statistics from daily logs and 
	   detecting alerts.
	-  Statistics reporting should generate HTML output for viewing
	   on internal Web server
	-  Configuration tester, separately for SMTP configuration, IP
	   packet filters, UDP probe detectors and others.

9.	Optional encrypted TCP circuit between two firewalls.

10.	Ability to install controlled UDP proxy and tcp circuit gateways for 
	certain hosts and port numbers.	

Thanks in Advance !
Best Regards,
Haresh Keswani.
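As an added illustration of what item 3 of the RFP above asks of a URL-based proxy, the following policy engine (example code written for this page, not code from any Digital firewall product) applies the four controls in order: client host address, regular-expression URL blocklist, MIME type blocklist, and stripping of inline Java/JavaScript/ActiveX from pages that do not come from an allowed site. The hostnames, networks, patterns and tag list are assumptions chosen for the example; the RFP's "http://+.playboy.com" is written as an anchored Python regex. Note the caveat: a regex over the HTML text catches applet, script, object and embed elements but not script in event-handler attributes or javascript: URLs, which a real content filter must handle by parsing the page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy for the URL-based proxy in item 3 of the RFP. The
# hostnames, networks and patterns below are hypothetical examples, not
# anything from a real product configuration. Patterns are Python regular
# expressions, so the RFP's "http://+.playboy.com" becomes an anchored regex.
URL_BLOCKLIST = [
    re.compile(r"^https?://([^/]+\.)?playboy\.com(/|$)", re.I),
]
# Sites whose pages may carry inline Java/JavaScript/ActiveX unchanged;
# pages from anywhere else have that content stripped (the RFP's
# "allow access to http://www.hacker.com but block all inline java/activeX").
ACTIVE_CONTENT_ALLOWLIST = [
    re.compile(r"^https?://intranet\.example\.com(/|$)", re.I),
]
MIME_BLOCKLIST = {"video/mpeg", "application/x-msdownload"}
CLIENT_NETS = [ip_network("10.0.0.0/8")]

# Elements that carry applets, scripts and ActiveX controls in a page of the
# period: a paired tag with its body, or a lone opening tag without a close.
ACTIVE_TAG_RE = re.compile(
    r"<(applet|script|object|embed)\b.*?</\1\s*>"
    r"|<(?:applet|script|object|embed)\b[^>]*>",
    re.I | re.S,
)


def client_allowed(client_ip: str) -> bool:
    """Item 3, last bullet: access control on the client host's IP address."""
    ip = ip_address(client_ip)
    return any(ip in net for net in CLIENT_NETS)


def url_allowed(url: str) -> bool:
    return not any(p.search(url) for p in URL_BLOCKLIST)


def active_content_allowed(url: str) -> bool:
    return any(p.search(url) for p in ACTIVE_CONTENT_ALLOWLIST)


def media_type(content_type: str) -> str:
    """'text/html; charset=iso-8859-1' -> 'text/html'."""
    return content_type.split(";")[0].strip().lower()


def mime_allowed(content_type: str) -> bool:
    return media_type(content_type) not in MIME_BLOCKLIST


def strip_active_content(html: str) -> str:
    return ACTIVE_TAG_RE.sub("", html)


def filter_response(client_ip: str, url: str, content_type: str, body: str):
    """Apply the policy in order; returns (decision, body to deliver)."""
    if not client_allowed(client_ip):
        return "deny: client host", ""
    if not url_allowed(url):
        return "deny: url", ""
    if not mime_allowed(content_type):
        return "deny: mime type", ""
    if media_type(content_type) == "text/html" and not active_content_allowed(url):
        stripped = strip_active_content(body)
        if stripped != body:
            return "allow-stripped", stripped
    return "allow", body


if __name__ == "__main__":
    page = '<html><applet code="x.class"></applet><p>hi</p><script>alert(1)</script></html>'
    print(filter_response("10.1.2.3", "http://www.hacker.com/", "text/html", page))
    print(filter_response("10.1.2.3", "http://www.playboy.com/index.html", "text/html", page))
```

The checks that can be decided from the request alone (client host, URL) run before the response is fetched; the MIME and content checks need the response headers and body, which is why a URL-based proxy, not a packet filter, is the place for them.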
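Item 6 of the RFP asks the firewall to detect overlong lines and binary data on every line-based TCP service, SMTP DEBUG attempts and unusual address syntax, and retrieval of /etc/passwd over anonymous FTP. The following detector is an added example written for this page (not code from any firewall product); it runs those checks over a captured client stream one line at a time. The 512-byte threshold (the RFC 821 command-line maximum), the DEBUG/WIZ and pipe-or-path address patterns, and the two sample sessions are assumptions constructed for the example.

```python
import re

# Constructed detector for item 6 of the RFP: per-line sanity checks on the
# input of line-based TCP services (SMTP, NNTP, POP3, finger, anonymous FTP).
# Thresholds and patterns are assumptions for this example, not product
# settings. 512 is the RFC 821 maximum for an SMTP command line (with CRLF).
MAX_LINE = 512
# Bytes a line-oriented text protocol legitimately carries; anything else
# (high-bit bytes, control characters) is treated as binary input.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09}

# The sendmail DEBUG/WIZ commands of the 1988 worm era.
SMTP_DEBUG_RE = re.compile(rb"^(DEBUG|WIZ)(\s|$)", re.I)
SMTP_ADDR_RE = re.compile(rb"^(MAIL FROM|RCPT TO)\s*:\s*<?([^>\r\n]*)>?", re.I)
# A pipe or an absolute path in place of a mailbox: the classic attempts to
# make the MTA run a command or write a file rather than deliver mail.
BAD_ADDR_RE = re.compile(rb"^\s*[|/]")
PASSWD_RETR_RE = re.compile(rb"^RETR\s+.*passwd\s*$", re.I)


def inspect_line(service: str, line: bytes) -> list:
    """Return the alert codes raised by one line (terminator already removed)."""
    alerts = []
    if len(line) > MAX_LINE:
        alerts.append("long-line")
    if any(b not in TEXT_BYTES for b in line):
        alerts.append("binary-input")
    if service == "smtp":
        if SMTP_DEBUG_RE.match(line):
            alerts.append("debug-command")
        m = SMTP_ADDR_RE.match(line)
        if m and BAD_ADDR_RE.match(m.group(2)):
            alerts.append("bad-address")
    if service == "anonftp" and PASSWD_RETR_RE.match(line):
        alerts.append("passwd-retrieval")
    return alerts


def scan_stream(service: str, data: bytes) -> list:
    """Split a captured client stream into lines; return (line_no, service, code) tuples."""
    alerts = []
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":      # stream ended with a newline
        lines.pop()
    for no, raw in enumerate(lines, start=1):
        line = raw[:-1] if raw.endswith(b"\r") else raw
        for code in inspect_line(service, line):
            alerts.append((no, service, code))
    return alerts


# Constructed sample sessions (not real captures) exercising each check.
SMTP_SAMPLE = (
    b"HELO attacker.example\r\n"
    b"DEBUG\r\n"
    b"MAIL FROM:<|/bin/sh>\r\n"
    b"RCPT TO:<user@example.com>\r\n"
    b"DATA\r\n"
    + b"A" * 600 + b"\r\n"
    + b"\x90\x90\xeb\x1f\r\n"
    b".\r\n"
)
FTP_SAMPLE = b"USER anonymous\r\nPASS guest@\r\nRETR /etc/passwd\r\n"

if __name__ == "__main__":
    for a in scan_stream("smtp", SMTP_SAMPLE) + scan_stream("anonftp", FTP_SAMPLE):
        print("ALERT line %d %s: %s" % a)
```

Each alert carries the line number so the logging in item 7 can quote the offending input; the line terminator is stripped before the length and byte checks so that a bare LF from a non-conforming client is not itself reported.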
1806.1. "NT intel based AVFW v2.0" by GENIE::MUKHERJEE () Fri Feb 21 1997 12:41 (37 lines)
Looks like someone really did their research when they wrote that RFP.  Maybe some of the others want to add
their two cents worth on this.

Last time I looked at Altavista FW for NT (Alpha) I think it could provide many of the desired items.  Can someone
else verify if the intel version offers the same?

Things that were not available in v2.0:
- No Oracle (SQL Net proxy)
- No POP3 proxy (using gxd instead)
- Remote management (no external connections are allowed to the machine)


Things not sure about:
- Selective control of ActiveX sessions
- outbound anon ftp sessions (possible on the Unix FW)
- Level of syn-flooding protection
- Not sure about the IP filtering strategies.  Not sure if there is a packetfilter available in this
  product.  THIS IS POSSIBLE IN THE UNIX version.
- existence of UDP proxy?

Things supported:
- Proxies for FTP, Telnet and HTTP  sessions (outbound only)
- HHA is Digital Pathways (ONLY) for authenticated FTP and Telnet (outbound sessions)
- extensive logging
- alarm triggered shutdown of the firewall



Basically it looks like your customer has some UNIX in house as you mentioned log processing on UNIX platforms.
From the sounds of the requirements, the UNIX firewall is a far better choice.

Given that the customer insists on an x86 box, maybe you should also check out the Borderware kit that Digital sells.
It used to be marketed as low end firewall, but it may fit the bill .....

but then again.....

Maybe someone can clue us into what the new version of AVFW (NT) might offer....one of these days.