T.R | Title | User | Personal Name | Date | Lines |
---|
1851.1 | you're not the only one asking this | BRSDVP::ROELANDTS | Wa d'es ma da ve ne stuut | Mon Mar 10 1997 11:19 | 12 |
|
Célia,
You're not the only one .... more and more people are asking about V3.0
but no answers ..... check in the previous notes and you'll find some
others asking the same thing.
Regards,
Guy
|
1851.2 | try here | SNOFS1::snod14dgp26.gen.sno.dec.com::snov14.sno.dec.com::stylianoua | | Tue Mar 11 1997 06:12 | 3 |
| http://www.altavista.software.digital.com/firewall/products/97/index.htm
Andrew Stylianou
|
1851.3 | thank you | BACHUS::ROELANDTS | Wa d'es ma da ve ne stuut | Tue Mar 11 1997 06:48 | 6 |
|
Thank you Andrew,
Guy
|
1851.4 | | NCMAIL::SMITHB | | Tue Mar 11 1997 07:49 | 312 |
| AltaVista Firewall 97
The Active Firewall
AltaVista Firewall 97 offers best in class for both local
and remote management.
Listen to some comments from NetworkWorld (2/3/97):
"AltaVista Firewall is the easiest to configure and control
of all the firewalls we looked at". "AltaVista Firewall has
one of the most sophisticated features in the reporting
and accounting area."
AltaVista Firewall provides you with OnSite Protection,
the highest level of security available on your choice of
platforms: Windows NT* (Intel or Alpha), BSD/OS on Intel
and Digital UNIX on Alpha. AltaVista Firewall 97 makes
managing heterogeneous configurations easy. AltaVista
Firewall 97 management is consistent and compatible
with your existing systems.
AltaVista Firewall 97 offers remote management
capabilities through the AltaVista tunneling technology at
no cost. From a centralized remote station running either
Windows 95 or NT, system administrators can view
firewall activities from anywhere and quickly take
appropriate actions.
Remote Management provides the following capabilities:
- Display the states of all services, alarms and current status
- Start/stop specific services, like ftp (on UNIX)
- Maintain and manage security policies, user authentication, DNS, mail and new SNMP alarms on any Digital UNIX machine (on UNIX)
URL and Java Blocking is provided for both
performance and security. AltaVista Firewall 97 blocks
URLs to preserve network performance and to restrict
access to Web sites. It detects and blocks Java applets
entirely by allowing selective filtering through the firewall
to protect against network attacks.
Enhanced WWW proxy
AltaVista Firewall 97 contains significant performance
improvements, based on code optimization.
Real-Audio Proxy allows or prevents users on internal
network systems with Web browsers to access
RealAudio services on the external network.
UDP proxy is a new proxy which allows specific UDP
applications like Internet Chat to pass through the firewall
securely on UNIX.
SQL* net proxy
The best news is that you can now build your own
networks of Oracle7 or other third-party data repositories
across the Internet simply. SQL*Net establishes a
connection to a database when a client requests a
session. Since this proxy is based on the Oracle
Multi-Protocol Interchange (MPI), it inherits many of the
Multi-Protocol interchange features. Such as:
Superior Security Proxy
Generic TCP relay enhancements
With TCP relay enhancements for added security,
AltaVista Firewall 97 broadens security policies using
TCP relay for one-to-many and many-to-one connection.
The management GUI also supports the TCP generic
relay for ease of use.
Powerful and Flexible Authentication
Authentication for WWW users or group of users
The enhanced WWW proxy includes authentication for
specific users or group of users by any authentication
schemes currently supported by the UNIX firewall such
as CRYPTOCard or re-useable passwords. This feature
provides system administrators with great flexibility to
implement their policies with finer granularity.
Windows NT domain authentication support
This feature integrates the Windows NT domain
authentication scheme. This allows access to Internet
services (e.g. ftp, telnet) to users authenticated by this
scheme and finer grained control over firewall traversal.
This is a clear win for both end-users and MIS
managers.
Dual-DNS Server, Dual-DNS servers understand which
name services are internal and external. The Dual-DNS
server is fully configurable through GUI based
management.
With DMZ (Demilitarized Zone), AltaVista 97 on UNIX
offers more than a simple trusted/untrusted
implementation supporting only two LAN connections.
Look at the following AltaVista Firewall 97 checklist and
you will see that AltaVista Firewall 97 has your security
needs covered both now and in the future at an affordable
price.
Firewall checklist
AltaVista Firewall 97 (V3.0)
Features
Digital
UNIX
NT (Alpha and
Intel)
Best-in-class Management
X
X1
URL and JAVA blocking
X
X2
Proxies
Enhanced WWW proxy
X
Real-audio proxy
X
X
Generic UDP proxy
X
SQL*net proxy
X
One to one and many to one
generic proxy
X
X3
Authentication
NT domain login
X
Web user or group of users
X
Dual DNS
X
Single server for firewall and
VPN
X4
X
DMZ support
X
1. Some restrictions apply. See feature description.
2. Only URL blocking is supported on NT.
3. Already supported on NT.
4. Already supported on UNIX.

| Type of Firewall | Digital UNIX | Windows NT |
|---|---|---|
| Hardware | Alpha | Intel and Alpha |
| Software | Only | Only |
| Packet filtering | Yes | Future |
| Application-level | Yes | Yes |
| Circuit-level | Yes | Yes |
| Dual Homed | Yes | Yes |
| Multi-homed | Yes (via SI Service) | No |
| Fast networking connections | Yes | Yes |
| DMZ support | Yes | No (Future) |

| Additional security | Digital UNIX | Windows NT |
|---|---|---|
| Anti-spoofing | Yes | Yes |
| Internal address hiding | Yes | Yes |
| Trusted Operating System | Yes | Partial |
| Virus Scanning | Yes (via third-parties e.g. Finjan, McAfee) | Yes (via third-parties e.g. FinJan, McAfee) |
| Java Blocking | Yes | No |
| URL Blocking | Yes | Yes |
| ActiveX Blocking | Future | Future |

| Certification | Digital UNIX | Windows NT |
|---|---|---|
| NCSA | Yes | Yes (first vendor to obtain certification) |
| ITSEC | Future | Future |

| Management | Digital UNIX | Windows NT |
|---|---|---|
| Graphical interface | Yes (HTML) | Yes (HTML and Windows) |
| Real-Time monitoring | Yes | Yes |
| Real-Time reporting | Yes | Yes |
| Service-user logging | Yes | Yes |
| Failed-Usage attempt logging | Yes | Yes |
| Statistical analysis | Yes | Yes |
| Alarm analysis | Yes | Yes |
| Evasive action | Yes | Yes |
| Paging | Yes (SNPP and script) | Yes (script only) |
| Remote administration | Yes | Yes |
| Central admin of multiple firewalls | Yes | Yes |

TM Copyright © 1996 Digital Equipment Corporation. All Rights Reserved. AltaVista Internet Software, 30 Porter Road, Littleton, MA Fax: (508) 486-2017
|
1851.5 | | NCMAIL::SMITHB | | Tue Mar 11 1997 07:51 | 5 |
| Will the next version of the www relay allow web publishing through ftp puts
like with Netscape Gold?
Also, we noticed that passwords come out in clear text in the www logs, will
that be fixed in the next release?
|
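One way to keep passwords out of proxy logs like the WWW logs mentioned in .5, as an added example that is not part of this thread or of AltaVista Firewall: it masks the password in URL userinfo and in password-like query parameters before a line is stored. The Common-Log-like sample lines, the parameter names and the function names are constructed assumptions; the firewall's real log format is not shown on this page.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: query parameter names that commonly carry a password.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass"}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"<>]+", re.IGNORECASE)
MASK = "REDACTED"

def redact_url(url):
    """Return (url, changed) with any embedded password masked."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return MASK, True  # fail closed: never log what cannot be parsed
    netloc, query, changed = parts.netloc, parts.query, False
    # user:password@host -- rpartition keeps an '@' inside the password intact
    userinfo, at, hostport = netloc.rpartition("@")
    if at and ":" in userinfo:
        netloc = f"{userinfo.split(':', 1)[0]}:{MASK}@{hostport}"
        changed = True
    pairs = parse_qsl(query, keep_blank_values=True)
    if any(k.lower() in SECRET_PARAMS and v for k, v in pairs):
        query = urlencode([(k, MASK if k.lower() in SECRET_PARAMS and v else v)
                           for k, v in pairs])
        changed = True
    if not changed:
        return url, False  # leave clean URLs byte-for-byte unchanged
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment)), True

def redact_line(line):
    """Mask passwords in every URL on one log line; return (line, count)."""
    hits = 0
    def repl(match):
        nonlocal hits
        clean, changed = redact_url(match.group(0))
        hits += changed
        return clean
    return URL_RE.sub(repl, line), hits

# Constructed sample lines in a Common-Log-like layout (not real firewall output).
SAMPLE = [
    '10.1.2.3 - - [11/Mar/1997:07:51:02 +0000] "GET ftp://webmaster:s3cret@ftp.example.com/pub/index.html HTTP/1.0" 200 512',
    '10.1.2.4 - - [11/Mar/1997:07:52:10 +0000] "GET http://www.example.com/login?user=bob&password=hunter2 HTTP/1.0" 200 1024',
    '10.1.2.5 - - [11/Mar/1997:07:53:44 +0000] "GET http://www.example.com/index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(redact_line(raw)[0])
```

The count returned by `redact_line` can also feed an alert, so that clients sending credentials in URLs are found and fixed rather than only hidden.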
1851.6 | | BIGUN::nessus.cao.dec.com::Mayne | Churchill's black dog | Tue Mar 11 1997 16:36 | 4 |
| You can do this already by opening a hole from the development system inside to
the public machine outside. (UNIX only, of course.)
PJDM
|
1851.7 | MS updates web content thru proxy | PRMS00::COLE | | Tue Mar 11 1997 17:10 | 10 |
| The latest Microsoft Visual Interdev will publish (i.e. update
web server content) using http (and SSL if desired) and supports
operation thru a web proxy. I can create content on my Win95
desktop in Digital and push it to a customer's web server
on the Internet with one click! All you need is the Front
Page extensions for the Webserver (Microsoft even supplies these
for the Netscape Enterprise Server).
...larry
|
1851.8 | | EEMELI::EINAMO | | Wed Mar 12 1997 06:01 | 1 |
| when will version 3.0 be shipping ....
|
1851.9 | don't use it | ANNECY::HOTCHKISS | | Thu Mar 13 1997 03:06 | 9 |
| re -1 do we really care when it ships???
re -2 even the visionary club members get no forewarning of features. I
would be tempted to call this just another evidence of the security by
obscurity attitude which pervades AV but it also smacks of engineering
arrogance.
My advice to you all is to be network security experts first, product
range experts second and AV experts third. This way you will keep the
expertise people should be paying us for. And if AV doesn't work or
doesn't respond, don't use it.
|
1851.10 | V3.0 ship-date | NETRIX::"[email protected]" | tim Shine | Fri Mar 14 1997 11:43 | 17 |
| AltaVista Firewall 97 for Windows NT, Digital UNIX and BSD/OS
is scheduled to ship to customers by 27-April-1997. Private Beta (formerly EFT)
is now in progress. The Public Beta kit is scheduled to be available on
28-March-97 which will be downloadable from altavista.software.digital.com.
I apologize for the lack of information flow from AV; this has been due in
part to frequent changes in the PM organization.
I can mail you directly a Word document describing the features of V3.0
(I'm not sure if I can post it here). I'm also happy to answer any further
questions you may have.
Regards
Tim Shine
AV Firewall Engineering Manager
[Posted by WWW Notes gateway]
|
1851.11 | | CHEFS::espol1.gmt.dec.com::PITT | Gone with the winsock ... | Tue Mar 18 1997 12:02 | 12 |
| The document that Tim refers to in the previous reply has now been
"published" to a WWW server. By this I actually mean that I told
Word to save it as html, and then I undid the worst excesses in the
html that I generated ...
To access it, look at the firewall area on the WWW server on sector
- you'll all remember that this is http://sector.gmt.dec.com/firewall
and look under the section on Software Versions.
I hope this will save Tim having too many requests for the information.
T
|
1851.12 | | BIGUN::nessus.cao.dec.com::Mayne | A wretched hive of scum and villainy | Tue Mar 18 1997 17:02 | 17 |
| The page in .11 contains not much more than the public page
(http://altavista.software.digital.com/firewall/products/97/index.htm), and
in some minor ways it has less, but it does have the following gem:
Firewall 97 broadens security policies by offering a generic TCP relay
for one-to-many and many-to-one connections. Consequently, an instance
of the generic relay such as news can have one server on the inside of
the firewall getting feeds from multiple news servers on the outside.
This generic relay is also fully transparent outbound so there will be
no need to reconfigure internal systems. The management GUI supports
both one-to-many and many-to-one configurations.
So yes, we now have a generic transparent proxy.
Thanks for the info.
PJDM
|
1851.14 | Did I miss something? | PMESD::BEABES | | Wed Mar 19 1997 18:31 | 11 |
| Pardon me, I have been hiding in the realms of the obsolete government applications, so I am a bit behind.
It has been interesting and quite enlightening to be playing catch up on the aspects of V3 also known as AltaVista
Firewall 97. Now I would like to play a bit, before I am required to go back to where there is "NO Assistance" and
install these products while the customer looks over my shoulder.
Where are the kits to be posted for not only the Firewall 97 but also the Tunnel 97??????
Regards
Ernie
|
1851.15 | Transparent Web proxy? | BIGUN::nessus.cao.dec.com::Mayne | A wretched hive of scum and villainy | Fri Mar 21 1997 01:54 | 5 |
| Neither "new features" document says if the Web proxy is transparent. Is it?
We've got a customer whose users don't currently use a proxy, and it would be
highly convenient not to reconfigure hundreds of PCs.
PJDM
|
1851.16 | | CHEFS::espol1.gmt.dec.com::PITT | Gone with the winsock ... | Mon Mar 24 1997 12:37 | 13 |
| You really don't want a transparent www proxy, as Mark Smith
persuaded me in the Autumn. The WWW proxy handles connections
to ALL ports, whereas a transparent proxy is by definition specific
to some ports.
Having said that, I have used the transparent gxd to proxy port 80,
and thereby got transparent www proxy for that port alone. You could
add in a few likely ones like 8000 and 81, perhaps. What you lose is
the application level logging, of course ...
Still, you pays ya money, and ya takes ya choice ...
T
|
1851.17 | | BIGUN::nessus.cao.dec.com::Mayne | A wretched hive of scum and villainy | Mon Mar 24 1997 17:40 | 22 |
| I (actually my customer) really do want a transparent WWW proxy.
I know a transparent proxy only handles one port. However, it's reasonable to
assume that most (not all, but most) Web servers use port 80, so a transparent
Web proxy on port 80 would work fine most of the time.
Now, this customer has many, many PCs that currently don't use a proxy server.
When we put the firewall in, all of those PCs will lose Web access until they've
been modified to use a proxy server, which will be a major undertaking. If we
had a transparent Web proxy, things would continue to work fine, and we can do
the PC modifications over as much time as we like. Whenever somebody wanted to
get to a non-port-80 Web server, we could individually tell them how to do it,
or we could add transparent Web proxies for those ports too.
As you say, we could use a transparent generic proxy, but as you say, there's no
logging, which is a pretty major loss.
Yet again, engineering convenience takes precedence over customer convenience...
PJDM
|
1851.18 | | CHEFS::espol1.gmt.dec.com::PITT | Gone with the winsock ... | Wed Mar 26 1997 09:15 | 30 |
| Re .-1: I think the final comment about engineering
convenience and customer convenience is unfair.
This issue has been discussed - as I said before I had a
long conversation with Mark Smith about it in the Autumn,
and he corrected much of my thinking on it. My position
changed as a result of this discussion.
Many of the decisions that are clear cut to one or more
of us are not so clear cut to Engineering (or Product
Management) I am sure. If you - that's you as an
individual, not Digital NSIS firewall consultants as a
community - were to get what you want, then another
feature would probably have to be dropped, thereby
causing pain to another individual. I know that I've
put a great many things on the "wants" list for AFW,
and mine alone are more than they could implement this
year!
I believe that your customer convenience in the short
term _can_ be adequately handled in AFWU V3 by using
the transparent generic relay. Yes, there is a (small)
loss by doing this instead of using a generic WWW proxy,
but it can be done. As a result, I'm glad that
transparent WWW proxy was not pushed up the list at the
expense of something else.
T
|