Title: SEAL
Moderator: GALVIA::SMITH
Created: Mon Mar 21 1994
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1989
Total number of notes: 8209
==============================================================
AltaVista Firewall 97 - Beta Test Kit #2
Release Announcement and Release Notes
==============================================================

Date: 20-March-1997

AltaVista partners as well as other interested parties are invited to copy, install and test this release. This kit may be tested in internal lab or testbed configurations and also in network configurations where a direct connection is made to the Internet. When a direct Internet connection is used, the internal network being protected using the firewall MUST not have ANY connection to Digital's internal network without the necessary EXARC approvals having first been obtained.

This document comprises the FT announcement and release notes for this kit. It provides information on how to copy and install the kit, and also how to report problems. A list of known problems is also included.

Any sites that already have a previous test kit are requested to upgrade their installation to use this kit.

Have fun!

AltaVista Firewall Engineering

NOTE: Details of the UNIX kit are included below; details of the NT kit are to follow.

=============================================================

1. AltaVista Firewall 97 for Digital UNIX V3.2G and V4.0B

AltaVista Firewall Version T3.0 for Digital UNIX
Release Notes
03 March 1997

These Release Notes contain the following sections:

1. Kit Contents
2. Installation
3. Configuration
4. GUI
5. Authentication
6. Administrator's Guide
7. Problem reporting
8. Performance and Tuning
9. Changes and Enhancements since Version 2.1
10. Applying patches from Digital UNIX

Each section identifies known issues or problems, and provides a solution or workaround, if applicable. It is recommended that you review these notes carefully.

1. Kit Contents

The field test kit comprises the following components:

- setld kit tar file archive (includes both firewall and tunnel server software)
- compressed POSTSCRIPT Administrator's Guide (not yet available; please use on-line help where possible)
- compressed POSTSCRIPT Digital Firewall for UNIX SPD
- release notes (this document)
- bug reporting information

2. Installation

This section contains notes relating to the installation of the AltaVista Firewall.

2.1. Copying the kit

This kit can be copied using FTP from the following host:

    ftp.wfa.digital.ie    [Please mail [email protected] for location of kits]

with the following filenames:

    AFWU300-EFT.tar                  tar archive containing the kit
    AFWU300_EFT_installguide.ps.Z    Installation Guide
    AFWU300_EFT_release_notes.lis    Release Notes

When you have copied the kit's components, you will need to uncompress the POSTSCRIPT documents prior to printing (# uncompress file.Z), and will also need to restore the setld product from the tar archive, e.g.

    # tar xvf AFWU300_EFT.tar

2.2. Product Installation

The Installation Guide contains comprehensive instructions detailing the required hardware and software, and how to install the product. This kit will be released on CD from the SSB, and is intended to be installed immediately after the installation of the Digital UNIX Operating System. This field test kit is also available for download from [email protected]

The following steps should be taken to mimic installation from a CD.

2.2.1. Install a supported version of the Digital UNIX OS on your test system as directed by the Installation Guide.

2.2.2. Using the netsetup utility, configure one of the interfaces on your test machine and set up a default route as appropriate. Restart the network.

2.2.3. Create a temporary directory and, using FTP, copy the kit components to your test machine.

2.2.4. Using the netsetup utility again, delete the configuration for the interface previously set up in step 2. Restart the network to ensure that you have deleted the network interface configuration correctly.

2.2.5. Restore the setld kit from the compressed tar archive, and proceed with the kit installation as directed in the Installation Guide:

    # tar xvf AFWU300-EFT.tar
    # cd firewall
    # setld -l .

Note: The AltaVista Firewall is a security product that requires a non-standard configuration of hardware and operating system software. It is important that you follow carefully the pre-installation and installation instructions in the Installation Guide.

2.2.6. Tunnel Installation, for Remote Management. Before installing the tunnel software (described in the Installation Guide) you must install the tunnel server PAK:

    # cd tunnel
    # chmod +x temp-int-tunnel-server.pak
    # ./temp-int-tunnel-server.pak
    # setld -l .                     (to install tunnel software)

2.3. Logging into the GUI Web Browser

The Netscape[TM] web browser provides the GUI for the AltaVista Firewall. When Netscape starts up, it displays a window with license information. Click on the Accept button to accept the license and continue.

The system now displays the Netscape Password login window. The firewall is shipped with admin as the required user ID and first-time password. To log in to the browser, enter the following:

    user ID:   admin
    password:  admin

The system displays a login screen for the firewall main menu. To log in to the firewall system as administrator, enter the following:

    user ID:   admin
    password:  admin

2.4. File System Diagnosis

You can use the System Accounting Utilities optional software subset (OSFACCT) to ease diagnosis of file system problems. For example, you can use OSFACCT to diagnose disk space usage problems. You may install this optional software subset when installing the operating system for the firewall system. Alternatively, you can install it at a later time.

3. Configuration

This section contains notes relating to the configuration of the AltaVista Firewall.

3.1. Mail Configuration

The firewall system cannot be configured as a mail hub system or central mail server (that is, the machine that handles mail for the internal domain). An internal system must be used to perform this role. The firewall system relays incoming mail to the mail hub system for the internal domain.

The name service for the internal domain must be configured so that appropriate MX records exist to direct mail for the internal domain to the mail hub system. The mail hub system must be configured with suitable aliases to pass mail for internal users to the appropriate internal destination.

You must also configure the mail hub system to send external mail (that is, mail destined for outside the internal domain) to the firewall. The firewall distributes this mail to the appropriate external destination.

3.2. Switching on the Mail Gateway

For security reasons, when you install the AltaVista Firewall, the mail gateway is disabled. To allow the firewall system to deliver mail, you must switch the mail gateway on using the Managing the Firewall menu item.

3.3. Mail Sent to the root Account

When mail is sent to the root account on the firewall system (for example, reports and alarm notifications), the mail is automatically delivered to the root account on the mail hub system.

3.4. Application Gateway Configuration

For security reasons, when you install the AltaVista Firewall, all application gateways are disabled. To enable a gateway, you must specify a security policy for the gateway using the Application Gateways menu item, and also switch the gateway on using the Managing the Firewall menu item.

3.5. DNS Configuration

Initial configuration of DNS sets up an invalid entry for the host name. This must be modified. To modify it, select DNS from the "Managing The Firewall" section of the Main Menu and add DNS entries as required. You can also search for DNS entries to check that they have been added correctly.

3.6. Save Firewall Configuration

This section is not included in this Field Test version.

3.7. Firewall within a firewall

If the firewall is behind another firewall, non-local DNS does not resolve because the query packets (UDP Port 53) can't escape through the outer firewall. A forwarders entry must be added to /usr/dfws/named.red/named.boot, for example:

    forwarders outside-firewall-IP-address
    slave

The internal name server daemon must then be restarted.

4. GUI

This section contains notes relating to the AltaVista Firewall GUI.

4.1. "Document has no data" error

The Netscape Web browser may display the following error message in a dialog box while performing firewall configuration and administration tasks:

    Document has no data

Click OK to dismiss the dialog box. Then click Reload to reload the page correctly. If the dialog box is displayed again, repeat these steps.

4.2. Window Border Disappears When Window is Moved

Depending on the severity status of the firewall system, the border of a window that is being moved may disappear. This may make it difficult to position the window being moved. Modify the window border color to increase contrast.

4.3. Error Opening a Directory During Summary Report Generation

If you generate a Summary Report for a period for which data logs do not exist, an error message appears, as follows:

    Error: OPENDIR: cannot open directory '/var/adm/syslog/logs/date': No such file or directory

The date indicates the days for which log data is missing. You may ignore these messages when the firewall was not operational for the report period.

4.4. Firewall Status and Alarm Settings

When you install the AltaVista Firewall, the alarm system is configured to the default alarm configuration. This default configuration is very sensitive. This may result in the firewall changing state shortly after deployment or during initial testing. It is recommended that you become familiar with the alarm configurations for the gateways you are operating.

If a gateway is not functioning as expected, check the current status of the gateway using the Select Individual Services menu item in the Firewall Operation Control menu. The gateway may have been disabled as a result of a gateway event for which an alarm was generated.

5. Authentication

5.1. Authenticated FTP does not ask the user for a password, making it impossible for the user to log in.

5.2. CRYPTOCard authentication is not operating correctly.

6. Administrator's Guide

The Administrator's Guide has not been updated to include information on all of the new features provided with this version of the AltaVista Firewall for Digital UNIX. Use the online help provided with the AltaVista Firewall rather than the Administrator's Guide for information on the following topics:

    Generic Application Gateway
    WWW Application Gateway
    RealAudio Application Gateway

There is currently no online help for the following topics:

    DNS
    Multiple Administrators

7. Problem Reporting

Problems should be reported against both the product implementation and the associated documentation. Once you have completed the installation, you should use the built-in bug reporting script that is available as an option from the Firewall Main Menu. You will need to have mail set up in your test environment for this to operate correctly. If you do not have mail set up, you can mail bug reports to [email protected]

Please identify the following:

- kit release,
- assign a priority to the bug,
- provide a brief and detailed description of the problem,
- how the problem may be repeated

Please provide sufficient information to avoid the need for follow-up from AltaVista Firewall Engineering.

8. Performance and Tuning

This section contains notes on how to tune Digital UNIX to improve the performance of your AltaVista Firewall system.

8.1. Digital UNIX Operating System

You can improve the performance of the AltaVista Firewall by up to 15%, in terms of a reduced number of dropped connections and an increased throughput, if you upgrade your system to run Digital UNIX Version 3.2G, 4.0A, or V4.0B. It is strongly recommended that you perform this upgrade.

For information on how to upgrade your version of Digital UNIX, see the Digital UNIX documentation set. For information on how to reinstall the AltaVista Firewall after upgrading the operating system, see the AltaVista Firewall Installation Guide for Digital UNIX.

8.2. Tuning Digital UNIX to Resist SYN Flood Attacks

After you perform the operating system upgrade recommended in 5.1, you can further tune your system to manage problems involving denial of service, such as SYN flood attacks.

In a SYN flood attack, a remote host sends you a SYN packet with a nonexistent source address. This uses a connection slot while your host attempts to acknowledge the connection to the non-existent source. The number of slots available and the amount of time a slot remains allocated are specified by the following kernel parameters:

    somaxconn     Sets the maximum number of pending requests allowed to wait on a listening socket. The default value for Versions 3.2G and 4.0 is 1024. The maximum value is 32767.

    sominconn     Sets the minimum number of pending connections allowed on a listening socket. When a user process calls listen with a backlog less than sominconn, the backlog will be set to sominconn. The sominconn parameter overrides somaxconn. The default value for Versions 3.2G and 4.0 is 1. The maximum value is 32767.

    tcp_keepinit  This is the amount of time a partially established connection remains on the listen queue before it times out (for example, if a client sends a SYN but never answers our SYN/ACK). Partially established connections use slots on the listen queue. If this queue starts to fill with connections in SYN_RCVD state, you can decrease the value of the tcp_keepinit parameter to make those partial connects time out sooner. You specify the parameter in half-second units. The default value is 150 (that is, 75 seconds).

Note: Be very careful when you modify this parameter, as legitimate clients may take some time to respond to SYN/ACK.

To determine the network load on your system while the machine is operating in its maximum load condition (that is, when it is receiving the maximum rate of new connections), use the following command:

    # /usr/sbin/netstat -An | grep SYN_RCVD

The output from this command may have many lines of the following form:

    20e4500 tcp 0 0 10.222.222.12.9996 22.222.222.123.194 SYN_RCVD

If so, your system may have a problem receiving connections and you should tune your system accordingly.

You can tune the kernel on your computer by modifying the values of the three kernel variables described above as follows:

You can modify the somaxconn and sominconn parameters using the sysconfig command to increase the number of available slots for partially established connections. You can set these parameters to a maximum value of 32767. It is recommended that you assign the sominconn and somaxconn parameters the same values. This increases the number of slots available, and therefore significantly improves the ability of your system to continue to serve all connection requests from valid clients. For more information on the sysconfig command, see the man pages for sysconfig and sysconfigdb.

You can modify tcp_keepinit using the sysconfig command to decrease the amount of time a partially established connection remains on the listen queue before it times out. It is strongly recommended that you have some knowledge of the characteristics of the network before you decrease this parameter. Be very careful when you modify this parameter, as legitimate clients may take some time to respond to SYN/ACK due to network latency.

8.3. Tuning Digital UNIX to Improve Web Proxy Performance

You can improve the web proxy performance by increasing the lookup speed for the TCP connection table. You can do this by increasing the size of the hashlist for the TCP inpcb lookup table. To do this, you modify the following kernel parameter:

    tcbhashsize   The number of hash buckets used for the TCP connection table used in the kernel. The default value is 32. This value should be specified as a power of 2 and may be set to a maximum of 1024.

You can modify the value of tcbhashsize by patching the kernel using dbx. The following steps can be used on Digital UNIX Version 3.2G and 4.0A:

    # /usr/bin/dbx -k /vmunix /dev/mem
    dbx version 3.11.10
    Type 'help' for help.

    stopped at  [thread_block:2025 ,0xfffffc00002a7a70]  Source not available
    warning: Files compiled -g3: parameter values probably wrong
    (dbx) patch tcbhashsize=128
    128
    (dbx) quit
    # /sbin/sysconfig -q inet tcbhashsize
    inet: tcbhashsize = 128

9. Changes and enhancements since Version 2.1

This section describes the changes that have been implemented since the release of Version 2.1 of the AltaVista Firewall for Digital UNIX.

9.1. Versions Supported

The firewall now supports the following versions of Digital UNIX:

    Version 3.2C
    Version 3.2D
    Version 3.2F
    Version 3.2G
    Version 4.0
    Version 4.0A
    Version 4.0B

9.2. New features

The following new features have been added to the AltaVista Firewall for Digital UNIX V3.0:

1. Remote Management
2. URL and JAVA blocking
3. Enhanced WWW proxy
4. Real-audio proxy
5. Generic TCP relay enhancements
6. Powerful and flexible authentication
7. Dual DNS
8. Single server for firewall and VPN

9.2.1. Remote Management

Managing heterogeneous configurations: Because system administrators may have to manage several platforms, the remote firewall management is very consistent and compatible on all supported platforms. It implements an HTML based user interface for the same look-and-feel. It is written in Java for enhanced portability and it supports flat ASCII configuration files for management flexibility.

Centralized Management: AltaVista Firewall V3.0 offers remote management for firewalls within networks of any size from a centralized console running either Windows 95 or Windows NT. This is both a cost and time saving feature which allows system administrators to monitor and take quick actions on their UNIX or NT based firewall.

Remote management without compromises on security: Unlike any competitive offerings which establish a weak link to the firewall via a serial port or telnet session on a high port, AltaVista Firewall remote management includes - at no cost - the best-in-class features of the AltaVista Tunnel. The tunnel product provides RSA 512 bit authentication, MD5 integrity and the strongest encryption worldwide with RSA 128 bit (U.S.) and 56/40 bit (International).

Efficiently managing firewalls from anywhere: The new remote management enables system administrators to view firewall activities and allows them to quickly take appropriate actions. Consistent with the OnSite Computing vision of AltaVista, network managers are able to manage the firewall from anywhere within the intranet or from an untrusted network. On all supported platforms, the remote management displays the states of all services as well as various statuses and alarms. It also allows the administrator to modify the firewall status and start/stop specific services such as FTP. Additionally, on Digital UNIX, network administrators can maintain and manage security policies, user authentication, DNS, mail, new SNMP alarms and active monitoring of traffic. Furthermore, different levels of control can be assigned on UNIX. As an example, one Firewall administrator can monitor the status of the firewall, while another can change some security policies.

9.2.2. URL and Java blocking

This is both a performance and a security feature. According to easily definable policies, AltaVista Firewall T3.0 can block URLs to preserve network performance and to restrict access to specific Web sites for productivity purposes. Security managers can define specific policies for URL access. AltaVista Firewall T3.0 can also detect and block Java applets entirely by allowing selective filtering of Java applets through the firewall to protect against one of the most common network attacks.

9.2.3. Enhanced WWW proxy

This updated proxy contains significant performance improvements based on code optimization and caching implementation. It supports the following protocols: HTTP, HTTPS/SSL, gopher and ftp. It implements the CERN/NCSA Common Log Format for enhanced reporting and integration with third party analysis tools. As for other proxies, access restriction policies per user can also be combined with time limitations.

9.2.4. Support for Real-Audio proxy

RealAudio is an application that allows playback of audio in real-time over internet connections. Through the RealAudio proxy, managers can allow or prevent users on internal network systems with Web browsers to access RealAudio services on the external network. For this proxy, system administrators can specify security policy details, time restrictions and blacklists of hosts forbidden access (common with ftp, telnet and finger proxies).

9.2.5. Generic TCP relay enhancements

AltaVista Firewall T3.0 broadens security policies by offering a generic TCP relay for one-to-many and many-to-one connections. Consequently, an instance of the generic relay such as news can have one server on the inside of the firewall getting feeds from multiple news servers on the outside. This generic relay is also fully transparent outbound so there will be no need to reconfigure internal systems. The management GUI supports both one-to-many and many-to-one configurations.

9.2.6. Powerful and Flexible Authentication

Authentication for WWW users or groups of users: The enhanced WWW proxy includes authentication for specific users or groups of users by any authentication scheme currently supported by the UNIX firewall such as CRYPTOCard or re-usable passwords. This feature provides system administrators with great flexibility to implement their policies with finer granularity. This authentication is integrated with the existing system management GUI on UNIX.

9.2.7. Dual-DNS Server

Before the introduction of AltaVista Firewall T3.0, the recommended name server configuration was the hidden DNS setup, hiding the internal address space from the untrusted network. However, this recommendation required setting up a second name server within the intranet, causing some management issues. With AltaVista Firewall T3.0, firewalls can now be configured as Dual-DNS servers that understand which name services are internal or external. This Dual-DNS server is fully configurable through the GUI based management.

9.2.8. Single Server for Tunnel and Firewall

F500 companies are mostly interested in dedicated boxes for security, performance and management reasons. AltaVista has been offering the capability of running a security low-end server on the same UNIX box. It managed to minimize any security impacts by a close integration between those two products. With Firewall T3.0, AltaVista now extends this integrated solution to Windows NT servers.

9.3. Known problems fixed since V2.1

1. /sbin/init.d/inet
   In V2.1 this script had a syntax error causing it to query the value of the network interfaces before they were configured. This is now fixed.

2. ftpxd
   The problem where Windows 95 and Windows NT clients cannot connect to ftp servers using the Digital Firewall for UNIX V2.1 is now fixed.

10. Applying Patches to Digital UNIX

From time to time, Digital[TM] releases patches to the Digital UNIX OS. These patches are often released to fix known bugs, or to improve performance of machines running Digital UNIX.

Never apply a patch to a Digital UNIX machine running the AltaVista Firewall, unless Digital support can confirm that the patch does not adversely affect how the AltaVista[TM] Firewall works. The installation procedure for the AltaVista Firewall applies patches to the Digital UNIX kernel to support the functions of the firewall. If further patches are applied to the kernel, the patches supporting the AltaVista Firewall could be overwritten, and some functions of the firewall could be disabled.

- - - - - - - - - - - - - - -

For additional information on the AltaVista Firewall, refer to the following URL:

    http://altavista.software.digital.com/firewall/index.htm

© Digital Equipment Corporation 1996. All rights reserved.

[TM] AltaVista, Digital, PrintServer, and the Digital logo are trademarks of Digital Equipment Corporation.
[TM] Netscape is a trademark of Netscape Communications Corporation.
S/Key is a registered trademark of Bell Communications Research, Inc.
[TM] SecureNet Key (SNK) is a trademark of Digital Pathways, Inc.
UNIX is a registered trademark in the US and other countries licensed exclusively through X/Open Company Ltd.
All other trademarks and registered trademarks are the property of their respective Owners.
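Sections 8.2 and 8.3 of the release notes above describe two things an operator does by hand: look for a build-up of SYN_RCVD entries in netstat -An output, and then pick values for somaxconn, sominconn, tcp_keepinit and tcbhashsize within the documented limits. The POSIX shell script below is an added example and is not part of the release notes or of the AltaVista Firewall kit. It embeds a constructed netstat -An sample (documentation addresses, not real hosts), counts half-open connections per local endpoint, and emits a sysconfigtab-style stanza after range-checking the values; the subsystem names socket and inet, the alert threshold and the chosen values are assumptions, not settings taken from the product.

```shell
#!/bin/sh
# Added example for the SYN-flood and web-proxy tuning notes.
# Not part of the AltaVista Firewall kit; subsystem names and values are assumptions.

# Constructed sample of `netstat -An` output (documentation-range addresses).
# In real use you would pipe `/usr/sbin/netstat -An` into count_syn_rcvd instead.
SAMPLE_NETSTAT='Active Internet connections (including servers)
PCB      Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
20e4500  tcp        0      0  10.0.0.12.80       192.0.2.17.1041    SYN_RCVD
20e4600  tcp        0      0  10.0.0.12.80       192.0.2.18.1042    SYN_RCVD
20e4700  tcp        0      0  10.0.0.12.80       192.0.2.19.1043    SYN_RCVD
20e4800  tcp        0      0  10.0.0.12.21       192.0.2.20.2000    SYN_RCVD
20e4900  tcp        0      0  10.0.0.12.80       198.51.100.5.3301  ESTABLISHED
20e4a00  tcp        0      0  *.23               *.*                LISTEN'

# count_syn_rcvd: read netstat -An output on stdin and print
# "<count> <local-address.port>" for every endpoint holding SYN_RCVD
# (half-open) connections, most affected endpoint first.
count_syn_rcvd() {
    awk '$NF == "SYN_RCVD" { n[$5]++ }
         END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# max_syn_rcvd: largest per-endpoint SYN_RCVD count on stdin (0 if none).
max_syn_rcvd() {
    count_syn_rcvd | awk 'NR == 1 { print $1; found = 1 }
                          END { if (!found) print 0 }'
}

# syn_flood_suspected THRESHOLD: succeed (exit 0) when some endpoint has more
# than THRESHOLD half-open connections. The threshold is a constructed value;
# size it from the listen-queue capacity you actually configure.
syn_flood_suspected() {
    threshold="${1:-100}"
    m=$(max_syn_rcvd)
    [ "$m" -gt "$threshold" ]
}

# keepinit_half_seconds SECONDS: tcp_keepinit is set in half-second units,
# so the documented default of 75 seconds is 150.
keepinit_half_seconds() {
    echo $(( $1 * 2 ))
}

# is_power_of_two N: tcbhashsize must be a power of two.
is_power_of_two() {
    n=$1
    [ "$n" -gt 0 ] || return 1
    while [ $((n % 2)) -eq 0 ]; do n=$((n / 2)); done
    [ "$n" -eq 1 ]
}

# tuning_stanza BACKLOG KEEPINIT_SECONDS HASHSIZE: print a sysconfigtab-style
# stanza, refusing values outside the limits given in the release notes
# (somaxconn/sominconn at most 32767, tcbhashsize a power of two up to 1024).
# somaxconn and sominconn are set equal, as the notes recommend. The "socket"
# and "inet" subsystem names are assumptions; confirm them with sysconfig -q.
tuning_stanza() {
    backlog=$1 keepinit_secs=$2 hashsize=$3
    [ "$backlog" -ge 1 ] && [ "$backlog" -le 32767 ] ||
        { echo "backlog must be 1..32767" >&2; return 1; }
    is_power_of_two "$hashsize" && [ "$hashsize" -le 1024 ] ||
        { echo "tcbhashsize must be a power of two <= 1024" >&2; return 1; }
    printf 'socket:\n\tsomaxconn = %d\n\tsominconn = %d\ninet:\n\ttcp_keepinit = %d\n\ttcbhashsize = %d\n' \
        "$backlog" "$backlog" "$(keepinit_half_seconds "$keepinit_secs")" "$hashsize"
}

# Demo run over the constructed sample. 30 seconds for tcp_keepinit is an
# assumed value; the notes warn that slow legitimate clients may be cut off
# if it is lowered too far.
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_rcvd
if printf '%s\n' "$SAMPLE_NETSTAT" | syn_flood_suspected 2; then
    echo "half-open connections above threshold; candidate tuning stanza:"
    tuning_stanza 32767 30 128
fi
```

Run it as-is to see the per-endpoint counts from the sample; on a firewall, replace the sample with the live `/usr/sbin/netstat -An` output and feed the stanza to sysconfigdb only after checking the subsystem names on your release.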
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
1896.1 | Firewall 97 NT Kit Details | NETRIX::"[email protected]" | Scott Estabrooks | Thu Mar 27 1997 10:14 | 359 |
AltaVista Firewall 97 for NT Intel AltaVista Firewall for NT T3.0-2 (Beta) March 1997 Release Notes 25 March 1997 These Release Notes contain the following sections: A. Kit Contents B. Copying the kit C. Overview D. Installation Instructions E. Release Notes F. Remote Management Instructions G. Copyright Notice H. Comments and Suggestions A. Kit Contents The field test fit comprises of the following components: - ntfw30beta2.zip file containing the NT Firewall 97 kit, release notes and bug reporting information - ntfwdocs.zip POSTSCRIPT and PDF Administrators Guide and Installation Guide B. Copying the kit This kit can be copied using FTP from the following host: ftp.wfa.digital.ie [Please mail [email protected] for location of kits] C. Overview The AltaVista Firewall for NT implements the application gateway firewall model. The firewall host is a dual-homed system with network connections to internal and external networks. IP routing is disabled between the two network interfaces. Network traffic must relay through the application proxies, which control access from both sides of the firewall. The firewall logs each access and monitors suspicious events. The product also includes a Windows NT style GUI for firewall management and installation. Both Intel and Alpha platforms are supported. This release of the product includes the following major features: o Remote management via a secure channel on Windows NT 4.0 o AltaVista filter driver that prevents IP spoofing. o This version of the product supports Windows NT 3.51 and 4.0 operating systems. o Trusted Application Proxy Gateways for web, FTP, telnet, news, mail, RealAudio and finger access through the firewall. o A generic TCP proxy, which can be easily configured to relay tunnel and generic TCP application traffic. o Windows NT style GUI for easy firewall management and monitoring firewall traffic. o Windows-style wizard to provide easy step-by-step firewall installation and DNS configuration. 
o Remote Access Service (RAS) support for environments where the Internet connection is over a dial-up line. o Logging subsystem to log all access through the firewall. o Configurable alarm system that reacts to security events detected by individual firewall components. The alarm system triggers actions when suspicious activities are detected. o Configurable reporting subsystem to generate reports detailing individual service usage over various periods of time. o Strong authentication support via Digital Pathways and CRYPTOCard keycards. o On-line and context-sensitive help files. o Comprehensive hard copy firewall administration guide. D. Installation Instructions This version of the product supports Windows NT versions 3.51 and 4.0 operating systems. The firewall installation program, setup.exe, is located in the processor-specific directory (Intel or Alpha) on the CD-ROM. The firewall documentation is in the documentation directory on the CD-ROM. Note The AltaVista Firewall for NT installation alters your NT system to create a dedicated firewall machine. If you are installing this product for evaluation purposes, you should install it on a non-production system. Before installing the AltaVista Firewall for NT, it is important to read the installation file, install.txt in the same directory as setup.exe, that comes with the product or Chapter 2 and Appendix A in the Administrator's Guide. These documents help you establish your firewall environment and understand the pre-installation and post installation tasks. You must make sure you have the network addresses, and internal and external name server information before installing the firewall. Microsoft has issued patches for Window NT 3.51 and 4.0. It is recommended that you install the latest patches. The following are additional items to check for your firewall installation: 1. 
Uninstall Services If you have a DNS server or a Purveyor server running on the system on which you intend to install the AltaVista Firewall for Windows NT, remove the software by using its uninstall program. The AltaVista Firewall for NT installs a DNS server during the installation. The Purveyor uninstall program by default is located at \win32app\psc\purveyor\uninstall.exe. The firewall installation installs a Web proxy server during the installation. If you have Mail, FTP, or News services running on the system on which you intend to install the AltaVista Firewall for NT, stop and remove the services from the system. The firewall application gateways (proxies) take over the ports used by these services. AltaVista Tunnel Server V1.1 or earlier should be removed. 2 Close Running Programs Close the Event Viewer, Control Panel, and any other active programs and open services as you are asked to reboot as part of the AltaVista Firewall for NT installation. 3. RAS If you plan to use NT's Remote Access Service (RAS) connect your firewall to your Internet Service Provider (ISP), you need to fill in your external network address in the network configuration step of the installation. If your external network address is dynamically assigned by the ISP, use the firewall graphical user interface (GUI) to reconfigure the firewall external address after the installation. 4. Installation During installation, you are instructed to install a filter driver. If you are using a dial-up connection via RAS or any local area network other than Ethernet (for example, FDDI or token ring) to the Internet, you need to skip the step that installs the filter driver. E. Release Notes 1. Secure Socket Library (SSL) Support The Web proxy includes support for SSL. The SSL requests and responses are proxied through the same port as HTTP traffic. Users in the firewall environment must define the security proxy port to be the Web proxy port. 2. 
Web Proxy Startup Time The Web proxy does not show a startup time. If the Web proxy shows a stopped state, check to see if all the Web proxy configuration fields have the correct syntax. 3. Web Proxy Log For performance reasons, the Web proxy writes to the log file every two minutes. Stopping the Web proxy will automatically trigger the logs to be written to the log file. 4. Stopping Firewall Services On the Alpha platform, you may sometimes see a warning message when you stop the firewall services. You can ignore this warning message. 5. Firewall Proxy State There may be a delay before the firewall proxies' state information is refreshed. Clicking on the check box for Related Firewall Services, or closing and re-opening the Firewall Management GUI refreshes the proxies' state information. 6. Starting/Stopping Multiple Firewall Proxies There may be a delay when starting or stopping multiple firewall proxies. 7. System Background Color The firewall alarm system uses the system background color as one of the ways to reflect the firewall status. The installation procedure removes any wallpaper that is set. The firewall administrator should not set a wallpaper background because the wallpaper would cover the system background color. 8. Reinstalling News or generic TCP proxies If you need to reinstall the firewall, you may have problems redefining the news or generic TCP proxies that may have been defined previously. You should check the images in the \dfw\bin directory, and delete the previous news.exe or proxy images that match the service names you are trying to define. 9. CryptoCard Support If you use CRYPTOCard user authentication tokens, follow the instructions in the firewall authentication programming screen and the operation and system guide that comes with the token. The programming steps generate an eight digit checksum on the token. The first six digits should match the checksum displayed in the firewall authentication programming screen. 10. 
10. Deinstallation

When you deinstall the remote management tunnel, the following keys are not properly deleted:

   HKey_Local_Machine\system\CurrentControlSet\services\Deccore
   HKey_Local_Machine\system\CurrentControlSet\services\Decps3x
   HKey_Local_Machine\system\CurrentControlSet\services\Itnd

Run regedt32 to delete these keys. If you do not delete these keys, the tunnel will not reinstall.

F. Remote Management Instructions

Remote Management for the AltaVista Firewall for NT allows an administrator to:

   o View the status of proxies and related services
   o Start/stop proxies and related services
   o Change the firewall status

For other management functions, you must use the local user interface.

Remote Management requires a Java- and frames-capable Web browser. Netscape 3.01 or Internet Explorer 3.01 is recommended. Remote Management is not currently available on Windows NT/Alpha. A tunnel client is available for remote management from Windows 95 and Windows NT Intel.

Remote Management depends on the Java-based application FwServer running on the firewall. The program \dfw\bin\StartFwServer.exe launches this application. StartFwServer is put in the Startup group by the installation process. Currently an administrator must be logged on for this process to start, so the firewall console stays logged on while Remote Management is in use; lock the workstation rather than leaving the session open.

Access to Remote Management is limited to administrators using secure channels. The Windows NT User Manager can be used to create administrator accounts. Secure channels can be created from the local user interface by clicking on the Remote tab. Only one secure channel can be used at a time.

The Remote Management Server uses port 5000. The Remote Management Web Server uses port 8314. These ports should not be used for Generic Proxies.

Unless you add an alias to your DNS files, you should connect to the tunnel IP address of the firewall (for example, http://192.160.1.200:8314); you cannot connect via the firewall domain name.
The event frame (at the bottom of the remote management page) provides information about important firewall events such as alarms and state changes. Currently some events are missing detailed information. At times it may be necessary to click Reload to update the Remote Management display.

If the Remote Management page shows an access denied error, and the event frame is empty or shows an error, there may be a problem accessing the file \dfw\htdocs\eventmsg.html. Stopping and restarting the Remote Management Web Server should clear the problem.

When changing the firewall status remotely using an HTML form, some browsers display a security warning about submitting form data. Because remote management access to the firewall is via a secure channel, all data is encrypted on the wire and this warning does not apply. Note that the encryption is provided by the tunnel, not by the Remote Management Web Server itself: the warning would be accurate for a browser that reached port 8314 without going through the tunnel, which is why access is limited to secure channels.

G. Copyright Notice

Embedded Proxy Server Portions Copyright (c) 1996 Process Software Corp. All rights reserved. Portions Copyright (c) 1996 MetaInfo, Inc. All rights reserved. Portions Copyright (c) 1995 Corporate Computer, Inc. All rights reserved.

MetaInfo, Inc. and its suppliers retain all right, title and interest in and to this software and all components thereof, including without limitation all patents, copyrights, trademarks and trade secrets. Other than as set forth in the end user license agreement, this software may not be copied, modified or distributed. Additional rights and restrictions are set forth in the end user license agreement included with the software.

Portions Copyright (c) 1989 The Regents of the University of California. All rights reserved.

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the University of California, Berkeley and its contributors."
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

H. Comments and Suggestions

Thank you for using AltaVista Firewall for NT. Your comments and suggestions help us improve the quality of our software and publications. Please send your comments to: [email protected]

(c) Digital Equipment Corporation 1997. All rights reserved.

[Posted by WWW Notes gateway]
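The NT release notes above make two port-related demands that are easy to get wrong by hand: the Mail, FTP, News and DNS services already on the host must be gone because the application gateways take over their ports (Uninstall Services), and Generic Proxies must not be defined on the Remote Management ports 5000 and 8314 (Remote Management Instructions). The following script is an added example written for this page; it is not part of the kit or of Digital's tooling. It parses `netstat -an` output from the NT host and a proposed list of generic-proxy ports and reports both kinds of conflict. The `netstat` text is constructed sample data, the IANA ports for SMTP, FTP, NNTP and DNS are assumed to be the ones the proxies take over, and the Web proxy port (8080 in the usage below) is assumed to be whatever the administrator configured, since the notes do not fix it.

```python
"""Pre-install port check for an AltaVista Firewall for NT host (added example)."""
import re

# Ports the firewall's own services claim.  IANA well-known ports for SMTP,
# FTP, NNTP and DNS; the Web proxy port is configurable and passed in by the
# caller rather than assumed here.
FIREWALL_SERVICE_PORTS = {
    25: "Mail proxy (SMTP)",
    21: "FTP proxy",
    119: "News proxy (NNTP)",
    53: "DNS server installed by the firewall",
}

# Ports reserved by Remote Management, as stated in the release notes.
REMOTE_MANAGEMENT_PORTS = {
    5000: "Remote Management Server",
    8314: "Remote Management Web Server",
}

# Constructed sample of `netstat -an` output on an NT host; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1027      192.168.1.55:21        ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    192.168.1.10:137       *:*
"""

# One netstat row: protocol, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+"
    r"(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def listening_ports(netstat_text, proto=None):
    """Return {port: proto} for sockets that accept input.

    TCP sockets count only in LISTENING state.  UDP rows have no state
    column in netstat, so every bound UDP socket is treated as listening.
    """
    ports = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if proto and m.group("proto") != proto:
            continue
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue
        ports[int(m.group("port"))] = m.group("proto")
    return ports


def preinstall_conflicts(netstat_text, web_proxy_port):
    """Ports already in use on the host that the firewall's proxies take over.

    Returns sorted (port, firewall component, protocol) tuples; each one is a
    service to stop and remove before running the installation.
    """
    claimed = dict(FIREWALL_SERVICE_PORTS)
    claimed[web_proxy_port] = "Web proxy (HTTP and proxied SSL)"  # assumed port
    in_use = listening_ports(netstat_text)
    return sorted((p, claimed[p], in_use[p]) for p in claimed if p in in_use)


def generic_proxy_conflicts(generic_proxies, web_proxy_port):
    """Generic proxy definitions (name -> port) that collide with reserved ports.

    Reserved means the Remote Management ports 5000 and 8314 plus the ports
    the firewall's built-in proxies already own.
    """
    reserved = dict(REMOTE_MANAGEMENT_PORTS)
    reserved.update(FIREWALL_SERVICE_PORTS)
    reserved[web_proxy_port] = "Web proxy"
    return sorted(
        (name, port, reserved[port])
        for name, port in generic_proxies.items()
        if port in reserved
    )


if __name__ == "__main__":
    for port, owner, proto in preinstall_conflicts(SAMPLE_NETSTAT, 8080):
        print(f"stop and remove the service on {proto}/{port}: taken over by {owner}")
    plan = {"telnet-gw": 23, "mgmt-test": 8314, "sql": 1433}  # hypothetical plan
    for name, port, owner in generic_proxy_conflicts(plan, 8080):
        print(f"generic proxy {name!r} on port {port} conflicts with {owner}")
```

On a real host, feed the script the saved output of `netstat -an` taken before installation; anything it reports on 21, 25, 119 or 53 is a service the notes tell you to stop and remove, and anything it reports for the proxy plan is a definition the notes tell you not to create.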
1896.2 | Any news for the BSD version ? | BIS50::BOKOR | Big Browser | Fri Mar 28 1997 01:57 | 0 |
1896.3 | what is the highest DU version supported ? | BACHUS::ROELANDTS | Wa d'es ma da ve ne stuut | Fri Mar 28 1997 10:57 | 13 |
Hello,

Having downloaded the kits, I'm wondering something: on which version(s) of Digital Unix can this kit be installed? The versions stated in .0 are not the same as the ones mentioned in the AFWU300_EFT_inst_guide.ps on pg 1-3. So which one is correct? Will V3.0 be supported on the current shipping version of DU (V4.0B) or not?

Regards, Guy
1896.4 | print install guide ? | PRMS00::COLE | Tue Apr 01 1997 10:12 | 8 | |
Has anyone successfully printed the Installation Guide? It dies after about 5 pages on an LN17! How about making a .pdf version available?

...larry
1896.5 | Printed fine for me | PMESD::BEABES | Tue Apr 01 1997 12:07 | 5 | |
Larry,

It is a .PDF file in the Ntfwdocs.zip.

Ernie
1896.6 | PLEASE ENSURE Customers sign an NDA and Beta Agreement | NETRIX::"[email protected]" | tim | Tue Apr 01 1997 13:24 | 13 |
Please note that if you intend to provide the Beta kit #2 to your customer, you must ensure that the customer has signed an NDA and the Beta agreement. Details from the Firewall Product Manager, Philippe Der Arslanian. If you intend to use this kit within Digital you don't need the NDA, obviously.

Sorry for the omission.

[Posted by WWW Notes gateway]
1896.7 | new admin guide; exarc approval ? | SEAWLF::COLE | Digital NSIS, Greenbelt, Maryland | Mon Apr 07 1997 16:57 | 14 |
Tim,

1) Are there any pre-publication copies of the new Administrator's Guide available yet?

2) Are any Digital Corporate sites using AFWU 2.0/3.0 on their ISP connection? (i.e., has the EXARC committee blessed it?)

thanks, ...larry
1896.8 | AFWU used in Europe | NETRIX::"[email protected]" | Jan-Erik Pedersen | Thu Apr 10 1997 08:15 | 8 |
We are using AFWU (2.1) at two corporate gateways in Europe, in Reading and Munich; in Valbonne we still use the SEAL setup. The EXARC approval is for the gateway and not for the software, which means we could as well use TIS or any other software if we found it useful.

[Posted by WWW Notes gateway]
1896.9 | CHEFS::zkodhcp-29-48-237.zko.dec.com::PITT | Gone with the winsock ... | Fri Apr 18 1997 14:33 | 10 | |
Surely the EXARC proposal had some technical specification associated with it, so it can't be quite true that you could use anything... At least it must be capable of doing a particular set of things. For example, I don't think you could use a filtering router as the firewall...

Still, I'm sure you're right that V2.1 to V3.0 won't be an issue.

T