
Conference gyro::internet_toolss

Title: Internet Tools
Notice: Report ALL NETSCAPE Problems directly to [email protected].rnet? Read note 448.L for beginner information.
Moderator: teco.mro.dec.com::tecotoo.mro.dec.com::mayer
Created: Fri Jun 25 1993
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 4714
Total number of notes: 40609

4670.0. "IP Filtering software needed" by NQOS01::voyager.lex.dec.com::wav14.pko.dec.com::isler () Tue May 13 1997 16:41

A customer needs an IP filter. 

They already have a firewall on a Sun server, and Domino (Lotus Notes) will 
be running on an Alpha NT machine. 

They want the Domino web server to sit outside of the firewall, but only 
allow certain IP addresses (either a range, a subnet, or a specific 
IP address) to have access to it.

I suggested Altavista Tunnel as an alternative, but although they like the 
Digital products, they want a simpler solution for this, since they will be 
working with many other companies, and cannot dictate them to use 
additional software. 

Are there any products that can do this, can it run on the Alpha NT Domino 
server, and only filter the allowed IP addresses and give them access? Or 
would it have to sit on the Sun firewall server and filter the addresses 
for the Domino's proxy server?

Yasemin
4670.1. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Tue May 13 1997 17:50, 6 lines
	This is a case where they actually want the server to sit INSIDE the
  firewall and set up the firewall to allow access by specific IP addresses
  (or sets of addresses) to only that server.  This is easier to do than the
  other way round.

		Danny
4670.2. by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Tue May 13 1997 18:54, 6 lines
Presumably their network is using a router to get to the Internet. If all they 
want is a packet screener, the router should be perfectly capable of providing 
that functionality. The logging probably won't be as good as the firewall's, 
though.

PJDM
4670.3. by CHEFS::16.42.4.227::hattos (I'm back - as a matter of fact) Wed May 14 1997 04:07, 2 lines
Can't they use the packet filtering which is *supposed* to be built into NT4 
now?
4670.4. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Wed May 14 1997 10:18, 10 lines
> Can't they use the packet filtering which is *supposed* to be built into NT4 
> now?

	I'm not aware of packet filtering being built into NT 4.  Why would
  they do that?

	PS: Stu, you need to get reverse lookup records set up in your local
  domain, it's all showing up as IP addresses in this notes conference.

	Danny
4670.5. by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Wed May 14 1997 19:14, 5 lines
That'll be Steelhead:

http://www.microsoft.com/ntserver/info/steelhead.htm

PJDM
4670.6. "Any shipping products?" by NQOS01::voyager.lex.dec.com::wav14.pko.dec.com::isler () Thu May 15 1997 16:16, 11 lines
Steelhead is still in beta, and these guys need to have it in production by 
June 1st.

They did look into a freeware from the GNU folks (CNS) which does what they 
want, but they want a product that is supported and with a GUI interface.

Also, being inside the firewall, this web site will be strictly for 
external use, limited to certain customers; that is why outside the 
firewall.

Yasemin
4670.7. "should be builtin" by ULYSSE::PIKE () Fri May 16 1997 06:06, 14 lines
    Doesn't the Domino web server have configurable access directives?
    
    Something like:
    
    <Limit GET>
    allow from .dec.com .digital.com 16.
    deny from all
    </Limit>
    
    The major web servers (Apache, NCSA, Netscape...) have this
    type of functionality.
    
    /charly
           
4670.8. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Fri May 16 1997 12:24, 24 lines
> Steelhead is still in beta, and these guys need to have it in production by 
> June 1st.
> 
	Steelhead is overkill for what they need.  In any case it's a router
  rather than a filter.  I don't see how it would be useful to them.

> They did look into a freeware from the GNU folks (CNS) which does what they 
> want, but they want a product that is supported and with a GUI interface.
> 
	I've never heard of this one.

> Also, being inside the firewall, this web site will be strictly for 
> external use, limited to certain customers; that is why outside the 
> firewall.

	My suggestion still stands since you can specify to the firewall what
  IP addresses to allow in.  It's not clear why you would want to keep it
  OUTSIDE the firewall, just because it's for external use.  That part doesn't
  matter.  What matters is that you can set up the firewall filters to allow
  ONLY those customers that you want to access that system and limit those
  IP addresses to ONLY access that one system.  It's simple, it's easy and,
  most of all, it does the job.

		Danny
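
The filtering policy described in the note above (listed partner addresses may reach only the one web server, everything else is dropped), as an added example that is not part of the original thread. It models the decision logic only, not any firewall product's rule syntax; the server address, port and partner addresses are constructed sample values.

```python
import ipaddress


def parse_source(spec):
    """Return inclusive (first, last) integer bounds for a single host,
    a CIDR subnet, or an 'a.b.c.d-e.f.g.h' range."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is reversed: {spec}")
        return lo, hi
    # strict=True rejects entries such as 198.51.100.7/24, where a typo
    # would otherwise silently admit the whole /24 instead of one host.
    net = ipaddress.IPv4Network(spec, strict=True)
    return int(net.network_address), int(net.broadcast_address)


class Screen:
    """Default-deny screen: allowed sources may reach one server on one port."""

    def __init__(self, server, port, sources):
        self.server = ipaddress.IPv4Address(server)
        self.port = port
        self.sources = [(spec, *parse_source(spec)) for spec in sources]

    def decide(self, src, dst, dport):
        """Return (verdict, matched_spec) for one inbound TCP connection."""
        src_n = int(ipaddress.IPv4Address(src))
        # Even a listed partner gets nothing but the one server and port.
        if ipaddress.IPv4Address(dst) != self.server or dport != self.port:
            return ("deny", None)
        for spec, lo, hi in self.sources:
            if lo <= src_n <= hi:
                return ("allow", spec)  # matched_spec is what you would log
        return ("deny", None)           # no rule matched: default deny


# Constructed sample policy: one host, one subnet, one range.
PARTNERS = ["192.0.2.10", "198.51.100.0/24", "203.0.113.16-203.0.113.31"]
SCREEN = Screen("10.0.0.80", 80, PARTNERS)

if __name__ == "__main__":
    for attempt in [("192.0.2.10", "10.0.0.80", 80),
                    ("192.0.2.11", "10.0.0.80", 80),
                    ("198.51.100.200", "10.0.0.25", 80)]:
        print(attempt, "->", SCREEN.decide(*attempt))
```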
4670.9. by SPECXN::WITHERS (Bob Withers) Fri May 16 1997 12:39, 4 lines
Have you looked at the security properties of TCP/IP on NT 4?

CONTROL PANEL ! NETWORKS ! PROTOCOLS ! TCP/IP ! ADVANCED ! ENABLE SECURITY
	! CONFIGURE
4670.10. "NT V4 filtering" by PARZVL::ogodhcp-124-40-99.ogo.dec.com::kennedy (nuncam non paratus) Fri May 16 1997 14:34, 5 lines
>Have you looked at the security properties of TCP/IP on NT 4?

A quick look at that control panel shows that you can filter
which TCP & UDP ports and which IP protocols to allow, but
doesn't seem to filter by source address.
4670.11. by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Sun May 18 1997 19:10, 22 lines
>        Steelhead is overkill for what they need.  In any case it's a router
>  rather than a filter.  I don't see how it would be useful to them.

Danny, see http://www.microsoft.com/ntserver/info/steelfeatures.htm:

SECURITY

IP packet filtering

"Steelhead" supports a variety of inbound and outbound packet filtering 
features. These packet filtering features provide an important measure of 
network security. Here is a list of filtering options: TCP Port, UDP port, IP 
protocol ID, ICMP type, ICMP code, source address, destination address.

IPX packet filtering

"Steelhead" also supports a similar level of packet filtering for IPX packets. 
Here is a list of IPX packet filtering options: source address, source node, 
source socket, destination address, destination node, destination socket, and 
packet type.

PJDM
4670.12. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Mon May 19 1997 10:25, 27 lines
>>        Steelhead is overkill for what they need.  In any case it's a router
>>  rather than a filter.  I don't see how it would be useful to them.
> 
> Danny, see http://www.microsoft.com/ntserver/info/steelfeatures.htm:
> 
> SECURITY
> 
> IP packet filtering
> 
> "Steelhead" supports a variety of inbound and outbound packet filtering 
> features. These packet filtering features provide an important measure of 
> network security. Here is a list of filtering options: TCP Port, UDP port, IP 
> protocol ID, ICMP type, ICMP code, source address, destination address.
> 
> IPX packet filtering
> 
> "Steelhead" also supports a similar level of packet filtering for IPX packets. 
> Here is a list of IPX packet filtering options: source address, source node, 
> source socket, destination address, destination node, destination socket, and 
> packet type.
> 
> PJDM

	What's your point?  It's still a router rather than a filter.  All
  routers need to have some filtering capability.

		Danny
4670.13. by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Mon May 19 1997 19:11, 8 lines
What's my point? Someone asked for an IP filter. Steelhead was mentioned. You 
said "In any case it's a router rather than a filter.  I don't see how it would 
be useful to them." I pointed out that it is (amongst other things) a filter, 
and therefore might be useful to someone who wants to do IP filtering, even if 
it is overkill.

PJDM