There was more interest in firewalls from this gang than
I expected, so I thought I'd post a summary for your
collective amusement and gratification. I'm still perusing
the information I've gotten, so I can't make any value
judgements. Just passing it along...
First of all, Stephen Oles sent me the summary I was looking
for. It was more about Internet access than firewalls, but
they go hand-in-hand, so there was a lot of good stuff
there. Stephen also pointed me toward the December '94 "Advanced
Systems" review of Firewall-1 software. I had the magazine, but it
was buried under the mound on my desk, so I hadn't yet
read it. That article had some other good information, too,
such as book references and some ftp-able papers (I'll include
a list of resources at the end of this summary).
Finally, Juergen Peus pointed me toward a WWW page on firewalls
that on first glance looks pretty neat. You can find it at
http://www.tansu.com.au/Info/security.html.
So, in a nutshell (so to speak):
Books: Bellovin, _Firewalls_and_Internet_Security_,
Addison-Wesley, ISBN 0-201-63357-4
Comer, _Internetworking_with_TCP/IP_,
Prentice Hall, ISBN 0-13-468505-9
Garfinkle/Spafford, _Practical_Unix_Security_,
O'Reilly ISBN 0-937175-72-2
Russell/Gangemi, _Computer_Security_Basics_,
O'Reilly ISBN 0-937175-71-4
Curry, _UNIX_System_Security_,
Addison-Wesley
Magazine articles/newsletters:
"Gold Plated Security", _Advanced Systems_, December '94
"Security Insider Report", $99/year, (813) 393-6600
Mailing list/WWW page/anonymous ftp:
firewalls-request@greatcircle.com with "subscribe firewalls"
as the message body
anonymous ftp: ftp.greatcircle.com: pub/firewalls
ftp.tis.com: pub/firewalls
research.att.com: dist/internet_security
net.tamu.edu: pub/security/TAMU
http://www.tansu.com.au/Info/security.html
So, thanks to all who responded to my request for more information.
That reading list ought to last me a while...
Many thanks to Stephen Oles and Juergen Peus. Stephen's mail is
included below, complete with sales pitch...:)
Leslie Dreyer Kalra
AT&T
Allentown, PA
lbd@mhcnet.att.com
----- Begin Included Message -----
>From pa.pdc.com!soles@ig2.att.att.com Tue Dec 13 09:32:56 1994
Orig-From: soles@pa.pdc.com (Steve Oles - KOP Sales)
To: lbd@mhcnet
Subject: Re: Firewalls
Cc: soles@pa.pdc.com
Leslie:
Attached you will find the Internet Summary. You might also be
interested in the AdvancedSystems December '94 article, "FireWall-1:
Good (and $$$) Security, pp34-40. If you do not subscribe, I can fax you
a copy of the article.
Also, I am writing from PDC in KofP, PA. PDC has been helping companies
like AT&T and Bell Atlantic manage their data for over 7 years. We are
a Sun authorized reseller (VAR) and a CheckPoint Software (makers of FireWall-1)
authorized reseller. Sun now offers a Netra Internet Server which
comes bundled with FireWall-1 as an option. As you may know, "the Internet
Society has estimated that roughly 70 percent of the Internet runs
on Sun servers." (taken from the Netra brochure). You also may be
familiar with PDC from BudTool, our non-proprietary, automated backup
management software.
Please let me know if you would like to persue this further. I will be
glad to help.
Stephen Oles
soles@pa.pdc.com
PDC
1002 West Ninth Avenue
King of Prussia, PA 19406
610-265-3300 Ext 119
610-265-2107 Fax
----- Begin Included Message -----
>From sun-managers-relay@ra.mcs.anl.gov Tue Dec 13 05:11:04 1994
Sender: sun-managers-relay@ra.mcs.anl.gov
>From: lbd@mhcnet.att.com (Leslie_B_DreyerKalra)
Reply-To: lbd@mhcnet.att.com (Leslie_B_DreyerKalra)
Followup-To: junk
To: sun-managers@eecs.nwu.edu
Cc: lbd@mhcnet.att.com
Date: Mon, 12 Dec 1994 12:00:09 +0500
Original-From: mhcnet!lbd (Leslie_B_DreyerKalra)
Original-To: eecs.nwu.edu!sun-managers
Subject: Firewalls
Original-Cc: lbd
X-Sun-Charset: US-ASCII
Content-Length: 267
Would the kind soul who summarized firewall software
a short while ago be even more kind and send me a copy?
At the time it came through, it was not an issue for
us, but now it is.
Thanks veeeeeery much...
Leslie Dreyer Kalra
AT&T
Allentown, PA
lbd@mhcnet.att.com
----- End Included Message -----
----- Begin Included Message -----
>From sun-managers-relay@ra.mcs.anl.gov Thu Dec 8 02:26:56 1994
Sender: sun-managers-relay@ra.mcs.anl.gov
>From: Pschauss@aol.com
Reply-To: Pschauss@aol.com
Followup-To: junk
Date: Wed, 7 Dec 1994 16:15:36 -0500
To: sun-managers@ra.mcs.anl.gov
Subject: SUMMARY: Internet Connection
Content-Length: 3701
First, thanks to everyone who responded.
I got a _very_ large volume of mail as a result of my posting.
Since much of this is new to me, I am still digesting the
information and am not in a position to draw any detailed
conclusions. In any event, I thought it best to post at least
an overview of the responses now so as not to seem ungrateful.
Here is a summary of the responses.
My original post was:
We are looking into an Internet connection for our site. One
potential provider (PSI) has suggested a 56kb connection, putting
a DSU and a router at our site. Our initial use will be rather low
volume email with occasional large (20 mb+) overnight file transfers.
I have several questions:
1. Is 56kb adequate capacity?
Answers:
Response ranged from "This is overkill." to "On a 56kb link it will take
1/2 to 11/2 hours to transfer a 20mb file and it will kill all other activity
on the link." I was also warned that a news feed could consume
considerable bandwidth if we took everything. Also, Mosaic puts a
considerable load on the link. Netscape is a bit more efficient.
My conclusion is to go with the 56kb link to start with and, taking the
advice of several of you, negotiate an option to upgrade by paying
the difference between the 56kb link and the higher speed line.
2. Is there any good packet filter software which I can use
to enhance system security?
Routers provide some packet filtering capability. Morningstar and
Cisco were mentioned. There seems to be some difference of
opinion as to whether packet filtering alone provides sufficient
security.
For increased security I was advised to dedicate a cpu to serve as a
firewall. Two books were recommended on the subject of security:
"Practical Unix Security" - O'Reilly
"Firewalls and Internet Security" - Addison Wesley
There is also a mailing list on the subject: Majordomo@GreatCircle.COM.
Someone sent me the FAQ from Fwalls-FAQ@tis.com. A good summary
on the security issues of connecting to Internet. I am still digesting it.
The FAQ noted, BTW, that even a firewall cannot totally protect against
attacks in which something is mailed to one of the internal hosts and
then executed.
As far as firewall products are concerned there is TIS Firewall Toolkit
(ftp.tis.com)
(public domain?) as well as a commercial product called Firewall-1 from Sun
or from Checkpoint.
3. What do people think of the proposed hardware configuration?
We have 7 Sun workstations (2 Solaris 2.x, the remainder
Sun O/S 4.x).
My intent with this question was to determine whether the router
and DSU/CSU setup was appropriate for our current network
configuration. That appears to be the case.
4. Anyone have any experiences (good, bad, indifferent) with
Internet providers)?
I got an earfull on this one. PSI received some favorable reviews as
well as some warnings to avoid them at all costs. Other providers
also received some negative reviews though not as extreme.
It appears that the ISPs and the network are stretched rather thin
by the increased demand. The result is a decline in service.
The two best bits of advice I got were
1. Call all of the providers who service our area and note what sort of
pre-sales support we get. Service will not get better after we become
a customer.
2. Find out how direct the connection is between our site and the
principle sites we will be communicating with. I believe that the
term for this was "hop count" (experts will excuse me if I got this
wrong.)
Thanks again to everyone who responed.
Peter Schauss
pschauss@aol.com
Gull Electronic Systems Div
Parker Hannifin Corp
Smithtown, NY
----- End Included Message -----
----- End Included Message -----
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:09:17 CDT