We are also a primarily NW 4.11 shop. I currently use MS Proxy 2 behind Firewall-1 on NT. We also found BorderManager to be too pricey and quite complicated to set up. Firewall-1 is not inexpensive either, though. A word of caution too: Check Point's ability to support their product is almost non-existent. I have gotten much better help from this news list than from our reseller or Check Point. Make sure you purchase it from a reseller with lots of experience and write your contract carefully. If you do use Firewall-1, put it on Solaris. Check Point is a Unix software vendor and it may be a while before they get serious about NT.

I originally set up MS Proxy 1.0. If I knew what I know now about 2.0 and did not need to host a public Web site, I would have used MS Proxy without Firewall-1. MS Proxy is simple to set up and works well. Use the latest hot fixes, unbind everything but TCP/IP from the outside NIC, use private (non-routable) addresses on the inside, and use filtering. What I have heard about NDS for NT makes it sound like it would work with MS Proxy, and the price has gotten much more reasonable. If you use it I would like to know what you learn. Otherwise I will wait for ADS and try to convince my management to dump NW. My goal is one security provider, one network OS, one layer-3 protocol suite (TCP/IP), lots of application server capability and Internet standards. I know there are lots of MS-haters out there but I like boating in the deepest part of the river.

I also use MS SQL Server to log Internet access down to the URI by user name, and a custom HTML front end that managers can use to view what their employees have been doing. It is actually even fast on the same box as MS Proxy. Be sure to point the ODBC DSN to local, configure memory allocation for SQL Server, and use lots of RAM. We do not block sites and employees are left responsible for their own actions.

The other product we use is Symantec's NAV for Firewalls. Check Point has a considerable amount of work to do on CVP. Anyone out there tried any of the virus scanning products for MS Proxy?

-----Original Message-----
From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private] On Behalf Of Tyrrell Kevin
Sent: Thursday, April 16, 1998 12:25 PM
To: 'Firewall Wizards'
Subject: Controlling outbound access to the firewall

We are in the process of planning a direct connection to the Internet. Our Enterprise Network is based on Netware 4.11 and we use NDS for our directory service. We have narrowed the choices for the bastion host down to Checkpoint FW-1 on Solaris and TIS Gauntlet on BSD. We do not plan on giving all employees Internet access, but there will still be around 300 who will have access. Our original plan was to use Novell's BorderManager between the bastion host and the EN for caching and controlling access to the outside through the NDS object rights associated with BorderManager. This part of the plan has been cut out due to -$$$. It may be put in place later if the caching is needed. (We are also putting up an Intranet based on IIS. All EN users will have browsers and we plan on controlling what they can access on the Intranet server by using NDS for NT.)

How does one go about controlling access to the bastion host? I don't want these users having IDs on the bastion host. So what other choices are there?

PS: Please, no comments on FW-1 vs. Gauntlet preferences outside of the access question. That's for us to decide - which product will implement our security policy the best.

Thanks,
Kevin
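As an added illustration (not the poster's setup and not MS Proxy 2.0's own ODBC log schema), this is the shape of a per-user proxy access log and the kind of manager report the reply describes; the table, column and account names are assumptions and the rows are constructed.

```sql
-- Added example: user-attributable proxy access log in SQL Server.
-- Table and column names are assumed, not MS Proxy 2.0's real log schema.
CREATE TABLE ProxyAccessLog (
    LogTime        DATETIME      NOT NULL,
    ClientUserName VARCHAR(64)   NOT NULL,  -- NT account the proxy authenticated
    ClientIP       VARCHAR(15)   NOT NULL,  -- private (non-routable) inside address
    DestHost       VARCHAR(255)  NOT NULL,
    Uri            VARCHAR(1024) NOT NULL,  -- logged "down to the URI"
    ResultCode     INT           NOT NULL,  -- HTTP status returned to the client
    BytesRecvd     INT           NOT NULL
);

-- The per-user front end reads by (user, time); index for that, not for writes.
CREATE INDEX IX_ProxyAccessLog_User_Time
    ON ProxyAccessLog (ClientUserName, LogTime);

-- Constructed sample rows (hypothetical accounts and hosts)
INSERT INTO ProxyAccessLog VALUES
('1998-04-16 09:12:03', 'CORP\jsmith', '10.1.2.15', 'www.example.com',
 'http://www.example.com/index.html', 200, 4120),
('1998-04-16 09:12:09', 'CORP\jsmith', '10.1.2.15', 'www.example.com',
 'http://www.example.com/news.html', 200, 18230),
('1998-04-16 13:40:51', 'CORP\jsmith', '10.1.2.15', 'files.example.net',
 'http://files.example.net/big.zip', 200, 2097152),
('1998-04-16 10:05:00', 'CORP\mlee',   '10.1.3.42', 'www.example.org',
 'http://www.example.org/', 403, 310);

-- Manager summary: what each employee reached in a day, heaviest first.
SELECT ClientUserName, DestHost,
       COUNT(*)        AS Requests,
       SUM(BytesRecvd) AS Bytes,
       MIN(LogTime)    AS FirstSeen,
       MAX(LogTime)    AS LastSeen
FROM ProxyAccessLog
WHERE LogTime >= '1998-04-16' AND LogTime < '1998-04-17'
GROUP BY ClientUserName, DestHost
ORDER BY ClientUserName, Bytes DESC;

-- Drill-down for one user: the URI-level trail, including failed requests.
SELECT LogTime, Uri, ResultCode, BytesRecvd
FROM ProxyAccessLog
WHERE ClientUserName = 'CORP\jsmith'
  AND LogTime >= '1998-04-16' AND LogTime < '1998-04-17'
ORDER BY LogTime;
```

Because the log is keyed on the authenticated user name rather than only the client IP, the report stays meaningful even when inside addresses are reassigned.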
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:30 PDT