The Non-IP (multiprotocol) firewall issue is a loaded gun. You're talking about Intranet firewalling, and passing applications that are not designed to use either a proxy or a packet filter. Internal IP applications tend to use random higher-number ports; just try to filter ports 20000-30000. Intranet includes LAN, private WAN and remote LAN networks. Since MIS groups primarily want things to work and security is a secondary consideration, restrictions will cause workarounds, such as in one company where IP is routed via FW-1, and all other protocols (DECnet, IPX, NetBEUI, etc.) are bridged via a direct connection.

You can't successfully firewall an existing corporate Intranet. Period. The only way to bring Intranet firewalling into the network is with a network redesign, and lots of thought about the applications. If a company's network or systems locations are dynamic, it's a lost cause. It's better to monitor and record traffic with an IDS system.

Network-1 is one of the few software choices when choosing a multi-protocol firewall, and it has its own issues that aren't present when using standard router filtering. It is an NDIS shim that resides below the network stack, and should be independent of limitations of the O.S. However, firewall management and control software runs in the O.S., and various issues cause it to crash, most likely because NW-1 tech support is not obviously familiar with NT security, hotfixes, or patches. Four of the issues that hopefully someone on this list from NW-1 can address are the following:

1. File transfers >1.3GB cause FW-1 to crash; it runs out of virtual memory.
2. Sessions with excessive lifetime (>6 hours) fill NT virtual memory and crash the firewall.
3. Installation techs do not take any steps to harden the O.S. during installation.
4. The MS-TCP stack, with all its flaws, is present and required for remote management.

1 & 2 are probably fixable with a November hotfix related to NDIS drivers running out of virtual memory (hint, hint).

OTOH, Bill Hancock is an impressive speaker, apparently knowledgeable, and knows his stuff.

Bill Stout
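As an added example (not Bill Stout's code, nor anything from Network-1), the following Python audit applies the two conditions the post names, sessions longer than 6 hours and transfers larger than 1.3GB, to constructed session-log lines, the kind of check one would run over IDS or flow records to spot the sessions that the post says exhaust the firewall's virtual memory. The log format and field layout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not from the post). One completed session per
# line: start end proto src dst bytes
SAMPLE_LOG = """\
1998-11-02T08:00:00 1998-11-02T08:05:12 tcp 10.1.2.3:21045 10.9.0.5:21 1400000000
1998-11-02T09:00:00 1998-11-02T16:30:00 tcp 10.1.2.7:23109 10.9.0.8:1521 52000000
1998-11-02T09:10:00 1998-11-02T09:11:00 tcp 10.1.2.9:1050 10.9.0.5:80 120000
1998-11-02T10:00:00 1998-11-02T10:02:00 udp 10.1.2.3:26000 10.9.0.9:26000 9000
"""

MAX_SESSION_SECONDS = 6 * 3600          # lifetime limit quoted in the post
MAX_SESSION_BYTES = 1_300_000_000       # 1.3GB transfer limit quoted in the post


@dataclass
class Session:
    start: datetime
    end: datetime
    proto: str
    src: str
    dst: str
    nbytes: int

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_log(text: str) -> list[Session]:
    """Parse the assumed whitespace-separated session-log format."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, proto, src, dst, nbytes = line.split()
        sessions.append(Session(datetime.fromisoformat(start),
                                datetime.fromisoformat(end),
                                proto, src, dst, int(nbytes)))
    return sessions


def audit(sessions: list[Session], max_seconds: float = MAX_SESSION_SECONDS,
          max_bytes: int = MAX_SESSION_BYTES) -> list[tuple[str, Session]]:
    """Return (reason, session) pairs for sessions exceeding either limit."""
    findings = []
    for s in sessions:
        if s.seconds > max_seconds:
            findings.append(("long-lived", s))
        if s.nbytes > max_bytes:
            findings.append(("large-transfer", s))
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` flags the 1.4GB FTP transfer and the 7.5-hour database session, and nothing else.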
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:13 PDT