RE: non-IP firewalls

From: Stout, William (
Date: Fri May 01 1998 - 13:19:25 PDT

    The Non-IP (multiprotocol) firewall issue is a loaded gun.  You're
    talking about Intranet firewalling, and passing applications that are
    not either designed to use a proxy or a packet filter.  Internal IP
    applications tend to use random higher-number ports; just try to filter
    ports 20000-30000.  Intranet includes LAN, private WAN and remote LAN.

    Since MIS groups primarily want things to work and security is a
    secondary consideration, restrictions will cause workarounds, such as in
    one company where IP is routed via FW-1, and all other protocols
    (DECnet, IPX, NetBEUI, etc.) are bridged via a direct connection.

    You can't successfully firewall an existing corporate Intranet.  Period.
    The only way to bring Intranet firewalling into the network is with a
    network redesign, and lots of thought about the applications.  If a
    company's network or systems locations are dynamic, it's a lost cause.
    It's better to monitor and record traffic with an IDS system.

    Network-1 is one of the few software choices when choosing a
    multi-protocol firewall, and it has its own issues that aren't present
    when using standard router filtering.  It is an NDIS shim that resides
    below the network stack, and should be independent of limitations of the
    O.S.  However, firewall management and control software runs in the
    O.S., and various issues cause it to crash, most likely because NW-1
    tech support is not obviously familiar with NT security, hotfixes, or
    patches.  Four of the issues that hopefully someone on this list from
    NW-1 can address are the following:

    1. File transfers >1.3GB cause FW-1 to crash, runs out of virtual
    2. Sessions with excessive lifetime (>6 hours) fill NT virtual memory,
       crash firewall.
    3. Installation techs do not take any steps to harden the O.S. during
    4. MS-TCP stack with all its flaws is present and required for remote

    1 & 2 are probably fixable with a November hotfix related to NDIS
    drivers running out of virtual memory (hint, hint).

    OTOH, Bill Hancock is an impressive speaker, apparently knowledgeable,
    and knows his stuff.

    Bill Stout
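Added example (not part of Bill Stout's post, and not Network-1 or FW-1 code) of the "monitor and record traffic" approach the post recommends for an intranet link that cannot be firewalled. It reads flow records in a constructed CSV-like layout (ethertype, src, dst, dport, start, end, bytes; an assumed format, not any vendor's export) and flags the conditions the post names: sessions alive longer than six hours, transfers over 1.3 GB, and non-IP protocols riding the bridged path. It also buckets destination ports above 1024 to show why "just filter ports 20000-30000" is not a workable rule on a network where applications pick high ports at random. The sample records and thresholds are constructed for the demonstration.

```python
"""Flow-record review for an intranet link that is monitored rather than firewalled.

Added example, not code from the original post or from the Network-1 product.
Record format (constructed, not a real export format):
    ethertype,src,dst,dport,start,end,bytes
with start/end as epoch seconds and dport 0 for non-IP frames.
"""
from dataclasses import dataclass
from typing import Dict, List

LONG_SESSION_SECONDS = 6 * 3600             # ">6 hours" from the post
LARGE_TRANSFER_BYTES = int(1.3 * 1024 ** 3)  # ">1.3GB" from the post


@dataclass
class Flow:
    ethertype: str   # "IP", "IPX", "DECnet", "NetBEUI", ... (constructed labels)
    src: str
    dst: str
    dport: int       # 0 for non-IP protocols
    start: int
    end: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; reject anything that is not 7 fields."""
    fields = [x.strip() for x in line.split(",")]
    if len(fields) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(fields[0], fields[1], fields[2], int(fields[3]),
                int(fields[4]), int(fields[5]), int(fields[6]))


def _records(lines: List[str]):
    """Yield parsed flows, skipping blank lines and '#' comments."""
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        yield parse_flow(line)


def review_flows(lines: List[str]) -> Dict[str, List[str]]:
    """Flag long sessions, large transfers and non-IP traffic on the link."""
    findings: Dict[str, List[str]] = {"long_session": [], "large_transfer": [], "non_ip": []}
    for fl in _records(lines):
        key = f"{fl.ethertype} {fl.src}->{fl.dst}:{fl.dport}"
        if fl.ethertype != "IP":
            findings["non_ip"].append(key)      # bridged, not routed: no filter saw it
        if fl.end - fl.start > LONG_SESSION_SECONDS:
            findings["long_session"].append(key)
        if fl.bytes > LARGE_TRANSFER_BYTES:
            findings["large_transfer"].append(key)
    return findings


def high_port_histogram(lines: List[str], low: int = 1024, bucket: int = 5000) -> Dict[int, int]:
    """Count IP flows per destination-port bucket above `low`.

    A spread across many buckets is the visual argument against a static
    port-range filter on an intranet.
    """
    hist: Dict[int, int] = {}
    for fl in _records(lines):
        if fl.ethertype != "IP" or fl.dport < low:
            continue
        b = (fl.dport // bucket) * bucket
        hist[b] = hist.get(b, 0) + 1
    return hist


# Constructed sample records: two long sessions (one also a >1.3GB transfer),
# two non-IP flows, and three IP flows on random high ports.
SAMPLE_FLOWS = [
    "# ethertype,src,dst,dport,start,end,bytes   (constructed sample)",
    "IP,10.1.1.5,10.2.2.9,21345,1000,1600,52000",
    "IP,10.1.1.7,10.2.2.9,27800,1000,30000,1500000000",
    "IP,10.1.1.8,10.2.2.12,443,2000,2100,8000",
    "IPX,00A0:1234,00B0:5678,0,1500,1550,4096",
    "NetBEUI,WS01,FILESRV,0,1600,1700,2048",
    "IP,10.1.1.9,10.2.2.9,25001,3000,25000,900000",
]

if __name__ == "__main__":
    for category, keys in review_flows(SAMPLE_FLOWS).items():
        print(f"{category}: {len(keys)}")
        for k in keys:
            print(f"    {k}")
    print("IP flows per high-port bucket:", high_port_histogram(SAMPLE_FLOWS))
```

Run on a real flow export, the thresholds would be tuned to the site's own long-lived services (backup windows, database replication) so the report lists exceptions rather than the normal workload; the non-IP bucket is the one worth watching on a link where those protocols are bridged straight past the IP firewall.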

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:13 PDT