List:       firewalls-gc
Subject:    Windows for NT firewalls
From:       blackmer () nbn ! com
Date:       1994-12-31 19:22:40

Ken,
	Much like your company we lack UNIX experience and are committed to an 
NT 3.5 environment. We have around 20 NT servers connected by 3COM CDDI cards 
to FDDI backbone driven by 3COM routers in our internal network. We have an NT 
server connected to our external 3COM router running the NT beta versions of a 
WEB and Gopher (both running well, by the way, with people connecting and not 
even knowing they are connected to NT server vs UNIX). We also provided the 
router to our internet provider so we could move some router/firewall 
decisions farther away from our environment.
	At this point we do major and minor access control (filtering) in 
different 3COM routers to keep certain sockets out of this NT server on the 
internet. The router feeding the internet backbone allows no UNKNOWN user 
access from outside in. 
	In the NT server we do extensive logging of just about all kinds of 
foreign access (the Russ Blake book, by Microsoft, "Optimizing Windows NT" was 
a big help here). We do some things with code on the server. Mail, at this 
point, is handled by our internet provider server. North Bay Networks, they 
know a lot of UNIX.
	In firewall terms we use a version of a "screened subnet". RPC 1597. 
Most of the work is done in the 3COM routers in which I have a lot of 
experience. We have a lot of NT AS people who are very nervous and we keep 
looking at this server.
	I am willing to provide the "filters" for the 3COM routers if anybody 
is interested. 3COM helped on these and you get them from any 3COM technical 
person.

	You could also call your Microsoft people since the Microsoft stuff on 
the Internet is all NT (www.microsoft.com, gopher.microsoft.com, etc.)

	A BIG NOTE OF CONCERN. Maybe we are doing OK because:
		1. Not that many people know, use, or care about the NT operating
		   system so the years of experience of attacking UNIX systems is
		   missing at this time;
		2. There is so much more to go after than 3 years ago;
		3. We pay A LOT of attention to the firewall user group and try to
		   match problems mentioned to our area;
		4. We read all the GreatCircle, TIS, etc. stuff;
		5. We read the "Firewalls and Internet Security" book by Cheswick and
		   Bellovin. (How can I get an autograph ??)
		6. It's all TCP/IP good or bad, we stay awake;
		7. It's still a test area, we have NOT bet the shop.

Lastly, as part of the MIDAS project for all the schools, cities, etc in Marin 
County, we are using the UNIX operating systems with firewalls in addition to 
our own NT AS environment. So we will try to keep the best of both worlds.

WARMLY from the hot tub,

Bill Blackmer
County of Marin	
