
FireWall-1 will run on NT server or workstation. Since this system should be dedicated to firewall functionality, the license count difference between these two products should not be an issue. Therefore, you can use either product. It is recommended, however, that NT server be used, because the permission setting on the Registry makes this platform a bit more secure.

Note The Windows NT Registry, which stores all the configuration information for the system, varies slightly between NT Server and Workstation. NT Server has a stricter access control policy with regard to Registry keys. This ensures that only the system administrator is able to change the values stored within the database keys, thus increasing the integrity of the Registry information.

When installing NT server, observe the following guidelines:

• Install all required network cards before loading NT.

• Create an NTFS C partition of at least 800MB, which will hold the NT operating system and swap file.

• Create an NTFS D partition of the remaining drive space (200MB minimum) to hold the firewall software as well as the firewall logs.

• Load TCP/IP as the only protocol. Make sure IP forwarding is enabled.

• Remove all services unless you plan to have this server join a domain in order to use OS authentication for inbound access. If you do wish to use OS authentication, you will need to run the Computer Browser, NetBIOS Interface, RPC Configuration, Server, and

• Configure the system as a stand-alone workgroup, not a domain, whenever possible.

• If the server will be part of a domain, disable all WINS bindings on the external interface.

• Disable the guest account and create a new Administrator-equivalent account for performing firewall management. When you are ready to install the firewall software, log off as Administrator, log on as the new account name, and disable the Administrator account.

• Enable auditing and track logon failures in User Manager. Under User Rights, remove the right for all users to log on from the network. Modify the Logon Locally right to include only the user name you created as an Administrator equivalent.

• Install Service Pack 6a. This is considered the most stable service pack and has the most comprehensive security fixes to date.

• Change the boost to the foreground application to None under the Performance tab in System Properties.

• If you are running the server service (for domain authentication), go to the Server Properties dialog box and change Optimization to Maximize throughput for network applications.

Tip NT has a problem where it associates driver names with the NIC card loading order in the Registry. If the card settings are changed in any way (IRQ change, cards added or removed, and so on), this Registry setting may become corrupt. You can check this by running the ipconfig command, which will return incorrect card information or an error message that states, "The Registry has become corrupt." This is why it is important to install the NICs before installing NT. The only sure fix is to reload the operating system and all patches from scratch (not as an upgrade).

Once you have followed these guidelines, you are ready to make an emergency recovery disk and begin the FireWall-1 product install. Remember that if you load any new software from the NT server CD after this point, you will have to reinstall

• SP6a

• All hotfixes

• The firewall software (as an update)

• The firewall patch

Make sure you have your system exactly the way you want it before you install the firewall software.

Pre-install Flight Check

At this point, you should verify that the firewall platform has IP connectivity. Create a default route that points to the local router interface leading to the Internet. Create required route table entries for any internal network segments that are not directly connected to the firewall. The correct syntax to use when creating route table entries is

route add -p {remote IP} mask {subnet mask} {gateway address}

So to create a route entry to the network 192.168.2.0, which is on the other side of a local router at IP address 192.168.1.5, you would type

route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.5

Likewise, if the route entry was only for the host 192.168.2.10, you would type

route add -p 192.168.2.10 mask 255.255.255.255 192.168.1.5

Note The -p switch tells the operating system to make this route entry permanent, allowing the route entry to remain persistent over operating system reboots.
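The two commands above are instances of one rule: the destination must be a network address (host bits zero under the mask, or a bare address for a /32 host route), and the gateway must lie on a subnet the firewall is directly connected to, or NT will install a route that can never deliver a packet. The following Python script, added here as an example rather than taken from the book or from Check Point, generates the persistent route add -p lines from a planned route list and refuses the common mistakes before you type anything on the firewall. The adapter names, interface addresses and planned routes in it are constructed assumptions for the illustration.

```python
import ipaddress

# Constructed example: the firewall's directly connected interfaces.
# Adapter names and addresses are assumptions for the illustration.
LOCAL_INTERFACES = {
    "Elnk31": ipaddress.ip_interface("192.168.1.1/24"),   # internal
    "Elnk32": ipaddress.ip_interface("203.0.113.2/29"),   # external
}


def validate_route(destination, gateway, interfaces=LOCAL_INTERFACES):
    """Return None if the route is sound, otherwise a string explaining
    why NT would reject it or why it would never be used.

    destination: 'a.b.c.d/prefix', or a bare address for a host route (/32).
    gateway:     next-hop address; must sit on a directly connected subnet.
    """
    try:
        # strict=True: host bits under the mask must be zero, as route add requires
        net = ipaddress.ip_network(destination, strict=True)
    except ValueError:
        return f"{destination}: host bits are set under the mask; give the network address"
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return f"{gateway}: not a valid gateway address"
    # A next hop that is not on a directly connected subnet cannot be resolved
    # with ARP, so the route would be installed but never deliver a packet.
    if not any(gw in iface.network for iface in interfaces.values()):
        return f"gateway {gw} is not on any directly connected subnet"
    # Directly connected destinations already have a route; a static entry is
    # redundant (the default route, prefix length 0, is exempt from this check).
    if net.prefixlen > 0 and any(net.subnet_of(iface.network) for iface in interfaces.values()):
        return f"{net} is directly connected; no static route is needed"
    return None


def route_add_command(destination, gateway, interfaces=LOCAL_INTERFACES):
    """Build the persistent 'route add -p' line, refusing unsound routes."""
    problem = validate_route(destination, gateway, interfaces)
    if problem:
        raise ValueError(problem)
    net = ipaddress.ip_network(destination, strict=True)
    gw = ipaddress.ip_address(gateway)
    return f"route add -p {net.network_address} mask {net.netmask} {gw}"


def build_route_table(routes, interfaces=LOCAL_INTERFACES):
    """Turn a list of (destination, gateway) pairs into commands, one per route."""
    return [route_add_command(dst, gw, interfaces) for dst, gw in routes]


if __name__ == "__main__":
    # Constructed route list: default route via the external router, one
    # internal network behind a local router, and one host behind it.
    PLANNED_ROUTES = [
        ("0.0.0.0/0", "203.0.113.1"),
        ("192.168.2.0/24", "192.168.1.5"),
        ("192.168.2.10", "192.168.1.5"),
    ]
    for line in build_route_table(PLANNED_ROUTES):
        print(line)
```

Run it on a workstation, paste the printed lines into a command prompt on the firewall, then confirm with route print that each entry appears with the gateway you intended; the validation catches the two errors that route print will not flag for you, a gateway that is off-link and a destination with host bits set.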

Once you have created your route table, you should test connectivity. This can be done using ping and traceroute. At this point, the firewall platform should have connectivity to all internal and external hosts. If it does not, you need to troubleshoot the problem before going any further.

You should also make sure that you can ping external IP addresses from internal hosts. This will not be possible, however, if you are using private address space for your internal hosts. If you are using private address space, pinging the external interface of the firewall should suffice.

You should also run the ipconfig command and record the adapter driver name associated with the external IP address. This name will be similar to Elnk32. This information will be required later during the firewall software installation if you have purchased a single gateway product. Make sure you record the name exactly, because the entry is case sensitive.
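Because the adapter name must be copied exactly, it is worth extracting it from the ipconfig output rather than reading it off the screen. The script below is an added example, not code from the book or from Check Point: it parses a constructed sample of NT 4 ipconfig output (the adapter names and addresses in it are assumptions), maps each adapter driver name to the addresses bound to it, and returns the name for a given external address with its case preserved. It also refuses to proceed if the output carries the corrupt-Registry error message described in the earlier Tip, since an adapter name read from a corrupt configuration is not worth recording.

```python
import re

# Constructed sample of NT 4 'ipconfig' output. Adapter names and addresses
# are assumptions for the illustration, not taken from a real system.
IPCONFIG_OUTPUT = """\
Windows NT IP Configuration

Ethernet adapter Elnk31:

        IP Address. . . . . . . . . : 192.168.1.1
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . :

Ethernet adapter Elnk32:

        IP Address. . . . . . . . . : 203.0.113.2
        Subnet Mask . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . : 203.0.113.1
"""

ADAPTER_RE = re.compile(r"^\s*Ethernet adapter (\S+):")
IP_RE = re.compile(r"^\s*IP Address[ .]*:\s*(\S+)")
# Error text ipconfig prints when the NIC binding order in the Registry is damaged.
CORRUPT_MARKER = "The Registry has become corrupt"


def parse_ipconfig(output):
    """Map each adapter driver name (case preserved) to the IP addresses bound to it.

    Raises ValueError when the output carries the corrupt-Registry error, or
    when no adapter section is found at all (both mean "stop and fix NT first").
    """
    if CORRUPT_MARKER.lower() in output.lower():
        raise ValueError("ipconfig reports a corrupt Registry; reload NT and its patches from scratch")
    adapters = {}
    current = None
    for line in output.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)       # e.g. Elnk32, exactly as NT prints it
            adapters[current] = []
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            adapters[current].append(m.group(1))
    if not adapters:
        raise ValueError("no adapter sections found in ipconfig output")
    return adapters


def adapter_for_ip(output, ip):
    """Return the exact adapter name bound to ip, or None if no adapter has it."""
    for name, addresses in parse_ipconfig(output).items():
        if ip in addresses:
            return name
    return None


if __name__ == "__main__":
    EXTERNAL_IP = "203.0.113.2"   # assumed external address for the demo
    print(adapter_for_ip(IPCONFIG_OUTPUT, EXTERNAL_IP))   # prints Elnk32
```

On the firewall itself, redirect the real output to a file (ipconfig > ipconfig.txt) and feed that file to parse_ipconfig instead of the constructed sample; the name it returns is the string to enter, character for character, during the single gateway product install.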

Tip If you are worried about someone trying to break in to your network while you are testing for connectivity, simply disconnect the WAN connection to your router. You can then test connectivity as far as the IP address on the router’s serial interface.