PERSPECTIVES - Great walls of FIRE
Can company networks stand the heat? VNU Labs put seven of the latest firewalls under the grill.
Today, the cost of getting online is reasonably low and offers all sorts of possibilities for the channel. But the tremendous success of the internet has only increased the risks involved in a company connecting its clients' Lan or Wan to the Web.
Firewall technology is the cornerstone of network security. Put simply, it is a piece of software that determines which forms of network traffic are allowed to pass from PC to PC.
Two types of firewalls exist. A filtering firewall looks at the header of each TCP/IP packet that enters and, based on its contents, determines whether it will be allowed to pass or be discarded. It does this based on the IP address found in the header and the port number, which is specific to various types of network traffic. For instance, email and SMTP use port 23, HTTP and Web pages use port 80 and Lotus Notes uses port 1394.
With an application or proxy firewall, no direct traffic is allowed between networks. Instead, all communications are routed via specific applications, called proxy servers, running on the firewall. Many firewalls feature some form of proxying and because they scan the contents of incoming traffic, they can be used to filter out viruses in email attachments.
A special form of proxy server is network address translation (NAT), which translates IP numbers of machines on the internal network to that of the firewall. This not only helps keep down the number of IP addresses - which are becoming scarce - but also ensures a client's network only has one official IP address while internally having a private IP structure.
Theoretically, a pure application firewall is a lot safer than a filter, as there's no direct traffic between the internet and the private network being protected. Most firewalls, however, use a combination of both types.
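To make the filtering model concrete, here is a small rule evaluator added for this article (it is not code from any of the products on test). Each rule matches on the packet header fields the text mentions, the source and destination address and the destination port, and the first matching rule decides. The addresses are constructed (documentation and private ranges); the port numbers used for HTTP and SMTP are the IANA-assigned ones. The second policy shows the weakness of a pure filter: to let replies to outbound connections back in, it has to open every high port on the LAN to anyone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Added example: a stateless packet filter as described above.
# A packet is reduced to the header fields a filtering firewall inspects.
@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: str                                  # CIDR; "0.0.0.0/0" matches any
    dst: str
    proto: Optional[str] = None               # None matches any protocol
    dports: Optional[Tuple[int, int]] = None  # inclusive port range; None = any

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None:
            lo, hi = self.dports
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True

# Constructed addresses (documentation and private ranges, not a real site).
ANY = "0.0.0.0/0"
LAN = "10.0.0.0/24"
DMZ_WEB = "192.0.2.10/32"
DMZ_MAIL = "192.0.2.20/32"

# Policy: the internet may reach only the DMZ web server on 80 and the mail
# server on 25 (IANA-assigned HTTP and SMTP ports); the LAN may open anything
# outbound; the final catch-all drops everything else.
POLICY = [
    Rule("allow", ANY, DMZ_WEB, "tcp", (80, 80)),
    Rule("allow", ANY, DMZ_MAIL, "tcp", (25, 25)),
    Rule("allow", LAN, ANY),
    Rule("deny", ANY, ANY),
]

# The same policy plus the rule a stateless filter needs so that replies to
# LAN-initiated connections (which arrive on a high port) get through. The
# same rule also admits unsolicited packets to any high port on the LAN.
POLICY_WITH_REPLIES = (
    POLICY[:2] + [Rule("allow", ANY, LAN, "tcp", (1024, 65535))] + POLICY[2:]
)

def filter_packet(pkt: Packet, rules=POLICY) -> str:
    """Return the action of the first matching rule; unmatched packets are discarded."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

if __name__ == "__main__":
    reply = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001)
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 8080)
    print("reply under strict policy:", filter_packet(reply))
    print("reply with high ports open:", filter_packet(reply, POLICY_WITH_REPLIES))
    print("probe with high ports open:", filter_packet(probe, POLICY_WITH_REPLIES))
```

Under the strict policy a web server's reply to an internal user is dropped, because the filter has no way of knowing the user asked for it; under the relaxed policy the reply passes, but so does a probe aimed at port 8080 on the same internal host. That trade-off is exactly what the proxy and state-tracking approaches described elsewhere in this article are meant to remove.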
The majority of firewalls run on standard hardware platforms, such as Intel, PowerPC, Sparc or RS6000. In the early days, most were made only for Unix, but more NT-based firewalls are making an appearance. This poses an intriguing problem for security consultants, as NT isn't exactly renowned for its safety. Apart from purely software-based packages, some firewall systems come with proprietary hardware.
With the increasing use of the internet as an extranet, firewalls are being utilised for a host of different purposes. Traditionally, users who wanted access to an extranet identified themselves by entering a user name and password, but smart cards or other forms of tokens, such as Security Dynamics' token, are becoming more commonplace. Any resellers that are implementing a firewall for a client would be well advised to ensure the package supports these authentication systems.
The internet is an open network on which anybody can intercept and therefore read information, so all connections to the firewall and the network behind it need to be encrypted using a safe encryption algorithm, creating a virtual private network (VPN). However, a VPN application puts a heavy load on the firewall's CPU, and if it has to maintain many simultaneous VPN connections, a heavier server or multiple servers may be required.
Firewalls are increasingly being used to create barriers between sections within corporate networks. Usually cheap firewalls or filtering routers are used for this purpose.
Good Wan security usually requires a combination of routers, authentication systems and various servers and switches, not just the firewall alone.
Any of these can be equipped with additional protection to create a comprehensive security strategy.
In the case of a simple internet connection where a network is connected to the internet through a router, access control lists (ACL) can be defined on the router to protect from potential hackers. Often, a train of several consecutive firewalls is used to provide additional security. Such ensembles obviously need to be managed in a way that allows their components to co-operate with each other.
Last, but not least, firewall manufacturers have realised they cannot take on all aspects of network security and so allow the addition of third-party products to their systems. For example, the Checkpoint plug-in scans email attachments for viruses using OPSEC (open platform for secure enterprise connectivity), and the content adviser plug-in allows an administrator to filter out certain requests by users, based on a list of sites with unwanted content.
Digital: Altavista Firewall & Tunnel 98
Digital not only uses the brand name Altavista for its popular search engine, but also for a host of internet-related products, one of which is Firewall 98.
Despite the manufacturer's claim that it is 'the easiest firewall to install', we had quite a bit of trouble getting it going. Instead of running a normal set-up procedure, a network service has to be added from within the Windows control panel.
Once installed, Firewall 98 behaves impeccably. The software does, however, use each and every NT Service Pack and even renames the administrator account during installation. The first thing to do is assign colour-coded network adapters: red for the internet, blue for the DMZ and green for the internal network.
The idea of colour coding the security status of each interface is an original one, and it is reflected on the desktop. After that, Altavista immediately installs Tunnel, a VPN application.
The system supports a broad range of authentication systems, including Racal WatchWord keys, CryptoCard, S/Key, Security Dynamics and NT Domain Controller. Configuration is achieved through a Web interface, which is a lot less user friendly and aesthetically pleasing than a traditional Windows interface.
As for VPN, Altavista uses a module known as Tunnel. In the US, Tunnel can be used with 512-bit and 1,024-bit encryption keys, but because of the export limitations imposed on RSA encryption, this option is not available in Europe.
Another benefit of Altavista Tunnel is the availability of a VPN client for both the Macintosh and Windows 95, 98 and NT.
Tunnel seamlessly integrates into the underlying operating system and offers all sorts of nifty extras. It can handle various authentication systems and passed all security tests with flying colours.
Although Altavista is a bit too optimistic in its claims regarding ease of installation and user-friendliness, this is a very powerful firewall offering a variety of features.
IBM: eNetwork Firewall Version 3.2.1.1
The first notable feature about this package is its manual. Apart from providing information on the ins and outs of eNetwork, it is an excellent introduction to firewalling and the various types of attacks.
The NT version tested is one of the latest additions to Big Blue's firewall range and it is immediately clear that this product was first developed for Unix.
The development team has, however, done its best to familiarise itself with all of those NT idiosyncrasies. The installation program meticulously checks NT's set-up for any possible problems. One such check makes sure all the necessary Service Packs have been installed and all potentially dangerous services are turned off, including Alerter, Directory Replication and NT's Computer Browser. The actual firewall functions are performed by the IBM Intermediate Support Driver, installed alongside TCP/IP as a network protocol. It takes control of all TCP/IP traffic.
A Java browser connected to port 1014 on the firewall performs maintenance functions. It provides a complete GUI which allows the user to define the various network components (routers and hosts) and the firewall rules which apply to them. Because of the use of Java, eNetwork can be managed remotely. The connection is then encrypted using SSL, which isn't exactly Fort Knox, but adequate nevertheless.
Part of the package is Safemail, a secure mail gateway which checks and handles all incoming and outgoing mail. An FTP gateway also exists, but unfortunately no such device can be found for secure HTTP connections. Technically speaking, the eNetwork is a filtering firewall that also offers a number of specific socks proxy servers. Socks is an old standard allowing users on the inside of a firewall to access all sorts of internet services - mail, FTP, Telnet and so on - through a socks proxy.
The big disadvantage of this system is that a socks-compatible client is needed to use it. A socks proxy secured by user authentication can also be used to allow entrance to outside users. User access to the internet is possible through a Web proxy, which can also be secured with identifications and passwords.
Unfortunately, eNetwork does not support NAT, which means official IP addresses are needed throughout the local network, or all users will need to use the HTTP proxy and socks gateway. All socks proxies as well as the Web proxy can be secured with user ID and a password. This form of authentication can come from IBM's own password system and also from an NT Domain Controller or Security Dynamics' Ace Server.
This firewall does a good job of logging and alarming. Everything appears in the logs, and alarms can be sent using email or by modem.
The eNetwork is a somewhat worn-out firewall which uses old technology.
The absence of NAT makes it a lot more difficult to provide internal users with the necessary internet functions, although it passed all security tests without problems.
LanOptics: Guardian Version 3
The Guardian is one of the few firewalls on test originally written for Windows NT - most are NT versions of Unix firewalls.
During installation, the Guardian gave us no trouble about the absence of Service Pack 3 and the most recent 'hotfixes' on our machine.
This is a serious oversight, since without these the system is bound to be a lot more vulnerable to denial of service attacks.
The firewall can be managed using the Guardian Manager, a security policy editor which first configures network objects and then sets up rules for them. The Manager requires the user to give each strategy a name and asks for the name of the author. This is a good idea, since it allows users to check who was responsible for certain security strategies.
The Guardian has all the features one might expect and is capable of NAT in both a static and dynamic form. With static NAT, the internal address of one machine is translated to a fixed IP address, whereas dynamic NAT can work with a whole range of internal addresses.
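The two forms of NAT described here, and the address-hiding role of NAT outlined at the start of the article, can be shown with a toy translation table. This is an added example, not LanOptics' code: static NAT maps one internal host to one fixed public address, while dynamic NAT lets a whole internal range share the firewall's own address by handing each connection its own public port, and the reverse table turns replies back into internal addresses. All addresses and the port pool are constructed.

```python
# Added example: a toy NAT table with static and dynamic translation.
class Nat:
    def __init__(self, public_ip, static=None, port_pool=range(20000, 20010)):
        self.public_ip = public_ip                    # the firewall's external address
        self.static = dict(static or {})              # internal IP -> fixed public IP
        self.static_rev = {v: k for k, v in self.static.items()}
        self.free_ports = list(port_pool)             # public ports for dynamic NAT
        self.dyn = {}                                 # (int IP, int port) -> public port
        self.dyn_rev = {}                             # public port -> (int IP, int port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite the source of a packet leaving the internal network."""
        if src in self.static:
            # Static NAT: one-to-one, the port is left alone.
            return (self.static[src], sport, dst, dport)
        key = (src, sport)
        if key not in self.dyn:
            if not self.free_ports:
                raise RuntimeError("dynamic NAT port pool exhausted")
            public_port = self.free_ports.pop(0)
            self.dyn[key] = public_port
            self.dyn_rev[public_port] = key
        # Dynamic NAT: many internal hosts share the firewall address,
        # told apart by the public port allocated to each connection.
        return (self.public_ip, self.dyn[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite the destination of a packet arriving from outside.
        Returns None when no mapping exists, i.e. the packet is unsolicited."""
        if dst in self.static_rev:
            return (src, sport, self.static_rev[dst], dport)
        if dst == self.public_ip and dport in self.dyn_rev:
            internal_ip, internal_port = self.dyn_rev[dport]
            return (src, sport, internal_ip, internal_port)
        return None

    def release(self, src, sport):
        """Free a dynamic mapping once its connection has closed."""
        public_port = self.dyn.pop((src, sport), None)
        if public_port is not None:
            del self.dyn_rev[public_port]
            self.free_ports.append(public_port)

if __name__ == "__main__":
    # Constructed site: firewall at 203.0.113.1, a server statically mapped
    # to 203.0.113.10, and a LAN in 10.0.0.0/24 sharing 203.0.113.1.
    nat = Nat("203.0.113.1", static={"10.0.0.10": "203.0.113.10"})
    print(nat.outbound("10.0.0.5", 40000, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, "203.0.113.1", 20000))
    print(nat.outbound("10.0.0.10", 25, "198.51.100.7", 25))
```

A side effect worth noting for resellers: with dynamic NAT, an inbound packet that matches no entry in the reverse table has nowhere to go and is dropped, which is why NAT alone already hides the internal network from unsolicited traffic, while the statically mapped server stays reachable from outside and needs the firewall's rules to protect it.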
Bandwidths can be defined, allowing users to reserve, for example, 75 per cent of the available bandwidth for Web traffic, leaving some room for incoming email.
Monitoring and logging are excellent, using an Agent to keep track of all sorts of things. Log files can be stored in various formats and can also be sent to an SQL database using ODBC for further processing. As for alarming, the program can be given various email addresses to send messages to.
The absence of secure gateways for email and Web traffic is a pity. However, for smaller companies which don't do any hosting and only want to secure their connection to the internet, this shouldn't be any problem.
During testing, the Guardian immediately ran into trouble. During a simple portscan it crashed with an FMW32.EXE error. After that, the scan stopped, since the firewall could no longer be reached - we had, in fact, performed a denial of service attack without actually wanting to do so. We suspected this was caused by our failure to install SP3 and the hotfixes, which indeed proved to be the case. After we corrected the situation, the scan no longer crashed the system.
All things considered, the Guardian is an adequate NT firewall. In spite of the absence of a secure gateway for mail and Web traffic, it offers the ideal system to shield a small to medium-sized network.
Checkpoint Firewall-1 3.0b
What Microsoft is for just about every other part of the software industry, Checkpoint is for the firewall market. With Firewall-1 3.0b and its family, the company has once again proven to be the undisputed market leader.
With its support for Sun Solaris, RS6000, HP-UX and NT, Firewall-1 has captured more than 50 per cent of the market.
The key to this success is without doubt the quality of Checkpoint's products. Firewall-1 not only offers filtering and application firewalling, but is particularly successful thanks to its Stateful Inspection feature.
This is an advanced form of filtering whereby all sorts of additional, context-sensitive information on network packets is collected.
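What this context-sensitive filtering buys over a plain packet filter is easiest to see in code. The following is an added example, not Checkpoint's implementation: a toy connection-tracking filter that records every TCP connection the LAN opens and then admits an inbound packet only when it belongs to one of those connections, expiring entries that go idle. The LAN prefix, addresses and ports are constructed; the clock is injectable so the expiry can be exercised without waiting.

```python
import time
from collections import namedtuple

# Added example: a toy stateful ("connection tracking") TCP filter.
# flags is a frozenset of TCP flag names, e.g. frozenset({"SYN", "ACK"}).
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulFilter:
    def __init__(self, lan_prefix="10.0.0.", idle_timeout=60.0, clock=time.monotonic):
        self.lan_prefix = lan_prefix      # constructed: the protected LAN
        self.idle_timeout = idle_timeout  # seconds before an idle entry is dropped
        self.clock = clock                # injectable for testing
        # (lan_ip, lan_port, remote_ip, remote_port) -> time last seen
        self.connections = {}

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def _expire(self, now):
        stale = [k for k, seen in self.connections.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.connections[k]

    def check(self, pkt):
        """Return "allow" or "deny" for one packet, updating the state table."""
        now = self.clock()
        self._expire(now)
        bare_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if bare_syn:
                self.connections[key] = now   # the LAN opens a new connection
                return "allow"
            if key in self.connections:
                self.connections[key] = now   # further packets of a known connection
                return "allow"
            return "deny"                     # mid-stream packet with no connection
        if self._is_lan(pkt.dst) and not self._is_lan(pkt.src):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections and not bare_syn:
                self.connections[key] = now   # a reply to a tracked connection
                return "allow"
            return "deny"                     # unsolicited, whatever the port
        return "deny"

    def tracked(self):
        """Number of live connections in the state table."""
        return len(self.connections)

if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.check(Packet("10.0.0.5", 40001, "198.51.100.7", 80, frozenset({"SYN"}))))
    print(fw.check(Packet("198.51.100.7", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))))
    print(fw.check(Packet("203.0.113.9", 3000, "10.0.0.5", 40001, frozenset({"SYN"}))))
```

The reply to the user's request is accepted because the table remembers the request, yet a connection attempt to the very same internal port from another host is refused: the filter no longer has to open a band of high ports to make outbound connections work. The state table is also a resource, which is one reason such firewalls need the idle timeout and a larger CPU and memory budget than a plain filter.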
Checkpoint's firewalls also offer secure server gateways for SMTP, WWW and FTP. Furthermore, they can deal with just about any authentication system. Thanks to OPSEC, all sorts of external applications can be hooked in to Firewall-1. This third-party software can be used for virus scanning, logging and monitoring network traffic or communicating with new or exotic authentication systems.
Firewall-1 is becoming more of an integrated security suite. From within the Firewall-1 GUI - available in Microsoft Windows and X Windows flavour - Cisco, 3Com or Bay products can be configured and managed, eliminating the need for lots of different log files and configuration utilities.
Checkpoint offers a wide range of other security products, such as Floodgate, to manage bandwidth, and VPN-1 for virtual private networks. VPN-1 features SecuRemote, a secure VPN connection to be set up from an ordinary Windows 95 or NT PC to Firewall-1 and the network behind it.
The main drawbacks with Firewall-1 are its complexity and price, the latter being true of all Checkpoint products, which are usually priced on a simultaneous-user basis. With a 50-user licence, the firewall checks how many MAC addresses it can see. If users want to save money by adding a NAT-capable router between the network and the firewall, Firewall-1 is capable of handling 50 simultaneous connections.
Having such a good reputation allows Checkpoint to keep prices high, which corporate users seem willing to pay. For example, a Firewall-1 installation on a Unix system such as a Solaris or an AIX will cost approximately £17,000, including hardware, software and consultancy.
Unfortunately, we couldn't obtain a version 4 of Firewall-1 with its further enhancements in time for this article, but this version survived all our attacks without problems.
In short, this is an excellent choice when you want to play it safe - no security manager has ever been fired for choosing a Firewall-1.
Watchguard Technologies Firebox II
The Firebox product family consists of firewall systems which integrate hardware and software in a bright red box equipped with some flickering LEDs. Besides good looks, these products also offer excellent features.
The original Watchguards were loosely based on the freeware operating system Linux, but the manufacturers claim there's now more distance between Watchguard and the Linux kernel.
Originally, only one model existed. Hardware-wise, this consisted of a PC motherboard equipped with an AMD processor and three 10/100 3Com network adapters. It also contained a disk drive for reading the configuration disk or rebooting the system.
Firebox II runs the same software as the original, but is made up of different hardware. The model II is a lot smaller than its predecessor and has a trendy display. It is also equipped with more memory and a heavier processor, which gives an increase in performance to allow for multiple simultaneous VPN sessions. After all, encryption puts more strain on the CPU than regular network traffic.
On the software side, Watchguard really comes into its own. Not only is Firebox II a very complete firewall with features such as filtering, proxies, NAT, alarming and logging, it also has a graphical monitor and can generate historical reports. Management can be done over the network or through a serial cable. The interface runs on any Windows platform or on Linux X Windows for the fanatics. The remarkable Web-blocker function allows users to filter out Websites with undesirable content.
The VPN feature is new to Firebox. Not only does this allow users to connect Fireboxes to networks, it also lets remote users connect to the corporate network using the included client software.
The VPN software is IPSec compliant and uses the RSA RC4 algorithm with 40 or 128-bit keys for encryption. Firebox is now also targeted at the enterprise market, and in addition to the SMS management tool, it offers Global Console Software, allowing easy configuration of multiple Fireboxes within an organisation.
Secure Computing: Securezone
The Securezone manual says this product combines Borderware and Sidewinder Security Systems technology. It installed like a true Unix operating system, but still managed to detect all the hardware on the Netfinity PC server we used in our tests without problems.
During boot-up, the program said it had BSD and Apache code running through its virtual veins. After that, you enter a Linux, BSD or Netware-like environment in which the rest of the installation is fairly straightforward.
The actual firewall comes with the usual bells and whistles. Configuration can be done using a GUI client, available for both MS and X Windows. A fairly unique feature is the back-up option, which allows you to store all your set-up data on floppy disk. In case of a crash, this can be used to quickly install the firewall on another machine.
Another nice feature is StrikeBack - a kind of 'hack the hacker'. When under attack, StrikeBack automatically performs a host name look-up and a whois query to find out who's responsible for the attack. It also has support for UPS alarm calls, allowing you or your client to safely shut down the system in case of a power failure. All of these are excellent extras that should ensure reliable operation.
If you are looking for a mature Unix-based firewall but do not have the money for an Ultrasparc with Solaris and Firewall-1 or Raptor, this is your product. The Securezone has all the qualities of the Borderware firewall without the hardware demands.
Cisco: Cisco Pix
For several years now, Cisco has been the absolute market leader when it comes to routers. No wonder, then, that the vendor is also trying to get a piece of the action in the lucrative firewall sector.
The Cisco Pix is a proprietary piece of kit built into a 19in rack and looks quite impressive. It is managed from an NT Server by connecting to a Web server running on port 8080 on the firewall. The system can be configured using Telnet or through a terminal connection using a serial cable, just as you would configure any Cisco router. Anyone who has used Cisco's IOS will be immediately familiar with the interface.
The Pix is meant for larger organisations with multiple firewalls and lots of network traffic. Cisco claims the benefits of the Pix are its performance and scalability. The first is certainly true. Independent tests show the Pix is capable of handling 179Mb of data per second and can facilitate more than 6,500 simultaneous connections.
As for features, users are less well off with the Pix, but it does support NAT and IPSec-compliant VPN. For authentication, the Pix only supports TACACS+.
The latest software release we downloaded - 4.4.2 - withstood all our tests without problems. In the recent past, security bugs were found in the Pix system and widely reported in the IT press. However, it all turned out to be much ado about nothing and Cisco has fixed the situation perfectly.
The Cisco Pix is the ideal firewall for people who work with routers all day long, and they will certainly appreciate the Pix's router-like approach.
Cisco's firewall is of the same high quality as its other products. Unfortunately, the same has to be said about the price.
In conclusion
Is there an alternative to buying an expensive firewall? Dealers that know what they are doing with routers can protect their clients' network against intruders to a certain extent. Most routers support filtering and NAT. In some cases, as with the Cisco IOS, users will need to buy some additional software and perhaps install a little more memory.
Installing filtering rules or Access Control Lists can be done by anyone with access to, and a working knowledge of, routers. The main drawbacks are the absence of a GUI and an easy procedure to define security policies.
Another approach is to use a PC which is equipped with two network adapters and an operating system - for example, Unix - capable of controlling the traffic between them.
Let's take Linux as a case in point. Linux, being freeware, comes complete with source code. The kernel contains the necessary modules for firewall applications and there's also software for NAT. Once the Linux kernel is recompiled with the options required, users can start entering firewall rules using the ipfwadm command.
The key advantage of a Linux-based firewall is, of course, its low price.
Linux itself is free and it can even run on a redundant 486 PC. The main disadvantage is the amount of knowledge required - an ace Unix administrator will be required to ensure such a system is up and running. However, there are quite a few companies that use a Linux-based firewall and are quite happy with it.
A properly configured router or Linux firewall can give a fair amount of security. The only problem is, users need to know exactly what they are doing with it - there's no GUI and no easy way to define security policies.
This means that the Linux system is only suitable for organisations that are a bit short on money at the moment or for those that want an additional cheap second firewall.
WHAT MAKES A FIREWALL HOT?
Reliability: Although none of the firewalls on test were easy to circumvent, there were a lot of different approaches. Some products use outdated technologies such as socks proxying, making the firewall perform below par.
A good-quality insurance is the International Computer Security Association certificate, which is only awarded after thorough testing.
Suitability: Make a list of clients' requirements from their firewall.
If they have their own IP addressing system, the firewall will need to be capable of NAT. If they host various internet servers, a DMZ with secure gateways for email and Web traffic will be high on their wish list. If many employees have a home office, good VPN facilities and even better authentication procedures should be recommended.
Logging and alarming: A firewall has to keep track of odd incidents and alarm clients of suspicious network traffic. Some firewalls provide warnings by email, beeper or cellular phone.
Manageability: An important factor in the cost of ownership of a firewall is its management. Most firewalls offer a GUI and a configuration client which can be activated over the network.
FIREWALLS: FEELING THE HEAT
VNU Labs created a test set-up consisting of a corporate network connected to the internet. The Demilitarised Zone (DMZ) contained a Qmail SMTP server and a Domino Web server, both of which needed to be accessible from the corporate network and the internet. On the internal network, several users had complete access to the network and the internet.
In case any of the firewalls on test did not come supplied with hardware, an IBM Netfinity 3000 PC server with three network adapters was used, with a built-in IBM Ethernet processor and two 3Com Fast Etherlink XL 10/100 PCI adapters.
The firewall was required to completely shield all internal machines in the DMZ from the internet. All outbound network traffic had to be given the source address of the firewall using NAT. Inbound traffic was prohibited unless it was a connection to the Web or SMTP server in the DMZ or a connection for remote firewall management.
As for VPN, we attempted to set up a secure connection from that same address to a Unix machine behind the firewall. Servers inside the DMZ were shielded from the outside world as much as possible using a secure gateway application.
When this set-up had been established the following tests were performed. First, a number of hacker attacks were simulated to test how safe the firewall was. The software used for this was Safesuite Internet Scanner by ISS Software. With this program, a wide range of attacks can be directed at multiple servers.
We tested whether the firewall refrained from forwarding packets to the secure network under all circumstances by, among other things, sending spoofed ICMP (ping) packets to it. Sometimes a firewall can be fooled by a spoofed routing protocol (RIP) update that creates a route to machines behind the firewall.
Denial of Service attacks are used to crash a firewall altogether. Usually such an attack is based on known weaknesses in the system.
Server Exploits are hacking techniques which try to make use of weaknesses in the SMTP (Simple Mail Transfer) protocol, FTP(File Transfer) protocol, WWW, DNS (Distributed Name Services), X-Window or Netbios (Windows networking) servers, to gain information on the underlying network and even to enter it.
The firewalls' logging and alarming functions were also tested. When a system is under attack, it is important to collect as much information as possible to track down the attacker. A simple portscan to systematically find out which services are running on a firewall is usually easily detected.
However, there are portscanning methods which do not finish the handshaking procedure while connecting, and so leave no trace in the logs.
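Whether a scan of this kind shows up depends on what the firewall writes down: a log that records only completed connections never sees a probe that stops after the first packet, whereas a log that records each connection attempt as it is accepted or dropped does. The following is an added example, not part of the VNU Labs test rig or any product's software: a small detector run over constructed log lines that counts how many distinct ports each outside address has tried within a short window, using the initial SYN alone, so a half-open scan is caught exactly as a full one would be. The log format, addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (not real output from any product on test).
# "accept"/"drop" is the firewall's decision; flags are the TCP flags seen.
# 198.51.100.7 probes a series of ports; 198.51.100.9 is an ordinary client.
SAMPLE_LOG = """\
1998-10-05 14:02:00 accept src=198.51.100.9:1500 dst=203.0.113.1:80 flags=S
1998-10-05 14:02:01 drop src=198.51.100.7:1031 dst=203.0.113.1:21 flags=S
1998-10-05 14:02:01 accept src=198.51.100.9:1501 dst=203.0.113.1:25 flags=S
1998-10-05 14:02:02 drop src=198.51.100.7:1032 dst=203.0.113.1:22 flags=S
1998-10-05 14:02:03 drop src=198.51.100.7:1033 dst=203.0.113.1:23 flags=S
1998-10-05 14:02:04 accept src=198.51.100.9:1500 dst=203.0.113.1:80 flags=A
1998-10-05 14:02:05 drop src=198.51.100.7:1034 dst=203.0.113.1:110 flags=S
1998-10-05 14:02:06 accept src=198.51.100.7:1035 dst=203.0.113.1:80 flags=S
1998-10-05 14:02:07 accept src=198.51.100.9:1502 dst=203.0.113.1:80 flags=S
1998-10-05 14:03:30 drop src=198.51.100.7:1036 dst=203.0.113.1:139 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>accept|drop) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def detect_scans(log_text, window_seconds=10, port_threshold=5):
    """Return {source_ip: distinct_ports} for every source that tried at least
    port_threshold distinct ports within window_seconds. Only the initial SYN
    of each attempt counts, so dropped probes weigh as much as accepted ones
    and a scan that never completes the handshake is still seen."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport), oldest first
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dport"]))
        # Slide the window: drop attempts older than window_seconds.
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = len(ports)
    return alerts

if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print(f"possible portscan from {src}: {n} distinct ports within the window")
```

In the sample the scanner touches five different ports in six seconds and is reported, while the ordinary client, which only ever talks to ports 80 and 25, is not; the lone probe to port 139 a minute and a half later falls outside the window and adds nothing. The thresholds are a judgement call for the site, and the detector only works if the firewall logs the attempt rather than the session.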
We also looked at how easy is it to set up a VPN connection from an ordinary client machine. Do users on the internal network have access to all internet features? Some firewalls have trouble with some streaming applications, such as RealAudio and video.
Finally, we checked how well the firewall shielded mail and Web servers in the DMZ.
We tried a lot of tricks but undoubtedly there are more ways to catch a system off-guard. One of the biggest problems remains the vulnerability of the underlying operating system itself.
ANOTHER BRICK IN THE FIREWALL
Smooth-talking salespeople claim that a firewall is the one and only answer to all security problems. Selling firewalls has become big business - all of the big names have added firewalls to their product ranges, including Cisco, McAfee, IBM and Digital, and even Novell (with Border Manager) and Microsoft (with MS Proxy) have their eyes on it.
Rather than latching on to trendy ideas such as authentication systems, VPN and encryption, it's more important to come up with a sound general security policy. The best way is to tell clients to forget everything they ever learned about security. Starting with a clean slate allows their situation to be assessed on a few simple questions.
Exactly what information do they want protected? Do they run a standard Novell IPX network with all their important information residing on servers, or TCP/IP with information scattered in various locations? The latter requires a completely different approach than the former, as the protocol barrier makes it impossible to get access to information on the IPX server.
Another important question is from whom do they want their information protected? Their first answer will probably be 'the world outside', but they may also wish to restrict interdepartmental access. Some security systems take this a step further and allow the definition of periods of access. For instance, internal users only can be allowed to have access to certain parts of the internet, such as news or IRC, during their afternoon break.
The next step is to determine how potential invaders could access the client's network. Often the internet isn't the only entrance and therefore the problem can be more complex than at first thought. Companies with multiple branches and people working from home may want to give their employees access to the network through an ISDN dial-up account. Despite password protection, this kind of dial-up Wan link is a weakness that could be exploited to allow entry to the system. This can be prevented using CallerID, a system that identifies the incoming ISDN call.
Even safer is the use of a dial-back system.
It is important to check everything with regard to security on a regular basis for all possible breaches. This can be done and charged for by the reseller. Should the client wish to spend a fair amount of money on this, so-called Tiger Teams or hacker groups can also be hired.
Resellers will also want to determine in advance who checks firewall logs for traces of illegal entry. A comprehensive security policy clearly defines what needs to be done in case of such an occurrence.
When a hacker has breached the network there's no time to call a meeting to discuss a plan - the system administrator has to know exactly what the next step is. This is probably closing down the network, assessing the damage and collecting evidence.