Forwarded From: Nicholas Charles Brawn <ncb05at_private> 19Nov98

UK: TECHNIQUE - GROUP TEST - FIREWALLS - MAKE YOUR NETWORK SAFER WITH FIREPOWER.

Jan Guldentops puts some leading commercial firewalls through their paces to see just how well they really perform.

As a medium for communications and information exchange, the Internet has made a remarkable breakthrough in the past two years. It would be difficult to find a serious company today that does not have an online presence. If such a company exists, it is at least considering such a connection. The cost of getting connected has never been lower, and it offers all sorts of communication possibilities, such as email, web sites, file transfer and even video-conferencing.

The Net's tremendous success has only increased the risks involved in connecting your organisation's local or wide area network to it. When companies do not take the necessary precautions, not only do all staff users get unrestricted access to the Net, but the lack of security also gives malevolent web surfers the opportunity to access the companies' own networks, with all their machines and confidential data at their mercy. Just imagine the consequences of an outsider accessing critical information or shutting down an important server or router just for the fun of it!

There are plenty of horror stories about the dire consequences of unsafe networks. A few months ago, I read an advertisement for a small US software company in a newsgroup. Out of boredom, I decided to have a peek at their network structure over the Internet. While fiddling about, I found that I could influence Windows file and printer sharing with the aid of a small program. I would have loved to have seen the face of the company's systems administrator when he found a letter printed by me. Here's another example: there is still a large system integrator - active on the European mainland - which uses brand names as an obvious password on the routers it installs.
This means that everywhere along the information highway there are still lots of unsafe places to be found.

The key to a safe network

If we are to believe advertisements, a firewall is the cornerstone of network security. A firewall is, in fact, a kind of gatekeeper that stands guard on the outside of your network. It is little more than a computer equipped with two or more network adaptors. On that computer, a piece of software determines which forms of network traffic are allowed between these adaptors. This software, in effect, functions as a wall with small holes in it that allow only certain items to pass through unrestricted.

Firewall filters contents

Two types of firewalls exist: the first is the so-called filtering firewall. This is the most basic type. It looks at the header of each TCP/IP packet that enters the system and, based on its contents, determines whether the packet will pass or be discarded. It does this based on the Internet protocol (IP) address found in the header and the port number specific to the various types of network traffic. For example, SMTP mail uses port 23, HTTP requests use port 80, and Lotus Notes uses port 1394 to initiate a replication process. Filtering can be achieved on most routers.

Proxy server scans traffic

The second type of firewall is the application firewall or proxy. In this type of firewall, no direct traffic between two or more networks is allowed. Instead, all communications are routed through specific applications running on the firewall, called proxy servers. When someone on the network wants to set up a Telnet session, their client makes a connection to the Telnet proxy server on the firewall, which then connects to the Telnet host that was requested. The main advantage of a proxy over a filtering firewall is the possibility of scanning the contents of incoming traffic. This can, for example, be used to filter out viruses in email attachments. A special form of a proxy server is Network Address Translation (Nat).
This translates the IP-numbers of machines on the internal network to that of the firewall. This not only helps keep down the number of IP-addresses - which are becoming more and more scarce - but also ensures that your network has only one official IP-address while internally having a private IP structure. Theoretically, a pure application firewall is a lot safer than a filtering firewall. After all, there's no direct traffic between the Internet and your private network. Nevertheless, most firewalls use a combination of both types.

Nowadays, there are many new techniques and ideas about firewalling. Not only is the information contained in headers used to filter packets, it is also used to analyse and trap suspect situations such as spoofing. This is when the sender address has been deliberately altered so that the firewall will identify it as friendly.

Firewalls come in all shapes and sizes. Most run on standard hardware platforms, such as Intel, PowerPC or Sparc. In the early days, most firewalls were made only for Unix. Today, more and more NT-based firewalls are being developed. This poses an intriguing phenomenon for security consultants, as NT is not renowned for its security. Apart from purely software-based solutions, some systems come with proprietary hardware.

A whole new job description

Today, firewalls are a lot more than just simple gatekeepers that guard the entrance to your network. These icons of the security world are being used for a host of new purposes. The main reason for this is the explosive growth of the Internet, in particular the use of the Net as an extranet - an extension of the private wide area network to facilitate remote access. Extranet applications require additional security measures. First, users have to identify themselves if they want access. Traditionally, this is done by entering a user name and a password, but more refined methods exist.
The use of smartcards or other forms of tokens, such as the Security Dynamics token, is becoming widespread. It is therefore a good idea to make sure your future firewall supports these authentication systems. The Internet is an open network where anybody can intercept, and therefore read, information. That means all connections to the firewall and the network behind it need to be encrypted using a safe encryption algorithm, creating a so-called virtual private network (VPN). Keep in mind that a VPN application puts a heavy load on the firewall's processor. When a firewall has to maintain many simultaneous VPN connections, a heavier server or maybe even multiple servers may be required.

What to look for in a firewall

The differences in price and performance are so enormous that it takes a great deal of time to come to a good decision when buying a firewall. The following list of hints and questions will help you select a firewall that fits your specific needs.

What is the reliability, and is the firewall secure enough for the systems administrator to sleep well every night? Although none of the firewalls we tested was easy to circumvent, there are numerous differences in how each application approaches the problem. Some products use outdated technologies such as socks proxying, making the firewall perform below par. A good guarantee of quality is the International Computer Security Association certificate, which is only awarded after thorough testing.

Do you have your own IP-addressing system? If so, the firewall will need to be capable of network address translation. Maybe you host various Internet servers? In that case, you will need a demilitarised zone (DMZ), an open area with secure gateways for email and web traffic. If your organisation uses teleworkers, you will want good VPN facilities and authentication procedures.

The right price equals hardware, software and support. Always calculate the right price for your entire firewall setup.
Take into account not only the device, but also software - both the operating system and the firewall software - and support. Support consists of consultancy and maintenance. In most cases, you will need powerful server hardware, an NT server licence and firewall software. Some firewalls come with a single software charge, whereas others may charge per simultaneous user.

Logging and alarming are important - a firewall has to keep track of odd incidents and inform you of suspicious network traffic. Keep an eye out for logging and alarm features. Some firewalls provide warnings by email, beepers or even cellular telephone.

Manageability is an important factor in the cost of ownership of a firewall. In the past, a firewall was configured by editing a configuration file crammed with cryptic commands. Most firewalls today offer a graphical interface and a configuration client that can usually be activated over the network.

Raptor Eagle Version 5.02 for NT

Together with Firewall-1, the Raptor Eagle is one of the veterans of the firewall market. The Raptor consists of two types of product: the Eagle, a firewall that installs on an NT-based machine, and the Hawk, a configuration utility that can run either on the firewall itself or from a remote computer.

It's remarkable to see how little the Raptor has changed over the years. In fact, it is still the same dull thing I last tested two years ago. The product boasts awards which still show 1996 credits. In security terms, this is terminally old.

It may be dull, but that doesn't mean it's inefficient. I found this to be one of the easiest firewalls to configure. The Hawk module allows you to fine-tune every detail of the configuration. The Eagle was originally designed for Unix and still boasts an X-Windows-like interface. Unix addicts will love it, but for NT administrators this interface could be awkward to adapt to. The Raptor does everything a good firewall needs to do.
It offers secure servers for SMTP and web traffic, a good web proxy for internal users, Nat, filtering and every type of monitoring and alarming you could need. Raptor's VPN software has evolved well over the years. It used to be possible to set up VPN tunnels only between two Raptors, but thanks to the Eagle Mobile, this can now be done between an NT client and the firewall. Secure connections are encrypted using 56-bit Data Encryption Standard (Des), and for authentication you can use a simple user ID and password, or more advanced methods such as S/Key, Security Dynamics or a Cryptocard.

Raptor is owned by Axent, a company that sells all sorts of security products. It forms an excellent addition to their product range of sniffer, VPN and encryption software.

In our tests, the Raptor had no problems. The logfiles clearly showed all the nasty Interactive Selling System tricks we attempted, and the alarm happily beeped its virtual lungs out. None of our Denial of Service attacks had any effect, so you could say that the Eagle passed its flying exam with honours.

However, the Raptor has been around for a long time and it shows. It's a dull device that doesn't have much of a reputation and lacks proper marketing. Let's hope Axent can change all that because, despite the rusty image, the Raptor is still a solid product.

Security is an ongoing process

When it comes to a firewall's main task, which is protecting your network, all of the products performed well. The testing, however, did uncover some major differences in features. We tested some comprehensive products such as Firewall-1 and Watchguard that really offer everything you might wish for in a firewall. But the question is whether such versatility is required in each and every situation. Perhaps you just want to connect your Lan to the Internet to allow websurfing. In that case, you do not need VPN or load-balancing features, and Guardian came out on top as the no-nonsense solution.
Some of the products tested will cost you their weight in gold, and those prices are mostly to be attributed to reputation. Checkpoint can afford to ask prices well above the market average just because the company is so well known. Smaller companies cannot afford such prices, which explains the popularity of the Watchguard or some of the other products tested.

What was quite remarkable was the sloppy condition in which we received many of the products. We received a lot of CD-Roms without so much as a label on them, and more often than not, we had to download files from the Internet. Even decent manuals for what are essentially complex pieces of programming were hard to come by.

Finding a firewall that best fits your organisation is an art in itself. It is perhaps wise to seek advice from an independent security consultant or integrator, but do make sure this person is indeed neutral. Safeguarding your network does not end with buying and installing a firewall. It's an ongoing process. The firewall and all entry points to the network will need to be monitored regularly, and software has to be updated frequently. It's the price you pay for safety.

Begin at the beginning

Smooth-talking salespeople claim that a firewall is the one and only solution to all security problems. Selling firewalls has, after all, become big business and everybody wants a slice of the pie. All of the big names have added firewalls to their product ranges. Cisco, Network Associates, IBM and Digital have products in this market, and even Novell (Border Manager) and Microsoft (MS Proxy) have their eyes on it. This abundance of products does not necessarily guarantee good security for your network and the rest of your information infrastructure. I believe that security is something outside technology. It has to do with a proper dose of common sense, and looking before you leap. Don't start messing about with trendy ideas such as authentication systems, VPN or encryption.
It's more important to come up with a sound general security policy first. The best way to do this is to forget everything you ever knew about security. Starting with a clean slate allows you to picture your situation based on a few simple questions.

Questions to ask

Do you run a standard Novell IPX network with all important information residing on servers, or do you run TCP/IP with information scattered around? The latter requires a completely different approach, as the protocol barrier makes it impossible to get access to information on the IPX server. From whom do you want to protect your information? Your first guess will probably be the 'world outside', but you may well find you also wish to restrict interdepartmental access. Security systems also allow you to define periods of access. You can, for example, allow internal users to have access to certain parts of the Internet - such as News or IRC - only during the afternoon break.

The next step is to determine how someone can gain access to your network. This can be done in more ways than you might imagine. Often, the Internet is not the only entrance, and the problem can be more complex than you think. Companies with multiple branches and people working from the home office often like to give their employees access to the network through an ISDN dial-up account. Despite password protection, such a dial-up Wan link is usually a weak point that someone can abuse to enter your system. You can prevent this by using CallerID, a system that identifies the incoming ISDN call. Even safer is the use of a dial-back system.

More dangers still ...

Unfortunately, there are yet more dangers. How many users on your network have a modem connected directly to their PC? Such modems are often used somewhat clandestinely to get free Internet access through callback. However, you don't have any guarantee that this dial-up connection has been configured safely. Finally, we must consider a company's security procedures.
Who's responsible for them, in particular for the correct configuration of crucial components such as the firewall? Many makers of firewalls advertise their product's ease of configuration, but that's something of a poisoned pawn, as chess players would say. After all, it's very dangerous when unauthorised people - and that may well include an IT manager - start tampering with your system. A poorly configured firewall is more dangerous than no firewall at all, because it gives you a false sense of security. It is important to check everything on a regular basis for all possible breaches. This is done preferably by someone neutral who might provide you with a fresh perspective. Should you wish to spend a fair amount of money on this, it's even possible to hire so-called 'tiger teams' or 'white hat' hacker groups. They are willing - and usually able - to try their best at finding holes in your system.

You'll also want to determine in advance who checks firewall logs for traces of illegal entry. A comprehensive security policy clearly defines what needs to be done in case of such an occurrence. When a hacker has breached your network, there's no time to call a meeting to discuss a plan. In such an event, your system administrator has to know exactly what the next step is. This is probably closing down the network, assessing the damage and collecting evidence to prosecute the perpetrator.

As we said before, security has its price, and maybe a lot higher than the cost of equipment and consultancy. The key costs involved with security are caused by a loss in performance. Installing security measures automatically implies reducing the number of network features your staff can use. It also means they face other restrictions. A user doesn't have the freedom to choose just any password. It has to be composed of a minimum number of characters and be changed regularly. This causes your systems administrator a lot of extra work because users tend to forget their passwords.
In large companies, simple things such as that cost a bundle.

CHECKPOINT FIREWALL-1 3.0B

With Firewall-1 3.0b and its brothers and sisters, Checkpoint has once again proven to be the undisputed trendsetter and market leader. With its support for Solaris, Aix, HP-UX and NT, Firewall-1 has more than half of the market. The key to this success is quality. Firewall-1 offers filtering and application firewalling and is particularly successful through its use of Stateful Inspection. This is nothing more than an advanced form of filtering whereby all sorts of additional, context-sensitive information on network packets is collected. This simplifies the task of seeking out danger. Checkpoint's firewalls offer excellent secure server gateways for SMTP, the web and FTP. Furthermore, Checkpoint can deal with just about any authentication system in use.

Thanks to Open Platform for Secure Enterprise Connectivity (Opsec), all sorts of external applications can be hooked into Firewall-1. This third-party software can be used for things such as virus scanning, logging and monitoring network traffic, or communicating with new authentication systems. Opsec is a first step towards integrated management of the various components of network security. Firewall-1 is becoming more and more of an integrated security suite. From within the Firewall-1 graphical user interface - available in MS-Windows and X-Windows flavours - you can not only manage and configure Firewall-1, but also Cisco, 3Com or Bay products. This allows you to manage and monitor all aspects of your network security, and eliminates the need to work with lots of different logfiles and configuration utilities.

Checkpoint offers a wide range of other security products, such as Floodgate, which manages bandwidth, and VPN-1 for virtual private networks. VPN-1 has a feature called Securemote, which allows you to set up a secure VPN connection from an ordinary Windows 95 or NT-based PC to Firewall-1 and the network behind it.
Firewall-1's major drawbacks are its complexity and price, the latter being true of all Checkpoint products. They are usually priced on a simultaneous-user basis. In the case of a 50-user licence, the firewall checks how many addresses - and thus connected machines - it can see. If you want to save money by adding a Nat-capable router between your network and the firewall, then Firewall-1 is capable of handling 50 simultaneous connections. Having a good reputation allows Checkpoint to ask outrageous prices in the knowledge that corporate users will keep on paying them. A Firewall-1 installation on a Unix system such as Solaris or AIX will cost you around £17,000, including hardware, software and consultancy.

Firewall-1 survived all our attacks without problems, reinforcing the belief that it is an exceptionally good product. It may be expensive, but no security manager has ever been fired for choosing Firewall-1. In short, it is an excellent choice if you want to play it safe.

GUARDIAN VERSION 3.0

The Guardian is one of the few firewalls we tested that was originally written for Windows NT. Most of the products on test are NT versions of Unix firewalls. During installation, however, Guardian did not complain about Service Pack 3 and the most recent 'hot fixes' not being installed on the test machine. This is a serious oversight, because without these the system is bound to be more vulnerable to all sorts of Denial of Service attacks.

The firewall can be managed using the Guardian Manager, a security policy editor that first configures network objects and then sets up rules for them. The Manager asks you to give each strategy a name and the name of its author. This allows you to check who was responsible for each security strategy. The Guardian is also capable of Nat in both a static and a dynamic form. With static Nat, the internal address of one machine is translated to a fixed IP-address. Dynamic Nat can work with a range of internal addresses.
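The mechanisms the article describes in its introduction and in the Firewall-1 and Guardian reviews (header-based filtering, spoof detection, tracking the state of connections opened from inside, and static versus dynamic Nat) worked through as a small added example. This is not code from the article or from any product tested; the addresses, the permitted-service list and the port pool are constructed assumptions.

```python
# Toy model of the mechanisms the article describes. Added example, not any
# product's code: every address, port and policy entry here is constructed.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

INTERNAL_NET = IPv4Network("192.168.1.0/24")   # constructed private LAN
FIREWALL_IP = IPv4Address("203.0.113.1")        # constructed official address
# Header filter: services internal users may initiate, as (protocol, port).
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 23)}  # HTTP and Telnet


@dataclass(frozen=True)
class Packet:          # the header fields a filtering firewall looks at
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class Firewall:
    def __init__(self, static_nat=None):
        self.static_nat = dict(static_nat or {})  # internal ip -> fixed public ip
        self.next_port = 40000                    # dynamic Nat source-port pool
        # Flows opened from inside, keyed as the Internet sees them:
        # (proto, public ip, public port, remote ip, remote port) -> (internal ip, port)
        self.states = {}
        self.log = []

    def _public_source(self, pkt):
        # Static Nat maps one machine to a fixed address and keeps its port;
        # dynamic Nat shares FIREWALL_IP and allocates a fresh port per flow.
        if pkt.src in self.static_nat:
            return self.static_nat[pkt.src], pkt.sport
        self.next_port += 1
        return FIREWALL_IP, self.next_port

    def _drop(self, pkt, reason):
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({reason})")
        return "drop", reason

    def handle(self, pkt, iface):
        """Return ("accept", translated packet) or ("drop", reason)."""
        from_inside = pkt.src in INTERNAL_NET
        # Anti-spoofing: an internal source address arriving on the outside
        # adaptor (or an external one on the inside adaptor) is forged.
        if (iface == "outside") == from_inside:
            return self._drop(pkt, "spoofed source address")
        if iface == "inside":
            if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
                return self._drop(pkt, "service not permitted outbound")
            pub_ip, pub_port = self._public_source(pkt)
            self.states[(pkt.proto, pub_ip, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return "accept", replace(pkt, src=pub_ip, sport=pub_port)
        # Outside -> inside: only the reply to a flow opened from inside passes;
        # nothing lets the Internet initiate a connection to the network.
        flow = self.states.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if flow is None:
            return self._drop(pkt, "unsolicited inbound connection")
        return "accept", replace(pkt, dst=flow[0], dport=flow[1])


def demo():
    """Walk constructed packets through the firewall; returns a verdict per case."""
    fw = Firewall(static_nat={IPv4Address("192.168.1.10"): IPv4Address("203.0.113.10")})
    web = IPv4Address("198.51.100.7")   # constructed remote web server
    pc = IPv4Address("192.168.1.20")    # constructed internal workstation
    out = {}
    verdict, pkt = fw.handle(Packet("tcp", pc, 1025, web, 80), "inside")
    out["outbound_http"] = (verdict, str(pkt.src), pkt.sport)    # dynamic Nat applied
    verdict, back = fw.handle(Packet("tcp", web, 80, pkt.src, pkt.sport), "outside")
    out["reply"] = (verdict, str(back.dst), back.dport)          # translated back
    out["unsolicited"] = fw.handle(Packet("tcp", web, 5555, FIREWALL_IP, 23), "outside")
    out["spoofed"] = fw.handle(Packet("tcp", IPv4Address("192.168.1.5"), 1234, pc, 23), "outside")
    verdict, pkt = fw.handle(Packet("tcp", IPv4Address("192.168.1.10"), 2000, web, 80), "inside")
    out["static_nat"] = (verdict, str(pkt.src), pkt.sport)
    out["blocked_service"] = fw.handle(Packet("udp", pc, 3000, web, 53), "inside")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The drop log that `Firewall.log` accumulates is the raw material the article's logging and alarming features work from; a real product would also expire state entries and track TCP flags, which this model omits.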
Monitoring and logging are excellent. By using an agent it's easy to keep track of all sorts of things. The log files can be stored in various formats, and can also be sent to an SQL database using ODBC for further processing. As for alarming, you can give the program various email addresses to which to send messages. It is a shame there are no secure gateways for email and web traffic. Those parts of your Net activity will have to do without the extra safety. For smaller companies which do not do any hosting and only want to secure their connection to the Net, this is not a problem.

During our test, the Guardian immediately ran into trouble. During a simple port scan it crashed. The scan then stopped because the firewall could no longer be reached. In fact, we had performed a Denial of Service attack without wanting to. We suspected this was caused by our failure to install SP3 and the hot fixes, which turned out to be the case. After we corrected the situation, the scan no longer crashed the system.

All things considered, the Guardian is an excellent NT firewall. Despite the absence of a secure gateway for mail and web traffic, it offers the ideal solution to shield a small to mid-sized network from any untrusted network.

ALTAVISTA FIREWALL AND TUNNEL 98

Compaq not only uses the brand name Altavista for its popular Internet search engine, but also for a host of Internet-related products, one of which is Firewall 98. An evaluation copy of this product can be found on Digital's web site. In spite of the manufacturer's claim that it is the 'easiest to install', we had quite a bit of trouble getting it online. Instead of running a normal set-up procedure, you have to add a network service from within the Windows control panel, something that did not appear to be documented. Once installed, Firewall 98 behaves well. The software does, however, use each and every NT Service Pack and even renames the administrator account during installation.
The first thing to do is assign colour-coded network adaptors. Red is for the Internet, blue for the DMZ and green for the internal network. After that, Altavista immediately installs the Tunnel or VPN application.

The Altavista firewall is a real high-flier. The system supports a broad range of authentication systems, from Racal Watchword keys, Cryptocard, S/Key and Security Dynamics to the NT Domain Controller. The latter, of course, only applies when you run the firewall on an NT-based system. Configuration is achieved through a web interface. That may be fashionable but it's not ideal. It makes configuration less user-friendly and pleasing to the eye than the use of a traditional Windows interface. However, the idea of colour-coding the security status of the interface is useful, and even the desktop reflects this concept.

As for VPN, Altavista uses a module called Tunnel. This is installed together with the firewall software. In the US, Tunnel can be used with 512-bit and 1024-bit encryption keys, but due to export limitations imposed on RSA encryption, this level of encryption is not available in the UK. A good thing about Altavista Tunnel is the availability of a VPN client for both the Apple Mac and the various 32-bit Windows platforms. Tunnel seamlessly integrates into the underlying operating system and offers all sorts of nifty extras. Tunnel can handle various authentication systems.

As for security, it passed our test with flying colours. Although Altavista is too optimistic in its claims about ease of installation and user-friendliness, it offers a very powerful firewall with loads of features.

WATCHGUARD TECHNOLOGIES FIREBOX I AND II

The Watchguard firewalls look very spectacular. The Firebox product family consists of hardware and software solutions, bundled together in a bright red box equipped with flickering LEDs. In addition to its good looks, this product combination offers excellent features.
As for software, the original Watchguards were loosely based upon the freeware operating system Linux, but today there's more distance between Watchguard and the Linux kernel. Originally, only one model existed: the Firebox Model 100. This machine consists of a PC motherboard equipped with an AMD processor and three 10/100 3Com network adaptors. The Firebox 100 also contains a disk drive for reading the configuration disk or rebooting the system. For the last few years, the Firebox has been quite successful, and is even threatening the position of Checkpoint, especially in the small-business segment.

Firebox II runs the same software, but is made up of different hardware. The model II is smaller than its predecessor and has a stylish display. Furthermore, it's equipped with more memory and a heavier processor. This increase in performance is to allow for multiple simultaneous VPN sessions. After all, encryption puts more strain on the processor than regular network traffic.

On the software side, Watchguard really comes into its own. Not only is the Firebox a very complete firewall with features such as filtering, proxies, Nat, alarming and logging, it also has a graphical monitor and can generate historical reports. Management can be done over the network or through a serial cable. The interface runs on any Windows platform or, for the fanatics, on Linux X-Windows. A Webblocker allows you to filter out web sites with certain content, such as porn or anything else that has nothing to do with everyday business.

A new feature is VPN. Not only does this allow you to connect Fireboxes to networks, it also lets remote users connect to the corporate network using the included client software. This VPN software is Opsec-compliant and uses the RSA RC4 algorithm with 40-bit or 128-bit keys for encryption. It's hard not to call the Firebox a bargain; for around £3,500 to £5,000 you can become the owner of a complete firewall, including hardware and software.
The Firebox is of excellent quality and among the best available, alongside Firewall-1 and Altavista's Firewall 98.

COMPUTING 19/11/1998 P60