[ISN] Group Test - Firewalls - Make Your Network Safer

From: mea culpa (jerichoat_private)
Date: Sat Nov 21 1998 - 12:59:42 PST


    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    
    19Nov98 UK: TECHNIQUE - GROUP TEST - FIREWALLS - MAKE YOUR NETWORK SAFER
    WITH FIREPOWER. 
    
    Jan Guldentops puts some leading commercial firewalls through their paces
    to see just how well they really perform. 
     
    As a medium for communications and information exchange, the Internet made
    a remarkable breakthrough in the past two years.  It would be difficult to
    find a serious company today that does not have an online presence. If
    such a company exists, it is at least considering such a connection. The
    cost of getting connected has never been lower, and it offers all sorts of
    communication possibilities, such as email, web sites, file transferring
    and even video-conferencing. 
    
    The Net's tremendous success has only increased the risks involved in
    connecting your organisation's local or wide area network to it. When
    companies do not take the necessary precautions, not only do all staff
    users get unrestricted access to the Net, but the lack of security allows
    malevolent web surfers the opportunity to access companies' own networks,
    with all its machines and confidential data at their mercy. 
    
    Just imagine the consequences of an outsider accessing critical
    information or shutting down an important server or router just for the
    fun of it!  There are plenty of horror stories about the dire consequences
    of unsafe networks. A few months ago, I read an advertisement for a small
    US software company in a newsgroup. Out of boredom, I decided to have a
    peek at their network structure over the Internet. While fiddling about, I
    found that I could influence Windows file and printer sharing with the aid
    of a small program. I would have loved to have seen the face of the
    company's systems administrator when he found a letter printed by me. 
    
    Here's another example: there still is a large system integrator -
    active on the European mainland - which uses brand names as an obvious
    password on the routers it installs. This means that everywhere along the
    information highway there are still lots of unsafe places to be found. 
    
    The key to a safe network
    
    If we are to believe advertisements, a firewall is the cornerstone of
    network security. A firewall is, in fact, a kind of gatekeeper that stands
    guard on the outside of your network. It is little more than a computer
    equipped with two or more network adaptors. On that computer, a piece of
    software determines which forms of network traffic are allowed between
    these adaptors. This software, in effect, functions as a wall with small
    holes in it that allow only certain items to pass through unrestricted. 
    
    Firewall filters contents
    
    Two types of firewalls exist: the first is the so-called filtering
    firewall.
    
    This is the most basic type. It looks at the header of each TCP/IP packet
    that enters the system, and based on its contents, determines if it will
    pass or be discarded. It does this based on the Internet protocol (IP) 
    address found in the header and the port-number specific for various types
    of network traffic. 
    
    For example, SMTP mail uses port 23, HTTP requests use port 80, and Lotus
    Notes uses port 1394 to initiate a replication process. Filtering can be
    achieved on most routers. 
    
    Proxy server scans traffic
    
    The second type of firewall is the application firewall or proxy. In this
    type of firewall, no direct traffic between two or more networks is
    allowed. Instead, all communications are routed through specific
    applications running on the firewall, called proxy servers. When someone
    on the network wants to set up a Telnet session, their client makes a
    connection to the Telnet proxy server on the firewall, which then connects
    to the Telnet host that was requested. The main advantage of a proxy or
    filtering firewall is the possibility to scan the contents of incoming
    traffic. This can, for example, be used to filter out viruses in email
    attachments. 
    
    A special form of a proxy server is Network Address Translation (Nat). 
    This translates IP-numbers of machines on the internal network to that of
    the firewall. This not only helps keep down the number of IP-addresses
    - that are becoming more and more scarce - but also ensures that your
    network only has one official IP-address while internally having a private
    IP structure. 
    
    Theoretically, a pure application firewall is a lot safer than a filtering
    firewall. After all, there's no direct traffic between the Internet and
    your private network. Nevertheless, most firewalls use a combination of
    both types. Nowadays, there are many new techniques and ideas about
    firewalling. 
    
    Not only is the information contained in headers used to filter packets,
    but it is also used to analyse and trap suspect situations such as
    spoofing. 
    
    This is when the sender-address has been deliberately altered so the
    firewall will identify it as friendly. 
    
    Firewalls come in all shapes and sizes. Most run on standard hardware
    platforms, such as Intel, PowerPC or Sparc. In the early days, most
    firewalls were made only for Unix. Today, more and more NT-based firewalls
    are being developed. This poses an intriguing phenomenon for security
    consultants, as NT is not renowned for its security. Apart from purely
    software-based solutions, some systems come with proprietary hardware. 
    
    A whole new job description
    
    Today, firewalls are a lot more than just simple gatekeepers that guard
    the entrance to your network. These icons of the security world are being
    used for a host of new purposes. The main reason for this is the explosive
    growth of the Internet, in particular, the use of the Net as an extranet -
    an extension of the private wide area network to facilitate remote access. 
    Extranet applications require additional security measures. First, users
    have to identify themselves if they want access. Traditionally, this is
    done by entering a user name and a password, but more refined methods
    exist. The use of smartcards or other forms of tokens, such as the
    Security Dynamics token, are becoming widely-used. It is therefore a good
    idea to make sure your future firewall supports these authentication
    systems. 
    
    The Internet is an open network where anybody can intercept, and
    therefore, read information. That means all connections to the firewall
    and the network behind it need to be encrypted using a safe encryption
    algorithm, creating a so-called virtual private network (VPN). Keep in
    mind that a VPN application puts a heavy load on the firewall's processor.
    When a firewall has to maintain many simultaneous VPN connections, a
    heavier server or maybe even multiple servers may be required. 
    
    What to look for in a firewall
    
    The differences in price and performance are so enormous that it takes a
    great deal of time to come to a good decision when buying a firewall.  The
    next list of hints and questions will help you select a firewall that fits
    your specific need. 
    
    What is the reliability, and is the firewall secure enough for the systems
    administrator to sleep well every night? Although none of the firewalls we
    tested was easy to circumvent, there are numerous differences in how each
    application approaches the problem. Some products use outdated
    technologies such as socks proxying, making the firewall perform below
    par. A good quality insurance is the International Computer Security
    Association certificate that is only awarded after thorough testing. 
    
    Do you have your own IP-addressing system? If so, the firewall will need
    to be capable of network address translation. Maybe you host various
    Internet servers? In that case, you will need a demilitarised zone (DMZ),
    an open area with secure gateways for email, and web traffic. If your
    organisation uses teleworkers, you will want good VPN facilities and
    authentication procedures. 
    
    The right price equals hardware, software and support. Always calculate
    the right price for your entire firewall setup. Take into account not only
    the device, but also software - both the operating system and the firewall
    software - and support. Support consists of consultancy and maintenance. 
    In most cases, you will need powerful server hardware, an NT server
    licence and firewall software. Some firewalls come with one software
    charge, whereas others may charge per simultaneous user. 
    
    Logging and alarming is important - a firewall has to keep track of odd
    incidents and inform you of suspicious network traffic. Keep an open eye
    for logging and alarm features. Some firewalls provide warnings by email,
    beepers or even cellular telephone. 
    
    Manageability is an important factor in the cost of ownership of a
    firewall.
    
    In the past, a firewall was configured by editing a configuration file
    crammed with cryptic commands. Most firewalls today offer a graphic
    interface and a configuration-client that can usually be activated over
    the network. 
    
    Raptor Eagle Version 5.02 for NT
    
    Together with Firewall-1, the Raptor Eagle is one of the veterans of the
    firewall market. The Raptor consists of two types of product: the Eagle, a
    firewall that installs on an NT-based machine, and the Hawk, which is a
    configuration utility that can run both on the firewall itself or from a
    remote computer. 
    
    It's remarkable to see how little the Raptor has changed over the years. 
    In fact, it is still the same dull thing I last tested two years ago.  The
    product boasts awards which still show 1996 credits. This, in terms of
    security, is terminally old. 
    
    It may be dull, but that doesn't mean it's inefficient. I found this to be
    one of the easiest firewalls to configure. The Hawk module allows you to
    fine-tune every detail of the configuration. The Eagle was originally
    designed for Unix and still boasts an X-Windows-like interface. Unix
    addicts will love it, but for NT administrators this interface could be
    awkward to adapt to. 
    
    The Raptor does everything a good firewall needs to do. It offers secure
    servers for SMTP and web traffic, a good web proxy for internal users,
    Nat, filtering and every type of monitoring and alarming you could need. 
    Raptor's VPN software has evolved well over the years. It used to be
    possible to set-up VPN tunnels only between two Raptors, but thanks to the
    Eagle Mobile, this can now be done between an NT client and the firewall. 
    Secure connections are encrypted using 56-bit Data Encryption Standard
    (Des), and for authentication you can use a simple user ID and password,
    or more advanced methods such as S/Key, Security Dynamics or a Cryptocard. 
    Raptor is owned by Axent, a company that sells all sorts of security
    products. It forms an excellent addition to their product range of
    sniffer, VPN and encryption software. 
    
    In our tests, the Raptor had no problems. The logfiles clearly showed all
    the nasty Interactive Selling System tricks we attempted, and the alarm
    happily beeped its virtual lungs out. None of our Denial of Service
    attacks had any effect, so you could say that the Eagle passed its flying
    exam with honours. 
    
    However, the Raptor has been around for a long time and it shows. It's a
    dull device that doesn't have much of a reputation and lacks proper
    marketing. Let's hope Axent can change all that because despite the rusty
    image, the Raptor is still a solid product. 
    
    Security is an ongoing process
    
    When it comes to a firewall's main task, which is protecting your network,
    all of the products performed well. The testing, however, did uncover some
    major differences in features. 
    
    We tested some comprehensive products such as Firewall 1 and Watchguard
    that really offer everything you might wish for in a firewall. But the
    question is whether such versatility is required in each and every
    situation. 
    
    Perhaps you just want to connect your Lan to the Internet to allow
    websurfing. 
    
    In that case, you do not need VPN or load-balancing features. In such a
    case, Guardian came out on top as the no-nonsense solution.  Some of the
    products tested will cost you their weight in gold, and those prices are
    to be mostly attributed to reputation. Checkpoint can afford to ask prices
    well above the market average just because the company's so well known.
    Smaller companies cannot afford such prices, which explains the popularity
    of the Watchguard or some of the other products tested. 
    
    What was quite remarkable was the sloppy condition in which we received
    many of the products. We received a lot of CD-Roms without as much as a
    label on, and more often than not, we had to download files from the
    Internet. Even a decent manual for what are essentially complex pieces of
    programming was hard to come by. 
    
    Finding a firewall that best fits your organisation is an art in itself. 
    It is wise perhaps to seek advice from an independent security consultant
    or integrator, but do make sure this person is indeed neutral. 
    Safeguarding your network does not end with buying and installing a
    firewall. It's an ongoing process. The firewall and all entry points to
    the network will need to be monitored regularly and software has to be
    updated frequently. It's the price you pay for safety. 
    
    Begin at the beginning
    
    Smooth-talking salespeople claim that a firewall is the one and only
    solution to all security problems. Selling firewalls has after all become
    big business and everybody wants a slice of the pie. All of the big names
    have added firewalls to their product ranges. Cisco, Network Associates,
    IBM and Digital have products in this market, and even Novell (Border
    Manager) and Microsoft (MS Proxy) have their eyes on it. 
    
    This abundance of products does not necessarily guarantee good security
    for your network and the rest of your information infrastructure. I
    believe that security is something outside technology. It has to do with a
    proper dose of common sense, and looking before you leap. Don't start
    messing about with trendy ideas such as authentication systems, VPN or
    encryption.  It's more important to come up with a sound general security
    policy first.  The best way to do this is to forget everything you ever
    knew about security. 
    
    Starting with a clean slate allows you to picture your situation based on a
    few simple questions.
    
    Questions to ask
    
    Do you run a standard Novell IPX-network with all important information
    residing on servers, or do you run TCP/IP with information scattered
    around? 
    
    The latter requires a completely different approach, as the protocol
    barrier makes it impossible to get access to information on the IPX
    server.  From whom do you want to protect your information? Your first
    guess will probably be the 'world outside', but you may well find you also
    wish to restrict interdepartmental access. Security systems also allow you
    to define periods of access. You can, for example, allow internal users
    only to have access to certain parts of the Internet - such as News or IRC
    - during the afternoon break. 
    
    The next step is to determine how someone can have access to your network. 
    This can be done in more ways than you might imagine. Often, the Internet
    is not the only entrance, and the problem can be more complex than you
    think. 
    
    Companies with multiple branches and people working from the home office
    often like to give their employees access to the network through an ISDN
    dial-up account. Despite password-protection, such a dial-up Wan-link is
    usually a weak point that someone can abuse to enter your system. You can
    prevent this by using CallerID, a system that identifies the incoming ISDN
    call. Even safer is the use of a dial-back system. 
    
    More dangers still ... 
    
    Unfortunately, there are yet more dangers. How many users on your network
    have a modem connected directly to their PC? Such modems are often used
    somewhat clandestinely to get free Internet access through callback. 
    However, you don't have any guarantee that this dial-up connection has
    been configured safely. 
    
    Finally, we must consider a company's security procedures. Who's
    responsible for them, in particular, for a correct configuration of
    crucial components such as the firewall? Many makers of firewalls
    advertise their product's ease of configuration, but that's something of a
    poisoned pawn, as chess players would say. After all, it's very dangerous
    when unauthorised people - and that may well be an IT manager - start
    tampering with your system. 
    
    A poorly configured firewall is more dangerous than no firewall at all,
    because it gives you a false sense of security. 
    
    It is important to check everything on a regular basis for all possible
    breaches. This is done preferably by someone neutral who might provide you
    with a fresh perspective. Should you wish to spend a fair amount of money
    on this, it's even possible to hire so-called 'tiger teams' or 'white hat'
    hacker groups. They are willing - and usually able - to try their best in
    finding holes in your system. 
    
    You'll also want to determine in advance who checks firewall logs for
    traces of illegal entry. A comprehensive security policy clearly defines
    what needs to be done in case of such an occurrence. 
    
    When a hacker has breached your network, there's no time to call a meeting
    to discuss a plan. In such an event, your system administrator has to know
    exactly what the next step is. This is probably closing down the network,
    assessing the damage and collecting evidence to prosecute the perpetrator. 
    As we said before, security has its price, and maybe a lot higher than the
    cost of equipment and consultancy. The key costs involved with security
    are caused by a loss in performance. Installing security measures
    automatically implies reducing the number of network features your staff
    can use. 
    
    It also means they face other restrictions. A user doesn't have the
    freedom to choose just any password. It has to be composed of a minimum
    number of characters and be changed regularly. This causes your systems
    administrator a lot of extra work because users tend to forget their
    password. In large companies, simple things such as that cost a bundle. 
     
    CHECKPOINT FIREWALL-1 3.0B
    
    With Firewall-1 3.0b and its brothers and sisters, Checkpoint has once
    again proven to be the undisputed trendsetter and market leader. With its
    support for Solaris, Aix, HP-UX and NT, Firewall-1 has more than half of
    the market. The key to this success is quality. Firewall-1 offers
    filtering and application firewalling and is particularly successful by
    using Stateful Inspection. This is nothing more than an advanced form of
    filtering whereby all sorts of additional, context-sensitive information
    on network packets are being collected. This simplifies the task of
    seeking out danger. Checkpoint's firewalls offer excellent secure server
    gateways for SMTP, the web and FTP. Furthermore, Checkpoint can deal with
    just about any authentication system in use. Thanks to Open Platform for
    Secure Enterprise Connectivity (Opsec), all sorts of external applications
    can be hooked into Firewall-1. 
    
    This third-party software can be used for things such as virus scanning,
    logging and monitoring network traffic or communicating with new
    authentication systems. Opsec means a first step towards integrated
    management of the various components of network security. Firewall-1 is
    becoming more and more of an integrated security suite. From within the
    Firewall-1 graphical user interface - available in an MS-Windows and
    Xwindows flavour - you can not only manage and configure Firewall-1, but
    also Cisco, 3Com or Bay products. This allows you to manage and monitor
    all aspects of your network security, and eliminates the need to work with
    lots of different logfiles and configuration utilities.  Checkpoint offers
    a wide range of other security products, such as Floodgate, which manages
    bandwidth and VPN-1 for virtual private networks. 
    
    VPN-1 has a feature called Securemote, which allows you to set-up a secure
    VPN connection from an ordinary Windows 95 or NT-based PC to Firewall-1
    and the network behind it. Firewall-1's major drawbacks are its complexity
    and price, the latter being true of all Checkpoint products. They are
    usually priced on a simultaneous user-basis. In case of a 50 user license,
    the firewall checks how many addresses - and thus connected machines - it
    can see. If you want to save money by adding an Nat-capable router between
    your network and the firewall, then the Firewall-1 is capable of handling
    50 simultaneous connections. Having a good reputation allows Checkpoint to
    ask outrageous prices in the knowledge that corporate users will keep on
    paying them. A Firewall-1 installation on a Unix system such as a Solaris
    or an AIX will cost you around £17,000, including hardware, software and
    consultancy. Firewall-1 survived all our attacks without problems,
    reinforcing the belief that it is an exceptionally good product. 
    
    It may be expensive, but no security manager has ever been fired for
    choosing Firewall-1. In short, it is an excellent choice if you want to
    play it safe. 
     
    GUARDIAN VERSION 3.0
    
    The Guardian is one of the few firewalls we tested that was originally
    written for Windows NT. Most of the products on test are NT versions of
    Unix firewalls. During installation, however, Guardian did not complain
    about Service Pack 3 and most recent 'hot fixes' not being installed on
    the test machine. A serious oversight, because without these, the system
    is bound to be more vulnerable to all sorts of Denial of Service attacks. 
    The firewall can be managed using the Guardian Manager, a security policy
    editor that first configures network objects and then sets up rules for
    them. The Manager asks you to give each strategy a name and the name of
    the author. This allows you to check who was responsible for security
    strategies. The Guardian is also capable of Nat in both a static and
    dynamic form. With static Nat, the internal address of one machine is
    translated to a fixed IP-address. Dynamic Nat can work with a range of
    internal addresses. Monitoring and logging are excellent. 
    
    By using an agent it's easy to keep track of all sorts of things. The log
    files can be stored in various formats, but can also be sent to an SQL
    database using ODBC for further processing. As for alarming, you can give
    the program various email addresses where to send messages. It is a shame
    there are no secure gateways for email and web traffic. Those parts of
    your Net activity will have to do without the extra safety. For smaller
    companies which do not do any hosting and only want to secure their
    connection to the Net, this is not a problem. During our test, the
    Guardian immediately ran into trouble. During a simple port-scan it
    crashed. 
    
    The scan then stopped because the firewall could no longer be reached.  In
    fact, we had performed a Denial of Service attack without wanting to do
    so. We suspected this was caused by our failure to install SP3 and the hot
    fixes, which turned out to be the case. After we corrected the situation,
    the scan no longer crashed the system. All things considered, the Guardian
    is an excellent NT-firewall. Despite the absence of a secure gateway for
    mail and web-traffic, it offers the ideal solution to shield a small to
    mid-sized network from any not-trusted network. 
     
    ALTAVISTA FIREWALL AND TUNNEL 98
    
    Compaq not only uses the brand name Altavista for its popular Internet
    search engine, but also for a host of Internet-related products, one of
    which is Firewall 98. An evaluation copy of this product can be found on
    Digital's web site. In spite of the manufacturer's claim it is the
    'easiest to install', we had quite a bit of trouble getting it online.
    Instead of running a normal set-up procedure, you have to add a network
    service from within the Windows control panel, something that did not
    appear to be documented. Once installed, the Firewall 98 behaves well. The
    software does, however, use each and every NT Service Pack and even
    renames the administrator account during installation. The first thing to
    do is assign colour-coded network adaptors. 
    
    Red is for the Internet, blue for the DMZ and green for the internal
    network.  After that, Altavista immediately installs the Tunnel or VPN
    application.  The Altavista firewall is a real high-flier.  The system
    supports a broad range of authentication systems from Racal Watchword
    keys, Cryptocard, S/Key and Security Dynamics to NT Domain Controller. 
    The latter, of course, only applies when you run the firewall on an
    NT-based system. 
    
    Configuration is achieved through a web interface. That may be fashionable
    but it's not ideal. It makes configuration less user-friendly and pleasing
    to the eye than with the use of a traditional Windows interface. However,
    the idea of colour-coding the security status of the interface is useful,
    and even the desktop reflects this concept. 
    
    As for VPN, Altavista uses a module called Tunnel. This is installed
    together with the firewall software. In the US, Tunnel can be used with
    512-bit and 1024-bit encryption keys, but due to export limitations
    imposed on RSA encryption, this level of encryption is not available in
    the UK.  A good thing about Altavista Tunnel is the availability of a VPN
    client for both the Apple Mac and the various 32-bit Windows platforms.
    Tunnel seamlessly integrates into the underlying operating system and
    offers all sorts of nifty extras. 
    
    Tunnel can handle various authentication systems. As for security, it
    passed our test with flying colours.  Although Altavista is too optimistic
    in its claims about ease of installation and user-friendliness, it offers
    a very powerful firewall with loads of features. 
     
    WATCHGUARD TECHNOLOGIES FIREBOX I AND II
    
    The Watchguard firewalls look very spectacular. The Firebox product family
    consists of hardware and software solutions, bundled together in a bright
    red box, equipped with flickering LEDs. In addition to its good looks,
    this product combination offers excellent features. As for software, the
    original Watchguards were loosely based upon the freeware operating system
    Linux, but today there's more distance between Watchguard and the Linux
    kernel. Originally, only one model existed: the Firebox Model 100. This
    machine consists of a PC motherboard equipped with an AMD-processor and
    three 10/100 3Com network adaptors. The Firebox 100 also contains a
    disk-drive for reading the configuration disk or rebooting the system. For
    the last few years, the Firebox has been quite successful, and is even
    threatening the position of Checkpoint, especially in the small-business
    segment. Firebox II runs the same software, but is made up of different
    hardware. The model II is smaller than its predecessor and has a stylish
    display. Furthermore, it's equipped with more memory and a heavier
    processor. 
    
    This increase in performance is to allow for multiple simultaneous VPN
    sessions. After all, encryption puts more strain on the processor than
    regular network traffic. On the software side, Watchguard really comes
    into its own. Not only is the Firebox a very complete firewall with
    features such as filtering, proxies, Nat, alarming and logging, it also
    has a graphical monitor and can generate historical reports. Management
    can be done over the network or through a serial cable. The interface runs
    on any Windows platform or on Linux X-Windows for the fanatics. A
    Webblocker allows you to filter out web sites with a certain content, such
    as porn or anything else that has nothing to do with everyday business. A
    new feature is VPN. Not only does this allow you to connect Fireboxes to
    networks, but also lets remote users connect to the corporate network
    using the included client software. This VPN software is Opsec-compliant
    and uses the RSA RC4 algorithm with 40-bit or 128-bit keys for encryption.
    It's hard not to call the Firebox a bargain; for around £3,500 to £5,000
    you can become the owner of a complete firewall, including hardware and
    software. The Firebox is of excellent quality and among the best
    available, alongside Firewall-1 and Altavista's Firewall 98. 
    
    COMPUTING 19/11/1998 P60 
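
An added example, not part of the forwarded article: a minimal header-based filter of the kind described under "Firewall filters contents", including the source-address spoofing check the article mentions. The adaptor names ("ext", "int"), the address ranges and the rule set are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed private LAN
WEB_SERVER = ipaddress.ip_network("192.168.1.10/32")    # assumed web host


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str                 # adaptor the packet arrived on: "ext" or "int"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None matches any destination port


# First matching rule passes the packet; anything unmatched is discarded.
RULES = [
    Rule("inbound HTTP", "ext", ANY, WEB_SERVER, 80),
    Rule("outbound web", "int", INTERNAL_NET, ANY, 80),
]


def parse_header(packet: bytes):
    """Return (src, dst, dport) from an IPv4 packet carrying TCP or UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated header")
    frag_field = struct.unpack("!H", packet[6:8])[0]
    if frag_field & 0x1FFF:
        # Later fragments carry no port numbers, so a port rule cannot apply.
        raise ValueError("non-first fragment")
    if packet[9] not in (6, 17):
        raise ValueError("no port numbers for this protocol")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, dport


def decide(iface: str, packet: bytes):
    """Return (action, reason) for a packet seen on adaptor `iface`."""
    try:
        src, dst, dport = parse_header(packet)
    except ValueError as exc:
        return "discard", f"unparseable: {exc}"
    # Spoofing check: an internal source address cannot legitimately
    # arrive on the Internet-facing adaptor.
    if iface == "ext" and src in INTERNAL_NET:
        return "discard", "spoofed source"
    for rule in RULES:
        if (rule.iface == iface and src in rule.src and dst in rule.dst
                and rule.dport in (None, dport)):
            return "pass", rule.name
    return "discard", "default deny"


def build_packet(src: str, dst: str, dport: int, frag_off: int = 0) -> bytes:
    """Construct a sample IPv4+TCP SYN (checksums left at zero, not checked)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_off, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample traffic: (adaptor, source, destination, port).
    samples = [
        ("ext", "203.0.113.5", "192.168.1.10", 80),
        ("ext", "203.0.113.5", "192.168.1.20", 139),
        ("ext", "192.168.1.77", "192.168.1.10", 80),
        ("int", "192.168.1.77", "198.51.100.9", 80),
    ]
    for iface, src, dst, port in samples:
        print(iface, src, dst, port, decide(iface, build_packet(src, dst, port)))
```

Without the spoofing check, the third sample would match the "inbound HTTP" rule and pass, because the rule set alone only looks at the address and port in the header.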
    