This section provides a technical overview of the main firewall products available on the market as of the summer of 1997. I made sure to include a broad selection of all the major players and architectures so you can evaluate each one of them before deciding which firewall best suits your needs.
This selection includes many different firewall architectures, from application proxy and circuit relay ones, such as Raptor’s EagleNT, Ukiah’s NetRoad and Secure Computing’s Borderware firewall, to stateful inspection and packet filter ones, such as WatchGuard Technologies’s WatchGuard, Sun’s SunScreen, Check Point’s Firewall-1 and Cycon’s Labyrinth ones.
Obviously, I’m not in a position to recommend any of these products, as the needs and features of a firewall product will vary depending on your environment. Although I may have my preferences, they would probably be biased ones, directly related to the environment I work with. Thus, all the information you find in this section was provided by the vendor of each firewall outlined here. Some provided more information than others, and some provided more graphics and figures. By no means should you opt for any of these firewalls based on the number of pages or the amount of detail provided here. Most of the vendors listed here also provided demo and/or evaluation copies of their products on the CD that accompanies this book.
In order to make an informed decision when selecting the firewall that best suits your needs, I strongly encourage you to read this chapter carefully and summarize in a table all the features you are looking for, or need, in a firewall for your organization. Then, I suggest you check the CD, install the firewall(s) you selected and run a complete "dry run" on them before you really make a decision. Also, don’t forget to contact the vendor directly, as these products are constantly being upgraded and new features incorporated into them, which could make a difference in your decision. Contact information and a brief background on the vendor are provided at the beginning of every product section.
Check Point’s FireWall-1 Firewall - Stateful Inspection Technology
Check Point FireWall-1, developed by Check Point Software Technologies (http://www.checkpoint.com), is based upon the Stateful Inspection architecture, the new generation of firewall technology invented by Check Point. Stateful Inspection Technology delivers full firewall capabilities, assuring the highest level of network security. FireWall-1’s powerful Inspection Module analyzes all packet communication layers and extracts the relevant communication and application state information. The Inspection Module understands and can learn any protocol and application. Figure 14.1 shows a screenshot of Check Point’s site.
For more information, contact Check Point Software Technologies, Redwood City, CA, (415) 562-0400 or at their Web site at URL http://www.checkpoint.com
FireWall-1 Inspection Module
The FireWall-1 Inspection Module resides in the operating system kernel, below the Network layer, at the lowest software level. By inspecting communications at this level, FireWall-1 can intercept and analyze all packets before they reach the operating system. No packet is processed by any of the higher protocol layers unless FireWall-1 verifies that it complies with the enterprise security policy.
Full State Awareness
The Inspection Module has access to the "raw message," and can examine data from all packet layers. In addition, FireWall-1 analyzes state information from previous communications and other applications. The Inspection Module examines IP addresses, port numbers, and any other information required in order to determine whether packets comply with the enterprise security policy. It also stores and updates state and context information in dynamic connections tables. These tables are continually updated, providing cumulative data against which FireWall-1 checks subsequent communications. FireWall-1 follows the security principle of "All communications are denied unless expressly permitted." By default, FireWall-1 drops traffic that is not explicitly allowed by the security policy and generates real-time security alerts, providing the system manager with complete network status.
Securing "Stateless" Protocols
The FireWall-1 Inspection Module understands the internal structures of the IP protocol family and applications built on top of them. For stateless protocols such as UDP and RPC, the Inspection Module extracts data from a packet’s application content and stores it in the state connections tables, providing context in cases where the application does not provide it. In addition, it can dynamically allow or disallow connections as necessary. These capabilities provide the highest level of security for complex protocols.
The INSPECT Language
Using Check Point’s INSPECT language, FireWall-1 incorporates security rules, application knowledge, context information, and communication data into a powerful security system. INSPECT is an object-oriented, high-level script language that provides the Inspection Module with the enterprise security rules.
In most cases, the security policy is defined using FireWall-1’s graphical interface. From the security policy, FireWall-1 generates an Inspection Script, written in INSPECT. Inspection Code is compiled from the script and loaded on to the FireWalled enforcement points, where the Inspection Module resides. Inspection Scripts are ASCII files, and can be edited to facilitate debugging or meet specialized security requirements.
INSPECT provides system extensibility, allowing enterprises to incorporate new applications, services, and protocols simply by modifying one of FireWall-1’s built-in script templates using the graphical user interface. Figure 14.2 shows a diagram of the Stateful Inspection technology.
Stateful Inspection: Under the hood
As discussed throughout this book, in order to have robust security at your company you should have a firewall. But this firewall must be able to track and control the flow of communication passing through it. To reach control decisions for TCP/IP based services, such as whether to accept, reject, authenticate, encrypt and/or log communication attempts, a firewall must obtain, store, retrieve and manipulate information derived from all communication layers and from other applications.
It is not sufficient to examine packets in isolation. State information, which is derived from past communications and other applications, is an essential factor in making the control decision for new communication attempts. Depending upon the communication attempt, both the communication state, derived from past communications, and the application state, derived from other applications, may be critical in the control decision.
Thus, to ensure the highest level of security, a firewall must be capable of accessing, analyzing and utilizing the following:
- Communication Information - information from all seven layers in the packet
- Communication-derived State - the state derived from previous communications. For example, the outgoing PORT command of an FTP session could be saved so that an incoming FTP data connection can be verified against it.
- Application-derived State - the state information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.
- Information Manipulation - the evaluation of flexible expressions based on all the above factors.
Check Point’s Stateful Inspection is able to meet all the security requirements defined above. Traditional firewall technologies, such as packet filters and application-layer gateways, each fall short in some areas, as shown in Table I.
Table I: Comparison of capabilities for three main firewall architectures
Take packet filters, for example. Historically implemented on routers, they filter on user-defined content, such as IP addresses. As discussed in Chapter 7, "What is an Internet/Intranet Firewall After All?," packet filters examine a packet at the network layer and are application independent, which allows them to deliver good performance and scalability. However, they are the least secure type of firewall, especially when filtering services such as FTP, which was discussed at length in Chapter 8, "How Vulnerable Are Internet Services." The reason is that they are not application aware; that is, they cannot understand the context of a given communication, making them easier for hackers to break. Figure 14.3 illustrates this.
If we look at FTP filtering, packet filters have two choices with regard to outbound FTP connections. They can either leave the entire upper range (greater than 1023) of ports open, which allows the file transfer session to take place over the dynamically allocated port but exposes the internal network, or they can shut down the entire upper range of ports to secure the internal network, which blocks other services, as shown in Figure 14.4. This trade-off between application support and security is not acceptable to users today.
As for application gateways, as shown in Figure 14.5, security is improved by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem.
For instance, when using an FTP proxy, the application gateway doubles the number of sessions, acting as a broker between the client and the server (see Figure 14.6). Although this approach overcomes the limitation of IP filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. In addition, each service needs its own proxy, so the number of available services and their scalability is limited. Further, this approach exposes the operating system to external threats.
Stateful Inspection, introduced by Check Point, overcomes the limitations of the previous two approaches by providing full application-layer awareness without breaking the client/server model. With Stateful Inspection, the packet is intercepted at the network layer, but then the INSPECT Engine takes over, as shown in Figure 14.7. It extracts the state-related information required for the security decision from all application layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts. This provides a solution which is highly secure and offers maximum performance, scalability, and extensibility.
Stateful Inspection tracks the FTP session, as shown in Figure 14.8, examining FTP application-layer data. When the client requests that the server generate the back-connection (an FTP PORT command), FireWall-1 extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, FireWall-1 examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically, so that only the required FTP ports are opened. As soon as the session is closed the ports are locked, ensuring maximum security.
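The FTP-data pending request list described above, as an added Python simulation (not Check Point’s code and not the INSPECT Engine itself): the PORT command is parsed off the control channel, the client and server addresses and ports are recorded, and only the one server-to-client data connection that answers a recorded request is accepted. The class, function and address values are constructed for this illustration.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, then port high/low bytes)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command line, or None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


class FtpDataTracker:
    """Simulated pending-request list for FTP-data back-connections.

    An entry is (client_ip, client_data_port, server_ip). It is created when a
    valid PORT command crosses the control channel and consumed by the single
    server->client data connection that matches it, so the port is open only
    while a transfer is actually expected.
    """

    def __init__(self):
        self.pending = set()

    def on_control_packet(self, client_ip, server_ip, payload):
        """Inspect client->server control traffic; record a PORT request if valid."""
        parsed = parse_port_command(payload)
        if parsed is None:
            return False          # not a PORT command (or malformed): nothing recorded
        data_ip, data_port = parsed
        # The address in PORT must be the client itself, on an unprivileged port;
        # otherwise the server would be asked to connect to a third party, so
        # the request is not recorded and no port is opened for it.
        if data_ip != client_ip or data_port < 1024:
            return False
        self.pending.add((data_ip, data_port, server_ip))
        return True

    def on_data_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Decide on an inbound data connection attempt (server -> client)."""
        key = (dst_ip, dst_port, src_ip)
        if src_port == 20 and key in self.pending:
            self.pending.discard(key)   # used once, then the port is locked again
            return "accept"
        return "drop"

    def on_session_close(self, client_ip, server_ip):
        """Lock every port still pending for a control session that has closed."""
        self.pending = {e for e in self.pending
                        if not (e[0] == client_ip and e[2] == server_ip)}


def simulate_ftp():
    """Run a constructed FTP exchange through the tracker and return the verdicts."""
    fw = FtpDataTracker()
    client, server = "10.0.0.5", "203.0.113.10"
    v = {}
    v["port_recorded"] = fw.on_control_packet(client, server, "PORT 10,0,0,5,8,1\r\n")  # 2049
    v["data_ok"] = fw.on_data_connection(server, 20, client, 2049)       # answers the PORT
    v["data_replay"] = fw.on_data_connection(server, 20, client, 2049)   # entry already consumed
    v["wrong_port"] = fw.on_data_connection(server, 20, client, 2050)    # never requested
    v["third_party"] = fw.on_control_packet(client, server, "PORT 10,0,0,9,8,1")  # not the client
    fw.on_control_packet(client, server, "PORT 10,0,0,5,8,2")            # port 2050 pending
    fw.on_session_close(client, server)                                  # session ends
    v["after_close"] = fw.on_data_connection(server, 20, client, 2050)   # port locked again
    return v
```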
Extensible Stateful Inspection
Check Point FireWall-1’s Stateful Inspection architecture utilizes a unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.
The INSPECT Engine is programmable using Check Point’s powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end-users, to incorporate new applications, services, and protocols, without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1’s built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language.
Check Point provides an open application programming interface (API) for third-party developers and regularly posts INSPECT Scripts to support new applications on the Check Point Web site at http://www.checkpoint.com.
The INSPECT Engine
When installed on a gateway, the FireWall-1 INSPECT Engine controls traffic passing between networks. The INSPECT Engine is dynamically loaded into the operating system kernel, between the Data Link and the Network layers (layers 2 and 3). Since the data link is the actual network interface card (NIC) and the network link is the first layer of the protocol stack (for example, IP), FireWall-1 is positioned at the lowest software layer. By inspecting at this layer, FireWall-1 ensures that the INSPECT Engine intercepts and inspects all inbound and outbound packets on all interfaces. No packet is processed by any of the higher protocol stack layers, no matter what protocol or application the packet uses, unless the INSPECT Engine first verifies that the packet complies with the security policy.
As discussed earlier, because the INSPECT Engine has access to the "raw message", it can inspect all the information in the message, including information relating to all the higher communication layers, as well as the message data itself (the communication- and application-derived state and context). The INSPECT Engine examines IP addresses, port numbers, and any other information required in order to determine whether packets should be accepted, in accordance with the defined security policy.
The INSPECT Engine understands the internal structures of the IP protocol family and applications built on top of them. For stateless protocols such as UDP and RPC, the INSPECT Engine creates and stores context data, maintaining a virtual connection on top of the UDP communication. The INSPECT Engine is able to extract data from the packet’s application content and store it to provide context in those cases where the application does not provide it. Moreover, the INSPECT Engine is able to dynamically allow and disallow connections as necessary. These dynamic capabilities are designed to provide the highest level of security for complex protocols, but the user may disable them if they are not required.
The INSPECT Engine’s ability to look inside a packet enables it to allow certain commands within an application while disallowing others. For example, the INSPECT Engine can allow an ICMP ping while disallowing redirects, or allow SNMP gets while disallowing sets, and so on. The INSPECT Engine can store and retrieve values in tables (providing dynamic context) and perform logical or arithmetic operations on data in any part of the packet. In addition to the operations compiled from the security policy, the user can write his or her own expressions.
Unlike other security solutions, FireWall-1’s Stateful Inspection architecture intercepts, analyzes, and takes action on all communications before they enter the operating system of the gateway machine, ensuring the full security and integrity of the network. Cumulative data from the communication and application states, network configuration and security rules, are used to generate an appropriate action, either accepting, rejecting, authenticating, or encrypting the communication. Any traffic not explicitly allowed by the security rules is dropped by default and real-time security alerts and logs are generated, providing the system manager with complete network status.
The Stateful Inspection implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor. Support is provided for all major Internet services, including secure Web browsers, the traditional set of Internet applications (e.g. mail, FTP, Telnet, etc.), the entire TCP family, and connectionless protocols such as RPC and UDP-based applications. In addition, only FireWall-1’s Stateful Inspection offers support for critical business applications such as Oracle SQL*Net database access and emerging multimedia applications such as RealAudio, VDOLive, and Internet Phone.
Securing Connectionless Protocols such as UDP
UDP (User Datagram Protocol)-based applications (DNS, WAIS, Archie, etc.) are difficult to filter with simplistic packet-filtering techniques because in UDP, there is no distinction between a request and a response. In the past, the choice has been to either eliminate UDP sessions entirely or to open a large portion of the UDP range to bi-directional communication, and thus to expose the internal network.
The Stateful Inspection implementation secures UDP-based applications by maintaining a virtual connection on top of UDP communications. FireWall-1’s INSPECT Engine maintains state information for each session through the gateway. Each UDP request packet permitted to cross the firewall is recorded, and UDP packets traveling in the opposite direction are verified against the list of pending sessions to ensure that each UDP packet is in an authorized context. A packet that is a genuine response to a request is delivered and all others are dropped. If a response does not arrive within the specified time period, the connection times out. In this way, all attacks are blocked, while UDP applications can be utilized securely.
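The UDP virtual connection just described, as an added Python simulation (not Check Point’s code): a permitted outbound request is recorded with an expiry time, an inbound datagram is delivered only if it is the mirror image of an unexpired request, and everything else, including a reply that arrives after the timeout, is dropped. The clock is injected so the timeout can be exercised deterministically; all names and addresses are constructed for the example.

```python
class UdpVirtualConnections:
    """Simulated virtual-connection table for UDP.

    Outbound requests the policy permits are stored as
    (src_ip, src_port, dst_ip, dst_port) -> expiry time. An inbound datagram is
    accepted only as the reversed tuple of a recorded, unexpired request.
    """

    def __init__(self, allowed_dst_ports, timeout_seconds, clock):
        self.allowed_dst_ports = set(allowed_dst_ports)   # services the policy permits
        self.timeout = timeout_seconds
        self.clock = clock                                # callable returning seconds
        self.pending = {}

    def _expire(self):
        now = self.clock()
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal -> external datagram: allowed only if the policy permits the service."""
        self._expire()
        if dst_port not in self.allowed_dst_ports:
            return "drop"
        self.pending[(src_ip, src_port, dst_ip, dst_port)] = self.clock() + self.timeout
        return "accept"

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """External -> internal datagram: accepted only as a reply to a pending request."""
        self._expire()
        key = (dst_ip, dst_port, src_ip, src_port)        # reversed tuple of the request
        if key not in self.pending:
            return "drop"
        # A genuine reply keeps the virtual connection alive for another timeout period
        # (applications such as DNS may exchange several datagrams on one "session").
        self.pending[key] = self.clock() + self.timeout
        return "accept"


def simulate_udp():
    """Constructed DNS exchange: query, genuine reply, spoofed reply, late reply."""
    now = [1000.0]                                   # fake clock, advanced by hand
    fw = UdpVirtualConnections(allowed_dst_ports={53}, timeout_seconds=40,
                               clock=lambda: now[0])
    resolver, client = "203.0.113.53", "10.0.0.5"
    out = {}
    out["query"] = fw.outbound(client, 34567, resolver, 53)
    out["reply"] = fw.inbound(resolver, 53, client, 34567)
    out["unsolicited"] = fw.inbound("198.51.100.7", 53, client, 34567)  # no matching request
    out["wrong_client_port"] = fw.inbound(resolver, 53, client, 34568)
    out["blocked_service"] = fw.outbound(client, 40000, resolver, 161)  # SNMP not permitted
    now[0] += 41                                                         # past the timeout
    out["late_reply"] = fw.inbound(resolver, 53, client, 34567)
    return out
```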
Securing Dynamically Allocated Port Connections
Simple tracking of port numbers fails for RPC (Remote Procedure Call) because RPC-based services (NFS, NIS) do not use pre-defined port numbers. Port allocation is dynamic and often changes over time. The INSPECT Engine of FireWall-1 addresses this by dynamically and transparently tracking RPC port numbers using the port mappers in the system. The INSPECT Engine tracks initial portmapper requests and maintains a cache that maps RPC program numbers to their associated port numbers and servers.
Whenever the INSPECT Engine examines a rule in which an RPC-based service is involved, it consults the cache, comparing the port numbers in the packet and cache and verifying that the program number bound to the port is the one specified in the rule. If the port number in the packet is not in the cache (this can occur when an application relies on prior knowledge of port numbers and initiates communication without first issuing a portmapper request), the INSPECT Engine issues its own request to the portmapper and verifies the program number bound to the port, as shown in Figure 14.9.
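The portmapper cache and its fallback query, as an added Python simulation (not Check Point’s code): the cache is filled passively from GETPORT replies seen on the wire, and when a packet hits a port the cache does not know, the engine asks the portmapper itself. The `getport` callable that models that query, and the server and registrations it answers for, are assumptions constructed for this example; the program numbers are the well-known ones for NFS and mountd.

```python
NFS_PROGRAM = 100003      # well-known RPC program numbers
MOUNTD_PROGRAM = 100005


class RpcPortCache:
    """Simulated cache mapping (server_ip, port) -> RPC program number.

    `getport(server_ip, program)` models the engine's own portmapper GETPORT
    query and returns the registered port, or None if the program is not
    registered on that server.
    """

    def __init__(self, getport):
        self.getport = getport
        self.cache = {}

    def learn_from_reply(self, server_ip, program, port):
        """A GETPORT reply for `program` was observed on the wire: remember its port."""
        if port:                                  # port 0 / None means "not registered"
            self.cache[(server_ip, port)] = program

    def check(self, server_ip, port, allowed_programs):
        """Decide whether traffic to server_ip:port satisfies a rule permitting allowed_programs."""
        program = self.cache.get((server_ip, port))
        if program is None:
            # Not learned passively (the client may have skipped the portmapper and
            # reused a remembered port): ask the portmapper which of the programs the
            # rule permits, if any, is bound to this port, and cache the answer.
            for candidate in allowed_programs:
                if self.getport(server_ip, candidate) == port:
                    self.learn_from_reply(server_ip, candidate, port)
                    program = candidate
                    break
        if program is None or program not in allowed_programs:
            return "drop"
        return "accept"


def simulate_rpc():
    """Constructed scenario: an NFS server whose portmapper registers NFS and mountd."""
    server = "10.0.0.20"
    registrations = {(server, NFS_PROGRAM): 2049, (server, MOUNTD_PROGRAM): 1023}
    fw = RpcPortCache(getport=lambda ip, prog: registrations.get((ip, prog)))
    out = {}
    fw.learn_from_reply(server, NFS_PROGRAM, 2049)                 # reply seen on the wire
    out["nfs_cached"] = fw.check(server, 2049, {NFS_PROGRAM})
    out["mountd_via_query"] = fw.check(server, 1023, {MOUNTD_PROGRAM})   # needs fallback GETPORT
    out["now_cached"] = (server, 1023) in fw.cache
    out["nfs_port_wrong_rule"] = fw.check(server, 2049, {MOUNTD_PROGRAM})  # port bound to NFS
    out["unregistered_port"] = fw.check(server, 5555, {NFS_PROGRAM, MOUNTD_PROGRAM})
    return out
```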
The following are the major performance strengths of FireWall-1 through its INSPECT Engine:
- It runs inside the operating-system kernel, which imposes negligible processing overhead. Also, no context switching is required, and low-latency operation is achieved.
- It uses advanced memory management techniques, such as caching and hash tables, to unify multiple object instances and to access data efficiently.
- Its generic and simple inspection mechanisms are combined with a packet inspection optimizer, which ensures optimal utilization of modern CPU and OS designs.
According to independent test results (http://www.checkpoint.com/products/fproduct.html) and an article in Data Communications magazine of March 1997, the network performance degradation when using FireWall-1 is too small to measure when operating at full LAN speed (10 Mbps) on the lowest-end SPARCstation. FireWall-1 supports high-speed networking such as 100 Mbps Ethernet and OC-3 ATM with the same high level of performance.
As far as certified benchmarks go, KeyLabs Inc. (http://www.keylabs.com) conducted extensive testing of the Solaris and Windows NT versions of FireWall-1 to document firewall performance under various configurations. The test methodology was carefully designed to simulate actual network conditions, and test automation applications were employed to ensure accurate results.
Several FireWall-1 configurations were tested to determine whether performance is impacted by encryption, address translation, logging and rule base size. In addition, FireWall-1 was stressed to determine the maximum number of concurrent connections that can be supported. The Fastpath option was enabled on FireWall-1 for several configurations to maximize performance. Fastpath is a widely used FireWall-1 feature that optimizes performance without compromising security.
FireWall-1 was configured with two network interfaces: internal and external. Each interface utilized two Fast Ethernet connections to maximize throughput and ensure that FireWall-1 was thoroughly stressed. Multiple clients on the internal network made HTTP and FTP requests to multiple servers on the external side of FireWall-1. Clients generated approximately 5 Mbps of traffic each and were added incrementally to increase the traffic level through FireWall-1.
During this test, 75% of the connections were HTTP (75 Kbytes each), and the remaining 25% were FTP (1 Mbyte each) connections.
To determine the maximum number of concurrent connections that FireWall-1 can support, multiple clients made HTTP requests to servers on the external FireWall-1 interface. Each client was capable of establishing and maintaining 500 total connections, as shown in Figure 14.10.
The results? When running on Solaris, as shown in Figure 14.11, FireWall-1 supports approximately 85 Mbps with Fastpath enabled (top line) and 53 Mbps with Fastpath disabled (second line from top). This is sufficient to support both T3 (45 Mbps) and effective Fast Ethernet data rates.
For Windows NT, as shown in Figure 14.12, 25 Mbps can be maintained with Fastpath enabled, and approximately 20 Mbps is supported without Fastpath. This is seen in the bottom two lines of the graph. The test results show that both T1 (1.544 Mbps) and Ethernet data rates are supported by the Windows NT version of FireWall-1. With this level of performance across multiple platforms, FireWall-1 is well-suited for high-speed Internet and Intranet environments.
For more information, check the KeyLabs Inc. site listed above or Check Point’s site. There you will find comprehensive results of FireWall-1 performance in many other environments and situations.
The FireWall-1 system requirements are the following:
- Platforms supported : Sun SPARC, HP-PA-RISC 700/800, Intel x86 or Pentium
- Operating systems: Windows NT 3.51 and 4.0, SunOS 4.1.3 and 4.1.4, Solaris 2.3, 2.4, and 2.5, HP-UX 9 and 10 and IBM AIX
- Window systems: Windows 95, Windows NT, X/Motif and Open Look
- Disk space: 20 MB
- Memory: 16-32 MB
- Network interface: All interfaces supported by the operating system
- Router management (optional): Cisco Systems IOS versions 9, 10, 11; Bay Networks versions 8, 9
- Media: CD-ROM
CYCON’s Labyrinth Firewall - The "Labyrinth-like" System
The CYCON Labyrinth firewall is the world’s first "labyrinth-like" system incorporating true bi-directional network address translation with a powerful, intelligent connection tracking (ICT) firewall to create an integrated security and network management device. CYCON Labyrinth firewall is currently in use by several major corporations, Internet Service Providers, and research institutions. Figure 14.13 shows a screenshot of CYCON’s site.
For more information, contact CYCON Technologies, Fairfax, VA, (703) 383-0247, or at their Web site at URL http://www.cycon.com
CYCON Labyrinth firewall’s stateful inspection engines support all IP based services and correctly follow TCP, UDP, ICMP, and TCP SYN/ACK traffic. Support for all major IP services includes, but is not limited to:
- DNS (both TCP and UDP)
- IMAP and POP3
- ICMP (ping, traceroute)
CYCON Labyrinth firewall offers full bi-directional network address translation. CYCON Labyrinth firewall can rewrite the source, destination, and port addresses of a packet. Network address translation conceals internal addresses from outside untrusted networks. Additionally, bi-directional address translation enables CYCON Labyrinth firewall to properly redirect packets to any host in any system. Using two CYCON Labyrinth firewalls together allows proper communication between two private IP networks connected to the Internet by translating both incoming and outgoing traffic.
CYCON Labyrinth firewall can be configured to authenticate users on both inbound and outbound access. Inbound access authentication is used to implement stronger security policies. Outbound access authentication can be used to track and log connections for internal billing or chargeback purposes. Authentication is at the user level, not at the IP address level. This allows the user to move across networks and retain the ability to use resources regardless of their physical IP address, making it appropriate for Dynamic Host Configuration Protocol (DHCP) address assignments.
CYCON Labyrinth firewall supports multi-level logging. In regular mode, connections are logged. In debug logging mode, connections, packets, bytes, and actions taken are logged. Log files are written in standard UNIX syslog ASCII format and are easily manipulated by a firewall administrator for analysis. Syslog logging allows multiple CYCON Labyrinth firewalls to log to a single machine for greater security and ease of analysis.
CYCON Labyrinth firewall utilizes a rewritten BSD UNIX kernel incorporating optimized data structures and algorithms designed to produce high-speed packet filtering. CYCON Labyrinth firewall implements stateful inspection and packet modifying technology to overcome gaps found in traditional packet filtering methods.
An Integrated Stateful Inspection
The CYCON Labyrinth firewall provides outstanding protection to all aspects of an organization’s network: Internet, Intranet, and enterprise-wide connectivity. Its security model utilizes next generation firewall technology, intelligent tracking of connections, and packet modifying engines to offer transparent use of current and emerging Internet technologies. Client applications and protocol stacks operate without modifications.
Features include user authentication, high-speed static and dynamic filters, Web-based management GUI, support for up to six network interfaces, real-time monitoring and reporting, multiple logging levels, and custom alarm notifications. Also, introduced in January of 1997, this firewall includes IPSec-compliant encryption for Virtual Private Networking, native low port NFS support, and secure support for VDO, Vosaic, VXTreme, Internet Phone, and Microsoft’s NetShow.
Its integrated stateful inspection and bi-directional network address translation engines allow this firewall to perform unusual tasks, as discussed below. Command line syntax is included in the descriptions, where appropriate, to explain how the CYCON Labyrinth firewall’s filter rules can be applied in each scenario.
Here are some examples of these tasks:
- Intelligent Connection Tracking
- Redirecting Traffic
- Network Address Translation
- Load Balancing of Connections
- Proxying - source address rewriting
- Spoofing - destination address rewriting
- IPSec - encryption
Intelligent Connection Tracking
The CYCON Labyrinth firewall transcends ordinary packet filtering devices by utilizing an advanced connection tracking feature called Intelligent Connection Tracking (ICT). The ICT module is designed to recognize the internal portions of IP packets, enabling the CYCON Labyrinth firewall to "remember" authorized connections for replies. This algorithm heightens security, as it avoids opening the large holes in the filter rules that other firewalls require. These large holes are common areas of security breaches.
The ICT module examines each packet as it is processed by the CYCON Labyrinth firewall, and stores vital information about the packet. The module compares the packet information to the saved state of previously transmitted packets, and permits only those packets that are successfully tested.
The CYCON Labyrinth firewall uses a combination of static and dynamic filter rules to achieve ICT. As traffic crosses an interface, it encounters one of two rule sets: dynamic or static. If a static rule marked as stateful is encountered, the CYCON Labyrinth firewall creates a dynamic rule in the opposite direction, allowing the manipulations performed on the outbound packet to be reversed when the destination system replies. A stateful static rule would be:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 188.8.131.52 spoofaddr 184.108.40.206
Traffic enters the interface "de0" from any source address destined for the host 220.127.116.11. These packets match static rules and trigger the following dynamic rule on the outbound portion of the interface:
ipcycon de0 out proxy ip 18.104.22.168 22.214.171.124 spoofaddr 126.96.36.199
When traffic returns from host 188.8.131.52 destined for host 184.108.40.206, it will match the above dynamic rule and adjust the source address back to 220.127.116.11 so traffic will route normally.
This example illustrates how the CYCON Labyrinth firewall "remembers" the packet state via the dynamic/static rule couplet and can successfully route the traffic through the ICT algorithm.
The address translation features of the CYCON Labyrinth firewall are used to redirect traffic to any host in any network. This feature has a number of real-world uses; examples include transparent redirection to fault-tolerant systems, diverting scanning programs back to the attacker, and diverting an attacker to a dummy machine specifically designed to trap and log the attacker.
Address translation is accomplished by altering the destination address of the packet to a new location, and altering the source address of the packet to reflect the address of the CYCON Labyrinth firewall. When the reply packets are returned from the receiving host, the address translation process is reversed, and the packets are rewritten and sent to the original sender as though they came from the originally intended destination.
Transparent Redirection to Fault-Tolerant Systems
If a Web server inside your network fails, the CYCON Labyrinth system is used to redirect all incoming Web traffic to an external backup system. This is accomplished by changing both the source and destination addresses in the packets destined for your internal Web server. Assuming your failed Web server’s IP address is 18.104.22.168 and the backup external Web server’s IP address is 22.214.171.124, the exact rules to accomplish this are:
ipcycon de0 in spoof tcp 0.0.0.0:0.0.0.0 126.96.36.199:255.255.255.255 dst-eq 80 spoofaddr 188.8.131.52:255.255.255.255
ipcycon de0 out proxy tcp 0.0.0.0:0.0.0.0 184.108.40.206:255.255.255.255 dst-eq 80
The second command alters the source address, ensuring that replies from the external Web server are sent through the CYCON Labyrinth system and back to the client.
Diverting Scanning Programs
A special variation of the spoof rule redirects unwanted traffic back to the sender. This particular form of the spoof rule is called Rubber and Glue, and is designed specifically to confuse hackers by reversing the connection back onto the hacker’s system(s). For example, to redirect all unwanted traffic entering your network back to the sender, use the following spoof rule (assuming your network is 220.127.116.11):
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 18.104.22.168:255.255.255.0 spoofaddr 0.0.0.0:255.255.255.255
The source address of these unwanted packets will need to be altered to complete the ruse, as follows:
ipcycon de0 out proxy ip 0.0.0.0:0.0.0.0 0.0.0.0:0.0.0.0
This spoof rule uses 0.0.0.0:255.255.255.255 as the spoof address. This special form of the spoof address is used to represent the source address of the original packets. The result is that the packet’s destination address is changed to the source address, and the source address is changed to the firewall’s address. All of these address changes are reversed when a reply packet is received.
A more complex version of this rule may be used to redirect traffic to the hacker’s network instead of redirecting traffic to the source address used in the attack. This is accomplished by using a different mask on the spoof address. For example, to redirect unwanted traffic to the hacker’s network, use the following spoof rule:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 22.214.171.124:255.255.255.0 spoofaddr 0.0.0.0:255.255.255.0
This rule will cause the destination address to be replaced with the first three octets of the hacker’s address, followed by the last octet of the original destination. If the hacker is coming from the address 126.96.36.199 and sending packets to 188.8.131.52, then the new destination address would be 184.108.40.206. If the hacker is sending packets to 220.127.116.11, then the new destination address would be 18.104.22.168.
Network Address Translation
The CYCON Labyrinth firewall transcends traditional Network Address Translation (NAT) by utilizing full bi-directional network address translation. Ordinary NAT is used to alter either the source or destination address in packet headers. Bi-directional NAT rewrites source, destination, and port identifiers of packets on both inbound and outbound interface traffic. This is extremely useful to route traffic over public networks using private IP addresses or to load balance one URL among multiple Web or FTP servers.
The CYCON Labyrinth firewall performs bi-directional NAT by using special rules to instruct the translation modules to substitute any address "B" for the originating address "A" of a packet. The syntax of the command would appear as follows:
ipcycon de0 out proxy ip 22.214.171.124 126.96.36.199 spoofaddr 188.8.131.52
The fields of this command, from left to right, are:
- command: ipcycon
- interface: de0
- direction: out
- action: proxy
- service: ip
- source: 22.214.171.124
- destination: 126.96.36.199
- spoofaddr (replacement address): 188.8.131.52
This command alters IP packets leaving the interface "de0" from source 184.108.40.206 bound for destination 220.127.116.11 so that the source address is rewritten to 18.104.22.168. The CYCON Labyrinth firewall has mechanisms in place for proper translations of any reply packets.
The packet leaving the de0 interface is detected by the CYCON Labyrinth firewall as its internal rules are being processed, and is marked for action because the packet originated from host "22.214.171.124" and is destined for the host "126.96.36.199". As 188.8.131.52 is not routable on the public network, the source address must be changed or the sender will get the error "No Route to Host".
If a rule matching the source and destination addresses is encountered, the Proxy action occurs, and the spoofaddr address 184.108.40.206 is substituted for 220.127.116.11 as the source address. The packet is modified and routed through the interface.
This is all that is necessary to route the packet out of the network, but any replies to the packets will have 18.104.22.168 as the destination address. Replies to 22.214.171.124 will not be routed back properly into the internal network, so the CYCON Labyrinth firewall rewrites the incoming destination address. The CYCON Labyrinth firewall remembers the original source address and established port of the packet and rewrites packets of expected reply traffic (known as Intelligent Connection Tracking).
When the original packet was processed and the 126.96.36.199 address rewritten, the CYCON Labyrinth firewall created a dynamic rule and applied it to the inbound portion of the de0 interface, noting the original destination address and destination port of the packet. When the firewall encounters traffic from 188.8.131.52 destined for 184.108.40.206 on port 3456 (in this example, a negotiated TCP port), the CYCON Labyrinth firewall knows to replace the 220.127.116.11 destination address back to 18.104.22.168 and route the packet to the internal network. This dynamic rule remains until the transaction is terminated and removed from memory.
The following is a time-lapse view of how and when the packets are rewritten:
- Packet going out to destination
- Source address being rewritten by the CYCON Labyrinth firewall
- Reply packet coming back from outside host
- Destination address being rewritten by the CYCON Labyrinth firewall
This concept of altering source and destination addresses can be applied to either direction (inbound and outbound) and on any individual interface. This provides extreme flexibility for generating rules. Other examples of its applicability include load-balancing one address among multiple servers, directing any inbound web requests to one web server on the DMZ, and sending all SATAN packets back to the originator (causing attackers to attack themselves).
Load Balancing of Connections
The CYCON Labyrinth firewall uses SPOOF and PROXY rules to load balance incoming connections between multiple hosts and/or networks. Load balancing is a process in which packets are redirected to alternating hosts or networks per concurrent connection. This capability allows organizations to use multiple small hosts to serve requests, rather than investing in high-powered systems.
Using standard IP addresses and netmasks, you can construct a single rule that disperses traffic to up to four different hosts or networks.
These special rules use a standard rolodex calculation. Each time a connection is established, the firewall directs the connection to the next available address. When the list of addresses has been exhausted, the CYCON Labyrinth firewall returns to the beginning of the list to establish the connection.
Multi-Host Load Balancing
Web Server 1: 22.214.171.124
Web Server 2: 126.96.36.199
Web Server 3: 188.8.131.52
Web Server 4: 184.108.40.206
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 220.127.116.11:255.255.255.0 spoofaddr 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
The CYCON Labyrinth firewall is intelligent. Utilizing intelligent connection tracking modules, the firewall creates dynamic rules for each connection and thus "remembers" the correct host.
This technology enables an organization to spread connections to one web address across multiple web servers. Without the CYCON Labyrinth firewall, an organization is forced to use either multiple web servers or inefficient round-robin Domain Name Server (DNS) techniques.
Proxying - Source Address Rewriting
The CYCON Labyrinth firewall offers bi-directional address translation of host and network addresses; that is, the CYCON Labyrinth firewall has the capability to translate addresses in the header portion of IP packets on traffic either entering or leaving a specific interface. This is particularly useful in areas such as host load balancing, using private IP addresses in a public space, hiding internal networks, etc.
CYCON Technologies uses the term Proxy to describe the capability of rewriting the source address of IP packet headers. Proxying IP addresses allows sites to use private or unregistered addresses to connect to the Internet using any publicly routed address, thereby hiding internal IP addresses and eliminating the high cost of reassigning IP addresses when changing providers. Utilizing special rules, the CYCON Labyrinth firewall, upon receiving traffic that matches a proxy rule, rewrites the source address to an individual address, translates network to network, or chooses one of four possible network/host addresses.
The CYCON Labyrinth firewall utilizes subnet masks to achieve the host to host, host to network, and network to network address translation. A wild card mask - 0 - can be used in any octet position to cause the firewall to use the existing (assumed) octet address. If the spoof address is left blank, the address of the interface is assumed.
In the event a site using a private address space wants to access the Internet, the only option in the past was to acquire an IP segment from the provider and visit each host and alter configurations. This is both time consuming and costly. Utilizing the Proxy feature of the CYCON Labyrinth firewall, organizations can get a single Class C address space and proxy all traffic, creating the appearance that it is coming from the provided network. For example:
ipcycon de0 out proxy ip 172.16.1.0:255.255.255.0 0.0.0.0:0.0.0.0 spoofaddr 184.108.40.206:255.255.255.0
Spoofing - Destination Address Rewriting
The CYCON Labyrinth firewall offers bi-directional address translation of host and network addresses, that is, the firewall has the capability to translate addresses in the header portion of IP packets on traffic either entering or leaving a specific interface. This is particularly useful in areas such as load balancing, using private IP addresses in a public space, hiding internal networks, etc.
CYCON Technologies uses the term Spoof to describe the capability of rewriting the destination address of IP packet headers. Utilizing special rules, the CYCON Labyrinth firewall, upon receiving traffic that matches a spoof rule, rewrites the destination address to one address, translates network to network, or chooses one of four possible network/hosts addresses.
The CYCON Labyrinth firewall utilizes subnet masks to achieve the host to host, host to network, and network to network address translation. A wild card mask - 0 - can be used in any octet position to cause the firewall to use the existing destination octet address. The following are examples of the rules:
- Host to Host - When the CYCON Labyrinth firewall encounters a packet coming from any host destined for host 220.127.116.11, it changes the 18.104.22.168 address to 22.214.171.124. For example:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 126.96.36.199 spoofaddr 188.8.131.52:255.255.255.255
- Host to Network - When the CYCON Labyrinth firewall encounters a packet coming from any host destined for host 184.108.40.206, it changes the 220.127.116.11 address to 18.104.22.168. For example:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 22.214.171.124 spoofaddr 126.96.36.199:255.255.255.0
- Network to Network - When the CYCON Labyrinth firewall encounters a packet coming from any source destined for any host on the 1.1.1 network, it changes the 1.1.1 address to 2.2.2 network address. For example:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 188.8.131.52:255.255.255.0 spoofaddr 184.108.40.206:255.255.255.0
- Port-based Spoofing - To add another level of complexity, the CYCON Labyrinth firewall also has the ability to distinguish traffic based on port mappings. For example, an internal web server may be used, and all incoming traffic for any local IP address with a destination port of 80 is remapped to the single web server, as follows:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 0.0.0.0:0.0.0.0 dst-eq 80 spoofaddr 220.127.116.11
The CYCON Labyrinth firewall also has the ability to spoof only destination ports and remap only the port. For example, a web server advertised at port 8080 can be remapped to the standard WWW port 80. The CYCON Labyrinth firewall identifies any inbound traffic destined for the internal web server on the original port and rewrites the header to map to the new destination port, as follows:
ipcycon de0 in spoof ip 0.0.0.0:0.0.0.0 18.104.22.168 dst-eq 8080 spoofaddr 22.214.171.124 spoofport 80
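As an added example (my own hypothetical model in Python, not CYCON's code), the following simulates the rule semantics described in the address translation, load balancing and spoofing sections above: masked spoofaddr rewriting, the rolodex rotation through a spoofaddr list, dst-eq/spoofport port remapping, and the dynamic rules that keep a connection's translation and reverse it for the expected reply. All addresses are constructed documentation-range values; the special 0.0.0.0 spoofaddr form and the IPSec attributes are not modelled.

```python
"""Hypothetical model (not CYCON's code) of the Labyrinth spoof/proxy rule
semantics described above: masked address rewriting, rolodex spoofaddr lists,
and the dynamic rules that translate later packets and expected replies."""
from dataclasses import astuple, dataclass, field, replace
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

def _addr(spec: str) -> Tuple[int, int]:
    """'addr[:mask]' -> (addr, mask) as ints; a bare address gets a host mask."""
    addr, _, mask = spec.partition(":")
    return int(IPv4Address(addr)), int(IPv4Address(mask or "255.255.255.255"))

def in_net(addr: str, spec: str) -> bool:
    net, m = _addr(spec)
    return (int(IPv4Address(addr)) & m) == (net & m)

def rewrite(spoof: str, orig: str) -> str:
    new, m = _addr(spoof)   # masked octets come from spoof; a 0 mask octet keeps orig's
    return str(IPv4Address((new & m) | (int(IPv4Address(orig)) & ~m & 0xFFFFFFFF)))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def flipped(self) -> "Packet":   # the same connection seen from the reply direction
        return replace(self, src=self.dst, sport=self.dport, dst=self.src, dport=self.sport)

@dataclass
class Rule:
    iface: str
    direction: str              # in | out
    action: str                 # proxy (rewrite source) | spoof (rewrite destination)
    proto: str                  # "ip" matches every protocol
    src: str                    # addr[:mask]; 0.0.0.0:0.0.0.0 matches anything
    dst: str
    dst_eq: Optional[int] = None
    spoofaddrs: List[str] = field(default_factory=list)
    spoofport: Optional[int] = None
    rolodex: int = 0            # index of the next spoofaddr to hand out

def parse_rule(cmd: str) -> Rule:
    """Parse 'ipcycon <iface> <dir> <action> <proto> <src> <dst> [options]'."""
    t = cmd.split()
    r, opts = Rule(*t[1:7]), t[7:]
    while opts:
        key = opts.pop(0)
        if key == "dst-eq":
            r.dst_eq = int(opts.pop(0))
        elif key == "spoofport":
            r.spoofport = int(opts.pop(0))
        elif key == "spoofaddr":        # one address, or a rolodex list of them
            while opts and opts[0] not in ("dst-eq", "spoofport"):
                r.spoofaddrs.append(opts.pop(0))
        else:
            raise ValueError("unknown option %r in: %s" % (key, cmd))
    return r

class Labyrinth:
    def __init__(self, fw_addr: str, commands: List[str]):
        self.fw_addr = fw_addr
        self.rules = [parse_rule(c) for c in commands]
        self.dynamic: Dict[tuple, Packet] = {}   # per-connection dynamic rules

    def _matches(self, r: Rule, iface: str, direction: str, p: Packet) -> bool:
        return (r.iface == iface and r.direction == direction
                and r.proto in ("ip", p.proto)
                and in_net(p.src, r.src) and in_net(p.dst, r.dst)
                and (r.dst_eq is None or p.dport == r.dst_eq))

    def _track(self, iface: str, direction: str, orig: Packet, out: Packet) -> None:
        """Dynamic rules: same translation for later packets, reversed for the reply."""
        rev = "out" if direction == "in" else "in"
        self.dynamic[(iface, direction) + astuple(orig)] = out
        self.dynamic[(iface, rev) + astuple(out.flipped())] = orig.flipped()

    def process(self, iface: str, direction: str, p: Packet) -> Optional[Packet]:
        """Return the packet as the engine forwards it, or None if no rule permits it."""
        hit = self.dynamic.get((iface, direction) + astuple(p))
        if hit is not None:
            return hit
        for r in self.rules:
            if not self._matches(r, iface, direction, p):
                continue
            new = self.fw_addr          # no spoofaddr: the firewall's own address is assumed
            if r.spoofaddrs:            # rolodex: each new connection gets the next address
                new = r.spoofaddrs[r.rolodex % len(r.spoofaddrs)]
                r.rolodex += 1
            if r.action == "proxy":     # Proxy: source address rewriting
                out = replace(p, src=rewrite(new, p.src))
            else:                       # Spoof: destination address and port rewriting
                out = replace(p, dst=rewrite(new, p.dst), dport=r.spoofport or p.dport)
            self._track(iface, direction, p, out)
            return out
        return None
```

Feeding the fault-tolerant redirection rules from above through `process` for the "in" and "out" passes, and then the backup server's reply, shows the reply leaving with the failed server's address as its source, exactly as the text describes.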
IPSec - Encryption
IPSec is a set of standards for Internet security to ensure open standard host-to-host, host-to-firewall, and firewall-to-firewall connectivity. The standard includes two parts: Authentication and Encapsulation. The CYCON Labyrinth system supports these standards as specified in RFC 1825, RFC 1826, RFC 1827, RFC 1828 and RFC 1829.
The Authentication Header (AH) provides a mechanism whereby the sender signs IP packets and the receiver verifies the signature. This helps to prevent alteration of packets and spoofing during transit.
The Encapsulation Security Protocol (ESP) provides a mechanism whereby the sender encrypts IP packets and the receiver decrypts the packets. This helps to preserve confidentiality and privacy and is key to implementing virtual private networks (VPN).
The CYCON Labyrinth firewall supports IPSec as specified in the standards RFC-1825, RFC-1826 and RFC-1827. The CYCON Labyrinth firewall allows AH and ESP to pass through the system using security filter rules. AH is treated as an attribute of the protocol field while ESP is treated as a separate protocol. For example, to permit AH signed packets into interface de0, the following firewall command is used:
ipcycon de0 in permit ip-ah 126.96.36.199:255.255.0.0 188.8.131.52:255.255.0.0
The "-ah" attribute can be used on any protocol. When used, a packet must have an Authentication Header within the packet.
To permit ESP packets into interface de0, the following command is used:
ipcycon de0 in permit esp 184.108.40.206:255.255.0.0 220.127.116.11:255.255.0.0
The ESP protocol matches all encrypted packets.
These two methods only permit packets in and out of interfaces. Concurrently, the CYCON Labyrinth firewall also functions as an IPSec gateway. Using the following features, it is possible to authenticate and/or encapsulate communication to and from the firewall as well as to and from hosts on networks via the CYCON Labyrinth firewall.
The CYCON Labyrinth firewall uses two versions of a special security key system to control the AH and ESP mechanisms within the firewall. As such, the CYCON Labyrinth firewall can be configured to sign packets (AH) on behalf of the client system, and/or check the AH signature of packets entering the network. Furthermore, the CYCON Labyrinth firewall can encrypt and decrypt communications between hosts or networks communicating through the CYCON Labyrinth firewall. This is accomplished by configuring the encryption, decryption, and authentication algorithms, keys, and addresses with the spi command.
When the CYCON Labyrinth firewall is functioning as an IPSec gateway, an additional set of attributes is available for the ipcycon rules. These attributes are set for inbound rules when a packet is successfully authenticated or decrypted. Likewise, these attributes force authentication and encryption when used on outbound rules. For example, a packet decrypted by the CYCON Labyrinth firewall will match the attribute "-via_esp". To accept decrypted packets through the de0, the following command is used:
ipcycon de0 in permit ip-via_esp 10.9.0.0:255.255.0.0 18.104.22.168:255.255.0.0
To force encryption on communications through the de0, the following command is used:
ipcycon de0 out permit ip-via_esp 10.9.0.0:255.255.0.0 22.214.171.124:255.255.0.0
Likewise, the "-via_ah" attribute may be used to match properly authenticated packets or force authentication headers to be added to packets.
The most common mode of operation is to support Virtual Private Networks (VPN). In this mode, two or more LANs communicate with each other over public networks (e.g., the Internet) and maintain their security by encrypting all communications between these networks. In this mode, the CYCON Labyrinth firewall resides between the LAN and the public network. The system encrypts all traffic from the LAN before it is passed over the public network to another LAN. The system also decrypts all traffic entering the LAN from the public network. As a result, the computers on the LAN do not have to support encryption. Instead, they communicate as they would with any other system, and the CYCON Labyrinth firewall does all the work transparently to the users.
The next most common mode of operation supports access to private LANs via public networks by remote users. In this mode, the remote user uses an IP stack that supports the IPSec standard. If the user’s IP address is dynamic, then third-party authentication is needed to identify the user, the IP address and the encryption keys needed for the session. If the user’s IP address is static, then a weaker authentication method could be used. Once the remote user is authenticated, all traffic in and out of the LAN to and from the user’s address is encrypted and decrypted. This protects sensitive information from sniffer attacks while it traverses the public network.
Protection of Attached Networks and Hosts
CYCON Labyrinth firewall intercepts, examines, decides, and either blocks or permits IP traffic passing between the protected and unprotected networks. CYCON Labyrinth firewall blocks or permits those traffic flows based on the rules that the firewall administrator creates.
Blocking and permitting of network traffic is based on CYCON Labyrinth firewall’s ability to examine packet headers, compare the information against filter rules, and take an appropriate action. If the packet’s header information does not directly apply to a permit rule, the packet is dropped. In addition, the stateful inspection module remembers outgoing connections and only allows the expected replies of permitted connections back through the firewall. CYCON Labyrinth firewall can perform the following actions on packets:
- Permit - permits the packet and routes it to the appropriate interface;
- Deny - denies the packet and sends an appropriate ICMP message back to the sender;
- Drop - drops the packet with no reply message;
- Track - permits the packet and creates a dynamic rule to permit expected replies;
- Proxy - rewrites the source address of the packet with either the address of the firewall or a range of user specified IP addresses; and,
- Spoof - rewrites the destination address of the packet with either the address of the firewall or a range of user specified IP addresses.
The proxy and spoof actions can redirect packets to any host on the network or on the Internet.
CYCON Labyrinth firewall protects against network spoofing with one simple rule. The filter rule will not accept packets originating from the external interface that contain source addresses that match any internal IP addresses. In addition, all source routed packets or IP fragments are dropped.
CYCON Labyrinth firewall supports standard username and password authentication and 128-bit encrypted S/KEY (MD5) authentication. Inbound and outbound authentication is performed via an embedded technology called "VISA."
The firewall administrator maintains access lists of users and groups. A user must authenticate with the authentication server (which runs on the firewall, but optionally can run on a dedicated machine) before access is permitted. Upon successful authentication, the "VISA" system creates a dynamic rule permitting access for the user as defined in the access lists.
Any possible access rights are predefined by the firewall administrator and can be set to expire after a predefined time has passed. It is possible to allow only certain types of access (e.g. Web, Telnet, ftp) to one group of users while allowing a different type of access (e.g. Archie, gopher, NFS) to another group. The "VISA" system is flexible enough to receive authentication requests from third-party servers, such as DHCP and WINS servers.
CYCON Labyrinth firewall supports temporary and timed rules. These rules allow security policies that prevent certain protocols during specific times. An organization may want to restrict outbound Web access to non-business hours, or only during lunch time.
Protection of Individual Hosts
No client-side modifications of software are necessary to provide host-to-firewall authentication. Inbound and outbound access can be configured to be completely transparent, to require authentication for each session, or to require authentication that remains valid for a predefined period.
As discussed above, the incorporation of IPSEC standards in CYCON’s Labyrinth firewall enables the support of full featured peer-to-peer encrypted traffic by any third-party mechanism, either software or hardware. The IPSEC standards implemented provide fully compliant Virtual Private Networking (VPN) technology for net-to-net, host-to-net, and host-to-host connectivity.
- Intel Pentium or Intel 486 (Pentium recommended), 100 MHz minimum for active 10 MB Ethernet, or 166 MHz minimum for 100 MB Ethernet
- 16 MB RAM minimum, 32-64 MB RAM for active Ethernet (each rule [static or dynamic] requires 128 bytes)
- 1 GB HD (IDE or EIDE) for typical sites (intensive logging requires more space and may degrade performance)
- CD-ROM (IDE recommended)
- 3.5" Floppy drive
- Mouse (recommended for initial load and setup)
NetGuard’s Guardian Firewall System - MAC Layer Stateful Inspection
NetGuard Ltd. is a software company specializing in security solutions for corporate networks attached to the Internet. The Guardian Firewall System, the company’s first product, was released in 1995 and was acknowledged world-wide as a leading firewall product. The Guardian was the first firewall designed to operate on the popular Windows NT platform, and is recommended by Microsoft as a Windows NT solution.
Guardian Firewall software has won the British EMAP Networking Industry Award 1996 as "Internet Product of the Year". The judges described the Guardian as "...a sensibly thought-out package, which is easy to implement and manage...the Guardian takes a refreshing look at problems of implementing Network security..." NetGuard Ltd. is a subsidiary of LanOptics Ltd., a leading supplier of hubs and networking products. NetGuard takes full advantage of LanOptics’ large customer base and field-proven experience in the network environment to provide high quality and efficient. Figure 14.13 is a screenshot of NetGuard’s Web site, showing the awards and certification of this product.
For more information, contact NetGuard Ltd, via e-mail, email@example.com, or visit their Web site at URL http://www.ntguard.com/. You can also contact their headquarters at 2445 Midway Road, Carrollton, Texas 75006, Tel: (972) 738-6900 - Fax: (972) 738-6999.
According to NetGuard’s press release of August, 1997 (http://www.ntguard.com/newlan.htm), GUARDIAN Firewall software was named "The Best of LAN Times" in the magazine’s Aug. 4 review of the industry’s leading Windows NT-based firewalls.
Guardian was designed to enable you to easily and accurately establish comprehensive security strategies and manage on-going corporate Internet access.
Guardian is Internet control and firewall software that protects the private network against sabotage, unauthorized information access, intrusions, and a wide range of threats initiated from the Internet. Guardian is certified by NCSA.
Guardian’s firewall architecture is based on the unique MAC Layer Stateful Inspection that makes it immune to Operating System security leaks. It is available for Windows NT server and workstation operating systems.
NetGuard, the developer of Guardian, is a leading provider of advanced Internet and Intranet security and productivity products and is the first company worldwide to offer Internet productivity monitoring and bandwidth control capabilities.
Unprecedented Internet Management Tools
NetGuard’s Guardian, besides being an effective, user-friendly firewall system, offers network administrators unique Internet access control tools. Much has been said throughout this book, and everywhere in the news, about the hazards involved in connecting to the Internet, and indeed the issue of secure Internet connectivity has been the prime concern of network administrators in recent years.
The firewall market evolved in order to give a satisfactory answer to Internet security issues, and NetGuard’s Guardian, winner of the EMAP Networking Industry Award under the category "Internet Product of the Year", plays a major role in setting the standards for Internet security. Thus, Guardian 2.1 coordinates and facilitates the task of Internet connectivity management, offering network administrators a variety of powerful management tools and comprehensive inside information in real time. The following sections describe some of the most relevant features and tools provided by Guardian.
Visual Indicator of Enterprise-Wide Agent Activity:
Figure 14.14 shows the Guardian Manager screen, one of the powerful tools available with Guardian. Through it, you are able to effectively manage the firewall, including analysis of bandwidth allocated, as shown on figure 14.15, and more, as the following sections describe.
Another useful tool is the Agent Icon, as shown on figures 14.16 and 14.17, which in its minimal format enables you to receive a comprehensive visual indication of the overall activity by viewing on the same screen the activity of as many Agents as you choose.
Extended Gateway Information
Guardian also provides a comprehensive interface to gather extended gateway information through an enlarged Agent Icon, as shown on figure 14.18. As you can see on figure 14.18, the interface provides gateway Information on:
- Total bandwidth available
- Total bandwidth consumption
- Number of connections
- Number of active users, and
- Total number of users
Activity Monitoring Screen
The Activity Monitoring Screen of Guardian allows auto detection of active users. Every User is represented by an icon which functions as an activity indicator, as shown on figure 14.19. The green computer screen indicates an active user and the blue one a non-active user.
Enhanced Activity Monitoring Screen:
The Activity Monitoring Screen of Guardian, as shown on figure 14.20, can be configured to show additional user activity information if necessary, which includes:
- IP address and name (if assigned)
- Number of active connections
- Number of bytes received and sent
- Actual bandwidth allocation for each user
- Type of service in use
Monitoring User’s Connectivity
Users’ connectivity can be monitored with Guardian by using the connection monitoring screen, as shown on figure 14.21. By selecting a user icon on the Activity Monitoring Screen you are able to open a "real-time user connection monitoring" window which shows the following information about the user’s active connection:
- Destination IP address and name
- Type of Service in Use
- Number of bytes received and sent
- Elapsed time for this connection
- Bandwidth allocation for each session
The Connection Monitoring Window introduces two new administrative functions:
- Allows the Network Administrator to close an active connection for a predefined period of time
- Allows the Network Administrator to create rules which determine the conditions under which a user operates.
Firewall Strategy Wizard
The Guardian’s firewall strategy wizard, as shown on figure 14.22, has two main functions:
- To assist you in creating a basic set of security strategy rules which serve as guidelines for a corporate security strategy. These guideline rules can in themselves provide adequate security for the network.
- Or, if you want to benefit from the more advanced features of the system, you may opt to develop unique strategy rules using the firewall strategy editor.
Also, the Guardian Strategy Wizard has a tutorial function as well, which helps clarify the process of creating strategy rules and paves the way for independent creation of complex security strategies.
WAN Adapter Support
Guardian can also be configured to work on a WAN adapter connected to the Internet. An agent can be installed on additional adapters, such as modems, ISDN and Frame Relay adapters, and on any NDIS-compatible LAN or WAN adapter.
In many cases this new feature can eliminate the requirement to install a router, as shown on figure 14.23.
Also, as shown on figure 14.24, NetGuard has added to Guardian the capability to define several class C networks. When defining a NAT strategy, looking at the example below, two rules will be defined:
- Our network-1 - Global Network-1 ( 1st class C network)
- Our network-2 - Global Network-2 ( 2nd class C network)
- Our network-1, Our Network-2, Global Network-1, Global Network-2 are networks defined in the Network Object dialog box.
Logoff Command on Authentication Client
While enabling authentication for users, Guardian requires the user to be assigned a time period to log on and work, as shown on figure 14.25.
This is done while setting up an Authentication client in the firewall strategy: when entering the relevant Action for the user, the total access time that the user can be logged on (Authenticate with an Access for) must be entered, as shown on figure 14.26. The interface also has a mechanism to control spoofing attacks, as shown on figure 14.27.
Guardian enables you to specify a list of networks to be checked for spoofing attempts.
CyberGuard’s CyberGuard Firewall - Hardening the OS
CyberGuard Corporation is dedicated to providing the strongest, most comprehensive Internet, intranet and electronic commerce security solutions for organizations with enterprise-wide data networks.
CyberGuard Firewall is a multi-level secure computer that resides between internal networks - or between an internal network and the Internet - to provide a single secure connection point through which all data must travel. The firewall screens and filters all traffic to and from any public network before allowing it to pass. To eliminate the possibility of data theft or damage, unauthorized attempts to communicate with the internal network are logged and blocked.
The CyberGuard Firewall Release 3 is now expanded to run on Intel boxes. CyberGuard Firewall features a lower cost software-only entry-level option for departmental and remote office security solutions. CyberGuard Corporation claims to provide the world’s most secure firewall on the Intel platform, also allowing you to integrate the firewall with industry-standard off-the-shelf hardware.
CyberGuard Firewall’s Release 3 is an off-the-shelf software solution comprised of a trusted UNIX-based operating system, integrated secure networking software and a Remote Graphical User Interface (GUI) Manager.
This latest release (version 3) combines packet filtering and application proxy security in a solution that can be customized to allow two-way, incoming-only or outgoing-only communication while blocking high-risk commands. CyberGuard delivers high performance, high throughput, enterprise-wide security applications.
For more information, contact CyberGuard Corp, at 2101 W Cypress Creek Road, Fort Lauderdale, FL 33309, Phone: 800.666.4273 or Phone: 954.973.5478 - Fax: 954.973.5160. You can also contact them via e-mail at E-mail: firstname.lastname@example.org or at the URL http://www.cybg.com
The Trusted Operating System
CyberGuard’s integrated suite of secure firewall components gives you the highest degree of protection against attacks. In a typical firewall solution, if an attacker penetrates the firewall application, the unsecured operating system can be accessed and penetrated.
With the CyberGuard Firewall solution, the operating system has been hardened with extra security measures, as shown on figure 14.29, so unauthorized users or requests can not penetrate the O/S and the network. The secure operating system and secure networking software are based on multi-level security that restricts access to information based on the sensitivity of the information and the access authorization of system users.
The underlying operating system and networking software are designed for demanding security environments. The high performance operating system has the ability to process high levels of throughput without time-consuming failures. CyberGuard Firewall technology can be utilized with your remote offices to operate secure enterprise-wide mobile security applications, secure database applications and access controls.
CyberGuard claims to be the strongest enterprise security solution available because it is built on a secure operating system that utilizes an extension of multi-level security called Multiple Virtual Secure Environments (MVSE), as shown on figure 14.29 above. MVSE matches data access to user privileges, preventing theft or unauthorized access to highly sensitive data via networks at lower levels of security.
This unique capability, Multiple Virtual Secure Environments (MVSE), allows a single physical network to be divided by security level into multiple virtual networks. Simultaneously, customers can divide their physical data servers into multiple virtual data servers, each with a unique level of security. MVSE ensures that the data at a given level of security only travels over networks at the same level of security. MVSE technology recognizes the need for protection of two separate corporate assets - the data and the network. Contemporary firewalls generally protect the network but not the data traveling across it. The CyberGuard Firewall is the only firewall to protect data at all enterprise levels.
MVSE’s capacity to create over 200 virtual networks/servers from a single network/server provides the flexibility and growth potential your company may need. CyberGuard’s unique Multiple Virtual Secure Environments also provides a secure, cost-effective, multiple network implementation while extending security coverage to data traveling over the network.
Intuitive Remote Graphical User Interface (GUI)
The CyberGuard Firewall 3 on the Intel platform offers a Remote Graphical User Interface with an optional remote feature that allows you, as an administrator, to centrally control and monitor multiple CyberGuard Firewalls. This capability significantly lowers the cost of firewall administration by simplifying administration tasks and eliminating the need to have multiple firewall security administrators.
This innovative feature provides an integrated graphical environment for setup, configuration, monitoring and reporting. Based on the X Window System and OSF/Motif, the system hides internal mechanics from the user while presenting an easy-to use, intuitive interface. All features are configurable through the GUI. The online help includes window-level context-sensitive information, a table of contents, "how-to" tasks and a glossary, as shown on figure 14.30.
Dynamic Stateful Rule Technology
Security decisions made on a machine without a trusted O/S are inherently insecure. Part of CyberGuard’s strong security approach is its dynamic stateful rule technology that extends common packet-filtering (as shown on figure 14.32) capabilities. Figure 14.31 shows the proxy configuration screen of CyberGuard.
CyberGuard Firewall monitors each connection to ensure that all network traffic from the client or server adheres to the network security policy and network protocol. The dynamic stateful rule technology of CyberGuard works with all IP network traffic, including UDP, ICMP and split DNS, as shown on figure 14.33. Unlike other firewalls on the market today, CyberGuard’s secure solution is not limited to TCP traffic. With dynamic stateful rule technology, CyberGuard Release 3 on the Intel Platform can identify network attacks such as IP spoofing and hijacking.
Further, CyberGuard establishes unique dynamic stateful rules for each new connection to or from the firewall, even if multiple connections are between the same client and server. The dynamic stateful rules reflect the state of the connection at any moment in time. Each connection has a unique dynamic stateful rule allowing CyberGuard to monitor the status of the individual connection and enforce its connection-specific security policy. Any packets received by the firewall that do not match are discarded as invalid, and alarms are tripped, as shown on figure 14.34. At the conclusion of each session, CyberGuard Firewall dismantles the dynamic rule to prevent hijacking of the connection.
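The per-connection behaviour described above, modelled as an added example (this is not CyberGuard’s code; the state names, the UDP rule lifetime and the sample policy are constructed assumptions):

```python
"""Added example (not CyberGuard's code): per-connection dynamic rules.

The static policy is consulted only when a new connection appears.  An
allowed connection gets its own dynamic rule carrying the connection state;
packets that fit no dynamic rule, or arrive out of state, are discarded and
an alarm is recorded; the rule is dismantled when the session closes, so a
later packet on the same 5-tuple cannot ride the old connection.  State
names, the UDP lifetime and the sample policy are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def fwd_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def rev_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


UDP_LIFETIME = 30   # seconds an idle UDP dynamic rule survives (assumption)


def sample_policy(p):
    """Constructed static policy: outbound web and DNS only."""
    return (p.proto == "tcp" and p.dport == 80) or (p.proto == "udp" and p.dport == 53)


class StatefulFilter:
    def __init__(self, policy):
        self.policy = policy   # policy(pkt) -> bool, applied to new connections only
        self.rules = {}        # forward 5-tuple -> TCP state name, or UDP expiry time
        self.alarms = []       # (reason, 5-tuple) for every discarded packet
        self.clock = 0

    def tick(self, seconds):
        """Advance the clock and dismantle UDP rules that have gone idle."""
        self.clock += seconds
        for key in [k for k, v in self.rules.items() if k[0] == "udp" and v <= self.clock]:
            del self.rules[key]

    def _alarm(self, reason, pkt):
        self.alarms.append((reason, fwd_key(pkt)))
        return "drop"

    def process(self, pkt):
        """Return "accept" or "drop" for one packet, updating the dynamic rules."""
        if fwd_key(pkt) in self.rules:
            return self._existing(pkt, fwd_key(pkt), forward=True)
        if rev_key(pkt) in self.rules:
            return self._existing(pkt, rev_key(pkt), forward=False)
        # No dynamic rule yet: only a connection-opening packet may consult the policy.
        opening = pkt.flags == {"SYN"} if pkt.proto == "tcp" else True
        if not opening:
            return self._alarm("packet without connection", pkt)
        if not self.policy(pkt):
            return self._alarm("denied by policy", pkt)
        self.rules[fwd_key(pkt)] = "SYN_SENT" if pkt.proto == "tcp" else self.clock + UDP_LIFETIME
        return "accept"

    def _existing(self, pkt, key, forward):
        if pkt.proto == "udp":
            self.rules[key] = self.clock + UDP_LIFETIME   # refresh the rule's lifetime
            return "accept"
        state, f = self.rules[key], pkt.flags
        if state == "SYN_SENT" and forward and f == {"SYN"}:
            pass                                        # SYN retransmit
        elif "SYN" in f and state != "SYN_SENT":
            return self._alarm("SYN inside live connection", pkt)
        elif state == "SYN_SENT" and not forward and f == {"SYN", "ACK"}:
            self.rules[key] = "SYN_RECV"
        elif state == "SYN_RECV" and forward and f == {"ACK"}:
            self.rules[key] = "ESTABLISHED"
        elif state == "ESTABLISHED" and "FIN" in f:
            self.rules[key] = "FIN_WAIT"                # first side closing
        elif state == "FIN_WAIT" and "FIN" in f:
            self.rules[key] = "LAST_ACK"                # second side closing
        elif state == "LAST_ACK" and f == {"ACK"}:
            del self.rules[key]                         # session over: rule dismantled
        elif state in ("ESTABLISHED", "FIN_WAIT", "LAST_ACK") and "ACK" in f:
            pass                                        # ordinary traffic on a live connection
        else:
            return self._alarm("packet out of state " + state, pkt)
        return "accept"
```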
The CyberGuard Firewall Release 3 is designed by the same team that created the hardware/software CyberGuard Firewall solution (Release 2.2) with an operating system and integrated networking software that have been evaluated at the B1 level of trust by the National Computer Security Center (NCSC) and certified by the National Computer Security Association (NCSA). The CyberGuard Firewall Release 2.2 was also tested by Celar in France and is the first firewall solution to undergo ITSEC E3 evaluation in the United Kingdom.
This firewall, for Intel platform, is offered in three configurations:
- An Entry-Level Option, supporting 50 users or less;
- A Workgroup Option for 51-250 users; and
- An Enterprise Option which has unlimited user support.
With CyberGuard Firewall 3, both Pentium and Pentium Pro processor systems (single or dual processor configurations) come with the same high throughput, scalability and flexibility of previous versions of CyberGuard. An easy-to-use remote graphical user interface (GUI) manager allows system administrators to configure and manage the firewall from both remote and local sites. Figure 14.35 shows the basic architecture design of CyberGuard.
The following are the recommended system requirements for configuring CyberGuard:
- Pentium and Pentium Pro processor systems (single and dual processor configurations)
- 32MB local memory
- 2 Ethernet connections (with optional additional independent connections)
- UNIX SVR4 compliant
- 2GB hard disk
- 17-inch color monitor
- 4mm DAT backup medium
- High resolution super VGA video interface
- Tower enclosure (or optional rack-mountable chassis)
- Optional encryption (U.S. and international)
- Optional WebTrackTM Internet-access tracker and controller
Raptor’s Firewall - An application-level Architecture
Founded in 1992, Raptor Systems is a leading company in integrated firewall security management software and services. Based on an application-level firewall architecture, the Eagle family comprises a suite of modular software components that provide real-time network security for Internet, workgroup, mobile computing, and remote office domains within the enterprise. The Eagle family, when used individually or as part of an integrated network security management system, addresses the need for network security in large and small companies. Eagle runs on Sun Microsystems, Hewlett-Packard, as well as Windows NT workstations. Figure 14.36 shows a screenshot of Raptor’s Web site.
For more information on Raptor’s Eagle family of firewalls, contact Raptor Systems, Inc., 69 Hickory Drive, Waltham, MA 02154, telephone 800-9-EAGLE-6 or 617-487-7700, Fax: 617-487-6755. You can also reach them via email at email@example.com or on the Web at URL http://www.raptor.com/
Enforcing Security at All Levels of the Network
Comprehensive security is a key strength of Raptor’s Eagle family firewalls. Industry experience shows that of all attacks, the most damaging are those that rely on application data streams. Attacks at this level, as seen throughout this book, often go undetected by stateful packet filters, which only examine the protocol headers of packets at the network layer. Circuit level gateways are also vulnerable, since they lack the ability to examine application level data.
The Internet represents only one domain that must be secured. Every enterprise - whether newly emerging or an established multinational - has security needs that extend beyond unauthorized access over the public network.
Securing confidential data among and between workgroup LANs is a growing concern (see figure 14.37). An executive would never send an employee’s salary review to human resources in an unsealed envelope. Nor would an engineering team leave product development plans on the table. A prospect list in unauthorized hands could mean disaster for quarterly sales. When that same data sits unprotected on a PC or within a server, however, it is susceptible to privacy breaches that would never be allowed in a "paper" world. It is common knowledge that over 85% of all computer crime is perpetrated by individuals who are authorized to use the systems they are working on. Hence, desktop PCs and workgroup LANs must be secured from "unauthorized" users within an organization as well as from Internet users.
Working at all seven layers of a network-based application gives the Eagle access to all contextual information needed to make authorization and authentication decisions, including:
- The specific type of application used
- Specific application commands and data allowed or disallowed
- The users, groups, or times of use allowed for the service
- Time and date ranges
- Authentication information
Based on this information, the Eagle makes complex security decisions. It automatically enforces service restrictions, issues alerts via email or beeper, SNMP trap or client program, and compiles a comprehensive log on all connections, whether they are allowed or not.
To derive only a portion of the information available to the Eagle, packet filtering firewalls must evaluate each IP packet individually, capturing state information on-the-fly. This makes these systems particularly vulnerable to attacks that exploit packet fragmentation and reassembly operations. The Eagle’s architecture makes it invulnerable to such attacks.
Raptor defines five domains of network security to promote an integrated approach to protecting the enterprise:
- Domain 1: Internet Security - To protect networks exposed to unauthorized Internet access, as shown on figure 14.38, Raptor Systems offers the flagship Eagle firewall. Designed as the foundation on which any enterprise solution can be built, Eagle is a flexible, application-level firewall that secures bi-directional communications through the public network. It includes EagleConnect virtual private networking, a powerful, real-time network security management facility with intuitive GUI, suspicious activity and alert monitoring, encryption and multiple types of authentication and proxy software to foil IP spoofing attacks. Multiple hardware platforms are supported including Sun Microsystems, Hewlett Packard and Windows NT on Intel and DEC Alpha platforms.
- Domain 2: Workgroup Security - Raptor Systems provides two solutions to protect sensitive data that resides at a workgroup level, as shown on figure 14.39. The EagleLAN is a departmental firewall that integrates seamlessly with the Eagle. If one department attempts to access another department’s data without authorization, the network administrator will know immediately. As with our Eagle firewall, real-time alarms let administrators catch hackers in the act. And for desktop security, EagleDesk resides on a user’s PC, behind the firewall, to provide secure communications between the PC and any other authorized destination inside or outside the enterprise.
- Domain 3: Mobile User Security - The combination of portable PCs, telecommuters, and virtual offices opens the door to data access anywhere in the enterprise from anywhere in the world through public and private networks. To protect this newly-emerging mobile portion of the enterprise, Raptor Systems provides EagleMobile (see figure 14.40). An option to the Eagle firewall, EagleMobile can be installed by a non-technical user on any portable or off-site PC for additional password protection and encryption between their PC and an Eagle firewall.
- Domain 4: Remote Site Security - To secure communications among corporate headquarters, corporate divisions, and branch offices (see figure 14.41), Raptor offers the EagleRemote firewall. EagleRemote includes all of the superior security features of the flagship Eagle firewall for remote sites that must use the public network to communicate with other enterprise "satellites." The EagleRemote is configured and monitored by the Eagle firewall. This allows the network administrator to have complete control from one central location back at the enterprise.
- Domain 5: Integrated Enterprise Security - As shown on figure 14.42, Raptor has designed its products as a suite of modular software components that can interact seamlessly with each other using a common management and monitoring capability. This building-block approach to security management lets companies change and grow their network security systems without changing their underlying security strategy. Central to this integration is Raptor’s EagleConnect virtual private networking technology, which transparently manages the connections among network security points within the enterprise.
Eagle’s strong, rules-based defense (see screenshot on figure 14.43) is very impressive. Packet filtering firewalls authorize passage of IP packets on a first fit rule matching basis. As packets enter a router or filtering firewall, the device compares each packet in turn against a set of match conditions (filters).
By default, the device accepts the first fit to these conditions to allow or deny the packet. Herein lies the problem: filtering rules are inherently general and highly order dependent. This means that the first match triggered may allow a connection that would be denied by a subsequent comparison. Thus, whether a packet gets into your network may depend on the way you order the rules, rather than on the rules themselves. This complexity makes misconfiguration an ever present possibility.
Therefore, with the Eagle Firewall,
- All connections are denied unless explicitly permitted
- Automatic suspicious activity monitoring
- Comprehensive logging for all connections
- Fine grained access-controls and service restrictions
- "Best-fit" Rule management
The Eagle’s best fit approach is simpler, tougher, and easier to manage. To begin with, the Eagle denies all network traffic except for that which is explicitly allowed. Second, the rules the Eagle applies are not order-dependent, so it always chooses a rule specific to the connection attempt at hand. And to make sure the rule chosen is specific, the Eagle always applies conservative best fit criteria to allow or deny a connection. And if no rule meets its best fit criterion, the Eagle denies the connection. This approach to rule management by the Eagle firewall allows a firewall administrator to concentrate on the creation and management of a security policy rather than on the management of the firewall itself.
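An added example (not Raptor’s code) contrasting the two evaluation strategies on a constructed rule set; the specificity scoring and the tie-break are assumptions, not Eagle’s actual algorithm:

```python
"""Added example (not Raptor's code): first-fit versus best-fit rule matching.

The packet-filter problem described above: rules are general and order
dependent, so a broad rule placed early can admit a connection that a
later, more specific rule would deny.  The best-fit evaluator ignores
order, scores each matching rule by how specific it is, and denies when
nothing matches.  The scoring and tie-break are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any port
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def net_score(field: str, addr: str) -> Optional[int]:
    """Specificity of an address match: 0 for 'any', prefix length + 1 otherwise,
    None when the address is not inside the rule's network."""
    if field == ANY:
        return 0
    net = ip_network(field, strict=False)
    return net.prefixlen + 1 if ip_address(addr) in net else None


def specificity(rule: Rule, conn: Connection) -> Optional[int]:
    """Score how specifically `rule` matches `conn`; None when it does not match."""
    s, d = net_score(rule.src, conn.src), net_score(rule.dst, conn.dst)
    if s is None or d is None:
        return None
    if rule.proto != ANY and rule.proto != conn.proto:
        return None
    if rule.dport is not None and rule.dport != conn.dport:
        return None
    return s + d + int(rule.proto != ANY) + int(rule.dport is not None)


def first_fit(rules, conn) -> str:
    """Packet-filter style: walk the list in order and take the first match."""
    for r in rules:
        if specificity(r, conn) is not None:
            return r.action
    return "deny"


def best_fit(rules, conn) -> str:
    """Order-independent: the most specific matching rule decides; default deny.
    Tie-break (assumption): if equally specific rules disagree, deny."""
    scored = [(specificity(r, conn), r) for r in rules]
    scored = [(sc, r) for sc, r in scored if sc is not None]
    if not scored:
        return "deny"
    top = max(sc for sc, _ in scored)
    winners = [r for sc, r in scored if sc == top]
    return "deny" if any(r.action == "deny" for r in winners) else "allow"


# Constructed rule set.  The broad "allow web" rule sits before the more
# specific "deny this network" rule: exactly the ordering trap the text warns of.
MISORDERED = [
    Rule("allow-web-from-anywhere", ANY, "10.0.0.0/8", "tcp", 80, "allow"),
    Rule("deny-known-bad-network", "192.0.2.0/24", ANY, ANY, None, "deny"),
]

BAD_HOST_WEB = Connection("192.0.2.7", "10.1.1.1", "tcp", 80)         # should be denied
OTHER_HOST_WEB = Connection("203.0.113.5", "10.1.1.1", "tcp", 80)     # legitimately allowed
OTHER_HOST_TELNET = Connection("203.0.113.5", "10.1.1.1", "tcp", 23)  # no rule: default deny

if __name__ == "__main__":
    for conn in (BAD_HOST_WEB, OTHER_HOST_WEB, OTHER_HOST_TELNET):
        print(conn, "first-fit:", first_fit(MISORDERED, conn),
              "best-fit:", best_fit(MISORDERED, conn))
```

With the misordered list, first-fit admits the blacklisted host because the broad web rule matches first; best-fit picks the /24 deny rule as the more specific match regardless of position.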
Reliance on Dedicated Security Proxies
The Eagle uses secure application proxies to examine each attempt to pass data in or out of your network. As discussed throughout this book, proxying connections provides the strongest safeguard against network intrusion. These proxies provide:
- Protection against application level attacks
- Automatic hiding of all internal IP addresses and their associated systems
- Strong and weak user authentication
- Comprehensive logging of all activity
- Fine-grained control of direction of service, e.g. FTP put versus get.
The Eagle’s secure proxy architecture presents a virtual brick wall between your networks and the unsecured world of the Internet. This wall protects you in two ways:
- Only connections explicitly allowed are permitted. This greatly simplifies configuration. This in turn virtually eliminates security breaches arising from mismanagement.
- Your networks are not only protected but hidden from the outside world. This bars hackers from probing for insecurities in your internal systems, and safeguards the critical information needed to mount an attack.
Using Raptor’s Firewalls Eagle Family
Eagle is very easy to set up and use. Its richness of function and flexibility are married to a graphical user interface that makes configuration and monitoring easy.
Graphical Policy Configuration
The Hawk graphical user interface segregates all aspects of your security set-up into discrete areas of function. You use one window to write rules, and others to define internal and external systems, specify firewall users, create authentication templates, and perform other functions. This makes the process of rule authoring straightforward, and the rules you write easy to understand. The Eagle’s monitoring window gives you a bird’s-eye view of all connection attempts into your network. Its log file window displays statistical information on all connections at a glance.
According to Raptor, the Eagle is the only product in the industry with graphically configurable service proxies for all key services, including:
- HTTP (Web browsing)
- SNMP (due on next release, by mid-November of 1997)
- FTP puts and gets (file transfer)
- DNS (name resolution)
- Secure Remote Login (remote management)
In addition to supporting commonly used applications with out-of-the-box proxies, Hawk makes it a snap to specify additional applications.
Consistent Management - Local or Remote
Whether you are managing the Eagle locally, or via an encrypted Internet link, Hawk presents you with the same management interface. So there is never any doubt about whether the policies you put in place are really in force.
One of the key requirements for administrators is to be able to easily and securely gain access to the host operating system that the Eagle runs on top of. Raptor provides a Secure Remote Login (SRL) capability that allows administrators to remotely gain access to the operating system for configuration and maintenance. SRL establishes an encrypted and authenticated TELNET session to the firewall system.
The Eagle allows you to enforce policy decisions for end users, while making it easy for them to get their jobs done. Whether this entails use of Web browsers, file transfer, or remote login to selected systems, the Eagle’s presence is unobtrusive. In most cases, users are not even aware of the Eagle’s operations.
The Flexibility to Allow "Transparent" Access
While it presents an unbreachable wall to unwanted users, the Eagle provides flexible access to users you need to accommodate. In fact, you can configure the Eagle so that users will not be aware of its presence.
Usually referred to as transparency, this level of access allows users to "see" and (apparently) connect directly to certain systems. These connections are still proxied by the Eagle, which continues to carry on extensive logging and alerting operations. So even though your users may be unaware of it, the Eagle is still watching the store.
At times, you may need to allow users to access data on certain internal systems, and still conceal these systems’ identities and addresses, as shown on figure 14.47. Examples of this could include customer information databases or commerce servers: resources that you must both protect, and provide access to from the outside world. The Eagle can be configured to present one or many public IP addresses which can then be mapped or redirected (on a per service basis) to systems behind the firewall with different (and hidden) IP addresses. A common use is to map multiple public IP addresses to multiple and different Web servers behind the firewall.
As for performance, independent lab tests performed at the National Software Testing Laboratories (NSTL) confirm the Eagle as the fastest transaction processing engine of any tested.
The Eagle’s application proxy architecture is the key to its great performance. Since the Eagle authorizes connections at the application-level, it has access to all contextual information on each connection attempt. As a result, the Eagle only needs to evaluate each connection once. No additional checking is needed to proxy packets securely. This delivers a big performance advantage over other approaches.
Fine-grained control of VPN Tunnels
The ability to apply packet filters within configurable Virtual Private Networking (VPN) tunnels, as shown on figure 14.44, provides Eagle administrators with fine-grained control of the types and direction of traffic that can be passed between hosts or systems. This control boosts overall network performance by enabling you to specify appropriate levels of encryption for each tunneled application.
The Eagle performs all filtering on the VPN tunnels you establish between trusted systems. All traffic passed between these systems is encapsulated and encrypted by cooperating Eagle systems, as shown on figure 14.46. This ensures the privacy and integrity of the communication. The additional use of packet filters provides an even higher level of security on these trusted tunnels, allowing only certain types of traffic in specifiable directions. Figure 14.45 shows the monitoring of real-time suspicious activity of Raptor’s Eagle family firewall.
Integrated Web Blocking Capability
The Eagle’s integrated WebNOT software gives you the ability to restrict web browsing from sites containing objectionable materials. The service restrictions the Eagle supports give you the power to limit browsing activities in specific, carefully defined ways. This ensures that your organization gets the full benefit of the Internet’s resources, while avoiding the unnecessary risks and performance degradation.
For more information on WebNOT, check Raptor’s URL at http://www.raptor.com/products/webnot/webnot.htm.
HTTP Service limitations
In addition to the WebNOT blocker, the Eagle gives you the tools you need to limit Web access and content retrieval. Controls available for HTTP rules include:
- Filtering of designated MIME types, including Java applets
- Filtering of file types by extension
- Filtering by designated URL
- Automatic filtering of specific HTTP attacks related to buffer overruns, embedded 8-bit characters and illegal URL formats
Raptor’s UNIX firewall is available on Sun Solaris and HP-UX. Now in its fourth generation, Eagle NT provides the same robust security and flexibility of our award winning UNIX variant, tightly integrated with the Microsoft Windows NT platform.
The Eagle supports the broadest range of authentication types in the industry. Its design makes it easy to combine weak forms of authentication (like gateway password and NT domain) and strong, single-use password schemes in a single rule.
According to Raptor, the Eagle firewall family is also the first commercially available firewall to offer full support for IPSec, including DES, triple DES and RC2 encryption. Additional standards supported include SNMP V1 and V2 traps, and NT Domain, TACACS+ and Radius authentication types.
Milkyway’s SecurIT FIREWALL - a Factory Hardened BSDI Kernel
Milkyway Networks, incorporated in 1994, is a leading global supplier of Internet and Intranet security applications designed to safeguard corporate-wide information. The company’s vision is to provide a single security solution for internetworking, no matter where users or servers are located on the network.
SecurIT FIREWALL is the centerpiece of the Milkyway SecurIT SUITE, the industry’s first bundled suite of security products that leverages the power of Milkyway’s flagship Black Hole technology with a secure, remote access product and a network security auditing tool. Milkyway’s firewall product has been evaluated by the Canadian Security Establishment as an information security product achieving international draft functional specifications and "tested and certified" by the National Computer Security Association in the US. It has also been identified by Network World as the most innovative firewall. Milkyway is the first firewall vendor to incorporate a "factory hardened" UNIX kernel, which experts agree is more secure than other approaches that merely filter out unauthorized Internet addresses or use unhardened operating systems. Figure 14.47 shows a screenshot of Milkyway’s Web site.
For more information, contact Milkyway Networks Corp., 2650 Queensview Drive, Suite 150, Ottawa, ON - CANADA, K2B 8H6 or via their distributor in the U.S., North Eastern, 109 Danbury Road, Office #4B, Ridgefield, CT, USA, 06877. By telephone, dial (613) 596-5549 or (800) 206-0922, Fax: (613) 596-5615, or via e-mail at firstname.lastname@example.org and Web site at URL http://www.milkyway.com/
A Bullet Proof FIREWALL
SecurIT FIREWALL acts like a security guard to protect your private network from the Internet, as seen on figure 14.49. But the people at Milkyway know that the security guard itself must be protected to remain effective. Protection is crucial: you do not want your security guard to be attacked while on duty.
To protect the firewall, the SecurIT FIREWALL kernel has been "hardened" to eliminate insecure processes. Thus the firewall is very secure and will stand up to any attack. In fact, SecurIT FIREWALL also monitors for many types of attacks and alerts the system administrator if an attack is in progress. Figure 14.50 illustrates how SecurIT FIREWALL controls and monitors network visibility.
Building a Secure Kernel
For any operating system, the Kernel is responsible for resource allocation, low-level hardware interfaces, and security. The configuration of the kernel dictates the functions that the operating system supports and includes everything from basic functions like hard drive access and video support, to more advanced features such as sound card support. To enhance security, Milkyway also suggests a dual SecurIT FIREWALL setup, as illustrated on figure 14.51, but the secure kernel is one of the main features of SecurIT FIREWALL.
Configuring a Dual SecurIT FIREWALL
The following policy is used in this configuration:
In this configuration, all the internal users on both the Private Network and the Inside Network still enjoy transparent access, and the Inside Network is immune to a man-in-the-middle attack mounted from the Internet.
The Dual SecurIT FIREWALL configuration provides the ultimate defense against man-in-the-middle attacks to the protected sub-network and allows all users (private and sub-net) transparent access to the internet.
To build a secure kernel for SecurIT FIREWALL, Milkyway started with a standard UNIX kernel for the platform on which SecurIT FIREWALL was to run (a Sun Sparc kernel and a BSDI kernel). Then the kernel was modified to remove all non-essential functions, resulting in a kernel that only supported TCP/IP networking, hard drive access, and similar basic functions on a restricted selection of platforms. The result is a specialized and very secure kernel but with limited functionality.
Functionality was carefully added to support the needs of a firewall. Care was taken to ensure that all functionality that was added was secure. The resulting SecurIT FIREWALL kernel is a very secure hardened kernel that has limited and specialized functionality. In addition, the kernel has also been made untouchable so that it cannot be accidentally modified (and its security compromised) by the administrator.
This limited functionality means that the SecurIT FIREWALL kernel does not support a wide range of devices but support is limited to devices essential to a firewall. As new devices are developed, before they can be supported by the SecurIT FIREWALL kernel they must be evaluated by Milkyway and only added if they are essential and a secure way can be found to support them.
For this reason SecurIT FIREWALL does not support all types of network cards. In fact, support for two network cards was not added to the kernel because the vendors of the cards could not supply Milkyway with drivers that would allow secure support of the product.
SecurIT FIREWALL Kernel Modifications
When designing SecurIT FIREWALL, Milkyway examined the standard kernel and identified seven network functions that can cause security vulnerabilities. To protect against these vulnerabilities, the SecurIT FIREWALL kernel:
- Disables automatic source routing so that the firewall does not route any packets automatically. All packets that are received by the firewall must be authenticated.
- Disables Internet Control Message Protocol (ICMP) redirect functions. If enabled, these functions allow remote users to change routing. Disabling ICMP redirect protects SecurIT FIREWALL from this sort of tampering.
- Disables IP forwarding so that the firewall does not act as a router. All TCP and UDP packets are forced to be processed at the application layer rather than the kernel layer, where the packets can be authenticated.
- Disables communications on the syslog ports. The syslog ports are used by the SecurIT FIREWALL system log and disabling communication on these ports protects the firewall system log from being altered.
- Monitors all 64,000 TCP/UDP ports to detect all connection attempts. No connection is possible on any port until it is authenticated. No other firewall is able to monitor all ports.
- Verifies IP packet direction to eliminate the possibility of an intruder on the Internet masquerading as an internal IP source address. This firewall also verifies the direction of the traffic flow to detect and log all IP spoofing, and masquerading attempts. Milkyway’s firewall also verifies packet direction for all interfaces to the firewall, not just the interface to the Internet (called the insecure interface).
- IP packet absorber functionality has been added, so that the network layer accepts any packets received on any of its configured devices. All packets are forwarded to the kernel layers above the network layer. This permits SecurIT firewall to spoof the originating host into believing that Black Hole is the actual destination machine.
Kernel Security Features are Certified By CSE
According to Milkyway, SecurIT FIREWALL successfully completed an EAL-3 Common Criteria (CC) evaluation from the Communications Security Establishment (CSE).
The CSE, a Canadian federal government organization, evaluates commercially available information security products under the Trusted Product Evaluation Program (TPEP) to ensure that such products meet stated functional specifications. Thus, the Canadian Security Establishment (CSE) has certified that the Black Hole technology, including the basic secure kernel and all of the additions made to the kernel, function as documented.
Key management is one of the most difficult and crucial aspects of providing a usable and trusted virtual private network. The basic problem is how to provide all trusted users with access to up-to-date keys while keeping private keys from being intercepted by people outside the realm of trust.
SecurIT FIREWALL uses the Entrust Public Key Infrastructure (PKI) as a mechanism for authentication and encryption using public keys. This PKI is based on the X.509 standard for authentication and encryption.
Automated key distribution using Nortel Entrust PKI means that once identity is established, distribution of public keys is managed automatically. Key distribution using an X.500 database and Version 3 X.509 certificates can be centrally managed by a third-party key management service or by an in-house key management system.
Automated key distribution provides all SecurIT FIREWALLs on the VPN with easy access to up-to-date public keys for any other SecurIT FIREWALL on the VPN.
Key Management and Certification Service
A third-party key management service, such as Stentor’s OnWatch, uses an Entrust/Server to create an identity for each node of your VPN. The identity includes public keys, which are stored in the key management service’s X.500 public key database. Figure 14.52 illustrates this concept.
When two SecurIT FIREWALLs use Entrust/Session to start a VPN session, they authenticate each other using SPKM. The key management service is also the certificate authority for authentication of the public key. The advantages of using a key management service are the ability to provide the best security possible with a minimum of administration.
In-house Key Management
In-house key management involves creating an X.500 database behind one of the SecurIT FIREWALLs on the VPN. Entrust/Server can be used to create identities and manage public keys in the X.500 database, as shown on figure 14.53. In-house key management can provide virtually the same quality of security (key management and certificate authority) as using a key management service. But keep in mind the operating cost of this, as running Entrust/Server in-house and maintaining an X.500 database is usually an option for larger organizations.
Manual Public Key Management
The key management and distribution systems described previously employ Entrust/Session running on SecurIT FIREWALL and Entrust/Server to provide key management. A third option is to use Entrust/Lite to provide key management and create public and private keys for each SecurIT FIREWALL on the VPN, as shown on figure 14.54.
Entrust/Lite incorporates the standard Entrust features, except that Entrust/Lite does not require an X.500 infrastructure and does not support automated key distribution. Instead, Entrust/Lite creates an address book containing public keys for each SecurIT FIREWALL on a VPN. This address book must be distributed to each SecurIT FIREWALL, and each copy of the address book must be kept up-to-date.
SecurIT FIREWALL supports the use of private keys for data encryption and decryption, as shown on figure 14.55. Note that while a private key system requires very little overhead, it may be difficult to keep private keys for many SecurIT FIREWALLs up-to-date in a reliable and secure manner.
Something Else You Should Know: Ubiquitous Monitoring of All Ports
As mentioned in the section above, SecurIT FIREWALL is the only firewall capable of listening ubiquitously to all ports to detect and report any attempt to communicate with the firewall. SecurIT can intercept any attempt by an intruder trying to gain access to the firewall or the private network being protected by the firewall. When an intruder is detected, SecurIT logs all of the details of the intrusion attempt and alerts the system administrator.
Securely implementing Internet access, Intranets and Extranets is as confusing as ever, with a myriad of security technologies, claims and concerns to consider. While "crackers" account for the vast majority of external intrusion attempts, internal incidents account for 70% of all security compromises. Industrial espionage is the most serious threat to a company, though it accounts for a very small portion of detected problems. Therefore, a layered "belt and suspenders" approach is essential for protecting your organization's networked assets. Figure 14.56 shows the fundamental components of corporate security as seen by Milkyway, which form the basis for their firewall product development.
Watch for Port Numbers: The Milkyway Way
For a packet of information to be received by a computer communicating across the Internet, the packet must include a port number. The port number identifies the network service required to receive the packet. For example, if a computer is running an FTP network application, it can receive packets containing the FTP port number. If no FTP network application is running, the computer cannot receive FTP packets.
All network applications are assigned a port number. FTP uses port 21. Telnet uses port 23 and so on. There are a total of 64,000 ports. The port number is used by a computer receiving a packet to determine what application or service is required for the packet. If there is a network service running that can receive the packet, the computer can receive information on that port. If the network service is not running, then the computer does not receive information on that port.
A common first step to gaining access to a computer is to run a port scanning program against the computer. The port scanner attempts to communicate with the computer using each communications port and reports back the ports that receive information.
Knowing which ports receive information lets an intruder know what network services can be used to access the computer.
For example, if the port scanner found that the computer was accepting packets sent to port 21, this means that the computer is capable of communicating using FTP. This allows the intruder to attempt to use an FTP program to access the computer or to exploit known FTP weaknesses.
One of the strongest features I find in SecurIT is that it listens on all ports. Listening on all ports means that this firewall accepts communications on all 64,000 ports, which has two important consequences:
- All ports accept communications
- All attempts to connect to the firewall are intercepted.
As far as I can tell, as I write this section (August 1997), listening on all ports is unique to SecurIT firewall. This is a very important feature, as an effective way to protect a system from unauthorized access is to prevent an intruder from learning anything about the system. As discussed earlier, port scanning normally provides an intruder with exploitable information about a system. However, if all the hacker learns is that all ports are accepting communications he/she is no further ahead. There is nothing to distinguish one port from another. No new information is gained.
Further, any attempt to connect to any port on a SecurIT firewall is recorded by the Logging Facility. The information logged includes the source address of the connection attempt. This information can then potentially be used to determine the source of the attack.
In addition, the Alarm Facility of this firewall continuously analyses logging information and will raise an alarm if compromising activity (such as port scanning) is recognized.
Defending Against Common Attack Methods
As discussed earlier, listening on all ports protects SecurIT FIREWALL, and the networks behind SecurIT FIREWALL, from most attacks. In addition to the broad-band protection offered by listening on all ports, SecurIT FIREWALL has other security features built in to protect against other kinds of attempts to gain unauthorized access.
A buffer overflow occurs when a program adds data to a memory buffer (holding area) faster than it can be processed. The overflow may occur due to a mismatch in the processing rates of the producing and consuming processes, or because the buffer is simply too small to hold all the data that must accumulate before some of it can be processed.
Software can be protected from buffer overflows through careful programming, but if a way to cause a buffer overflow is found, the computer running the software can be compromised. If a user accesses a computer across the Internet and intentionally causes a buffer overflow, the program that the user was running may crash but the user may remain connected to the computer. Now, instead of accessing the computer through the controlled environment of the program, the user may have direct unrestricted access to all of the data on the computer.
Milkyway codes the programs (for example, proxies) that run on SecurIT FIREWALL to stop buffer overflow from occurring. Even if a buffer overflow occurs, the proxy crashes because the memory "box" in which the proxy runs is protected from buffer overflow. Also, when the proxy crashes the user is disconnected because the connection depends on the proxy.
In addition, protecting the memory buffer means that the firewall keeps running and security is not compromised. If a firewall that is not protected in this way encounters a buffer overflow the entire firewall may crash, causing a service disruption.
Trojan Horses Running on the FIREWALL
If you remember, a Trojan horse is a program designed to break security or damage a system but that is disguised as something benign. There is no way to load or run unauthorized applications on SecurIT FIREWALL. Thus a program used to create a Trojan horse would not be able to run.
Spoofing can occur when a packet is made to look like it came from an internal network even though it came from an external one. SecurIT FIREWALL eliminates spoofing by recognizing the firewall interface that specific source addresses can connect to. If a port receives a packet that should only be received at another port, the packet is denied.
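The interface-based anti-spoofing rule described above, written out as an added example (not Milkyway's code): each firewall interface is bound to the source address ranges that may legitimately arrive on it, and a packet whose source address belongs on a different interface is denied. The interface names and address ranges are assumptions made for the example.

```python
"""Interface-based anti-spoofing check (added example, not SecurIT's code).

A packet is only accepted if the interface it arrived on is the interface
that its source address is bound to; an "internal" source address seen on
the external interface is the classic spoofing case and is denied.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical bindings for a three-interface firewall. An empty list marks
# the catch-all interface: everything not claimed by another interface
# (i.e. the public Internet) is expected to arrive there and nowhere else.
INTERFACE_NETWORKS = {
    "internal": [ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("192.168.0.0/24")],
    "bastion": [ipaddress.ip_network("172.16.5.0/24")],
    "external": [],
}


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet arrived on
    src: str         # source IP address
    dst: str         # destination IP address


def interface_for_source(src, bindings=INTERFACE_NETWORKS):
    """Return the interface a packet with this source address must arrive on,
    or None if no interface (not even a catch-all) is bound to it."""
    addr = ipaddress.ip_address(src)
    catch_all = None
    for iface, nets in bindings.items():
        if not nets:
            catch_all = iface
            continue
        if any(addr in net for net in nets):
            return iface
    return catch_all


def check_packet(pkt, bindings=INTERFACE_NETWORKS):
    """Return ("permit"|"deny", reason) for one packet."""
    expected = interface_for_source(pkt.src, bindings)
    if expected is None:
        return "deny", f"no interface is bound to source {pkt.src}"
    if expected != pkt.interface:
        # Source claims to be on one side of the firewall but arrived on another.
        return "deny", (f"source {pkt.src} belongs on {expected} "
                        f"but arrived on {pkt.interface}: spoofed")
    return "permit", "source address consistent with arrival interface"


def denied(packets, bindings=INTERFACE_NETWORKS):
    """Filter helper: the packets that would be dropped, with their reasons,
    in the form a logging facility would record them."""
    out = []
    for pkt in packets:
        verdict, reason = check_packet(pkt, bindings)
        if verdict == "deny":
            out.append((pkt, reason))
    return out


if __name__ == "__main__":
    # Constructed sample traffic: one genuine internal packet, one spoofed one.
    sample = [
        Packet("internal", "10.1.2.3", "198.51.100.7"),
        Packet("external", "10.1.2.3", "10.1.0.10"),     # spoofed
        Packet("external", "198.51.100.7", "10.1.0.10"),
        Packet("internal", "198.51.100.7", "10.1.0.10"), # wrong side
    ]
    for pkt, reason in denied(sample):
        print(f"DENY {pkt.interface} {pkt.src} -> {pkt.dst}: {reason}")
```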
Sniffing involves observing and gathering compromising information about network traffic in a passive way. This can be done by any node on a non-switched Ethernet. On non-broadcast media (for example, ATM, T1, 56k, ISDN) an intruder would either have to be in the telephone switches, have physical taps, or easiest, break into any router where the data travels.
SecurIT FIREWALL does not prevent people from sniffing the external network. As a matter of fact, no firewall can prevent that! However, since the firewall keeps external people from breaking into the internal network, this effectively prevents external people from running sniffers on the internal network.
Hijacking a connection involves predicting the next packet in a TCP communications session between two other parties and replacing it with your own packet. For example, hijacking could be used by an intruder to insert a command into a Telnet session. To hijack successfully, an intruder must either make an educated guess about the TCP sequence information, or be able to sniff the packet.
Hijacking is a threat because the intruder can wait for users to authenticate themselves, and then the intruder can take over the authenticated connection. Hijacking of a connection can happen no matter how strong the authentication required to start the connection.
Since traffic on the networks protected by SecurIT FIREWALL cannot be seen, and cannot be sniffed, this firewall prevents hijacking attacks on traffic that does not pass through the firewall. Figure 14.57 shows Milkyway’s product family at a glance, positioned to protect against all the issues discussed in this section. Figure 14.58 shows a screenshot of Milkyway’s site at URL http://www.milkyway.com/prod/info.html, which provides a product information matrix. I recommend that you access this page for additional information.
The following are the recommended system requirements for configuring SecurIT:
- Pentium and Pentium Pro processor systems (single and dual processor configurations)
- 32MB local memory
- 2 Ethernet connections (with optional additional independent connections)
- UNIX SVR4 compliant
- 2GB hard disk
- 17-inch color monitor
- 4mm DAT backup medium
- High resolution super VGA video interface
- Tower enclosure (or optional rack-mountable chassis)
WatchGuard Technologies’s Watchguard Firebox System - Combining All Major Firewall Approaches into a Firebox
Founded in 1996 and based in Seattle, Washington, WatchGuard Technologies' founders and engineers have expertise in network management and firewall technology from previous entrepreneurial ventures, including the highly successful Networx and Mazama Software Labs. WatchGuard Technologies is building on this heritage by delivering next-generation Internet/intranet security products that eliminate the cost and complexity associated with current offerings and feature powerful hybrid firewall technology plus intelligent security management at an affordable price. During late summer of 1997, the company unveiled WatchGuard SchoolMate, the first firewall product intended specifically for use in schools. Based on the low-cost, plug-in appliance designed for mid-sized corporations, it integrates Microsystems' CyberPatrol filtering software with the WatchGuard Firebox system.
According to WatchGuard Technologies, their firewall product, Watchguard Security System, is the industry’s first network security appliance and Windows-based security management system. It is also the industry’s lowest cost complete firewall solution, and the first to bring high function firewall protection to Microsoft network administrators without extensive UNIX networking expertise.
The WatchGuard Security System is also the first product to Figure 14.59 shows a screenshot of WatchGuard Technologies Web site.
For more information, contact WatchGuard Technologies Labs, Inc. at 316 Occidental Avenue South, Suite 300, Seattle, WA 98104. Tel.: 206/521-8340 and Fax: 206/521-8341. Or you can visit their Web site at URL http://www.sealabs.com
WatchGuard at a Glance
WatchGuard offers all the major approaches to firewall design (packet filtering, proxies and stateful inspection), as many of its competitors do, but at a low cost and with an easy-to-use interface. It also adds features not easily found in similar products, such as inspection of executable content such as Java and ActiveX, and the ability to e-mail you traceroute and finger information.
Basically, the WatchGuard System consists of the WatchGuard Firebox, a network security appliance featuring a Pentium processor, and WatchGuard Security Management System (SMS), software that runs on Windows NT, Windows 95 and Linux workstations.
The WatchGuard "point-and-click" approach makes it very easy to install and configure the firewall. Configuration information is presented on a service-by-service basis, allowing you to set up security even if you don’t have extensive knowledge of your network. You only add the Internet services you wish to enable, keeping access to a minimum and security to a maximum. Also, WatchGuard’s visualization tools allow you to get a complete picture of your network security and see overall trends and network usage patterns.
WatchGuard has the ability to automatically warn you of security-related events occurring at the firewall. It delivers these messages by e-mail, pager, or custom script to almost any device, computer, or program that you use. It can provide detailed logging of every firewall event or simply record events that you designate to be significant. Thus, you can test for "holes" and see at-a-glance what visitors to your site can and cannot do.
The Firebox itself is a dedicated network security "appliance". It contains a real-time firewall operating system giving you the ability to be up-and-running right out of the box. The firewall operating system does not allow user log-ins and only supports encrypted connections to the Firebox from the SMS software.
As a standalone element, the security appliance is a specialized solution. As such, the WatchGuard Firebox is more reliable than a general-purpose system modified to do the specialized work of network security.
Other advantages associated with the standalone, dedicated nature of the appliance include the following:
- It plugs into the network and is operational within minutes. As a dedicated device rather than a general-purpose computer, it is simpler to boot up and run.
- It is managed from an ordinary desktop Windows 95 or NT PC that is used for other functions, yet it serves any network: PC, Macintosh, or a cross-platform environment.
- Its specific configuration makes it easier to verify security performance. In a general-purpose OS, a stew of network drivers, devices, and third-party software produces unbounded and sometimes undetectable security risks.
- Its exclusive focus on security ensures that it does not degrade the router or the network server's performance.
WatchGuard is built around the basic premise that unless an external user has authorization for a specific activity, then that external user is denied an inbound connection. The second premise is WatchGuard’s ability to enforce security even if your network fails. It ensures that your site and the SMS software itself are not under attack by intruders. If WatchGuard suspects that its own software has been tampered with, it shuts off access to your network before an intruder can circumvent its protective screen.
WatchGuard Security Management System
As illustrated on figure 14.60, WatchGuard consists of two major components, the Security Management System (software) and the Firebox (hardware). The Security Management System (SMS), as shown on figure 14.59a, configures and monitors the Firebox and performs logging and notification of firewall events. SMS provides a secure gateway or firewall between any combination of IP hosts and IP networks. It can act in the following ways:
- InternetGuard, to protect corporate networks and bastion hosts from the Internet and to define company-level security
- GroupGuard, to protect departmental systems, restrict information and packet flow and define group-level Internet privileges
- HostGuard, to protect mission-critical servers with crucial databases
WatchGuard's Security Management System runs on standard Windows 95, Windows NT or Linux workstations that can be connected to the WatchGuard Firebox over a LAN or directly via a serial cable connection. WatchGuard SMS software includes all firewall setup and configuration software as well as the WatchGuard graphical user interface which is based on a service-centric model, meaning that you add only the services that you wish to enable, keeping access to a minimum and security to a maximum.
The WatchGuard SMS includes a powerful alarm and event notification system that serves to alert you to attempted security attacks while automatically blocking scans. It also includes a "reverse probe" capability that traces scan attempts back to the originating host address.
With the event notification system, network managers can choose to be notified of attempted break-ins either via email or pager messages. They also can establish a threshold number of attempts to set off the alarm system in order to avoid being "flooded" with messages.
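The kind of scan recognition that SecurIT's Alarm Facility performs on its connection log, with the alarm threshold WatchGuard uses to keep from "flooding" the administrator, as an added example that is neither vendor's code. The log format, field names and addresses are constructed for the example; a source is alarmed when it touches at least `threshold` distinct ports within `window`, and repeated hits inside an already-alarmed window only update the existing alarm.

```python
"""Port-scan recognition over a connection-attempt log (added example).

Each record names the time, source address and destination port of one
connection attempt; the log format here is constructed, not any vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record shape: "<ISO time> connect src=<ip> dport=<port> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) connect src=(?P<src>[\d.]+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, source, dport) or None for a line that is not a record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["src"], int(m["dport"]))


def detect_scans(lines, threshold=10, window=timedelta(minutes=5)):
    """Raise one alarm per source per window in which that source attempted
    connections to at least `threshold` distinct destination ports.

    Counting distinct ports rather than raw attempts keeps a busy but
    legitimate client (many hits on one service) from triggering an alarm.
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    per_src = defaultdict(list)            # src -> [(ts, dport), ...] in time order
    for ts, src, dport in events:
        per_src[src].append((ts, dport))

    alarms = []
    for src, hits in per_src.items():
        start = 0                           # left edge of the sliding window
        alarmed_until = None                # suppress new alarms until this time
        current = None
        for i, (ts, dport) in enumerate(hits):
            while hits[start][0] < ts - window:
                start += 1
            distinct = {p for _, p in hits[start:i + 1]}
            if len(distinct) < threshold:
                continue
            if alarmed_until is not None and ts <= alarmed_until:
                # Still inside an alarmed window: extend the open alarm, no new message.
                current["last"] = ts
                current["ports"] = max(current["ports"], len(distinct))
            else:
                current = {"src": src, "first": hits[start][0], "last": ts,
                           "ports": len(distinct)}
                alarms.append(current)
                alarmed_until = ts + window
    return alarms


# Constructed sample log: one scanner, one busy legitimate client, one source
# that scans twice half an hour apart, and one line that is not a record.
_T0 = datetime(1997, 8, 12, 10, 15, 0)
_T1 = datetime(1997, 8, 12, 11, 0, 0)
_T2 = datetime(1997, 8, 12, 11, 30, 0)


def _line(ts, src, dport):
    return f"{ts.isoformat()} connect src={src} dport={dport} iface=external"


SAMPLE_LOG = (
    [_line(_T0 + timedelta(seconds=i), "203.0.113.9", 21 + i) for i in range(15)]
    + [_line(_T0 + timedelta(seconds=i), "198.51.100.7", 80) for i in range(20)]
    + [_line(_T1 + timedelta(seconds=i), "192.0.2.5", 1000 + i) for i in range(10)]
    + [_line(_T2 + timedelta(seconds=i), "192.0.2.5", 2000 + i) for i in range(10)]
    + ["this line is not a connection record and is skipped"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"ALARM {a['src']}: {a['ports']} ports between "
              f"{a['first'].time()} and {a['last'].time()}")
```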
The WatchGuard graphical interface, as you can see on figure 14.61, is based on a service-centric model, meaning that you add only the services that you wish to enable, keeping access to a minimum and security at a maximum. WatchGuard’s operating system has been "hardened", like many other products reviewed in previous sections, which helps to eliminate security holes and ensures reliability.
The following is an itemized list of features available with WatchGuard:
- Block unwanted traffic into and out of the network
- Camouflage of internal host IP addresses from outside network
- Inspect e-mail for likely hacker commands
- Control FTP privileges
- Inspect Web traffic for dangerous mime types (i.e. Java, ActiveX, PostScript, etc.)
- Notification system alerts you to attacks and scams
- Visually depict traffic and usage
- Optional add-on modules
As mentioned earlier in this section, WatchGuard consists of two major components, the Firebox (hardware) and the Security Management System (software). The WatchGuard Firebox is a hardware firewall platform that runs the transparent proxies and the dynamic stateful packet filter to control the flow of IP information.
The WatchGuard Firebox resides between your router and your trusted local network, which connects to local workstations and servers. The Firebox also provides an interface for an optional bastion network which might contain servers (for FTP and World Wide Web for example) you wish to be accessible from the Internet with different access policies than the machines on your trusted local network.
The Firebox is a specially designed, properly optimized machine for running the WatchGuard firewall. It is designed to be small, efficient and reliable, as seen on figure 14.62.
The following is an itemized list of the Firebox features:
- Real-time embedded operating system
- Stream-lined firewall engine
- Camouflages internal addresses
- Tamper-proof operation
- Inspects and blocks unwanted traffic
WatchGuard’s Global Console
As shown on figure 14.63, the WatchGuard Global Console depicts the real-time status of each firewall on the network. It gives network administrators the ability to easily manage multiple firewalls from a single location.
Essential information about each Firebox, such as contacts, phone numbers, IP addresses, and configuration information, is organized and accessible for each Firebox making on-the-fly configuration and monitoring quick and easy.
For management ease, an overview of the real-time status of all Fireboxes on the Internet is summarized on one screen. Easy-to-understand icons indicate various firewall states including whether or not the system is running, the amount of traffic over the firewall, or if a packet has been denied. The console also generates in-depth details about each state, as illustrated on figure 14.64.
The following is an itemized list of the main features available in the Global Console:
- Real-time status of all Fireboxes summarized on one screen
- Easy-to-understand icons
- Configure any Firebox from a single location
- Critical and important information organized for easy access for each Firebox
- Encrypted session links to multiple Fireboxes
- Easy zoom in to detailed information for each individual Firebox with standard SMS tools.
WatchGuard Graphical Monitor
The WatchGuard Graphical Monitor is the perfect complement to the WatchGuard Security Management System (SMS). It is composed of three separate programs that monitor three different aspects of your network.
- HostWatch, as shown on figure 14.65, shows real-time graphical representations of host-to-host activity on your network, allowing you to watch as connections begin and end. Arrows indicate the direction of the connection and the type of service is indicated by icons, displaying at a glance the type of connection that is occurring between hosts. HostWatch also allows instant replay of activity based on your log files. This allows you to review your network’s activity at your leisure, or look for patterns over several days or months.
- ServiceWatch, as shown on figure 14.66, plots the number of connections occurring for a specific service so that you can monitor the composition of your network traffic.
- The Mazameter monitors the amount of bandwidth being used by your network. It can graph usage on scales, as shown on figure 14.67, from dial-up to full T1 to identify when your Internet connection is busiest.
WatchGuard Reporting System
Tired of searching through logs and writing custom scripts to sort and tally your network usage? The WatchGuard Historical Reporting Module, as seen on figure 14.68, provides an easy interface which gives you a quick summary of network activity, as well as the ability to export the information to any database.
Configurable searching based on time spans, clients, and services is available with the WatchGuard Historical Reporting Module. As you can see on figure 14.69, standard reports include top ten clients, top ten services, incoming connections based on time of day, outgoing sessions for a particular client during a particular time, and many more.
WatchGuard WebBlocker is a tool that provides tailored management control over web surfing putting Web site access privileges fully under the control of corporate managers. Because WebBlocker is flexible, users can block all browsing of the Web by user group and times of day.
For example, corporate managers can use WebBlocker to prevent selected departments and work groups from accessing all of the selected site categories (see figure 14.70) during normal business hours, but allow access to categories such as sports and leisure during lunch breaks and after 5:00pm. WebBlocker also provides users the ability to add the names of sites they wish to permanently block or permit, as shown on figure 14.70a, in keeping with their corporate access requirements.
WatchGuard WebBlocker is based on Microsystems Software’s Cyber Patrol database. Each week an automated update of the WebBlocker database is downloaded via a secure, encrypted Internet connection. The supported site categories cover questionable or inappropriate content.
WebBlocker set-up software vastly simplifies the creation of customized group profiles as well as other configuration tasks, as shown on figure 14.70b. The WebBlocker set-up walks users through each step of the process and lets them map different access privileges to different groups using simple point-and-click operations.
As I write this section, WatchGuard SchoolMate stands as the first firewall product intended specifically for use in schools.
WatchGuard SchoolMate is an affordable system that meets all four security challenges to support productive classroom use of the Internet. It protects students and educators from falling victim to Internet abusers of all kinds, as it plugs security holes as soon as it's plugged into the network.
WatchGuard SchoolMate’s main components are these:
- The WatchGuard Firebox houses core firewall functions in a standalone device and plugs into a school network in minutes. In contrast, software-based firewalls generally require two or more days for installation and can carry a five-figure price tag. In addition, WatchGuard can serve any network: PC, Macintosh, or a cross-platform environment.
- WebBlocker software, which relies on Microsystems' CyberPatrol service, is highly regarded by K-12 educators as the most discriminating "guidance system" for student Internet use. WebBlocker allows educators to establish times of restricted and unrestricted use and categories of sites blocked. The site-blocking feature also allows educators to customize these categories.
- The WatchGuard Graphical Monitor module shows real-time graphical representations of host-to-host activity on the school network, enabling educators to see which sites students visit and what they do there. It plots connections so educators can monitor the composition of their network traffic. The Graphical Monitor module also measures the bandwidth being used by the school network and provides instant replay of network activity.
- The WatchGuard Historical Reports module keeps track of students' Internet activities by providing daily, weekly or monthly reports in an easy-to-read summary format. It produces "suspicious activities summaries" that serve as an early warning system of potential security breaches.
For more detail on the challenges of Internet use in schools and WatchGuard SchoolMate's role in overcoming them, check the paper entitled "Surfing Schools: Issues and Answers regarding Students on the Internet" at http://www.watchguard.com/schoolmate.
WatchGuard’s VPN Wizard
Virtual private networking (VPN) is a standard feature of the WatchGuard system. The combination of VPN-enabling software (User Authentication combined with Remote-User VPN) in WatchGuard's standard bundle of security features makes it the first company to provide protection for an extended network to remote users at no additional cost. WatchGuard also offers Branch Office VPN software for companies whose network includes multiple locations, such as branch offices.
Activating the Remote User VPN to include mobile workers merely involves clicking on a dialog box in the WatchGuard Security System software. The Remote-User VPN component of WatchGuard's standard system relies on Microsoft's industry standard Point-to-Point Tunneling Protocol (PPTP).
Windows NT 4.0 and Windows 95 machines are either equipped with PPTP or are PPTP-ready (can run Dialup Networking 1.2), so users of the WatchGuard system can have literally no additional costs if they wish to extend their secure network to include mobile workers. To use the VPN, workers on the road dial into their ISP or corporate network via standard remote access. A "tunnel" is created with the PPTP. All traffic then flows transparently through the secure tunnel across the public network.
The complexity of setting up a virtual network of branch offices is simplified too, with the VPN Wizard. Like the 'wizards' that accompany much Windows software, the VPN Wizard guides you through a set-up process. In this case, it simplifies establishing the VPN no matter how many branch offices are included in the extended network.
The VPN Wizard enables you to establish the Branch Office VPN with point-and-click ease, as the Wizard steps through the process of setting up remote sites and configuring the remote Fireboxes for VPN - all from a single location.
The following is an itemized list of the minimum requirements recommended by WatchGuard Technologies Inc. to run WatchGuard:
- Pentium-class processor
- Minimum 16 MB RAM
- Windows 95, Windows NT or Linux network client
- 3.5" floppy drive
- Hard disk with 5 MB of free space (50 MB if same workstation is used for logging)
- SVGA display adapter and monitor
- Modem for pager notification (optional)
AltaVista Software’s Firewall 97 - The Active Firewall
AltaVista is dedicated to developing and marketing software products for use in the emerging, integrated Internet/Intranet business environment. Their portfolio of innovative software products enables you to:
- find useful information
- control access to information and transmit it securely
- collaborate and communicate from multiple locations.
AltaVista products and services are designed to integrate all levels of your working environment, from the Internet and enterprise, to workgroup and individual use, to allow location and platform-independent computing.
To increase global awareness of the AltaVista brand and showcase AltaVista software technologies and products, the company provides the already well-known AltaVista Search Public Service, which is the world’s most popular Internet search engine, and other Internet services free on the World Wide Web. They also license their Internet services to major telecommunications and media companies outside the United States, and to major Internet content providers.
Figure 14.71 shows a screenshot of the AltaVista Firewall Center Web site.
For more information, contact AltaVista Software Inc., 30 Porter Road, Littleton, MA, Tel.: 508-486-2308, Fax (508) 486-2017. Or you can visit their Web site at URL http://www.altavista.software.digital.com
AltaVista Firewall: Always in Motion
The AltaVista Firewall keeps constant watch on the network day and night, actively deploying evasive action technology to detect and stop network attacks.
The active firewall offers maximum security based on a unique four-tiered alarming system. This alarming mechanism automatically takes actions not only on the attack itself but also on its context.
As a result, AltaVista Firewall provides better tools to fight against repetitive or multi-proxy threats. Furthermore, AltaVista Firewall 97 also provides a wide spectrum of actions to respond to any attack level. These include mail or paging to system administrators, custom scripts, and even service or firewall shutdown to guarantee the protection of your assets under any circumstances.
According to AltaVista Software, their firewall is quick and nimble enough to be called the Active Firewall. It’s the only one that independently reacts to network violations while alerting you via pager, e-mail, or audio alarm, and even shutting down the firewall against heavy attacks.
AltaVista Firewall 97 for Windows NT provides a flexible and secure connection between your private network and the Internet, or other insecure public TCP/IP networks. It prevents unauthorized access to your private network, while providing controlled access to Internet services to users within your network. According to Data Communications Magazine (March 21, 1997) AltaVista Firewall 97 "shines in ease of management."
According to the vendor, this firewall is the only one that takes an active role in your security management. With its unique intelligence, it warns you of impending danger of intrusions, is constantly looking for threats to your defined security zone, and takes evasive action when attacks do occur. Figure 14.71a is a screenshot of Firewall 97’s main menu.
AltaVista Firewall 97 combines trusted application gateways, comprehensive logging, reporting, real-time alarms, strong authentication, graphical user interface (GUI), and a step-by-step installation wizard all in one software package. Also, according to my lab tests AltaVista is by far the fastest firewall available in its class, with no compromise on security. This demonstrates not only its high efficiency, but the tightness of its Windows NT integration.
Services: a Matter of Security
AltaVista’s firewall provides trusted application gateways to allow users access to the most common services on the Internet, including file transfer (FTP), remote sessions (Telnet), World Wide Web, Mail, News, SQL*Net, RealAudio and finger. This firewall can also be configured to allow controlled access from the internal network to the public network, and also from the public network into the internal network. Figure 14.71b shows a screenshot of the alarms for e-mail featured by AltaVista.
It also enables you to customize generic TCP application gateway, which provides secure connections to services that do not use a dedicated application gateway.
Security: Supporting SSL
AltaVista’s firewall also supports the Secure Sockets Layer (SSL), which is included with the World Wide Web proxy.
Its security model is enforced at several levels. IP forwarding is disabled and continuously monitored by the firewall alarm system. All access through the firewall must be through the trusted application gateways. A system on one side of the firewall cannot access another system on the same side of the firewall via the firewall.
This firewall also has strong authentication support, using one-time passwords. The FTP and Telnet gateways can be configured to allow access only to users authenticated through NT domain login or with hand-held authenticators. Hardware authentication cards such as SecurID cards from Security Dynamics must be purchased separately.
The comprehensive logging of all events relating to the operation of the firewall is worth mentioning. The reports it generates, which give a summary of the usage of the firewall and of individual services, are excellent. The reports can be viewed through the user interface, mailed automatically to a specified distribution list at regular intervals, or both. All reports use information from the system log files, and a wide range of summary and detailed reports is available.
Management Features: Remote Management Through Tunneling
AltaVista’s firewall has an active architecture that can take actions on behalf of the system administrator through a sophisticated alarm and notification system.
It has automatic alarms that alert the system administrator to unusual or potentially threatening events relating to the firewall. The alarm system continually monitors the firewall in real time for any events that are unusual or suspicious. The standard alarm actions, which include sending mail to the system administrator, raising the security status of the firewall, triggering a custom script, and shutting down individual services or the whole firewall, are among the main features of this firewall.
Because system administrators may have to manage several platforms, remote firewall management is consistent and compatible across all supported platforms. It implements an HTML-based user interface for the same look and feel everywhere, and is written in Java for portability.
AltaVista Firewall 97 offers remote management of firewalls in networks of any size from a centralized console running either Windows 95 or Windows NT. This is both a cost- and time-saving feature that allows system administrators to monitor their UNIX- or NT-based firewalls and take quick action.
Remote management is also offered, which allows system administrators to perform the following operations remotely:
- View/Change firewall status
- View firewall activity
- View firewall event messages
- Stop/Start firewall services
When thinking about remote management of firewalls, you must be careful about its side effect: the establishment of a weak link to the firewall via a serial port or a Telnet session on a high port. With AltaVista Firewall, remote management is done through tunneling, using AltaVista’s Tunnel. The tunnel product provides RSA 512-bit authentication, MD5 integrity and the strongest encryption available worldwide, with RSA 128-bit (U.S.) and 56/40-bit (International) keys.
The new remote management enables system administrators to view firewall activity and quickly take appropriate action. Consistent with AltaVista’s OnSite Computing vision, you are able to manage the firewall from anywhere within the intranet or from an untrusted network.
On all supported platforms, remote management displays the state of all services as well as various statuses and alarms. It also allows administrators to modify the firewall status and start or stop specific services such as FTP. Additionally, on Digital UNIX, network administrators can maintain and manage security policies, user authentication, DNS, mail, SNMP alarms and active monitoring of traffic. Furthermore, different levels of control can be assigned on UNIX: for example, one firewall administrator can monitor the status of the firewall while another can change security policies.
The installation wizard provides an easy step-by-step firewall installation, including DNS configuration. Its comprehensive graphical user interface, through which all configuration, administration and management tasks are performed, makes management of the firewall much easier.
Another great feature is the automatic shutdown of individual services, or of the whole firewall, if the firewall is under continued or repeated attack. AltaVista Firewall for Windows NT can automatically shut down the affected service or the whole firewall to prevent it from being compromised.
URL and Java Blocking
This is both a performance and a security feature. According to easily definable policies, AltaVista Firewall 97 can block URLs to preserve network performance and to restrict access to specific Web sites for productivity purposes. Security managers can define specific policies for URL access. AltaVista Firewall 97 can also detect and block Java applets entirely, or filter them selectively as they pass through the firewall, to protect against one of the most common network attacks.
The firewall’s updated Web proxy contains significant performance improvements based on code optimization and a caching implementation. It supports the following protocols:
- gopher and
It implements the CERN/NCSA Common Log Format for enhanced reporting and integration with third party analysis tools. As for other proxies, access restriction policies per user can also be combined with time limitations.
Support for the RealAudio proxy: RealAudio is an application that allows playback of audio in real time over Internet connections. Through the RealAudio proxy, managers can allow or prevent users on internal network systems with Web browsers from accessing RealAudio services on the external network. For this proxy, system administrators can specify security policy details, time restrictions and blacklists of hosts forbidden access (as with the FTP, Telnet and finger proxies).
A new generic UDP proxy allows UDP-based applications, such as Internet Chat, to pass through the firewall securely. Also, with AltaVista Firewall 97, if you are a system architect you are now free to build sophisticated, distributed networks of Oracle7 or third-party data repositories across the Internet. SQL*Net establishes a connection to a database when a client or another database server process requests a database session. The proxy is based on the Oracle Multi-Protocol Interchange (MPI), so it inherits many of the Multi-Protocol Interchange’s features.
The SQL*Net firewall proxy is able to control access based on information contained in the SQL*Net connection packet. This includes the client machine name, the destination name and the database service. The firewall also integrates the administration of this authorization list with various authentication methods such as smartcards.
AltaVista Firewall 97 broadens security policies by offering a generic TCP relay for one-to-many and many-to-one connections. Consequently, an instance of the generic relay such as news can have one server on the inside of the firewall getting feeds from multiple news servers on the outside.
This generic relay is also fully transparent outbound so there will be no need to reconfigure internal systems. The management GUI supports both one-to-many and many-to-one configurations.
Powerful and Flexible Authentication
The enhanced WWW proxy includes authentication for specific users or groups of users by any authentication scheme currently supported by the UNIX firewall, such as CRYPTOCard or reusable passwords. This feature provides system administrators with great flexibility to implement their policies with finer granularity. This authentication is integrated with the existing system management GUI on UNIX.
AltaVista also integrates the Windows NT domain authentication scheme into its firewall. This allows access to Internet services (e.g. FTP, Telnet) for users authenticated by this scheme, and finer-grained control over firewall traversal. This is a clear win for both end users and MIS managers: MIS managers can easily integrate the NT domain concept into their policies, and users can appreciate a simplified login mechanism. AltaVista Firewall 97 authenticates in both directions across the firewall.
Before the introduction of AltaVista Firewall 97, the recommended name server configuration was the hidden DNS setup, which hides the internal address space from the untrusted network. However, this recommendation required setting up a second name server within the intranet, causing some management issues.
With AltaVista Firewall 97, firewalls can now be configured as Dual-DNS servers that understand which name services are internal and which are external. This Dual-DNS server is fully configurable through the GUI-based management.
Most of us Internet managers are interested in dedicated boxes for security, performance and management reasons, correct? Well, AltaVista has been offering the capability of securely running a low-end server on the same UNIX box as the firewall. It managed to minimize the security impact through close integration between the two products. With Firewall 97, AltaVista now extends this integrated solution to Windows NT servers.
Note that the Windows NT server must be connected to the ISP through a router. Support for a direct connection over an ISDN or a dial-up line is not yet available in this firewall but, according to the vendor, will follow in a future release.
With DMZ (Demilitarized Zone) support, AltaVista 97 on UNIX offers more than a simple trusted/untrusted implementation supporting only two LAN connections. While two interfaces are often enough for an Internet-oriented firewall, many organizations need three:
- one for the Internet,
- one for public servers for such items as WWW, News and File Transfer Protocol (FTP), and
- one for the Intranet.
The introduction of DMZ support provides security managers with great flexibility when configuring their security implementations. While DMZ is fully supported, it still needs to be done outside the GUI. An application note in the GUI describes the configuration process.
AltaVista Firewall can be expanded to handle larger, more complex environments, as it supports a large variety of platforms, including Windows NT, BSD/OS and Digital UNIX, which enables it to scale easily from small businesses to enterprise environments.
AltaVista Firewall software can be used with the AltaVista Tunnel product to create a virtual private network over the Internet, with encryption and authentication passing securely through the AltaVista Firewall. Both products can run securely on the same system with a packet filter application provided with the firewall.
For more information on AltaVista’s Tunnel product, check the URL http://www.altavista.software.digital.com/tunnel/index.htm.
The product supports Remote Access Service (RAS) on NT for external connections. This feature is used most often in environments where the Internet connection is via a dial-up line.
The AltaVista Security Pack 97 contains all firewall proxies, firewall remote management and full authentication at no extra cost. It consists of a complete AltaVista Firewall 97 kit and a complete AltaVista Tunnel 97 kit.
The system requirements are:
- System: Pentium
- Disk space required for installation: 40MB
- Disk space required for use: 2GB
- Memory (RAM): 48MB, 64MB recommended for optimum performance
- OS: Windows NT V4.0 Service Pack 2 or later required
- Browsers: Netscape Navigator 3.0 or Internet Explorer 3.0
- NICs: 2 interface cards with static IP addresses
Note that the SQL*Net proxy does not run on Alpha platforms running Windows NT.
ANS Communications’s InterLock Firewall - a Dual-Homed Application Level Gateway
Advanced Network & Services, Inc., the former parent company of ANS CO+RE Systems, Inc. (ANS), was established as a not-for-profit company in 1990 by IBM, MCI and Merit -- a consortium of Michigan universities. Its mission was to advance high-speed networking technology and use. In 1994, Northern Telecom also became a member. As the principal architect of the National Science Foundation Backbone (NSFB) network service, ANS developed proprietary expertise in the design, development and deployment of large-scale, high-performance, wide area data networks.
Company founders recognized that the acceptance and adoption of this new technology by the business community would be critical to the overall success of the Internet. They established ANS CO+RE Systems, Inc., in June 1991 to target the networking and security needs of the business community. ANS’ nationwide backbone enabled large segments of the Internet to carry commercial traffic. During the following four years, use of the Internet by commercial organizations skyrocketed.
In 1995, America Online (AOL) acquired the assets of ANS CO+RE Systems, Inc. As the nation’s fastest growing provider of online services, AOL was impressed with the success ANS had in deploying and operating large scale, private networks and sought to use ANS’s networking resources to better serve their rapidly-growing customer base.
ANS uses its expertise to deliver high-speed, value-added internetworking solutions that meet the mission-critical requirements of businesses and other organizations.
ANS offers services in three areas: Enterprise Networking Services, Web Application Hosting & E-Commerce Solutions. ANS designs, engineers, installs, manages, monitors and maintains nationwide private corporate data networks over one of the fastest, largest TCP/IP networks in the world. It is dedicated to helping businesses achieve their full potential through custom-designed internetworking solutions and through the use of resources available on the Internet. ANS is also committed to focusing on network security and offering unparalleled support services to its customers.
Since its formation, ANS has been a pioneer in the Internet and has led the industry in implementing higher performance networks and the scaling of large IP networks. ANS people designed, deployed and managed the construction of the first full-duplex public 45 Mbps data network and a major backbone network of the Internet. The ANS team was the driving force behind several advanced routing technologies which enhance scalability (i.e., the ability of the network to work efficiently as the number of users and the amount of traffic increase dramatically), and thus the overall reach and performance of the Internet. ANS also supports the largest closed user group in the world: 8 million America Online subscribers. Figure 14.72 is a screenshot of the ANS Web site.
For more information, contact ANS at 1875 Campus Common Drive, Suite 220, Reston, VA 20191-1552. You can contact them by phone at 800-456-8267 from within the US or +1-703-758-7700, Fax: +1-703-758-7717. You can also send an e-mail to email@example.com or visit their Web site at URL http://www.ans.net/
ANS InterLock Firewall Service provides network access control, attempted intrusion detection/response and cost accounting functionality to help organizations protect and manage valuable Intranet and Internet resources. One of the original application-layer firewalls, it provides high granularity of control with a full line of application proxies for all the major TCP/IP services as well as address remapping, file integrity monitoring and a real time utility to detect and prevent intrusion attempts. Detailed auditing information, cost of use/abuse controls and accounting reports are provided for advanced management of network resources.
As discussed throughout this book, firewalls are an important component of any organization’s network security architecture. Good firewalls provide security controls without making Internet access prohibitively difficult for the end user. Better firewalls improve upon those solutions by adding detailed audit trails and accounting information. State-of-the-art firewalls offer management control over secure Internet and Intranet resources. In short, they combine access control mechanisms, detailed logging, usage and chargeback reports, intrusion detection capabilities and graphical administrative interfaces to provide secure, managed access network solutions. ANS InterLock service 4.0 has evolved to meet customer requirements for this advanced level of security, accountability and manageability. Figure 14.73 shows a layout of a multi-ANS InterLock configuration.
ANS InterLock Service
The ANS InterLock service is a connectivity management tool that provides access control, intrusion detection and cost accounting functionality. Configured as a dual-homed application level gateway, the ANS InterLock service manages access between site-designated protected and unprotected networks. Proxy support is provided for an expanding list of Internet applications including:
- News (NNTP)
- Real Audio
- HTTP (Web)
- Generic TCP
- Generic UDP
- Network Time Protocol
ANS InterLock solutions can be deployed throughout an organization. Figure 14.73 above shows a multi ANS InterLock configuration for the XYZ Corporation. XYZ uses ANS InterLock systems to manage Internet connectivity, to isolate R&D information from unauthorized corporate users and to limit access to internal resources from Intranet-connected vendors.
As a network security and resource management tool, ANS InterLock service provides:
- Application Gateway Services Between IP Networks;
- Access Controls by User, Group, Pair of Hosts or Networks, Protocol, Time of Day;
- Cost of Use (Abuse) Controls and Reports;
- Attempted Intrusions.
Enhanced features in Version 4.0
ANS InterLock service 4.0 offers enhanced security, performance and functionality over previous releases. The following is a list of advancements offered with this release:
- High Performance WWW Gateway - Improved performance, password changing from Web browser, Java-filtering and URL-level controls. Performance tuning and customization are possible with this gateway.
- HTML Reports - Audit tools which generate HTML and ASCII based output for an expanded set of user, group, chargeback and protocol reports.
- Attempted Intrusions - Real time log monitoring system to watch the logs for a variety of attacks including port scans, IP spoofing and ISS or SATAN probes.
- Integrity Watcher - Utility to monitor the permissions and contents of key files on the system for potential tampering.
- SSL Forwarder - Support for SSL based forwarding (https: and snews: URLs).
- RealAudio 2.0 support - Support for Real Audio’s RA Player.
- Solaris 2.5 port - Overall system performance and stability improvements and support for UltraSparc platforms.
- HTML-based Administrator Interface - Security policy updates via Web-browser.
- Enigma Logic Support - Support for Enigma Logic DES Gold card authentication.
InterLock’s Access Controls
A primary function of any firewall solution is allowing access to users with appropriate privileges while preventing unauthorized transactions. Traditional firewall solutions rely on IP address and protocol as the sole criteria for deciding if connection requests should be granted or denied. The ANS InterLock service provides access controls on user and system administrator activity at a highly granular level.
The following is a description of the overall security model, address hiding, administrator controls and the access control rulebase of ANS InterLock:
- Security Model - The ANS InterLock system integrates both a modified (not just hardened) operating system and the set of associated applications. ANS has obtained and modified the SunSoft Solaris operating system source code to improve security and overall system performance. The general security model is: that which is not expressly permitted is denied. This model is implemented using application proxies which grant/deny access requests based on queries into a central access control rulebase (ACRB). By default, ANS InterLock application gateways require user level authentication.
- Information Hiding - The ANS InterLock service supports the use of RFC1597 and other non-NIC-assigned IP addresses on the protected network. Even though the remote user perceives an end-to-end connection to a remote host, the application proxy is actually managing two connections: one from the client application to the ANS InterLock and a second from the ANS InterLock to the remote server. Under this model, the original source address is hidden from the remote destination and vice versa; all connections appear to come from the ANS InterLock network interface nearest the destination host. The system can also remove or remap domain name information in outbound mail and news articles, which further limits leaks of information about the architecture of the protected network that could be useful to an attacker.
- Separation of Administrator Privilege - ANS InterLock service 4.0 supports multiple administrator privileges which can be assigned to different accounts. One or more of the following administrator privileges can be assigned to an account:
  - Security - maintenance of security policies (rulebase)
  - Admin - creation/maintenance of user accounts
  - Audit - monitoring/data reduction of log information
  - System - miscellaneous other privileged system maintenance operations
- Access Control Rule Base (ACRB) - Each application gateway makes queries into the ACRB to determine if a connection request should be granted and, if so, the level of service which should be provided. ANS InterLock administrators define the set of rules which describe an organization’s security policy. There are multiple components to each rule. The first portion of each rule describes the situations when the rule is to be enforced. Rules which do not match a particular situation (e.g. outside the time range) can be configured by the administrator to deny access or simply remain inactive. The second part of each rule defines the authorizations or constraints to be enforced. Different levels of logging (Low, Medium, High, Debug, Trace) can be associated with each rule.
- Access Control Criteria
  - User or Group
  - Protocol/Port Number
  - Source and Destination Address Associated with Connection
  - Time of Day (start/stop times)
  - Days of the Week
- Rule Constraints
  - Direction of Connection/Data Flow
  - Authentication Required (SecurID, Enigma Logic, Unix password)
  - Audit Level (Low, Medium, High, Debug)
When making changes to the ACRB, the name of the administrator making the change and a timestamp are associated with each rule. This feature is useful for multiple administrator coordination and accountability. Figure 14.74 shows a sample rulebase modify screen of InterLock.
- Application Gateways - One of the original design goals of the ANS InterLock service was to develop application proxies which would require user authentication. This was easy for some gateways (e.g. FTP, Telnet) since user/password mechanisms were included in the protocol specification. For applications like SMTP or NetNews (NNTP), the ANS InterLock system uses a concept of mapping entries to have user-level controls even though those services are normally non-authenticated. For access to applications via Web browser, the ANS InterLock system takes advantage of proxy and basic authentication mechanisms to require passwords for these transactions. There were several reasons for this approach: more granular control, more detailed auditing, and chargeback reports based on user, group and/or IP address. Below, a typical Web transaction is traced.
Web access is transparent to the end user. The only requirement is to make the browser aware of the ANS InterLock through standard proxy configuration, as shown in figure 14.75. What is unique about this approach is that the Web gateway on the ANS InterLock prompts the user for a name and password whenever remote access is requested via the desktop Web browser, as seen in figure 14.76. Most browsers cache this information for future requests, so even though each Web transaction is separately authenticated, the user enters his/her password only once.
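To make the rule model concrete, here is an added toy evaluator (not ANS code) for a rulebase of this shape: each rule carries situation criteria and constraints, the first full match wins, a rule whose subjects match but whose time window does not either denies explicitly or stays inactive, and the default is deny. The field names, the sample policy and the split into "subjects" and "time window" are my assumptions about how such a rulebase is laid out.

```python
"""Toy access control rulebase (ACRB) lookup.  Added example; the rule
layout and sample policy are constructed, not ANS InterLock's format."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    users: frozenset    # user or group names; {"*"} matches anyone
    protocol: str       # "http", "ftp", "telnet", ...; "*" matches any
    src: str            # source network, CIDR notation
    dst: str            # destination network, CIDR notation
    direction: str      # "outbound" (protected -> public) or "inbound"
    start_hour: int     # active window is [start_hour, stop_hour)
    stop_hour: int
    days: frozenset     # weekday numbers, Monday=0 .. Sunday=6
    auth: str           # constraint: "none", "unix", "securid" or "enigma"
    audit: str          # constraint: "Low", "Medium", "High" or "Debug"
    on_mismatch: str = "inactive"   # "deny": refuse when the subjects match
                                    # but the time window does not


@dataclass
class Request:
    user: str
    groups: frozenset
    protocol: str
    src: str
    dst: str
    direction: str
    when: datetime


def make_request(user, groups, protocol, src, dst, direction, when_iso):
    """Build a Request from plain values (when_iso like '2024-06-11T10:00')."""
    return Request(user, frozenset(groups), protocol, src, dst, direction,
                   datetime.fromisoformat(when_iso))


def subjects_match(rule, req):
    """The 'who, what, where' part of a rule's situation."""
    if "*" not in rule.users and not rule.users & ({req.user} | req.groups):
        return False
    if rule.protocol not in ("*", req.protocol):
        return False
    if rule.direction != req.direction:
        return False
    return (ip_address(req.src) in ip_network(rule.src)
            and ip_address(req.dst) in ip_network(rule.dst))


def time_matches(rule, req):
    """The 'when' part: day of week and time-of-day window."""
    return (req.when.weekday() in rule.days
            and rule.start_hour <= req.when.hour < rule.stop_hour)


def evaluate(rulebase, req):
    """Return (decision, rule name, required authentication, audit level).

    Rules are tried in order; the first one whose whole situation matches
    grants access with its constraints.  A rule whose subjects match but
    whose time window does not either denies outright (on_mismatch="deny")
    or is skipped.  With no match at all, the default is deny.
    """
    for rule in rulebase:
        if not subjects_match(rule, req):
            continue
        if time_matches(rule, req):
            return ("permit", rule.name, rule.auth, rule.audit)
        if rule.on_mismatch == "deny":
            return ("deny", rule.name, None, rule.audit)
    return ("deny", "default", None, "Low")


# Constructed sample policy: staff may browse the Web on weekdays 08:00-18:00
# with their Unix password; a vendor may Telnet to one internal host on
# weekdays 09:00-17:00 with SecurID, and is refused (audited at High)
# outside that window rather than falling through to the default rule.
WEEKDAYS = frozenset(range(5))
SAMPLE_RULEBASE = [
    Rule("staff-web", frozenset({"staff"}), "http", "10.1.0.0/16", "0.0.0.0/0",
         "outbound", 8, 18, WEEKDAYS, "unix", "Medium"),
    Rule("vendor-telnet", frozenset({"acme-vendor"}), "telnet", "192.0.2.0/24",
         "10.1.5.7/32", "inbound", 9, 17, WEEKDAYS, "securid", "High",
         on_mismatch="deny"),
]
```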
InterLock’s Access Management
InterLock’s access management describes the audit, control and reporting functions such as audit levels, limitation of access to non-business related sites and so on.
It is common for sites to require more detailed information on some transactions but less for others. Audit levels can be assigned to each rule added to the ACRB. For example, medium auditing may be required for corporate users accessing the Internet but a much higher audit level may be assigned for vendors accessing internal resources.
Recognizing that site administrators are often concerned about the percentage of traffic going to non-business related sites, the ANS InterLock service provides support for restricting users from going to specific URLs in the WWW gateway. Since many Web sites today are implemented using multiple hosts with different IP addresses, this blocked site database allows URL-level controls for pages, directories or entire sites without having to add an excessive number of rules into the ACRB.
ANS InterLock 4.0 includes a modified version of the Unix syslog daemon. Each service generates logging information allowing an administrator to generate usage statistics, isolate configuration problems, and determine if there have been any attempts to obtain unauthorized access to the protected network.
Log entries contain information specific to each service including the time the action occurred, a unique process ID associated with the connection, number of bytes sent in each direction, the type of message, the addresses of the source and destination host, the user accessing the service, any commands entered, and an informative message describing the action performed.
FTP logs include information on the operation performed (put versus get) and the name and size of the file being transferred. HTTP entries contain information on URL accesses and byte transfer sizes. All user and administrative activity is logged. Audit information can be logged to local disk and to a syslogd on a protected site host. Figure 14.77 shows a typical HTTP log entry.
InterLock’s Reports Feature
A number of reports and formatting options are available with ANS InterLock. Reports can be configured to generate HTML or ASCII output; HTML-based reports can be viewed by system administrators via local Web browsers. The system generates usage reports by user, group, IP address and protocol. Web usage is tracked via additional reports which identify top surfers, top sites accessed, and the users accessing non-business-related sites.
ANS InterLock Service For Intrusion Detection
The ANS InterLock service provides intrusion detection mechanisms to automatically notice and respond to potential attacks. The following is a list of the main InterLock features on intrusion detection:
- Audit Log Thresholder - ANS InterLock service includes an intrusion detection facility. The audit log thresholder is designed to look for administrator-defined patterns in the system logs and to trigger an automated response when that pattern event occurs. For example, three failed logins from the same IP address may result in a rule being added to deny access from that host, an e-mail page being sent to the ANS InterLock administrator and an SNMP trap sent to the site’s network monitoring station.
- IP Spoof Guard - The ANS InterLock system maintains a routing table for address-to-interface comparisons. Protected side subnets and networks are defined in this table. If the ANS InterLock system receives packets from (what it believes to be) a protected side address on the public interface, the spoof guard is triggered, the event is logged and the packet is discarded. The spoof guard also monitors for public packets on the private interface.
- Port Scan Detection - The operating system kernel used by the ANS InterLock system prohibits IP forwarding, ICMP redirects and all forms of source routing through the box. These security controls prevent the ANS InterLock ACRB from being by-passed with IP packets. All connection requests must be handled by a proxy gateway. If no proxy is configured for a particular port, connection requests to that port are logged and denied. The ANS InterLock includes a port scan detection system as part of the Audit Log Thresholder package to identify when sites are being probed by Satan, ISS or other port scanning utilities.
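As an added illustration of the audit log thresholder and the port scan detection described above (not ANS code), the following scans constructed syslog-style lines for two patterns and records the responses that would fire. The log line format, the thresholds, the window sizes and the response names are assumptions.

```python
"""Toy audit-log thresholder: administrator-defined patterns, counted per
source within a sliding window, with a response list fired at threshold.
Added example; log format and pattern definitions are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Pattern:
    name: str
    regex: re.Pattern     # must capture 'key' (what to count per); optional 'item'
    threshold: int        # fire at this many hits (distinct items if 'item' is set)
    window: timedelta     # ...that fall inside this sliding window
    responses: tuple      # response templates, formatted with {key} and {pattern}


# Constructed patterns in the spirit of the text: three failed logins from one
# address within five minutes, or one address probing six distinct unproxied
# ports within a minute (the port scan case).
DEFAULT_PATTERNS = (
    Pattern("failed-logins",
            re.compile(r"LOGIN FAILED user=\S+ src=(?P<key>[\d.]+)"),
            3, timedelta(minutes=5),
            ("add-rule: deny {key}", "page: firewall-admin",
             "snmp-trap: {pattern} from {key}")),
    Pattern("port-scan",
            re.compile(r"DENIED connect src=(?P<key>[\d.]+) dport=(?P<item>\d+)"),
            6, timedelta(minutes=1),
            ("mail: security-admin", "snmp-trap: {pattern} from {key}")),
)

# Constructed, syslog-shaped sample lines; not real InterLock output.
SAMPLE_LOG = """\
Jun 11 10:00:01 fw telnetd[101]: LOGIN FAILED user=bob src=198.51.100.9
Jun 11 10:00:07 fw telnetd[102]: LOGIN FAILED user=bob src=198.51.100.9
Jun 11 10:00:15 fw telnetd[103]: LOGIN FAILED user=root src=198.51.100.9
Jun 11 10:01:00 fw httpd[104]: LOGIN OK user=alice src=10.1.2.3
Jun 11 10:02:10 fw kernel: DENIED connect src=203.0.113.7 dport=21
Jun 11 10:02:11 fw kernel: DENIED connect src=203.0.113.7 dport=22
Jun 11 10:02:11 fw kernel: DENIED connect src=203.0.113.7 dport=23
Jun 11 10:02:12 fw kernel: DENIED connect src=203.0.113.7 dport=25
Jun 11 10:02:13 fw kernel: DENIED connect src=203.0.113.7 dport=79
Jun 11 10:02:14 fw kernel: DENIED connect src=203.0.113.7 dport=80
Jun 11 10:02:15 fw kernel: DENIED connect src=203.0.113.7 dport=110
Jun 11 10:30:00 fw telnetd[105]: LOGIN FAILED user=bob src=198.51.100.9
"""


def run_thresholder(log_text, patterns=DEFAULT_PATTERNS):
    """Scan log lines in order; return the responses triggered, in order.

    Hits are kept per (pattern, key) and aged out of the sliding window.
    When the threshold is reached the responses fire and the counter is
    reset, so a continuing attack fires again rather than only once.
    """
    hits = defaultdict(list)      # (pattern name, key) -> [(time, item), ...]
    triggered = []
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # syslog timestamp
        for pat in patterns:
            m = pat.regex.search(line)
            if m is None:
                continue
            key = m.group("key")
            item = m.groupdict().get("item")
            bucket = hits[(pat.name, key)]
            bucket.append((ts, item))
            bucket[:] = [(t, i) for t, i in bucket if ts - t <= pat.window]
            count = len({i for _, i in bucket}) if item is not None else len(bucket)
            if count >= pat.threshold:
                triggered.append({
                    "pattern": pat.name, "key": key,
                    "at": ts.strftime("%b %d %H:%M:%S"),
                    "responses": [r.format(key=key, pattern=pat.name)
                                  for r in pat.responses],
                })
                bucket.clear()
    return triggered
```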
Summary of InterLock’s Security Features
The following are the main security features found in the InterLock firewall:
- Granular Control - The Access Control Rule Base (ACRB) enables administrators to define the set of rules that describe an organization’s security policy. With ANS InterLock Service, that which is not expressly permitted is denied. Access and authorization functions let administrators control the use of each application protocol according to various criteria, and "least privilege" is supported by separating the administrator functions.
- Modified Kernel (not just hardened) - The underlying source code has been modified to remove IP forwarding, ICMP redirects, and source routing functions. The ANS InterLock firewall includes a port scan detection system to identify probes by SATAN, ISS, etc.
- Address Remapping - The ANS InterLock firewall hides internal network addressing and topology information from the external network and allows use of non-NIC registered addresses on the protected network.
- Java Filtering - Enables network administrators to filter out Java use from a central point.
- Spoof Guard - Prevents hackers from exploiting protected site network addresses to gain entry.
- Audit Log Thresholder - Recognizes and responds to potential security attacks in real-time. Attack patterns can be pre-loaded by ANS or created by you. Sophisticated response options include e-mail, paging, SNMP traps, scripts and customer programs.
- Integrity Watcher Daemon - Monitors configurable set of ANS InterLock files not ordinarily subject to change. This helps protect your network against Trojan horse attacks.
Global Technology’s Gnat Box Firewall - a firewall on a floppy disk
Global Technology Associates, Inc. (GTA) is a privately owned, U.S. corporation involved in the development of computer network security systems. Founded in 1992 as a small flexible company of highly motivated software engineers, GTA has evolved into a leading innovator of network security firewall products. The company's GFX Internet Firewall System was one of the first firewall systems to be certified by the National Computer Security Association and has been widely recognized as a rock solid security solution. With the introduction of the GNAT Box Firewall software, GTA has sought to meet the growing demand for a truly affordable network security system.
Global Technology believes so much in GNAT Box that they decided to host their Web site through a GNAT Box system. Thus, if you were to access their site (see a screenshot of it in figure 14.79), you would find that their Web server resides on a Private Service Network (PSN), attached to a third network card in a GNAT Box system. This server has an IP address of 192.168.5.2, but you can't see that address, as it is hidden and translated to the GNAT Box's external IP address of 126.96.36.199. A GNAT Box facility called a "tunnel" maps all Web access requests through the GNAT Box to their Web server. A network diagram of their GNAT Box configuration is provided on that site, as figure 14.80 illustrates.
For more information, contact Global Technology Associates, Inc., 3504 Lake Lynda Drive, Suite 160, Orlando, FL 32817. You can call 1.800.775.4GTA, or internationally, +1.407.380.0220, Fax: +1.407.380.6080. You can also contact them via e-mail at firstname.lastname@example.org or via their Web site at the URL http://www.gnatbox.com/index.html
Getting to Know GNAT Box Firewall
You shouldn't have to pay for security features you will not use or do not want in a firewall product. GNAT Box was developed to provide a powerful, simple and affordable IP network security solution for organizations that would otherwise be forced to purchase an expensive solution or do without IP security altogether.
So let's start by outlining what the GNAT Box is NOT:
- A general purpose computer system, so:
- you can't log on to it (there is no user shell)
- you can't Telnet to it
- you can't use it for a mail server
- you can't use it for a web server
- you can't run any other software on it
- A Unix system, although it uses core technology from the Unix operating system.
At the heart of GNAT Box is GTA's network address translation and stateful packet inspection engine. This facility was originally developed for GTA's premier turnkey dual wall firewall, the GFX Internet Firewall System. The stateful packet inspection facility monitors every IP packet passing through the GNAT Box to guarantee that:
- Network address translation is performed for all packets passing through the GNAT Box.
- Only valid response packets, or packets passing through user-defined tunnels, reach hosts on the Protected or PSN networks from the External network.
This facility is tightly integrated into the GNAT Box's network layer to guarantee maximum data throughput.
Outbound Packets from the Protected Network
When an IP packet arrives on the GNAT Box's protected network interface, the engine determines where the packet should be sent and performs the necessary modifications on the packet (i.e. network address translation) if required and then routes the packet to the correct network interface. Translation is performed if the destination host is on the External or Private Service networks.
If translation is performed, the IP packet's source address is rewritten to the address of the network interface that is the route to the packet's destination IP address. When a response packet returns to the GNAT Box, it is inspected to determine whether it is in fact a reply on an active transparency circuit.
If the packet is accepted, its destination address and port are changed back to those of the internal host that originated the circuit, and it is routed on to the Protected network.
Inbound Packets from the External Network
In its default configuration the GNAT Box does not listen for any unsolicited inbound packets. It only responds to reply packets, (those packets which are returning in response to packets that originated from the Protected or Private Service networks). If you need to allow unsolicited connections to internal hosts, use the GNAT Box's Tunnel facility.
Outbound Packets from the Private Service Network
The Private Service network works the same as the Protected network, except that the Private Service network cannot reach the Protected network. If a host on the Private Service network attempts to reach a host on the Protected network, the connection will be refused. Additionally, the following message will be generated on the system console (and, if syslog is enabled, sent to the log server):
"Warning: Attempt by PSN to access protected network."
How Tunnels Work in GNAT Box
When an IP packet arrives at the GNAT Box and it is not a response packet for an active connection, the packet is compared against user defined Tunnels. If the destination IP address and port match the entrance of a Tunnel, a new connection is created.
This new connection will automatically change the destination address and port of all packets arriving on this connection to be those given for the end of the tunnel. Additionally all response packets originating from the Tunnel's destination host will have the source address and port changed back to the Tunnel's beginning as the packets leave the GNAT Box.
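To make the forwarding rules of the three preceding subsections concrete, here is a small model of the GNAT Box engine. It is an added example, not GTA's code: a state table of "transparency circuits", source rewriting for outbound packets, reply matching for inbound packets, the PSN-to-Protected refusal with the console warning quoted above, and tunnel matching for unsolicited inbound packets. The network layout, the address 203.0.113.1 used for the external interface, 192.168.5.1 for the PSN interface, the protected net 192.168.1.0/24 and the port range are all constructed for the illustration; only 192.168.5.2 as the PSN web server comes from the page.

```python
"""Model of the GNAT Box forwarding rules (added example, not GTA's code).

All addresses, ports and the single web tunnel below are constructed for
the illustration; 192.168.5.2 is the PSN web server address quoted on the page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Circuit:
    """One translated connection (the page calls it a transparency circuit)."""
    inside: str        # host on the Protected or PSN network
    inside_port: int
    peer: str          # host the inside host is talking to
    peer_port: int
    iface: str         # GNAT Box interface address the peer sees
    iface_port: int    # translated port on that interface


class GnatBox:
    def __init__(self, ext_addr, psn_addr, protected_net, psn_net, tunnels):
        self.ext_addr = ext_addr
        self.psn_addr = psn_addr
        self.protected_net = ipaddress.ip_network(protected_net)
        self.psn_net = ipaddress.ip_network(psn_net)
        self.tunnels = tunnels          # (entrance addr, port) -> (host, port)
        self.circuits = []
        self.log = []
        self._next_port = 40000         # constructed translated-port range

    def _zone(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.protected_net:
            return "protected"
        if addr in self.psn_net:
            return "psn"
        return "external"

    def forward(self, p):
        """Return the packet as it leaves the box, or None if it is dropped."""
        # 1. Reply on an active circuit: restore the inside address and port.
        for c in self.circuits:
            if (p.src, p.sport, p.dst, p.dport) == (c.peer, c.peer_port, c.iface, c.iface_port):
                return Packet(p.src, p.sport, c.inside, c.inside_port)
        src_zone, dst_zone = self._zone(p.src), self._zone(p.dst)
        # 2. The PSN may never open connections to the Protected network.
        if src_zone == "psn" and dst_zone == "protected":
            self.log.append("Warning: Attempt by PSN to access protected network.")
            return None
        # 3. Unsolicited packet from outside: only a matching tunnel lets it in,
        #    and the new connection is remembered so the server's replies map back.
        if src_zone == "external":
            entrance = self.tunnels.get((p.dst, p.dport))
            if entrance is None:
                self.log.append(f"drop unsolicited {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return None
            host, port = entrance
            self.circuits.append(Circuit(host, port, p.src, p.sport, p.dst, p.dport))
            return Packet(p.src, p.sport, host, port)
        # 4. Outbound from Protected or PSN: rewrite the source to the address of
        #    the interface that routes to the destination, reusing an open circuit.
        iface = self.ext_addr if dst_zone == "external" else self.psn_addr
        for c in self.circuits:
            if (p.src, p.sport, p.dst, p.dport) == (c.inside, c.inside_port, c.peer, c.peer_port):
                return Packet(c.iface, c.iface_port, p.dst, p.dport)
        port, self._next_port = self._next_port, self._next_port + 1
        self.circuits.append(Circuit(p.src, p.sport, p.dst, p.dport, iface, port))
        return Packet(iface, port, p.dst, p.dport)


def make_box():
    """Three-interface layout from the text: Protected, PSN and External (constructed)."""
    return GnatBox(
        ext_addr="203.0.113.1",
        psn_addr="192.168.5.1",
        protected_net="192.168.1.0/24",
        psn_net="192.168.5.0/24",
        tunnels={("203.0.113.1", 80): ("192.168.5.2", 80)},   # web tunnel to the PSN server
    )


if __name__ == "__main__":
    box = make_box()
    for pkt in (Packet("192.168.1.10", 1025, "198.51.100.7", 80),   # outbound, translated
                Packet("198.51.100.7", 80, "203.0.113.1", 40000),   # its reply, restored
                Packet("198.51.100.9", 5555, "203.0.113.1", 40001), # unsolicited, dropped
                Packet("198.51.100.9", 2000, "203.0.113.1", 80),    # tunnel entrance
                Packet("192.168.5.2", 3000, "192.168.1.10", 22)):   # PSN -> Protected, refused
        print(pkt, "->", box.forward(pkt))
    print("\n".join(box.log))
```

The order of the checks is the security-relevant part: reply matching runs before the PSN refusal so that a PSN server can answer a Protected client, while any packet from outside that matches neither a circuit nor a tunnel entrance is dropped, which is the "no unsolicited inbound packets" behaviour the text describes.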
The following is an overview of GNAT Box Firewall at a glance:
- Secure Network Address Translation (NAT)
- Firewall protection utilizing proven firewall technology
- Transparent network access for TCP and UDP applications
- Transparent network access for non-standard applications like:
- VDOLive, VXtreme, etc
- Simple to install and operate
- Supports more than 16,000 concurrent connections
- No limit on the number of users
- Web browser user interface
- Minimal hardware requirements
- Cost effective
- IP aliasing
- Dynamic and static address mapping
- Protected Private Service Network (PSN)
- High performance
- PPP support
- Built-in support for several application protocols such as,
- Xing StreamWorks
- NTT AudioLink
- NTT SoftwareVision
- Real Time Streaming Protocol (RTSP)
How Do You Pronounce GNAT Box?
GNAT Box is pronounced, "nat box", with the 'g' silent, like the tiny insect called a gnat. The derivation comes from GTA's Network Address Translation.
What is GNAT Box Firewall?
The GNAT Box system is based upon GTA's GFX Internet Firewall Network Transparency technology, which has been distilled and refined to fit into a compact, powerful software system. The GNAT Box system completely hides all IP addresses on an internal network from an external network (typically the Internet). This feature allows organizations to use unregistered IP addresses or RFC 1918 addresses on the internal private network.
The GNAT Box is a firewall. The GNAT Box protects the internal network from unauthorized access, while allowing users on the internal network transparent access outbound. The GNAT Box in default operation offers no services to the external network, so there are no cracks to allow an intruder access to your internal network. The GNAT Box utilizes the GFX Network Transparency technology which maintains stateful information about all packets passing through the GNAT Box gateway and only allows returning packets that have been registered to pass back through to the internal network.
One of the great things about the GNAT Box system is its simplicity. The GNAT Box system is software that you run on your own hardware. No need to pay extra for hardware when you probably have the required hardware components already. The system boots and runs off a single 3.5" floppy diskette, you don't need a hard disk. All the hardware you need is:
- 386 CPU or better,
- 8Mb RAM,
- 3.5" 1.44Mb floppy drive, and
- 2 network cards (10 or 100 Mbps Ethernet, or FDDI).
- Optional 3rd network card for a Private Service network.
Ethernet Card Notes
Network interfaces are addressed by their two or three character device identifier and a positional number starting at zero. The first card of a specific type identified by the system will have a positional identifier of zero, (e.g. de0). If a second card of the same type as the first is found then it will have a positional identifier of one, (e.g. de1) and a third card will have a positional identifier of two, (e.g. de2). Each new type of card identified in the system will begin with a base identifier of zero. This naming scheme does not apply to cards that must be configured to specific values listed below.
The system doesn't require a keyboard or monitor for operation, however you'll need them for the initial configuration. Figure 14.81 shows a typical layout of a network using GNAT Box firewall.
Considerations about ISA Cards when using GNAT Box
GNAT Box configuration is simple too: 4 commands (well, 5 if you count the reboot command) to get the system up and running. Figures 14.89, 14.90, 14.91 and 14.92 show a sequence of the GNAT Box console configuration interface.
Once the system is up just use the web browser interface to administer the system, (if you need to). The GNAT Box configuration is simple yet powerful, facilities are provided for: static routes, IP aliasing, logging and inbound tunnels. According to the vendor, other features such as filtering will be offered in a later release.
For those organizations that need to allow some inbound connections, the GNAT Box offers a tunneling facility. This facility allows a service port (IP port) on the external network interface of the GNAT Box to be mapped to a port on a host on the PSN network (with the optional 3rd network card) or on an internal host system. Services you might want to tunnel include email, http (WWW), ftp and Telnet. Using the IP aliasing facility in conjunction with the tunneling facility, the GNAT Box can operate in a virtual hosting role.
The GNAT Box system is cost effective. The hardware required is inexpensive, there are not many components that can fail, and there are no license restrictions on a per user basis as found on most other systems. Figure 14.82 gives you a graphic description of what you would need as hardware requirements to run GNAT Box firewall.
Figure 14.83 shows a basic GNAT Box firewall configuration, where the requirements are,
- Two Networks
- External Network (typically the Internet)
- Protected Network
- Operational Mode
- Unsolicited packets from the External Network are rejected.
- Packets that originate on the Protected Network are allowed to pass through the GNAT Box and their reply packets are allowed to pass back to the Protected Network.
You can also run a more advanced configuration of the GNAT Box (a basic installation is shown on figure 14.85). Figure 14.84 shows a typical example of such a configuration, where you have,
- Three Networks
- External Network (typically the Internet)
- Protected Network, and
- Private Service Network
- Operational Mode
- Unsolicited packets from the External Network are rejected.
- Packets that originate on the Protected Network are allowed to pass through the GNAT Box and their reply packets are allowed to pass back to the Protected Network.
- Tunnel(s) are defined to allow External Network access to servers on the Private Service network (see figure 14.86). Common servers might be web, email (see figure 14.87), and ftp.
- Users on the Protected Network have complete access to the Private Service network, as it is typical of a University or a multi-departmental company, as seen on figure 14.88.
- The Private Service network has no access to the Protected network unless a Tunnel is defined.
Network-1 Software and Technology’s Firewall/Plus - a High Performance Multi-Protocol Firewall
Network-1 was incorporated in July 1990. The company has impressive credentials, with staff averaging 16 years of technical experience. In particular, Dr. Bill Hancock is a noted authority on networks, connectivity and security. He has published many books and is currently the network editor for Digital News & Review.
The company has designed, planned, audited & implemented over 3,000 networks worldwide. Their consultants have also conducted seminars at industry conferences (i.e. DECUS, TCA, INTEROP, CSI..etc) for many years and are all well-known speakers around the world.
Their experience spans many different hardware systems, including IBM, DEC, Sun, HP, PC’s & Macintosh. Network-1 specializes in network and security software, consulting, training and seminars.
Figure 14.93 is a screenshot of Network-1 Software and Technology Inc. Web site.
For more information, contact Network-1 Software and Technology Inc., at 909 3rd Ave. 9th Floor, New York, NY 10022. By phone at (212) 293-3068 or fax at (212) 293-3090. You can also contact them via e-mail at email@example.com or at their Web site at URL http://www.network-1.com.
FireWall/Plus is a NCSA certified frame, packet and application filtering network security firewall. It provides a very high degree of security between internal corporate networks as well as controlling access to and from external networks such as the Internet.
Installation and configuration of FireWall/Plus is accomplished with a minimum amount of effort using a powerful Graphical User Interface (GUI). Using pre-defined rule bases the system can be installed in a plug-and-play manner and made available for immediate use. Since FireWall/Plus is transparent to the network community all network applications will operate without interruption or modification.
FireWall/Plus may be configured in a variety of ways to provide a secure firewall installation for networks. The most common configuration is as a dual-homed gateway, as shown on figure 14.94.
In the configuration described on figure 14.94, FireWall/Plus provides total filtration services between an exterior network, such as the Internet, and the internal network. This is the first line of defense against unwanted network attacks.
However, for sites that require systems such as Web servers and gopher servers to be accessed by both internal and external users, a demilitarized zone (DMZ) network configuration may be used, as shown on figure 14.95.
This DMZ configuration would require two FireWall/Plus systems to secure the systems on the inside section of the network from both the external network and the DMZ systems.
Installation, Set-up and Use of FireWall/Plus
Installation of the complete FireWall/Plus system (hardware and software) is accomplished with little effort. It involves the following basic steps:
- Selecting a default security policy rule base. FireWall/Plus provides a comprehensive set of pre-defined security policy rule sets from which to choose in order to dramatically reduce the amount of time it takes to set-up the firewall. Rule bases include e-mail outbound only, standard information services outbound only, file transfer outbound only, e-mail both directions, TELNET outbound only, web services access outbound only, gopher services outbound only, variations of the standard rule bases for specific site requirements and many others. This is accomplished via a drop-down menu item in the configuration section of the product.
- Obtain a license key from Network-1 technical support and enter it into the product. This is accomplished via a dialog button on the main screen.
- Activate the product by clicking on the "Start Operations" tile from the main screen, as shown on the screenshot of figure 14.96.
Selecting a Default Rule Base for FireWall/Plus
The default rule base of Firewall/Plus is very easy to select. By clicking on the Configuration tile or tab, the system brings up the Configuration Page, as shown on figure 14.97.
The Configuration File section at the top of the screen contains a drop-down menu with the currently loaded default security policy rule bases. You simply select one that matches the needs of the site and click the Save Settings tile at the bottom of the screen. The rule base is then loaded into memory and is ready for use.
The trusted side of the network is identified by a picture of an angel. The untrusted side is identified by a picture of a devil’s head. This motif is carried throughout all Pages of the product to make it instantly obvious which side of the network a particular operation is affecting (an alternate set of icons are included in the package for those sites desiring a less dramatic identification of resources).
The trusted and untrusted network configurations both have a box called Block All Connections. This is the network "panic button", used in an emergency to immediately stop all traffic on either side of the FireWall/Plus product.
FireWall/Plus provides real-time system and network performance statistics on system and network activities, as shown on figure 14.98. As filters and flags are added to the system and as the traffic loads increase over time, FireWall/Plus provides pro-active performance data so that the system may be upgraded before performance degradation occurs.
Additionally, network statistics for the trusted and untrusted sides of the firewall system provide detailed information on connections, node access counts and other items required for proper management of traffic performance.
Additional and Advanced Filtering
As with any firewall, site customization will be required from time to time. FireWall/Plus allows a very high resolution filtering capability through the use of an intuitive and extensive GUI, as shown on figure 14.99.
Filters and flags may be added to any level of the protocol hierarchy, from the frame level to the applications level. By selecting a default configuration, a base set of filters have been set into the system. Using the GUI, the system or security manager may build custom filters and flags on top of the default configuration selected in order to implement specific site security objectives.
As an example, world-wide web (WWW) may be configured to allow outbound connections only via a browser such as MOSAIC or Netscape. By clicking on the filter status button, the symbol will change from the universal NO ACCESS (a red circle with a line through it) to a green check mark, as shown on figure 14.100, indicating that all users of the application on the trusted side of the network have the ability to make outbound connections to the untrusted side. If bi-directional connections for all users were to be allowed, the check mark would also be necessary on the untrusted side of the FireWall/Plus icon.
There are situations where advanced and detailed filtering and rules are required for specific network conditions or network resources. For instance, specific systems on the network, on the trusted or untrusted side, may require additional filters other than the general defaults. In this situation, very specific filters may be defined, as also shown on figure 14.100.
In the example of figure 14.100, a node named JOE with an IP address of 188.8.131.52 on the trusted network side is allowed only to use IP with a TCP transport and the 3com-tsmux application (TCP port 106) for inbound and outbound traffic. Furthermore, the FireWall/Plus system has been configured to report only on those packets that the firewall did not pass along.
For situations where the filtering described on figure 14.100 is not sufficient to solve an organization’s security policy requirement, FireWall/Plus allows a to-the-bit-definition level filtering facility. Individual fields in the protocols may be identified and filtered based upon rule definitions and, if necessary, individual bits in a packet or frame may be toggled on or off to identify specific patterns of traffic to be filtered.
In the above example, field-level definitions are being set up for filtering. In some cases, bit masks will need to be identified in a frame, packet or application packet that will need a rule applied for filtering. FireWall/Plus, through the use of the GUI, provides a very simple manner in which to set up very sophisticated bit-level filtering (bit-level filtering provides application level functionality, such as proxy filters, without implementation of the application itself).
Figure 14.101 shows the set-up of a bit-level filtering mask for the destination service access point (DSAP) in an 802.3 (Ethernet) frame. Strictly, the DSAP is the first byte of the 802.2 LLC header carried inside the 802.3 frame, immediately after the 14-byte destination MAC, source MAC and length fields.
By clicking on the arrows above the bit-field, as seen on figure 14.101, the system or security manager may allow the field to be passed or rejected, depending upon the security policy required for the site. This type of granularity of filtering is usually very difficult to do with any firewall product and requires the writing of sophisticated scripts, usually in Perl. FireWall/Plus does this quickly and graphically without the hassle of learning a programming language.
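As an added illustration of the two kinds of rule just described, the following code applies a bit-mask rule to the DSAP byte of an 802.3/LLC frame and then a per-node rule in the style of the JOE example (IP, TCP and 3com-tsmux only, everything else rejected). This is not Network-1's code and FireWall/Plus's real rule format is not shown on the page, so the MaskRule representation, the MAC and IP addresses, and the sample frames are all constructed; the frame layout (DSAP at byte 14, SNAP then IPv4 then TCP) and the IANA assignment of 3com-tsmux to port 106 are standard facts.

```python
"""Frame- and packet-level filtering in the spirit of FireWall/Plus
(added example, not Network-1's code; rule format and addresses are assumptions).

Frame layout used: 6 dst MAC, 6 src MAC, 2 length, LLC (DSAP, SSAP, control),
SNAP (OUI, EtherType), IPv4 header, TCP header.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class MaskRule:
    """First-match rule: (frame[offset] & mask) == value decides pass or reject."""
    name: str
    offset: int        # byte offset in the frame; 14 is the LLC DSAP
    mask: int
    value: int
    action: str        # "pass" (continue to higher-layer rules) or "reject"


DSAP_OFFSET = 14       # after dst MAC (6), src MAC (6) and 802.3 length (2)

MASK_RULES = [
    MaskRule("NetBEUI DSAP 0xF0/0xF1", DSAP_OFFSET, 0xFE, 0xF0, "reject"),
    MaskRule("SNAP DSAP 0xAA", DSAP_OFFSET, 0xFF, 0xAA, "pass"),
]

# Per-node rules: source IP -> TCP destination ports it may use.
# "Nothing is permitted except that which is allowed": no entry means reject.
NODE_RULES = {
    "10.0.0.7": {106},        # JOE (constructed address): 3com-tsmux only
}


def build_frame(src_mac, dst_mac, dsap, ssap, payload):
    """802.3 frame with an 802.2 LLC header (control byte 0x03 = UI)."""
    llc = bytes([dsap, ssap, 0x03])
    return dst_mac + src_mac + struct.pack("!H", len(llc) + len(payload)) + llc + payload


def build_snap_ip_tcp(src_ip, dst_ip, sport, dport):
    """SNAP header plus minimal IPv4 and TCP headers (checksums left zero)."""
    snap = b"\x00\x00\x00" + struct.pack("!H", 0x0800)          # OUI, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return snap + ip + tcp


def filter_frame(frame, mask_rules=MASK_RULES, node_rules=NODE_RULES):
    """Return (verdict, reason); verdict is "pass" or "reject"."""
    if len(frame) < 17:
        return "reject", "short frame"
    # Frame level: bit-mask rules over the LLC DSAP byte, first match wins.
    matched = None
    for r in mask_rules:
        if (frame[r.offset] & r.mask) == r.value:
            matched = r
            break
    if matched is None:
        return "reject", "no mask rule matched"
    if matched.action == "reject":
        return "reject", matched.name
    # Packet level: SNAP -> IPv4 -> TCP, rejecting anything else on the way.
    if len(frame) < 22 + 20:
        return "reject", "short SNAP/IP frame"
    ethertype = struct.unpack("!H", frame[20:22])[0]
    if ethertype != 0x0800:
        return "reject", "not IP"
    ip = frame[22:]
    if ip[9] != 6:
        return "reject", "not TCP"
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 4:
        return "reject", "short TCP header"
    src_ip = ".".join(str(b) for b in ip[12:16])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if dport in node_rules.get(src_ip, set()):
        return "pass", f"{src_ip} -> tcp/{dport}"
    return "reject", f"{src_ip} -> tcp/{dport} not in node rule"


if __name__ == "__main__":
    joe, gw = bytes.fromhex("02000000000a"), bytes.fromhex("020000000001")   # constructed MACs
    samples = {
        "JOE to 3com-tsmux": build_frame(joe, gw, 0xAA, 0xAA, build_snap_ip_tcp("10.0.0.7", "192.0.2.5", 1500, 106)),
        "JOE to telnet": build_frame(joe, gw, 0xAA, 0xAA, build_snap_ip_tcp("10.0.0.7", "192.0.2.5", 1501, 23)),
        "NetBEUI frame": build_frame(joe, gw, 0xF0, 0xF0, b"\x00" * 40),
        "SNA frame": build_frame(joe, gw, 0x04, 0x04, b"\x00" * 40),
    }
    for label, frame in samples.items():
        print(f"{label:20s} {filter_frame(frame)}")
```

The mask rule does the cheap work at the frame level (a single AND and compare), which is what lets a product reject whole protocol families such as NetBEUI without decoding them; the node rule only runs once the frame has been confirmed to carry IP and TCP, and an unknown source node or an unlisted port falls through to the default reject.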
Summary of Features of FireWall/Plus
As seen in this section, FireWall/Plus provides a comprehensive security solution with an easy to manage GUI interface. While incorporating the latest in security and expert technology, FireWall/Plus is a robust yet easy to use network security solution.
- Frame, packet and application-level filtering
- Automatically blocks all traffic that is not allowed
- ("Nothing is permitted except that which is allowed")
Special Features and General Characteristics
The following is a list of special features bundled with Firewall/Plus
- Very easy to set up (less than 30 minutes under most conditions)
- No special consultation or external services required
- Very low cost (includes hardware and software)
- Very high performance, real-time responsiveness
- Highly secure from external attack directly on the firewall itself
- Dynamic changes and updates means no downtime to users
- Ability to add additional protocols besides IP in the future
- Invisible to IP probes from external or internal networks
- Customer-configurable bit-level filtering capabilities
Firewall/Plus general characteristics:
Firewall/Plus is capable of defeating:
- TCP sequence number prediction
- Source routing
- RIP attacks
- Exterior Gateway Protocol
- ICMP attacks
- Authentication server attacks
- finger (firewall or internal nodes)
- DNS access
- FTP authentication attacks
- Anonymous FTP access (accept or reject)
- SNMP (to firewall or through firewall)
- Remote booting (firewall cannot be remote booted)
- IP spoofing
- MAC address spoofing
- Broadcast storms
- ARP spoofing
- TFTP to/from firewall and filter to/from networks
- Reserved port attacks
- Remote access
- External takeover from outside networks
- External compromise (firewall itself)
- TCP wrappers
- Gopher spoofing
- MIME spoofing
- Network analysis facilities
- Autoboot after power failure
- Autosave of set-up and parameters
- Autoboot into secure mode with or without manual intervention
- Prevents DNS manipulations
- Network traffic analysis
- Firewall performance statistics software
- Cross-charging facilities
- Undetectable intrusion trapping and reporting
- Security logging and analysis tools
- Non-detectable monitoring of firewall attacks
Firewall/Plus also provides logs of :
- all connections to/through firewall
- Extensive ad-hoc query facilities (make your own reports)
- External activities
- Accounting and chargeback reporting capabilities
The following are the management features and services provided by Firewall/Plus:
- Configuration files are in plain-text
- All "safe" outgoing connections are transparent
- Filtering and rule set-up is easy to implement
- Graphical User Interface (GUI) is very easy to use
- Little management or changes to firewall required
- Easy to use and maintain
- Modifications easy to implement
- Modifications to rules and filters are dynamic and immediate
- Handles large numbers of systems (thousands of nodes)
- Replacement code and updates take very little time (less than 1 hour)
- Robust hardware and software
These are the filtering capabilities of Firewall/Plus:
- Auto-disable UDP and SNMP
- Prevents source routing and IP forwarding through firewall
- Immune from RIP vulnerabilities
- Redirect messages
- routing protocols
- tunneling (assembly/disassembly)
- MAC addresses
- User-configurable application filters
To operate FireWall/Plus, you must have Windows NT Version 3.51 or 4.0, and NDIS 3.0 drivers for Ethernet/802.3.
The hardware requirements of FireWall/Plus are as follows:
- Intel Pentium or DEC Alpha class CPU, 133 MHz minimum clock speed
- 500MB disk space
- 1.44MB 3.5" floppy drive and/or CD-ROM drive
- 32MB of memory
- Video card, SVGA 14" monitor, keyboard, mouse
- NDIS 3.0 compliant Ethernet/802.3 Network Interface Card/s (SMC EtherPower PCI recommended)
Trusted Information Systems’s Gauntlet Internet Firewall - an application proxy-based Firewall
Trusted Information Systems, Inc. (TIS), has been dedicated to providing computer and communications security solutions for business information systems for over a decade.
TIS, a company with a worldwide presence, provides an unparalleled breadth and depth of security expertise. TIS products and services range from theory to practice, and policy to product, with a pragmatic approach. Through a combination of advanced research and engineering, system security analysis, practical and affordable solutions, and training, TIS is transforming the Internet into a safe place to do business.
TIS is the developer of the TIS Internet Firewall Toolkit. The firewall software allows system managers to control access between their corporate networks and internetworks. This firewall toolkit has been requested by over 50,000 Internet users. TIS also offers a family of Gauntlet Internet Firewall products, and Gauntlet ForceField, a first-of-its-kind product designed to protect web servers. They have a patented RecoverKey technology that was developed to support effective, exportable, and recoverable software and hardware cryptography solutions. This technology allows software applications vendors the ability to provide strong data protection internationally and the end-user the ability to recover their data when their encryption key is lost, stolen, or destroyed.
TIS is internationally renowned for research in information systems security. They are actively participating in government research contracts and internal research and development projects that advance the state of the art in trusted system technology.
Under DARPA and National Laboratory sponsorship, TIS staff are performing innovative research in access control for O/S and networks, cryptography (including key management), security services for Internet mail, trusted distributed file systems, secure distributed operating systems, and integrated Fortezza support. TIS also provides trusted systems engineering and consulting to a number of major government organizations and DoD programs. Figure 14.102 is a screenshot of TIS Web site.
For more information, contact Trusted Information Systems, Inc., 15204 Omega Drive, Rockville, MD 20850. Or by phone at +1 (301)527-9500 or Gauntlet Sales at (888)FIREWALL (toll free) or +1 (301)527-9500, FAX: +1 (301)527-0482. You can also contact them via email at firstname.lastname@example.org or on the Web at URL http://www.tis.com.
TIS Gauntlet Internet Firewalls
Trusted Information Systems’ (TIS) Gauntlet Internet Firewalls provide strong points of defense and controlled, audited access to services - both from within and without an organization’s private network. Thousands of Gauntlet Firewalls are already in use internationally.
TIS’ Gauntlet Family of Firewall products offers one of the most secure firewall system available today. The Gauntlet Firewall system is application proxy-based. By serving as the only connection between outside, untrusted networks or users and your private, trusted network, a Gauntlet Firewall uses specific software application gateways and strong user authentication to tightly control access and block attacks. Gauntlet Firewalls provide a network strong point where strict enforcement of your security policy is concentrated.
Since an application gateway is the most secure type of internetworking firewall, TIS has designed Gauntlet Firewalls to rely on proxies to provide services, as shown on figure 14.103. Therefore, no direct connection is ever made between machines on opposite sides of the firewall; network packets are never passed between the networks, only application data. Their unique design combines these seven tenets:
- Simplicity in mechanisms and services provided
- Simplicity in software design, development, and implementation
- A "Crystal Box" approach, in which source code is distributed to allow for assurance reviews by customers, resellers, and other experts
- No users are allowed on the firewall system itself
- For a complete security audit trail, anything that can be logged, should be logged
- Strong user authentication methods and mechanisms must be supported and encouraged
- A firewall should enforce an organization’s network security policy, not impose one of its own
A Firewall Transparent to the User
Gauntlet Internet Firewalls let you extend your organization’s network security by establishing a Virtual Network Perimeter. Remote offices can network with your main office with the Gauntlet Net Extender. The Gauntlet PC Extender allows traveling users with remote access to become a part of your trusted network. And the Gauntlet Intranet Firewall allows controlled access between trusted workgroups inside your organization.
Gauntlet provides the transparency and ease of operation of filtering-router firewalls, but its application-level security services strictly regulate both incoming and outgoing communications, as illustrated on figure 14.104. The proxy-based system passes only application data, so no raw network packet is ever forwarded between the two networks. Gauntlet Internet Firewalls look as though they are behaving as an internetwork router, but supply proxy-based security for each service they provide. Gauntlet updates include additional proxies as additional services are developed.
Gauntlet Internet Firewalls also allow multi-national companies to build Global Virtual Private Networks (GVPNs) over low cost Internet communications links. TIS Commercial Key Escrow (CKE) system allows corporations to utilize their own data recovery centers. Other services available on Gauntlet Internet Firewalls include Domain Name Service (DNS), a secure Web server, secure Anonymous FTP, and Internet electronic mail. Gauntlet Firewalls are IPSEC-ready, X.400/X.500 compatible, NSA MISSI approved, and DoD DMS compliant.
What about GVPN?
Virtual Private Networks (VPNs) allow privacy for all allowed network traffic between two protected gateways through the Data Encryption Standard (DES). No level of trust between networks is assumed. But when a trusted relationship exists between networks, the security perimeters may be extended. Users can economically establish security-assured, high-speed, Internet VPNs at a fraction of the operating expense of dedicated, leased-line networks. Gauntlet Internet Firewalls come standard with software encryption; hardware encryption and Commercial Key Recovery are available.
As an add-on feature to Gauntlet Internet Firewall, a Gauntlet Intranet Firewall allows you to place additional network strongholds within your security perimeter, as shown on figure 14.105. You can pass authorized information quickly and securely inside your organization. It can be easily managed locally or remotely, using the same access rules and features provided by your Gauntlet Internet Firewall.
As far as firewall management, Gauntlet also includes:
- A secure, graphical management interface, accessible from an authorized computer on your trusted network.
- A firewall system integrity checker using cryptographic checksums to detect and report any changes in the system software.
- "Smoke alarms" that can be configured to "go off" any time connections to unsupported services are attempted.
- An audit tool that provides audit reduction and reporting on a timely basis.
Extending Firewall Protection to Remote Offices
Gauntlet enables you to extend your trusted network’s security perimeter, which is key to the dynamic, flexible ways you work today. Using a Gauntlet Net Extender or PC Extender, all of the services and security of your existing Gauntlet Internet Firewall are extended to your remote offices and users through strong encryption.
Gauntlet Net Extender
An add-on to your existing Gauntlet Internet Firewall, the Net Extender supports remote sites connected to a primary site by an untrusted network, using encryption to provide a private connection. The network security perimeter can be extended to allow remote access to all services. It is remotely managed and has the same features as a Gauntlet Internet Firewall. Figure 14.106 illustrates this configuration.
Gauntlet PC Extender
Also an add-on to your existing Gauntlet Internet Firewall, the PC Extender extends the network security perimeter from host-to-host or from hotel room to trusted network, allowing for privacy and easy access on business travel. Figure 14.107 illustrates how it works, through its interaction with the Gauntlet Internet Firewall employing the same strong cryptography for privacy, whether directly connected to the trusted (inside) network or dialed in. Strong authentication is required to establish trust when the user is outside the physical security perimeter.
Technologic’s Interceptor Firewall - an Intuitive Firewall
Technologic, Inc. is a leading provider of network security products and services for the Internet and Intranets. They are the developers of the Interceptor Firewall Appliance--a "plug and play" firewall including hardware and software--as well as other security products and services.
Figure 14.108 is a screenshot of Technologic’s Web site.
For more information, contact Technologic, Inc. 1000 Abernathy Road, Suite 1075, Atlanta, GA 30328. You can call 770/522-0222 or 800/615-9911, Fax: 770/522-0201. You can also contact them via e-mail at email@example.com or on the Web at URL http://www.tlogic.com
An Overview of Technologic’s Interceptor
Interceptor Firewall Appliance is an application proxy firewall designed to provide maximum network security in a turnkey package for companies with Intranets or Internet connectivity. Interceptor Appliance is a bundled solution including hardware and software that provides plug-and-play firewall security. Interceptor is a comprehensive firewall that protects from an organization’s external Internet connection all the way down to the individual desktop. Interceptor is delivered with ready to use proxies for all leading Internet applications and services.
Interceptor 3.0, released in March 1997, includes many useful capabilities, including:
- A Secure Wide Area Network (S/WAN) enabled version of Virtual Private Network (VPN)
- Compatibility with Microsoft’s Proxy Server
- Secure, enhanced Remote Administration, Diagnostics and Reporting (RADAR) management
- Web-based management interface
- Web caching
- Management of multiple firewalls
- Interoperability with other firewalls
- Added security measures
- Windows-based management reporting
- Automatic paging and emailing for security alerts
- Ability to easily create a corporate Intranet within your existing network
- 100% proxy transparency
- User authentication for WWW access at the individual URL level
- On-demand security scanning using Internet Scanner from ISS to verify security
Interceptor Firewall Appliance is available for configurations supporting 32, 256, 1024, 4096, and unlimited network connections. It is delivered as a pre-configured hardware/software system. For organizations that have already designated a processor, a software-only version is also available. It is available in English, Chinese, and Japanese language versions.
Interceptor’s reputation for being one of the most secure, reliable, and easy-to-use firewalls on the market has made it a favorite among small and large organizations alike. Companies like Lockheed-Martin Corporation, BellSouth, GEAC (formerly Dun & Bradstreet Software), and Security First Technologies all use Interceptor to keep their information assets safe and accessible.
The following is an overview of the main components and features of Technologic’s Interceptor firewall.
Virtual Private Networking
As discussed in Chapter 3, "Cryptography: Is it Enough?," strong and manageable encryption technology enables the use of the Internet for private network communications. We are all looking for cost-effective alternatives to expensive private networks and WANs based on leased lines, and Virtual Private Networks (VPNs) can be such an alternative.
VPNs provide a protected private path for network traffic between two or more gateways. High-speed Internet VPNs can be established and maintained at a fraction of the cost of dedicated, leased-line networks.
Interceptor 3.0’s fully integrated security solution for Intranets includes an S/WAN enabled version of VPN. S/WAN designates specifications for implementing the Internet Engineering Task Force’s Internet Protocol security (IPSec) standards to ensure interoperability among firewall and TCP/IP products. With this interoperability in place, as shown on figure 14.109, users can securely exchange data with other companies or departments implementing other S/WAN enabled firewalls and systems.
Secure Encryption for All Applications
Confidentiality is an important component of any network security policy. It is a vital issue for organizations leveraging the cost savings inherent in public networks such as the Internet. With Interceptor’s VPN option, you can encrypt data from firewall to firewall and from client to firewall. Sending e-mail, transferring files, browsing a web site, or connecting to a remote computer can be performed in privacy using encryption over the Internet. And because Interceptor uses the IPSec standard for VPNs, you’re assured of industry compatibility.
Transparent Encryption for Users
Interceptor’s VPN encryption is automatic and transparent to the individual user and does not require special or modified client application programs. The encryption takes place in the TCP/IP kernel at the IP level, which provides more fundamental, lower-level security than higher-level protocols such as SSL and S/HTTP.
A significant percentage of network vulnerabilities result from the presence of bugs, holes and system configuration weaknesses on devices attached to an organization’s network. Technologic uses Internet Scanner from Internet Security Systems (ISS) - a powerful network scanning system - to locate these exposures. Internet Scanner identifies network security vulnerabilities on both internal and external machines.
Internet Scanner is the first and most comprehensive network security assessment tool available to help you close the gap between security policy and security practice. Internet Scanner provides you with an excellent view of your network’s security exposures. The system tests for over 130 known vulnerabilities and recommends appropriate corrective action. It also provides frequent updates with latest vulnerabilities and automatically identifies and reports these vulnerabilities.
The Connection Manager
The Connection Manager is the first level of protection for Interceptor. It listens for connection requests for each service provided by Interceptor. Connections are accepted or rejected based upon the type of request, the source and destination IP addresses, and the time of day. Accepted connections are directed to service-specific gateway programs. Each connection request, whether it is accepted or not, is logged along with its source, destination, type of service, and action taken. The Connection Manager also allows control over the maximum number of connections that can be simultaneously active for each service, as well as the maximum rate at which connections for each service are processed.
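To make the decision inputs listed above concrete, here is an added example, written for this chapter and not Technologic’s own code, of a connection manager that applies per-service rules by source and destination address and time of day, enforces a per-service cap on simultaneous connections and on the accept rate, and logs every request whether accepted or not. The rule format, the class and method names and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    service: str   # e.g. "ftp" or "telnet"
    src: str       # CIDR block the client address must fall in
    dst: str       # CIDR block the requested server must fall in
    hours: tuple   # (first_hour, last_hour_exclusive), local time of day
    action: str    # "accept" or "reject"


@dataclass(frozen=True)
class ServiceLimit:
    max_active: int      # simultaneous connections allowed for the service
    max_per_minute: int  # requests the service may accept per 60 s window


class ConnectionManager:
    """Assumed model of the Connection Manager: first matching rule wins,
    no match means reject, and accepted requests are then checked against
    the per-service rate and concurrency caps. Every request is logged."""

    def __init__(self, rules, limits):
        self.rules = list(rules)
        self.limits = dict(limits)
        self.active = {}    # service -> connections currently open
        self.accepted = {}  # service -> timestamps of recent accepts
        self.log = []       # one line per request, accepted or not

    def _policy(self, service, src, dst, when):
        for r in self.rules:
            if r.service != service:
                continue
            if ip_address(src) not in ip_network(r.src):
                continue
            if ip_address(dst) not in ip_network(r.dst):
                continue
            first, last = r.hours
            if not first <= when.hour < last:
                continue
            return r.action
        return "reject"  # default deny

    def request(self, service, src, dst, when):
        """Decide one connection request; returns (decision, reason)."""
        decision, reason = self._policy(service, src, dst, when), "policy"
        limit = self.limits.get(service)
        if decision == "accept" and limit is not None:
            now = when.timestamp()
            recent = [t for t in self.accepted.get(service, []) if now - t < 60]
            if len(recent) >= limit.max_per_minute:
                decision, reason = "reject", "rate limit"
            elif self.active.get(service, 0) >= limit.max_active:
                decision, reason = "reject", "connection limit"
            else:
                recent.append(now)
                self.active[service] = self.active.get(service, 0) + 1
            self.accepted[service] = recent
        self.log.append(f"{when.isoformat()} {service} {src} -> {dst} "
                        f"{decision} ({reason})")
        return decision, reason

    def release(self, service):
        """Call when an accepted connection closes."""
        self.active[service] = max(0, self.active.get(service, 0) - 1)


def demo():
    """Constructed sample policy and traffic (addresses are documentation
    ranges, not real hosts)."""
    rules = [
        Rule("telnet", "10.0.0.0/8", "0.0.0.0/0", (8, 18), "accept"),
        Rule("ftp", "0.0.0.0/0", "192.0.2.10/32", (0, 24), "accept"),
    ]
    limits = {"ftp": ServiceLimit(max_active=2, max_per_minute=3)}
    cm = ConnectionManager(rules, limits)
    t = datetime(1997, 6, 2, 9, 0)
    results = [
        cm.request("telnet", "10.1.2.3", "203.0.113.7", t),   # within hours
        cm.request("telnet", "10.1.2.3", "203.0.113.7", t.replace(hour=22)),
        cm.request("telnet", "203.0.113.9", "10.1.2.3", t),   # outside source
        cm.request("ftp", "203.0.113.9", "192.0.2.10", t),
        cm.request("ftp", "203.0.113.9", "192.0.2.10", t),
        cm.request("ftp", "203.0.113.9", "192.0.2.10", t),    # third active
    ]
    cm.release("ftp")                                         # one closes
    results.append(cm.request("ftp", "203.0.113.9", "192.0.2.10", t))
    results.append(cm.request("ftp", "203.0.113.9", "192.0.2.10", t))  # 4th/min
    return cm, results


if __name__ == "__main__":
    manager, _ = demo()
    print("\n".join(manager.log))
```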
The FTP Proxy
The FTP proxy server handles connection requests on the FTP port. Connections that originate inside Interceptor are normally allowed to use the proxy transparently, while connections that originate outside Interceptor usually must provide special authentication.
All connection attempts are logged. For transparent connections, the FTP proxy is invisible to the client. For connections requiring authentication, the user must enter a user name and password when the FTP proxy requests one, and then initiate a second login sequence to instruct the proxy to connect to the FTP server.
Once a connection is established, the FTP proxy relays traffic between the client and the remote server, while at the same time it monitors and controls the commands being sent. Specific FTP commands can be disabled or logged based on the access policy that applies to the connection. The proxy supports both normal and passive mode data transfers with clients, and can be configured (by the access policy) to initiate either normal or passive mode data transfers to the server.
Application proxies are a trusted delivery mechanism, protecting your network from external invasion. When an application requests a connection through the firewall, Interceptor intercepts and verifies the connection requested by the service. If approved, it establishes a separate connection to complete the task. Because the proxy is a trusted delivery mechanism, the outside service is never in direct contact with your organization’s network, or with its valuable data assets. Figure 14.110 illustrates this concept on Interceptor.
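The control-channel behaviour described for the FTP proxy (transparent relay for inside-originated sessions, a proxy login followed by a second login naming the real server for outside-originated ones, and per-policy disabling or logging of individual FTP commands), as an added example written for this chapter rather than Technologic’s code. The policy fields, reply strings, proxy credentials and host names are assumptions; data-connection setup (PORT/PASV) is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    disabled: frozenset = frozenset()  # verbs the proxy refuses outright
    logged: frozenset = frozenset()    # verbs relayed but written to the log


class FtpProxySession:
    """Assumed control-channel state machine for one client session.
    handle() returns (reply_to_client, line_to_forward_to_server); a None
    reply means the server's own response is relayed back to the client."""

    def __init__(self, policy, transparent, proxy_users=None, server=None):
        self.policy = policy
        self.proxy_users = proxy_users or {}  # proxy login -> password
        self.server = server                  # known up front if transparent
        self.proxy_login = None
        self.log = []
        # Inside-originated (transparent) sessions start relaying at once;
        # outside-originated ones must authenticate to the proxy first.
        self.state = "relay" if transparent else "proxy_user"

    def handle(self, line):
        raw = line.strip()
        parts = raw.split(None, 1)
        if not parts:
            return ("500 Empty command.", None)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        return getattr(self, "_" + self.state)(verb, arg, raw)

    def _proxy_user(self, verb, arg, raw):
        if verb != "USER":
            return ("530 Log in to the proxy first.", None)
        self.proxy_login = arg
        self.state = "proxy_pass"
        return ("331 Proxy password required.", None)

    def _proxy_pass(self, verb, arg, raw):
        if verb != "PASS" or self.proxy_users.get(self.proxy_login) != arg:
            self.log.append(f"proxy login failed for {self.proxy_login!r}")
            self.state = "proxy_user"
            return ("530 Proxy login incorrect.", None)
        self.log.append(f"proxy login ok for {self.proxy_login}")
        self.state = "destination"
        return ("230 Proxy login ok; now send USER user@host.", None)

    def _destination(self, verb, arg, raw):
        # Second login sequence: USER user@host names the real FTP server.
        if verb != "USER" or "@" not in arg:
            return ("530 Send USER user@host to choose the server.", None)
        remote_user, self.server = arg.rsplit("@", 1)
        self.log.append(f"{self.proxy_login} -> {self.server} as {remote_user}")
        self.state = "relay"
        return (None, f"USER {remote_user}")

    def _relay(self, verb, arg, raw):
        if verb in self.policy.disabled:
            self.log.append(f"DENIED {raw} (session to {self.server})")
            return ("500 Command disabled by access policy.", None)
        if verb in self.policy.logged:
            self.log.append(f"LOGGED {raw} (session to {self.server})")
        return (None, raw)


def demo():
    """Constructed sample: an outside client walks through both logins,
    then an inside client uses the proxy transparently."""
    policy = AccessPolicy(disabled=frozenset({"DELE", "RMD", "SITE"}),
                          logged=frozenset({"RETR", "STOR"}))
    users = {"alice": "s3cret"}  # constructed proxy credentials
    outside = FtpProxySession(policy, transparent=False, proxy_users=users)
    outside_steps = [outside.handle(l) for l in (
        "USER alice", "PASS wrong", "USER alice", "PASS s3cret",
        "USER bob@ftp.example.net", "RETR report.txt", "DELE report.txt")]
    inside = FtpProxySession(policy, transparent=True, server="ftp.example.net")
    inside_steps = [inside.handle(l) for l in ("USER carol", "STOR notes.txt")]
    return outside, outside_steps, inside, inside_steps
```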
Telnet and Rlogin Proxy
The Telnet and Rlogin proxy servers handle connection requests on the Telnet and Rlogin ports respectively. Connections that originate inside Interceptor are normally allowed to use the proxy transparently, while connections that originate outside Interceptor are usually required to provide special authentication. All connection attempts are logged.
For transparent connections, the proxy is invisible to the client. Otherwise, the proxy prompts the user to enter authentication information and then a destination host. Once a connection is established, the proxy relays traffic between the client and the remote host.
The HTTP proxy server handles connection requests on the HTTP port. It allows internal web browsers to access remote HTTP and FTP servers. It also supports the relaying of SSL-encrypted connections with secure HTTP and NNTP servers.
All e-mail between the internal protected network and the external Internet is handled by the Interceptor host. Secure handling of e-mail through the Interceptor host is achieved using a two-step process.
First, all SMTP connections to Interceptor are answered by the SMTP proxy program, which runs without privileges and simply receives the incoming message, checks whether it is allowed by the access policy, and if so hands it off to the sendmail program, which performs the final delivery. The benefit of this approach is that malicious clients never speak directly to the sendmail program and thus cannot exploit any weaknesses it may contain. Instead they interact with a bare-bones SMTP server program small enough to be inspected and verified.
X11 Proxy and Generic TCP Proxy
The X11 proxy allows X Window-based GUI applications (X clients) running on one side of Interceptor to display their output on an X server on the other side. A typical use of this proxy server is to allow an internal user to invoke a GUI program on an external host and display its output on the user’s local desktop.
The generic TCP proxy handles a variety of services such as NNTP, Whois, Gopher, Finger, POP, CompuServe and AOL.
The Authentication Server
The Authentication Server programs are an extended optional feature of the Interceptor Firewall System. They support enhanced user authentication for the Telnet, Rlogin and FTP proxy servers. A number of enhanced authentication mechanisms are supported, including the SecurID card from Security Dynamics.
The Domain Name Service
The Interceptor host can be registered with the Internet NIC as the primary name server for your domain. It provides information to the Internet about only the portion of your network that is externally visible.
In most cases, it is just the Interceptor host itself. In addition, it provides Mail Exchange records to direct all incoming e-mail for your domain to the Interceptor host.
Real Audio/Real Video Proxy
This proxy handles the RealAudio/RealVideo protocol and allows transmission of RealAudio sound files and RealVideo files through Interceptor.
There is also a proxy that handles the VDOLive protocol and allows the transmission of VDOLive video files through the Interceptor firewall.
RADAR and Utility Command Server
The Remote Administration Diagnostics and Reporting (RADAR) Server provides a facility for secure, remote administration of Interceptor via a World Wide Web browser.
The Utility Command Server allows users to initiate X11 proxies and the ping and traceroute diagnostic utilities via a World Wide Web browser.
Web Caching and Java and ActiveX Blocking
With Interceptor version 3.0, you can set up a web cache on the firewall system. If there are many internal people who request the same outside resource (and there usually are), this feature will retrieve the information only once and store it on the firewall. This feature greatly increases performance for most organizations.
Also, each time you retrieve a WWW page, the browser normally makes a new and separate connection for the text and for every image contained on the page. This feature allows the connection to stay open until all the information is retrieved, significantly increasing the performance of WWW activity.
Technologic has incorporated Java and ActiveX applet filtering into Interceptor.
Multiple Firewall Management
This feature helps people manage increasingly complex Internet usage. Interceptor allows you to set up multiple firewalls in groups. Through RADAR, you can manage these groups. You make one change and RADAR updates all the firewalls in the group at once. This allows you to maximize the security expertise in your organization and provide concise, consistent Internet access policy.
Interceptor Firewall requires:
- Intel-based system with a Pentium 90 MHz processor
- 16 MB RAM
- 500+ MB Fast SCSI-2 Hard Disk Drive
- 500+ MB SCSI Tape Drive
- Two Ethernet or Token Ring Network Adapters
- Standard VGA Video Card and Monitor
Sun’s Sunscreen EFS Firewall - a Stateful Inspection Firewall
With world headquarters in Mountain View, Calif., Sun Microsystems, Inc., has been described as a "full service provider that can compete on an equal footing with IBM and Hewlett-Packard Co." (InformationWeek, Feb. 13, 1995). The company was founded in 1982 on the premise that "the network is the computer." This simple, yet revolutionary concept helped change the face of the computer industry and has propelled it into a thriving $6 billion company.
While the company’s legacy has been as a technical workstation supplier, Sun is successfully transforming itself into an enterprise computing firm focused on global network computing. Sun believes that the vast network and resources that exist beyond a person’s own computer are where the true strength of information technology lies. Unlike PCs -- which were built to enhance individual productivity -- workstations incorporate networking into their design core to allow groups of people to collaborate, thereby improving company-wide productivity.
Nonetheless, to meet the rapidly evolving needs of today’s networks, corporations require an integrated security solution that is flexible and scalable. Sun has created a suite of security solutions that scales to meet enterprise needs: the SunScreen suite.
Figure 14.111 is a screenshot of Sun’s Web site.
For more information, contact Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, CA 94303, telephone at 1-800-SUN-FIND or 1-972-788-3150 outside the United States. You can also contact them via e-mail at firstname.lastname@example.org or at their Web site at URL http://www.sun.com.
The SunScreen Model
With a mission to provide the enabling products, services and technologies for secure electronic commerce and communication over public networks, Sun leads the evolving market in infrastructure and architecture. SunScreen products provide the foundation for secure Internet access and electronic commerce. The SunScreen product line focuses on enabling corporations to create secure virtual private networks (SVPNs) and provide network access control.
The traditional way of securing corporate networks, as shown on figure 14.112, has been with firewall based perimeter security, separating the networks into static safe and unsafe areas much like creating fences. The problem with this approach is that once the fence has been breached, the network can be compromised.
Sun’s solution for this problem is a suite of products, which includes:
- SunScreen SPF, a dedicated, stealthy, network security solution, designed for the highest security needs of complex networks; typically deployed at the gateway to a public network;
- SunScreen EFS, an encryption server software product with strong firewall/gateway functionality. It can be used to protect all servers in the de-militarized zone (e.g. FTP, WWW, mail) and Intranet (e.g. database, HR, payroll servers); and
- SunScreen SKIP, which provides encryption and key management capabilities, to the desktop or remote end user, which enables PCs, workstations, and servers to achieve secure/authenticated communication.
Figure 14.113 illustrates the SunScreen line and how its products fit in your security policy.
Sun’s security implementation vision is scaled to enterprise needs as secure virtual private networks are deployed in volume, as shown on figure 14.114.
The SunScreen product line enables you to secure your network in an entirely new way. SunScreen SPF provides stealthy network access control and SVPN solutions. SunScreen EFS provides similar network access control and encryption capability, allowing corporations to lock down each of the DMZ machines, as well as all the servers within the corporate network. This secures the whole network, not just the perimeter.
Deploying the product line will help create multiple SVPNs both within the Intranet and Internet environments. Each department, from the corporate office, to finance, to personnel, can have a separate secure network. Secure and authenticated communication with remote customers and employees, as well as business-to-business communication, can be accomplished via SunScreen SKIP.
This creates a network security system involving dedicated gateway-level security with SunScreen SPF, a hardened encryption server for databases, NFS, mail, Web and other types of application machines with SunScreen EFS, and encryption-equipped end nodes with SunScreen SKIP.
This secure network solution creates one large electronic workspace, as shown on figure 114, where distinctions between Intranets and the Internet become academic from a security standpoint, and all communication can be made private and authenticated as needed.
Sun’s SKIP technology allows you to use the Internet as a conduit to your business partners and employees. According to Sun, studies have shown that this can reduce the overall operating expenses by 23% (U.S. Computer).
Secure access control.
By using stateful, dynamic, packet screening and rules-based technology, SunScreen products allow filtering at the packet level while retaining application-level intelligence. Packets are examined based on filtering rules, which are completely customizable. They may be filtered by connection type, source or destination address, protocol, or protocol port number, in addition to user-definable services. You determine which hosts are granted access to your network, when and what types of access are permitted, and what constitutes a security violation.
Also, because the encryption of data occurs at the network (or "IP" layer), existing applications do not require modification to take advantage of the SunScreen product family’s privacy features. In fact, all existing TCP/IP-based applications immediately reap the benefits of SKIP encryption and key management when any SunScreen product is installed.
Ease of administration.
Combined with a user-friendly interface and centralized control, SunScreen products allow for ease of maintenance and management with little training and low software maintenance costs. Web-based administration also allows for flexibility in selecting the number and placement of administration stations.
SunScreen products provide centralized and granular control of all authenticated users. SKIP authenticates remote clients for secure communication between an enterprise’s local network and the corporate branch offices, business partners, and nomadic users. Remote access can be granted or denied using a number of criteria such as network address or key identifier in the case of nomadic systems. Figures 14.115 and 14.116 show an example of such a scenario.
SunScreen SPF-200 and SunScreen EFS Security Solutions
SunScreen SPF-200 is Sun’s premier security platform for perimeter defense and electronic commerce. SunScreen EFS complements SPF as the platform to secure all departments and sites within an organization. Together, they protect the entire organization, securing electronic commerce, remote access, and Extranets.
The SunScreen SPF-200 security solution is the premier perimeter defense in the industry. Its strength is in stealthing: no IP address is seen. Stealthing makes SunScreen SPF essentially impenetrable from the Internet because an intruder cannot address the machine. The SunScreen SPF product also scales to almost whatever level is required and supports high-speed, secure communication over the Internet.
SunScreen EFS software is designed for wide-spread deployment within a firm to protect key departments and sites, as well as for deployment of multiple Extranets. It is a powerful combination of a high-performance encryption server along with a strong firewall.
SunScreen SPF’s Features
The SunScreen SPF package offers a set of solutions to your company’s security needs, as outlined below:
- Stealthing to help protect an organization from Internet attacks.
- Top performing perimeter defense to screen a high level of Internet traffic.
- A multithreaded encryption engine to meet high-end electronic commerce requirements.
- State-of-the-art SKIP encryption to enable secure electronic commerce and remote access for employees.
- Remote administration.
SunScreen EFS’ Features
The SunScreen EFS package offers a set of solutions to your company’s security needs, as outlined below:
- High-speed dynamic packet screen.
- A multithreaded encryption engine to meet high-end Extranet requirements.
- State-of-the-art SKIP encryption.
- Remote administration.
The SunScreen SPF package is Sun’s strategic platform for perimeter defense, providing secure business operations over the Internet. To ensure a high level of security, SunScreen SPF uses a stealth design to protect it from attack, and state-of-the-art SKIP encryption to protect data going over the network. Its advanced dynamic packet filtering, coupled with Sun’s high-speed hardware, is designed to meet the most demanding performance requirements. The SunScreen SPF solution enables organizations to deploy a premier perimeter defense today, and accommodate business over the Internet at their own rate in the future.
Features and Benefits
The following are the key features of SPF-200:
- Top performing perimeter defense - According to Data Communication magazine (March 21, 1997), SunScreen EFS was the fastest firewall among the top firewall products available on the market. Given SunScreen SPF’s internal design and optimization, SunScreen SPF should run even faster. SunScreen SPF performance ensures that it can keep up with the demands required to screen large amounts of Internet traffic.
- The stealth design - This design, which makes SunScreen SPF not addressable by an IP address, provides two benefits. First, stealthing makes a SunScreen SPF system more secure because potential intruders cannot address the machine running SunScreen SPF and thereby possibly compromise it. Second, installation of SunScreen SPF into the network is easy since the administrator can install it without changing routing tables.
- The stealth design "hardens" the OS - This factor turns the system into a dedicated SunScreen SPF system that only runs SunScreen SPF. Hardening the OS enhances security. Since other applications do not run on the system, there is less exposure. SunScreen SPF systems use a separate administration station that can be any SPARC machine and need not be dedicated.
- State-of-the-art SKIP encryption technology - This encryption technology provides secure network communication and acts as the infrastructure for electronic commerce, Extranets, and secure remote access. SKIP protects the data being transmitted, ensures its integrity (not altered), and provides a high level of authentication.
- SunScreen SPF covers both TCP and UDP services - In regards to UDP, SunScreen SPF maintains state to improve security and performance.
- SunScreen SPF allows flexibility in logging what has passed or failed through the screen - Administrators can choose what they want to monitor and be alerted to problems through pagers or alerts to network management stations.
- Network Address Translation (NAT) converts internal addresses to a different set of public addresses - This allows for additional protection for the internal network, and also helps those sites that have not registered their IP addresses. NAT supports both static and dynamic translation of internal addresses to public addresses. Since hackers do not know the internal addresses of hosts, attacks are minimized.
- Administration is done through secured, remote administration stations - This enhances security and meets the needs of organizations for remote management.
SunScreen EFS software is Sun’s strategic offering for compartmentalization, where companies deploy multiple screens to protect various departments and sites. SunScreen SPF is the best offering for protecting the corporation from Internet attack and for performing business over the Internet.
In contrast, SunScreen EFS was designed from the ground up to be deployed throughout an organization and protect sites and multiple departments inside the organization. With it, organizations can implement security policy and establish secure connections between departments, sites, or even between business partners over an Extranet.
Features and Benefits
The following are some of the key features and benefits of SunScreen EFS:
- High-speed dynamic packet screen - As mentioned earlier, this firewall was rated the fastest firewall by Data Communication’s performance test among the top firewall vendors. SunScreen EFS can meet the performance needs of most any department or site.
- SunScreen EFS runs on Solaris systems as a separate application along with other applications. This allows it to be deployed throughout the organization. In contrast, SunScreen SPF stealthing provides the ultimate in security in high-risk areas such as perimeter defense on the Internet.
- State-of-the-art SKIP encryption technology - As with SPF, this feature provides secure network communication and acts as the infrastructure for communication between departments, remote sites, and partners. SKIP protects the data being transmitted, ensures its integrity, and provides a high level of authentication.
- SunScreen EFS covers both TCP and UDP services. In regards to UDP, SunScreen EFS maintains state to improve performance.
- SunScreen EFS allows flexibility in logging what has passed or failed through the screen. The administrator can choose what they want to monitor and also be alerted to problems through pagers or alerts to network management stations.
- SunScreen EFS can be managed remotely - This feature makes it very practical to deploy numerous SunScreen EFS servers throughout an organization and manage them centrally.
- Conversion tool to migrate from Solstice FireWall-1 - This conversion facility translates host group definitions, network object definitions, service definitions, actions, and rules from FireWall-1 3.0 to SunScreen EFS 1.1.
- Network Address Translation (NAT) converts internal addresses to a different set of public addresses - This provides additional protection for the internal network, and also helps those sites that have not registered their IP addresses. NAT supports both static and dynamic translation of internal addresses to public addresses. Since hackers do not know the internal addresses of hosts, attacks are minimized.
SunScreen SPF-200’s stealth feature dedicates the system running the screen to just SunScreen SPF. In addition, SunScreen SPF requires a separate administration station, which need not be a dedicated system.
In contrast, SunScreen EFS runs as a separate application on any SPARC machine.
The system requirements for the SunScreen SPF-200 Screen are:
- CPU: Ultra 1 or Ultra 2, or a SunScreen SPF-100 screen for upgrades
- Disk: 1 GB of disk
- Memory: 16 MB
The system requirements for the SunScreen SPF-200 Administration Station are:
- CPU: SPARC system or compatible
- Operating System: Solaris 2.4, 2.5, or 2.5.1
- Disk: 100 MB of free disk space
- Memory: 16 MB
As for the SunScreen EFS, the system requirements are:
- CPU: SPARC system or compatible
- Operating System: Solaris 2.4, 2.5, or 2.5.1
- Disk: 100 MB of free disk space
- Memory: 16 MB
Solstice FireWall-1 3.0
Another firewall product offered by Sun which deserves to be mentioned is the Solstice FireWall-1 software, which provides Internet and Intranet data security for the enterprise network in a distributed environment on Solaris and Windows NT platforms.
Solstice FireWall-1 Version 3.0 is one of the leading network security systems for creating and managing TCP/IP firewalls. Solstice FireWall-1 software enables an enterprise to build its own customized security policy, yet is installed and managed from a single workstation console. As an enterprise firewall solution, Solstice FireWall-1 3.0 has the flexibility, scalability, extensibility, and cross-platform support to meet a company’s security needs.
Solstice FireWall-1 Features
Solstice FireWall-1 is based on Stateful Multi-Layer Inspection technology, delivering superior security, connectivity, and performance. It offers excellent network and application-level security, along with user authentication, for virtually any size enterprise, enabling safe access to the Internet’s vast resources. This technology delivers a superior solution compared to competitors’ products that are based only on application gateways, proxies, or simple packet-filtering.
Installed on a gateway server, the Solstice FireWall-1 inspection module acts as a security router for traffic passing between a company’s Intranet segments or between the internal network and the Internet. All inbound and outbound data packets are inspected, verifying compliance with the enterprise security policy. Packets that the security policy does not permit are immediately logged and dropped.
Comprehensive Services Support
By incorporating dynamic, application-level filtering capabilities and advanced authentication capabilities, Solstice FireWall-1 enables true connectivity for over 120 built-in services, including secure Web browsers and HTTP servers, FTP, RCP, all UDP applications, Oracle SQL*Net and Sybase SQL Server database access, RealAudio, Internet Phone, and many others.
Solstice FireWall-1 runs on the Solaris operating environment for SPARC and Intel platforms as well as on Windows NT for Intel platforms.
A management module running on one platform can manage inspection modules running on other supported platforms. The management module itself is now a client/server application, with a GUI client that runs on Windows 95 and Windows NT, as well as on all supported platforms.
Encryption Support for Data Privacy - Virtual Private Networks
The Solstice FireWall-1 encryption module enables virtual private networks and commerce over the Internet by encrypting all traffic over the Internet. It uses a highly efficient "in-place" encryption. By maintaining the size of the encrypted data packets, communications lengths are not altered and packet fragmentation is eliminated. The highest network performance is achieved, and routing priorities and policies are preserved.
Another important feature is the so-called SecuRemote feature, which creates a virtual private network for Windows 95 and Windows NT users connecting to their networks with dial-up connections over the Internet or the public switched phone network to any Solstice FireWall-1 system running the optional VPN or DES encryption. SecuRemote transparently encrypts any TCP/IP-based application, without change to the application itself.
Solstice FireWall-1 also supports the SKIP protocol, which was invented by Sun. This allows Solstice FireWall-1 installations to create a virtual private network with other products that support SKIP, from Sun and other vendors, while remaining compatible with the industry standard.
Solstice FireWall-1 provides centralized and granular control of all users, including authenticated and unknown users. Client Authentication permits only specified users to gain access to the internal network, or to selected services, as an additional part of secure communications between an enterprise’s local network and corporate branch offices, business partners, and nomadic users. Client Authentication works without modifying the application either on the client or server side.
This firewall supports four different approaches for user authentication, including Security Dynamics’ SecurID one-time password cards. Unknown users can be granted access to specific services such as Web servers or e-mail, depending on your corporate security policy.
This firewall can protect users from viruses and malicious programs that enter a company’s network from the Internet. This includes viruses in executable programs, "macros" that are part of application documents, and ActiveX and Java applets. It also uses third-party "plug-in" anti-virus and URL-filtering programs available from such vendors as Symantec, McAfee, Trend Micro, Cheyenne, Eliashim, WEBsense, and others.
If you are operating a "server farm," Solstice FireWall-1 can optionally distribute incoming requests to the next available server. One logical IP address can support access to all servers.
Anti-Spoofing and SNMP Management
Spoofing is a commonly used technique to gain access to a network from outside (the Internet, for example) by forging packets so that they appear to come from inside the network or from the firewall itself. Solstice FireWall-1 detects such packets and drops them, and can also log the event and issue an alert.
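The check described above, written out as an added example (this is not FireWall-1 code, and the interface names and address ranges are constructed for illustration): a packet arriving on the outside interface that carries an internal or firewall source address is dropped, logged and turned into an alert, and the symmetric check is applied to packets leaving the LAN.

```python
import ipaddress
from collections import namedtuple

# Constructed topology for this example (hypothetical addresses, not from the page):
# the protected LAN sits behind the "inside" interface; "outside" faces the Internet.
INSIDE_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
FIREWALL_ADDRESSES = {ipaddress.ip_address("10.1.0.1"),
                      ipaddress.ip_address("203.0.113.1")}

Packet = namedtuple("Packet", "iface src dst")


def is_inside_address(addr):
    """True if addr belongs to one of the protected internal networks."""
    return any(addr in net for net in INSIDE_NETWORKS)


def check_spoof(pkt):
    """Return ('accept' | 'drop', reason) for one packet based on the interface it arrived on."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        # A packet from the Internet must never claim an internal or firewall source address.
        if is_inside_address(src) or src in FIREWALL_ADDRESSES:
            return "drop", "internal/firewall source address arrived on outside interface"
        if src.is_loopback or src.is_unspecified:
            return "drop", "illegal source address"
        return "accept", "ok"
    if pkt.iface == "inside":
        # Conversely, packets from the LAN must carry a LAN source address.
        if not is_inside_address(src):
            return "drop", "foreign source address arrived on inside interface"
        return "accept", "ok"
    return "drop", "unknown interface"


def process(packets):
    """Apply the check to a batch; return accepted packets, the log lines, and the alerts raised."""
    accepted, log, alerts = [], [], []
    for pkt in packets:
        verdict, reason = check_spoof(pkt)
        log.append(f"{verdict.upper()} iface={pkt.iface} src={pkt.src} dst={pkt.dst}: {reason}")
        if verdict == "drop":
            alerts.append(f"ALERT possible spoofing: {pkt.src} on {pkt.iface}")
        else:
            accepted.append(pkt)
    return accepted, log, alerts


# Constructed sample traffic: two legitimate packets and four forgeries.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.1"),   # ordinary Internet client
    Packet("outside", "10.1.5.9", "10.1.0.20"),         # claims to be an internal host
    Packet("outside", "203.0.113.1", "10.1.0.20"),      # claims to be the firewall itself
    Packet("outside", "127.0.0.1", "10.1.0.20"),        # loopback source seen on the wire
    Packet("inside", "10.1.0.20", "198.51.100.7"),      # ordinary outbound packet
    Packet("inside", "192.0.2.5", "198.51.100.7"),      # LAN host forging an outside address
]

if __name__ == "__main__":
    accepted, log, alerts = process(SAMPLE_PACKETS)
    print("\n".join(log))
    print(f"{len(accepted)} accepted, {len(alerts)} alerts")
```

The decisive input is the interface the packet arrived on, not anything inside the packet: the firewall knows which address ranges can legitimately appear behind each of its interfaces, so a mismatch is proof of forgery rather than a heuristic.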
As for SNMP management, Solstice FireWall-1 has SNMP version 2 agents that integrate it with Solstice Domain Manager, Solstice Enterprise Manager, or other enterprise management tools.
Secure Computing’s Borderware Firewall: Combining Packet Filters and Circuit-Level Gateways
Headquartered in St. Paul, Minn., Secure Computing is one of the largest network security companies in the world. Secure Computing's services and comprehensive suite of interoperable products address every aspect of enterprise network security including consulting services, firewalls, Internet monitoring and filtering, identification, authentication, authorization, accounting and encryption technologies. The only network security company that provides end-to-end network solutions encompassing all universal enterprise security standards, Secure Computing has more than 4,000 customers worldwide, ranging from small businesses to Fortune 500 companies and government agencies.
Figure 14.117 is a screenshot of Secure Computing’s Web site.
For more information, contact Secure Computing at 2675 Long Lake Road, Roseville, MN 55113. Tel +1.612.628.2700 Fax +1.612.628.2701. Or via e-mail at email@example.com or via the Web at http://www.securecomputing.com.
The BorderWare Firewall Server
The BorderWare Firewall Server defines a new product category of firewalls by combining packet filters and circuit-level gateways with application servers into a single, highly secure, self-contained system. It is a powerful, advanced security product that protects TCP/IP networks from unwanted external access as well as provides control of internal access to external services.
Using the BorderWare Firewall Server you can connect your private TCP/IP network to the global Internet, or to other external TCP/IP networks, and remain confident that unauthorized users cannot gain access to systems or files on your private network. Figure 14.118 shows a typical layout of BorderWare Firewall configuration
The benefits and uses of BorderWare go far beyond protecting your network from external access as this firewall provides many other services, including a secure Mail server, dual Name servers (internal and external), a News server, an anonymous FTP server, a WWW server and a Finger information server.
The BorderWare Firewall Server is transparent to your internal network users. This means that all of the TCP/IP networking applications that your organization currently uses, including DOS and Windows driven software, will continue to work without modification.
The creators of BorderWare kept two things in mind when designing the firewall server: simplicity and security. It is as simple as a light switch: turn it on and you have crossed the threshold to the most complete set of features available in a firewall.
BorderWare has a simple graphical user interface (GUI) for configuration, setup, and control of the firewall server, which saves you from learning access rules syntax or the proper order that they must be defined. BorderWare lets you configure all aspects of the firewall through the GUI. DNS, Mail, News, outbound access, WWW, FTP, and alarms are just a few examples. BorderWare even lets you enable your own user-defined services, in an absolutely secure manner.
As discussed on chapter 7, "What is an Internet/Intranet Firewall After All?," firewalls come in three types: packet filters, circuit-level gateways, and application gateways. BorderWare combines all three into one firewall server giving you the flexibility and security you need, as seen on figure 14.119. BorderWare also supports multiple styles of authentication including address/port based authentication and cryptographic authentication.
There is one very important feature of BorderWare that really stands out in the crowd of commercial firewalls on the market today. BorderWare is built from the bottom up with a fail-safe design. The foundation for BorderWare was a securely hardened kernel. Each layer of functionality that was added was first made secure. In the event that any of these services is under attack, the firewall is still not compromised. There are tiny firewalls inside BorderWare that keep barriers around the services to prevent the spread of any compromised piece and the rest of the firewall remains unaffected.
The following is a list of the main features found on BorderWare:
- Easy to use - It works with any PC, MAC or UNIX Internet application and offers complete transparency to internal users. There is no need to change application software or user procedures.
- Has all you need to link to the Internet - It enables you to incorporate application servers such as Mail, News, WWW, FTP and DNS.
- Makes joining the Internet easy - It remaps and hides all internal IP addresses, allowing the use of non-registered IP addresses.
- Is a complete network security solution - It combines packet filtering with application-level and circuit-level gateways.
- Provides worry-free inbound access - It permits authenticated inbound Telnet access using one-time password "tokens".
- Is flexible - It allows the security administrator to define proxies for secure and specialized applications that require "tunneling" through the firewall.
- Is easy to install and manage - It provides a simple graphical interface for configuration, control and set-up.
- Lets the administrator know when the system is being attacked - It incorporates security features to detect probing and initiate alarms.
- Makes audit simple and foolproof - It includes comprehensive audit capabilities and allows the security administrator to direct log files to a remote host.
BorderWare provides outbound application services such as Telnet, FTP, WWW, Gopher and America On Line transparently. Existing windows-based or non-windows-based point-and-click client software will run without modification. You can use your favorite shrink-wrap software. There is no need to login to the firewall. BorderWare is transparent.
Network Address Translation
BorderWare remaps and hides all internal IP addresses. The source IP addresses are rewritten so that outgoing packets appear to originate from the firewall. The result is that all of your internal IP addresses are hidden from users on the Internet. This gives you the important option of using non-registered IP addresses on your internal network. In some cases this saves users hundreds of hours of work.
All IP packets going between the internal network and the external network must pass through BorderWare. User-definable rules allow or disallow packets to be passed. The graphical user interface gives system administrators the ability to implement packet filter rules easily and accurately.
All outgoing and incoming connections are circuit-level connections. The circuit connection is made automatically and transparently. BorderWare allows you to enable a variety of these, such as outgoing Telnet, FTP, WWW, Gopher, America On Line, and your own user-defined applications. Incoming circuit-level applications include Telnet and FTP. Incoming connections are only permitted with authenticated inbound access using one-time password tokens.
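To make the address-hiding behaviour of the Network Address Translation paragraph concrete, here is an added example (not BorderWare's own code; the firewall address and internal hosts are constructed) of a source-NAT table: every outbound flow is rewritten to the firewall's external address and a firewall-chosen port, the mapping is remembered so that the reply can be translated back, and an inbound packet with no matching entry is refused as unsolicited.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen on the wire."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Rewrites outbound source addresses to the firewall's own and undoes it for replies."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)   # next unused external port
        self.out_table = {}   # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.in_table = {}    # (ext_port, dst_ip, dst_port) -> (int_ip, int_port)

    def outbound(self, flow):
        """Translate a packet leaving the LAN; create a table entry on first sight."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        ext_port = self.out_table.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.out_table[key] = ext_port
            self.in_table[(ext_port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        # Only the firewall's address ever appears on the external side.
        return Flow(self.external_ip, ext_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Translate a reply arriving from outside, or return None if it matches no session."""
        if flow.dst_ip != self.external_ip:
            return None
        entry = self.in_table.get((flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None    # unsolicited: no internal host asked for this
        int_ip, int_port = entry
        return Flow(flow.src_ip, flow.src_port, int_ip, int_port)


def demo():
    """Walk one web request and its reply through the table (constructed addresses)."""
    nat = SourceNat("203.0.113.1")                       # hypothetical firewall address
    request = Flow("10.1.0.20", 51234, "198.51.100.7", 80)
    on_the_wire = nat.outbound(request)
    reply = nat.inbound(Flow("198.51.100.7", 80, "203.0.113.1", on_the_wire.src_port))
    stray = nat.inbound(Flow("198.51.100.7", 80, "203.0.113.1", 40999))
    return on_the_wire, reply, stray


if __name__ == "__main__":
    wire, back, stray = demo()
    print("outbound as seen on the Internet:", wire)
    print("reply delivered internally as:   ", back)
    print("unsolicited inbound packet:      ", stray)
```

The table is keyed on the full four-tuple, so two internal hosts talking to the same server are kept apart by the external port alone, which is why one registered address can front an entire unregistered internal network.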
One of the extra features of BorderWare is that it includes support for several standard application servers. These include: Mail, News, WWW, FTP, and DNS. Each application is compartmentalized from other firewall software, so that if an individual server is under attack, other servers/functions are not affected.
Audit Trails and Alarms
BorderWare has comprehensive audit and logging capability. It also provides alarms when probing is detected.
Log files are kept for all connection requests and server activity. The files can be viewed from the console, which displays the most recent entries and scrolls in real time as new entries come in, as seen on figure 14.120. These files can also be retrieved from the firewall using the administrative FTP user from your internal network.
The log files include:
- connection requests
- mail log file
- news log file
- other servers
- outbound FTP sessions
- alarm conditions
- administrative log
- kernel messages
Log information that is sent to the FTP log area can now be sent to another internal machine running syslog. Also, BorderWare has an alarm system that watches for network probes. The alarm system can be configured to watch for TCP or UDP probes from either the external or internal networks. Alarms can be configured to trigger email, pop-up windows, messages sent to a local printer, and/or halt the system.
Traditional firewalls require either logging into the firewall system or the modification of client applications using library routines such as "SOCKS". BorderWare permits "off-the-shelf" software such as Beame & Whiteside BW-Connect TCP/IP package, NetManage Chameleon, SPRY AIR Series, and standard UNIX networking software to operate transparently through the firewall. Figure 14.121 shows the many protocols BorderWare incorporates proxies to.
Integrated Servers
BorderWare includes support for several standard applications including Mail, News, FTP, Finger, Name Server (DNS), and WWW. Each application is completely isolated from all other applications, so that attempts to compromise one server can have no effect on the others.
BorderWare Application Services
The BorderWare Firewall Server, as seen on figure 14.122, incorporates two separate DNS servers on the firewall itself:
- External DNS - The External DNS server provides a limited external view of the organizational domain and initially configures itself with a number of standard names that all point to the firewall itself (such as Mail, News, FTP, NS and WWW). It also has specific entries for the domain so that connections can be conveniently made using only the organizational domain name and whatever additional hostname is specified for the firewall. The External DNS also automatically installs NS and wildcard MX records that point to the firewall. Additional backup MX and secondary NS records can be configured by the administrator. No internal information is available to the External DNS and only the External DNS can communicate with the outside. Therefore, no internal naming information can be obtained by anyone on the outside. The External DNS cannot query the Internal DNS or any other DNS inside the firewall.
- Internal DNS - The Internal DNS is automatically configured with some initial information and can have additional hosts added via the administrator interface. Other internal domains or sub-domains can be primaried, secondaried or delegated to other internal nameservers. The ability to prime the internal DNS by downloading host and NS delegation information from an existing DNS is available in the next major release. The information managed by the Internal DNS is only available to internal machines. The Internal nameserver cannot receive queries from external hosts since it cannot communicate directly with the external network. Resolution of external DNS information, both for the firewall itself and to handle internal queries for external information, is handled by the internal nameserver. Although it is unable to communicate directly with the external network, it is able to send queries and receive the responses via the External DNS.
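The two-server arrangement above is easier to reason about as code. The following is an added example, not BorderWare's own DNS implementation: the zone contents, the organization name example.com and the addresses are constructed, and "the Internet" is a stand-in dictionary. It shows the three properties the text promises: the external view only ever names the firewall, an outside query can never reach internal data, and internal clients still resolve outside names by going through the external server.

```python
# Constructed zone data for a hypothetical organization "example.com".
# External view: every published name points at the firewall itself.
EXTERNAL_ZONE = {
    "example.com.":      {"NS": ["fw.example.com."], "MX": ["10 fw.example.com."]},
    "fw.example.com.":   {"A": ["203.0.113.1"]},
    "mail.example.com.": {"A": ["203.0.113.1"]},
    "www.example.com.":  {"A": ["203.0.113.1"]},
    "ftp.example.com.":  {"A": ["203.0.113.1"]},
}
# Internal view: real hosts on the protected LAN; the firewall's inside address.
INTERNAL_ZONE = {
    "fw.example.com.":      {"A": ["10.1.0.1"]},
    "payroll.example.com.": {"A": ["10.1.0.20"]},
    "hr.example.com.":      {"A": ["10.1.0.21"]},
}
# Stand-in for what the External DNS would learn by recursing into the Internet.
INTERNET = {"www.example.net.": {"A": ["198.51.100.7"]}}


def external_dns(name, rtype):
    """Answers anyone, but only ever sees EXTERNAL_ZONE and the Internet; never INTERNAL_ZONE."""
    record = EXTERNAL_ZONE.get(name)
    if record is not None:
        return record.get(rtype, [])
    if name.endswith(".example.com."):
        # Wildcard MX: mail for any name under the organization routes to the firewall,
        # and any other record type for an unpublished name simply does not exist here.
        return ["10 fw.example.com."] if rtype == "MX" else []
    return INTERNET.get(name, {}).get(rtype, [])


def internal_dns(name, rtype, from_external=False):
    """Answers internal clients only; forwards outside names to external_dns, never to the Internet."""
    if from_external:
        return None   # unreachable from outside: no path exists to this server
    record = INTERNAL_ZONE.get(name)
    if record is not None:
        return record.get(rtype, [])
    if name.endswith(".example.com.") and name not in EXTERNAL_ZONE:
        return []     # unknown local name: answer locally rather than leak the query outward
    return external_dns(name, rtype)   # the only route to external information


if __name__ == "__main__":
    print("outside asks for payroll A:", external_dns("payroll.example.com.", "A"))
    print("outside asks for payroll MX:", external_dns("payroll.example.com.", "MX"))
    print("inside asks for payroll A:", internal_dns("payroll.example.com.", "A"))
    print("inside asks for www.example.net A:", internal_dns("www.example.net.", "A"))
```

Note that fw.example.com. resolves to a different address in each view, which is exactly what lets internal clients use one hostname for the firewall without the internal address ever leaving the LAN.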
Mail Servers (SMTP and POP)
The BorderWare mail system was originally designed with a security model in mind, as shown on figure 14.123. It is based on ZMailer, a mature mail system in use on major Internet gateways. The author has made further specific enhancements for the BorderWare product.
The system consists of independent programs for SMTP reception, routing decisions, SMTP delivery, delivery scheduling, and other work. ZMailer has no code relation to Sendmail and has not in the past been susceptible to any of the security problems with Sendmail. In this product it also runs without special privileges in an isolated environment.
The BorderWare mail system can act as a corporate Internet or SMTP mail gateway. It allows the administrator to explicitly specify mail routing information so that a subversion of DNS data cannot be used to hijack mail. It is also an example of how the two-faced nature of the BorderWare system extends into application-level functionality. The mail system can easily be configured to completely hide the structure of an internal mail environment from the outside world without the inside users being aware of this. It is capable of arbitrarily mapping from internal addresses to external addresses, as may be desired due to either information leakage or corporate image considerations. The virtual division of views is carried to the point of foiling external email probe attempts, and manipulating outgoing message headers to remove any internal naming information that would otherwise be leaked.
Mail Domain Name Hiding
With BorderWare, if you ever decide to map several internal subdomains to a single organizational external domain at your company, the potential conflicts due to non-unique user ids can be resolved automatically by the mail system in its "training" mode. When that feature is enabled, new internal email addresses that arrive on the BorderWare Firewall are translated into unique externally visible addresses. If desired you can later disable the auto-creation feature and begin exercising manual control over the mappings. This allows an easy introduction of this kind of control into an existing gatewayed environment. It also allows administrative control over access to Internet email on a per-user basis. The administrator is of course always able to explicitly create or delete mappings between internal and external addresses.
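As an added illustration of the "training" mode described above (this is not BorderWare's mail system; the external domain, the internal subdomains and the collision-resolution scheme are all constructed for the example), the mapper below auto-creates a unique external address the first time an internal sender is seen, resolves clashes between identical user ids from different subdomains, lets an administrator create or delete mappings explicitly, and, once training is switched off, refuses to pass mail from an unmapped user.

```python
import itertools
import re


class MailAddressMapper:
    """Maps internal addresses (several subdomains) to unique addresses in one external domain."""

    def __init__(self, external_domain, internal_domains, training=True):
        self.external_domain = external_domain
        self.internal_domains = set(internal_domains)
        self.training = training        # auto-create mappings for newly seen internal senders
        self.int_to_ext = {}
        self.ext_to_int = {}

    def add_mapping(self, internal, external):
        """Explicit administrative control: create or replace one mapping."""
        owner = self.ext_to_int.get(external)
        if owner is not None and owner != internal:
            raise ValueError(f"{external} is already assigned to {owner}")
        old = self.int_to_ext.get(internal)
        if old is not None:
            del self.ext_to_int[old]
        self.int_to_ext[internal] = external
        self.ext_to_int[external] = internal

    def delete_mapping(self, internal):
        external = self.int_to_ext.pop(internal)
        del self.ext_to_int[external]

    def is_internal(self, address):
        return address.rpartition("@")[2] in self.internal_domains

    def _candidates(self, internal):
        """Preferred external form first, then collision-resolving alternatives (constructed scheme)."""
        local, _, domain = internal.partition("@")
        yield f"{local}@{self.external_domain}"
        yield f"{local}.{domain.split('.')[0]}@{self.external_domain}"
        for n in itertools.count(2):
            yield f"{local}{n}@{self.external_domain}"

    def outbound(self, internal):
        """External address for an internal sender, or None if unmapped and training is off."""
        if internal in self.int_to_ext:
            return self.int_to_ext[internal]
        if not self.training:
            return None
        for candidate in self._candidates(internal):
            if candidate not in self.ext_to_int:
                self.add_mapping(internal, candidate)
                return candidate

    def inbound(self, external):
        """Internal delivery address for an externally visible one, or None if unknown."""
        return self.ext_to_int.get(external)


ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def rewrite_outgoing_header(line, mapper):
    """Rewrite internal addresses in an outgoing header line; return None if the message must be refused."""
    rejected = []

    def swap(match):
        addr = match.group(0)
        if not mapper.is_internal(addr):
            return addr              # outside addresses are left untouched
        external = mapper.outbound(addr)
        if external is None:
            rejected.append(addr)    # no mapping and training is off: user has no Internet mail
            return addr
        return external

    rewritten = ADDRESS_RE.sub(swap, line)
    return None if rejected else rewritten


if __name__ == "__main__":
    m = MailAddressMapper("example.com", ["sales.example.com", "eng.example.com"])
    print(rewrite_outgoing_header("From: jsmith@sales.example.com", m))
    print(rewrite_outgoing_header("From: jsmith@eng.example.com", m))   # same id, other subdomain
    print(m.inbound("jsmith.eng@example.com"))
```

The reverse table is what makes the hiding safe in both directions: replies to the generated external address are delivered to the right internal mailbox, while nothing about the subdomain structure appears in the outgoing header.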
POP Mail Server
In addition, the BorderWare system contains a POP3 server so that it can be used to directly support a typical client/server mail environment that uses commercial PC/Mac-based software. User mailboxes defined on the BorderWare Firewall Server take precedence over the internal message routing information. People within a single internal administrative subdomain can be given the option of whether they prefer to use POP mail or a traditional host-based mail system.
Anonymous FTP Server
BorderWare incorporates a secured anonymous FTP server which provides read-only access to a protected and limited file hierarchy. The GUI provides a mechanism to enable a writeable incoming directory to allow the sending of files to the firewall. An administrative account, only accessible from the internal network, is the single method of accessing and maintaining the data areas.
BorderWare incorporates a secured and self-maintaining NNTP-based news server. It accepts an Internet news feed from designated external systems, usually your Internet service provider's news machine(s). The news can be read directly from BorderWare with standard PC or UNIX news reader clients. Also, the news can be fed to internal or external sites. No maintenance is required for the news server as there is auto-addition of new newsgroups and auto-deletion of old news.
BorderWare incorporates a secured HTTP server. It will respond to internal or external requests for files from a limited file hierarchy. Internal users will be transparently proxied to other Internet WWW servers. However, external users will never be able to access any WWW server running on the internal network.
Finger (Information) Server
Finger is a standard utility that can be used for probing systems and it is useful to know who is examining your system. The BorderWare finger (information) server will respond to a request by displaying a customizable file. This file usually contains static information about your company such as phone numbers and addresses. The full request is logged.
Using a DES-encryption-based electronic challenge and response authentication card, you can Telnet or FTP to the internal network from an external network. As soon as you request a Telnet or FTP session, you are prompted with an eight-digit challenge number; the card computes the matching response from that challenge. The next Telnet or FTP attempt is given a different challenge and requires a different response, so a captured response is useless for a later login.
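The exchange above, as an added example rather than the vendor's implementation: the server side issues an eight-digit challenge, the "card" derives the response from a secret it shares with the server, and the server accepts each challenge once. The page's card uses DES; this example substitutes HMAC-SHA256 truncated to eight digits so that it runs with the standard library alone, and the user name, secret and injectable random source are assumptions for the example.

```python
import hashlib
import hmac
import secrets


def card_response(secret, challenge):
    """What the token computes from the displayed challenge (HMAC-SHA256 stands in for DES here)."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ChallengeResponseServer:
    """Firewall side: issues single-use eight-digit challenges and checks the responses."""

    def __init__(self, user_keys, rng=secrets.randbelow):
        self.user_keys = user_keys   # user -> secret provisioned on that user's card
        self.rng = rng               # injectable so the exchange can be reproduced in a test
        self.pending = {}            # user -> challenge currently outstanding
        self.used = set()            # (user, challenge) pairs that must never be reissued

    def issue_challenge(self, user):
        """Pick a fresh challenge for this user; a repeated value would let an old response replay."""
        while True:
            challenge = f"{self.rng(10**8):08d}"
            if (user, challenge) not in self.used:
                break
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        """Accept exactly one response per issued challenge; consume the challenge either way."""
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False             # nothing outstanding: replay or out-of-order attempt
        self.used.add((user, challenge))
        expected = card_response(self.user_keys[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed credentials for a walk-through.
    server = ChallengeResponseServer({"alice": b"example-card-secret"})
    c = server.issue_challenge("alice")
    r = card_response(b"example-card-secret", c)
    print("challenge", c, "response", r, "accepted:", server.verify("alice", r))
    print("replaying the same response:", server.verify("alice", r))
```

Two details carry the security argument: the comparison is constant-time, and the challenge is removed from the pending table before the answer is checked, so a wrong guess costs the attacker a fresh challenge rather than a second try at the same one.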
BorderWare has a built-in mechanism for automatic nightly backup. First, it does a backup of your configuration files onto a floppy diskette. It also backs up all your anonymous FTP directories, WWW data, and Finger server data on 4mm DAT tape. News data is not backed up for obvious reasons because of the amount of space it would use. When upgrading your software, you simply restore your configuration from the diskette and restore your data files from tape in minutes. The backup is also very useful if your system crashes due to any hardware failure.
The BorderWare Firewall Server is unique in integrating secure application servers as part of the basic system. Each server has been designed from the ground up with security in mind. This alleviates the necessity for you to modify and harden your own server application or machine as is required by some firewalls. Figure 14.124 gives an overview of the Secure Server Net (SSN).
The BorderWare Firewall Server is built upon a version of UNIX that has been hardened to protect against security violations. The operating system has been modified so that even if an attacker did gain access to the firewall through a service s/he would be unable to affect the other application systems or gain access to your internal network.
The BorderWare Firewall Server has secure versions of most Internet services and networking tools including:
- dual Domain Name Servers (internal and external)
- a secure SMTP server
- a secure anonymous FTP server
- a secure World Wide Web server
- a secure Finger Information server
A variety of mechanisms are used to further enhance the integrity of the BorderWare Firewall Server and protect the internal network from unauthorized access such as:
- internal IP addresses are hidden so all internally originated traffic appears to come from the firewall itself
- lures and other mechanisms to detect probing from Internet
- challenge/response authenticated inbound Telnet access
- alarms triggered from external/internal probes
- file integrity checking to protect from subversion of the firewall software
Ukiah Software’s NetRoad Firewall: a Multi-Level Architecture Firewall
Ukiah Software is a Silicon Valley-based developer of Internet and Intranet software products. Their mission is to deliver solutions for secure information access over the Internet and Intranet, in environments requiring multi-platform and multi-protocol support. Ukiah is the only company offering advanced firewall products for heterogeneous TCP/IP and IPX/SPX environments, running on NetWare and Windows NT. Their firewall is also one of the most manageable firewalls on the market today, through its integration with NDS.
Ukiah's flagship product, NetRoad Firewall, delivers advanced multi-level security incorporating application level gateway, circuit level gateway and packet level filtering functionality. This multi-level architecture delivers the highest level of firewall security in repelling an extremely broad array of security attacks.
Figure 14.125 is a screenshot of Ukiah’s Web site.
For more information, contact Ukiah Software, 2155 South Bascom Avenue, Suite 210, Campbell, CA 95008, (800) 988-5424 or (800) 98-UKIAH, Fax: (408) 369-2899. Via e-mail, firstname.lastname@example.org, or on the Web at http://www.ukiahsoft.com.
NetRoad FireWall for Windows NT and NetWare
NetRoad FireWall, as seen on figure 14.126, provides multi-level firewall security and network address translation for TCP/IP as well as IPX clients. It is the only one of its kind on the market today. It runs integrated with Windows NT Domains, or can be integrated with Novell's NDS. For NetWare, NetRoad FireWALL is directly integrated with NDS.
Ukiah Software’s NetRoad FireWall provides a security firewall for both your TCP/IP and your IPX clients. By combining in a single, integrated product the capabilities of both an IP firewall and an IPX/IP gateway, FireWall delivers seamless security for mixed protocol networks. No need for separate firewalls and IPX/IP gateways. And, FireWall allows you to secure your entire network in an easily managed way, from a single management console integrated into NDS or other LDAP-compliant directory service.
The following is a list of the key features of NetRoad:
- Two products in one--an IP firewall and an IPX/IP gateway
- First-class IP firewall security for Internet and Intranet connections
- Secure IP connectivity for both IP and IPX clients
- Integrated with Novell Directory Services (NDS) and Windows-based management
- Available for NetWare and NT
Security for Mixed Protocol (IP and IPX) Networks
With mixed IP and IPX protocol networks now the norm in most organizations, a firewall must offer Internet connectivity and security to both. NetRoad FireWALL provides an IP firewall and Network Address Translation (NAT) to hide your internal addresses from the Internet. It also transparently controls the full range of TCP/IP operating systems and applications.
Various alternatives to providing security in mixed protocol networks do exist, but all represent only a fraction of the total required solution:
- IPX/IP gateways provide Internet connectivity for IPX clients, but the security is very basic. Application security, for example, is generally based only on TCP ports - some products also support ICMP or UDP port-based filtering. The security focus with most of these gateway products is on controlling outbound access, not on dealing with the more serious problem of inbound network access. More importantly, these gateways do nothing to provide security for IP clients.
- Filtering bridges or packet-level filtering by routers are partial solutions, but they also have major security limitations (see section on Types of Firewalls), and don't support Internet services for IPX clients.
- IP firewalls can provide great security (as long as they provide capabilities up to and including an application level gateway), but they only support IP clients - not IPX.
- Dual-protocol-stack clients can be implemented to get around the IP-only nature of the Internet and of IP firewalls, but this is complex to implement and manage and is likely to be a nightmare for network administrators.
Only NetRoad provides a true firewall today running on NetWare, and also on any platform - NetWare, Windows NT or other - that provides both an integrated IP firewall and an IPX/IP gateway. No other product family offers integrated firewall support for both IP and IPX clients, and also offers this firewall on both NetWare and Windows NT servers. Figure 14.127 illustrates this concept.
As previously discussed, the most secure form of firewall is a 'multi-level firewall' - one which combines packet filtering, a circuit-level gateway, and an application-level gateway firewall to provide defense in depth (see figure 14.128). Since security attacks can and will come at any level that exposes security vulnerabilities, the combination of multiple levels of security is the only way to have a fighting chance against the determined attacker.
For IPX clients, FireWALL provides an IPX/IP gateway, supporting any Winsock 1.1 compliant TCP-based application such as Web browsers, FTP and Telnet, as well as UDP applications such as RealAudio, most real-time services, DNS, and SNMP.
It also supports ICMP-based ping. It’s simple and inexpensive to install, since it doesn't require any changes to IP or IPX stacks, and you don’t have to install or manage a TCP/IP stack on IPX clients!
Simple Management and NDS Integration
FireWALL integrates with Novell Directory Services (NDS). According to the vendor, LDAP-based directory service is soon to be released. This means that FireWALL can execute policies based on users that have already been defined! Additionally, all FireWALL's configuration information can be maintained in a single repository, or replicated across multiple repositories for greater fault tolerance. Besides offering NDS integration, FireWALL for Windows NT can also be managed on a stand-alone basis, without a directory service.
Other management features include:
- Alarms through
- SNMP trap,
- NDS log entry, and
- On-screen messages.
- Statistics that keep tabs on security threats and user activity.
- Remote management, including encryption and authentication, are built into the FireWALL solution.
Multi-level Firewall Security and User Authentication
FireWALL is a multi-level firewall, enforcing security at the network, circuit and application level. Application level inspection modules are provided for the most common applications: HTTP, FTP, Telnet, SMTP, Real Audio, and so on. This architecture provides the highest level of security against the broadest array of security threats.
The multi-level approach also ensures a very flexible degree of control and security policies can be tailored as precisely as required to control traffic. Network traffic passing through the firewall can be filtered based on the following criteria:
- time of day,
- individual application commands, and
- file types, and even right down to the level of individual Web pages.
The addition of three different forms of user authentication (NDS and MD4/MD5 One Time Password) make FireWALL a robust security solution.
NetWare and NT Firewall Support
FireWALL runs on Windows NT 4.0, IntranetWare, and NetWare 4.x. A common feature set is implemented on both the NT and NetWare platforms, so that implementing multiple firewalls on different platforms is transparent to the administrator. Both offer common capabilities, and are managed in a common fashion through NDS. This ensures a strong security system in mixed protocol and mixed platform environments. Whether your long term goal is simply co-existence, or migration to a single protocol and platform, FireWALL offers you a choice.
NetRoad FireWALL can be used in a wide variety of network configurations, as seen on figure 14.129, including:
- IPX clients only
- TCP/IP clients only
- Mixed protocol configurations (the most common network configuration)
The platform on which FireWALL runs can be either NetWare 4.x or IntranetWare, or Windows NT. Access from the firewall to the Internet can be provided via a stand-alone router (such as Cisco, Bay Networks etc.) or the multi-protocol routing (MPR) capability in NetWare itself.
A highly efficient application implementation delivers high throughput and hence maximum performance for client applications. With 95% throughput efficiency, FireWALL has the performance edge for Internet and high-speed intranet connections.
Future Evolution of the NetRoad FireWALL Platform
According to Ukiah, the NetRoad FireWALL platform is designed to be just that: a platform. Its robust design will allow it to continue to evolve over the long term, adding new capabilities through the simple integration of third-party products, such as encryption and user authentication applications, as well as through new features and modules added by Ukiah itself, as shown on figure 14.130.
FireWALL has many advantages that make it singularly well-suited to play the platform role over the long term. Examples of these advantages include:
- Multi-protocol architecture that supports complex networks
- Portability across operating system platforms, both stand-alone and embedded
- Multi-layered security that ensures maximum flexibility to meet the security threats of today and tomorrow
- Integration into directory services and network management platforms that ensures a cohesive, easy to manage system for organizations large and small
- Extensibility of NetRoad FireWALL's policy-based architecture that allows the incorporation of other application modules that add new facets to the platform, beyond network security.
The following are the requirements for FireWALL Server for NetWare:
- NetWare 4.x or IntranetWare
- Novell's TCP/IP stack
- At least 2 network interface cards
- Pentium 133 or higher
- 20MB free disk space
- 16MB RAM
As for FireWALL Server for Windows NT the requirements are:
- Windows NT 4.0 or later (workstation or server)
- TCP/IP stack
- At least 2 network interface cards
- Pentium 200 or higher
- 20MB free disk space
- 200MB swapfile size
- 32MB RAM
For the Remote Administrative Console, these are the requirements:
- FireWALL for NetWare and Windows NT: If NDS integrated, the requirement is Windows 3.x, Windows 95 or Windows NT 3.51 or later.
- FireWALL for Windows NT: Also manageable locally without a remote console.
Secure Computing’s Sidewinder Firewall: a Type Enforcement Security
Headquartered in St. Paul, Minn., Secure Computing is one of the largest network security companies in the world. Secure Computing's services and comprehensive suite of interoperable products address every aspect of enterprise network security including consulting services, firewalls, Internet monitoring and filtering, identification, authentication, authorization, accounting and encryption technologies. The only network security company that provides end-to-end network solutions encompassing all universal enterprise security standards, Secure Computing has more than 4,000 customers worldwide, ranging from small businesses to Fortune 500 companies and government agencies.
Figure 14.131 is a screenshot of Secure Computing’s Web site.
For more information, contact Secure Computing at 2675 Long Lake Road, Roseville, MN 55113. Tel +1.612.628.2700 Fax +1.612.628.2701. Or via e-mail at email@example.com or via the Web at http://www.securecomputing.com.
The Sidewinder Security Server
The Sidewinder Security Server is a network security gateway that stands between your internal computer network and the Internet and protects your network from unauthorized access. The Sidewinder uses Secure Computing's patented Type Enforcement security to ensure that attackers cannot infiltrate your protected network. For the past several years, the Sidewinder has been setting the industry standard in perimeter security.
The Sidewinder software runs on a Pentium-based computer with separate connections to a trusted and an untrusted network. Because it runs on standard hardware platforms and uses standard network interfaces, the Sidewinder can be integrated into almost any network configuration, as shown on figure 14.132.
The Sidewinder can give your organization the flexibility to implement and enforce even the most complex security policies. Sophisticated access controls and advanced filtering mechanisms allow you to control exactly who can access services through the firewall and what types of information they can transmit and receive. Encryption and authentication options provide even tighter security and allow organizations to create a virtual private network across the Internet.
An easy-to-use interface provides you, as an administrator, with a variety of tools for configuring and managing the Sidewinder, and the system can be administered locally or remotely. You can monitor network activity to detect unusual events that might indicate someone is trying to circumvent the security measures. You can also direct the Sidewinder to automatically gather information on these attempts and to try to identify the intruder.
By providing advanced technologies and filtering, the Sidewinder goes beyond traditional firewalls. It allows your organization to safely connect to an untrusted network and provides a gateway to help maximize an organization's Internet productivity.
The Patented Type Enforcement Security
Secure Computing's patented Type Enforcement technology, a key component of the Sidewinder Security Server, provides network security protection that is unique to the industry. Type Enforcement is software that greatly tightens security in the BSD UNIX operating system (BSD/OS) kernel, which is used on the Sidewinder. Implementing Type Enforcement within the operating system itself assures the highest level of security. It is impossible for any program executing on a Sidewinder with Type Enforcement to bypass the security features it provides.
The Sidewinder runs two different UNIX kernels that are used for different purposes. When the system is running and connected to its networks, it uses the operational kernel. When the operational kernel is booted, the Type Enforcement controls described in this section are in effect and cannot be disabled by any program running on the system. When an administrator needs to perform special tasks, such as restoring files, the Sidewinder runs in the administrative kernel. When the administrative kernel is running, the Sidewinder's network connections are disabled, so the system is isolated and protected.
The operational kernel divides the entire Sidewinder system into process domains and file types, as shown on figure 14.133.
Process domains are execution environments for applications such as FTP and Telnet. A process domain is set up to handle one kind of application, and each application runs in its own domain. File types are named groups of files and subdirectories. A type can include any number of files, but each file on the system belongs to only one type.
Type Enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its task. On the Sidewinder, Type Enforcement enforces the least privilege concept by controlling the interactions between domains and file types, where:
- Each process domain on the Sidewinder is given access to only specific file types. If a process attempts to reference a file belonging to a type that it does not have explicit permission to access, the reference fails as though the file does not exist.
- Applications must usually collaborate with applications in other domains in order to do their job. On a typical system, this collaboration is done using the system's interprocess communications facility, which also opens up opportunities for breaching security. Type Enforcement eliminates this security risk by strictly controlling any communication between process domains. If a program in the process domain attempts to signal, or otherwise communicate with, a domain it does not have explicit permission to access, the communication attempt will fail.
- Most applications need to call operating system functions at times, but this can enable malicious users to access the kernel directly and compromise the system. To prevent this, Type Enforcement explicitly specifies which system functions can be called from each domain.
- One of the greatest security risks on a typical UNIX system is system administration, because of the high level of privileges needed to successfully manage and configure system resources. UNIX allows a user to log in as "super-user" (root), which gives the user access to all files and applications on the system. Under Type Enforcement, there is no super-user status. Each process domain is administered separately and is assigned its own administrative role. Each role is assigned only the privileges needed to administer a specific process domain. For example, if a user logs in using an account that is assigned the Web administrator role, that user cannot perform administrative tasks for mail or FTP.
Figure 14.134 illustrates how Type Enforcement controls a domain's access to files of different types. Any time a process tries to access a file, the Type Enforcement controls determine whether the access should be granted; these controls cannot be circumvented. In Figure 14.134, for example, a process running in Domain A is attempting to access File Type X; Type Enforcement denies this request. A process in domain B is permitted access to File Type X and File Type Z, while the process in domain C is granted access to File Type Y.
You can see the effects of Type Enforcement by looking at an example, such as mail services (mail services are notorious for security risks). Type Enforcement controls the mail server process by:
- Providing the mail process with access to only those files it needs to save and obtain mail.
- Permitting the mail process to communicate only with those processes it needs to transfer mail.
- Allowing the mail process to make only the system calls that are necessary for mail handling.
- Restricting mail administration capabilities to only those accounts that have been assigned the mail administration role.
Using the mail example, you can see how Type Enforcement provides restriction and containment. Even if an attacker managed to discover and exploit a weakness in the mail server, the attacker is restricted from entering another domain. Any resulting damage is contained within the mail domain, and applications executing in other domains are not affected. There is no way to gain access to the root directory, for example, or to break into any other part of the system.
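The domain/type controls just described, as an added toy model (this is not Secure Computing's code): the domain names, file types, paths and policy table are constructed to mirror the mail example, and the containment report shows what code in the mail domain can and cannot reach.

```python
"""Toy model of Sidewinder-style Type Enforcement, added here as an example;
it is not Secure Computing's code. Domain names, file types, paths and the
policy table are constructed to mirror the mail example in the text."""
from dataclasses import dataclass, field


class TEDenied(Exception):
    """Raised when a domain attempts an access its policy does not grant."""


@dataclass
class DomainPolicy:
    file_types: set = field(default_factory=set)    # file types the domain may reference
    peer_domains: set = field(default_factory=set)  # domains it may signal or talk to
    syscalls: set = field(default_factory=set)      # kernel functions it may call
    admin_role: str = ""                            # the one role that administers it


# Constructed policy: each domain is granted only what its job needs.
POLICY = {
    "mail": DomainPolicy({"mail_spool", "mail_conf"}, {"mail"},
                         {"open", "read", "write", "socket"}, "mail_admin"),
    "web":  DomainPolicy({"web_docs", "web_conf"}, set(),
                         {"open", "read", "socket"}, "web_admin"),
    "ftp":  DomainPolicy({"ftp_pub"}, set(), {"open", "read", "socket"}, "ftp_admin"),
}

# Constructed file-to-type assignment: every file belongs to exactly one type.
FILE_TYPE = {
    "/var/spool/mail/alice": "mail_spool",
    "/etc/sendmail.cf": "mail_conf",
    "/var/www/index.html": "web_docs",
    "/etc/httpd.conf": "web_conf",
    "/pub/README": "ftp_pub",
    "/etc/passwd": "system_conf",  # no application domain is granted this type
}


def open_file(domain, path):
    """Return the file's type if `domain` may reference it. A file of a type the
    domain is not granted is invisible to it: the reference fails as though
    the file did not exist."""
    ftype = FILE_TYPE.get(path)
    if ftype is None or ftype not in POLICY[domain].file_types:
        raise FileNotFoundError(path)
    return ftype


def signal_domain(src, dst):
    """Inter-domain communication succeeds only when explicitly granted."""
    if dst not in POLICY[src].peer_domains:
        raise TEDenied(f"{src} may not communicate with {dst}")
    return True


def syscall(domain, name):
    """Each domain may call only the kernel functions listed for it."""
    if name not in POLICY[domain].syscalls:
        raise TEDenied(f"{domain} may not call {name}")
    return True


def may_administer(role, domain):
    """No super-user: a role administers exactly one domain."""
    return POLICY[domain].admin_role == role


def _attempt(fn, *args):
    """Run one access attempt and report 'allowed' or the denial it hit."""
    try:
        fn(*args)
        return "allowed"
    except FileNotFoundError:
        return "not found"
    except TEDenied:
        return "denied"


def containment_report():
    """What code running in the mail domain can and cannot reach, even if the
    mail server itself has been subverted: damage stays inside the domain."""
    return {
        "own_spool": _attempt(open_file, "mail", "/var/spool/mail/alice"),
        "passwd_file": _attempt(open_file, "mail", "/etc/passwd"),
        "web_docs": _attempt(open_file, "mail", "/var/www/index.html"),
        "signal_web": _attempt(signal_domain, "mail", "web"),
        "setuid_call": _attempt(syscall, "mail", "setuid"),
        "web_admin_on_mail": may_administer("web_admin", "mail"),
    }
```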
The Sidewinder's remote management capability is crucial for solving the network administration concerns of large organizations with remote or branch offices. The ability to configure remote systems from a centralized location provides an additional layer of information security control. By adding strong authentication and virtual private network (VPN) capabilities to a Sidewinder, secure remote management becomes a reality.
The Sidewinder provides all of the basic Internet services your site needs, along with sophisticated controls that allow your organization to easily allow or deny user access to these services.
These controls are configured in the Access Control List (ACL), a database of configurable rules. Each rule determines whether or not a user program may open a connection to a network service proxy or a server application on the Sidewinder. The connection request may originate from either an internal network or the Internet. When a network connection is requested, the Sidewinder checks the ACL entries to determine whether to allow or deny the connection.
For example, your organization may want to allow all internal users to access the World Wide Web at any time, or you might want to allow Web access by only specific users on certain internal systems at certain times of the day. You may want to allow Internet users to access an FTP server located on the Sidewinder, or you may want to allow certain Internet users to access an internal system situated behind the Sidewinder.
The Sidewinder's interface provides an easy way of configuring ACL entries, as shown below. When the Sidewinder is installed, the initial ACL database contains entries that allow certain connections from the internal network to the Internet. You can then add, modify, or delete individual Access Control List entries and configure them as necessary according to the requirements of your organization's security policy. At any time, as shown on figure 14.135, you can quickly change the ACL entries to make new services available and to loosen or tighten access restrictions based on your organization's unique needs.
The ACL is extremely flexible and allows organizations to restrict connections based on the following criteria:
- Source or destination burb - A burb is a type-enforced network area used to isolate network interfaces from each other. You can allow or deny connections based on the source burb, the destination burb, or both.
- Source or destination network object type or group - You can allow or deny connections based on a source network object, a destination network object, or both, as shown on figure 14.136. A source or destination object can be an IP address, a host name, a domain name or a subnet. In addition, you can set up network groups composed of any combination of these objects. For example, you may want to allow Telnet access from several specific host computers and IP addresses residing on your internal network. You can easily create a group comprising these host names and IP addresses. Then, you can quickly create an ACL entry allowing Telnet access for this group rather than creating separate ACL entries for each host name and IP address.
- Type of connection agent - You can configure an ACL entry to allow or deny connections based on the software agent in the Sidewinder that is providing the connection. One type of agent is a proxy, which allows communication through the Sidewinder without any direct contact between systems on opposite sides of the firewall. A second type of agent is a server, which provides a service on the Sidewinder itself, such as FTP. The third type of agent is a Network Access Server (NAS), which provides dial-up connectivity from a bank of modems.
- Type of requested network service - You can allow or deny connections based on the type of service that is being requested. The Sidewinder provides proxies for most popular Internet services. These are pre-configured and set up to use standard port numbers. These include AOL, FTP, Web (http), Real Audio and Telnet. In addition, you can set up your own UDP or TCP proxy by configuring a port for a specific service. For example, you can set up a UDP proxy to allow you to route Simple Network Management Protocol (SNMP) messages through the Sidewinder.
You can also set up rules that are unique to some network services. For example, FTP can be controlled by a rule that allows only GET operations, thus preventing it from writing to the server. Similarly, you can control access to Web services based on a Web site's content using Secure Computing's SmartFilter™ technology.
- User requesting the connection - For services that support authentication (such as Web and FTP), you can restrict access based on the user requesting the connection.
Authentication: You can set up a rule requiring the Sidewinder to authenticate the requester's identity before granting the connection request. You can use standard password authentication, or you can implement strong authentication to provide tighter security. Strong authentication methods that are supported include LOCKout DES, LOCKout FORTEZZA and the SafeWord Authentication Server, which are all premium features available for the Sidewinder. (See the "Premium Features" section for more information.) You can also use strong authentication provided by a Defender Security Server or an ACE/Server.
- Time and day of the connection request - You can specify the day and/or time of day when a connection is permitted. For example, you could allow internal access to certain Internet services during the times when your site's network traffic is lightest.
- Encryption - You can configure an ACL entry that requires the incoming connection request to be encrypted. This is a premium feature available when you purchase the Sidewinder's IPSEC software option. See the "Premium Features" section for more information.
- Redirection - For added security on external-to-internal connections, you can redirect a connection. Setting up an ACL entry for redirection tells the Sidewinder to route the requested connection to a different address or a different port on the internal network. For example, if you wanted to allow external access to an internal FTP system, you would publish the Sidewinder's address as the address of that internal system. When someone attempts the connection, the Sidewinder would route it to the appropriate internal destination.
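An added example evaluator for the ACL criteria listed above (not Secure Computing's code): the burb names, network objects, groups, rules, sample requests and the rule semantics (first matching entry decides, default deny, a matched entry that requires authentication or encryption denies a request lacking it) are all constructed.

```python
"""Toy evaluator for Sidewinder-style ACL entries, added here as an example;
it is not Secure Computing's code. Burb names, network objects, rules and the
rule semantics (first match wins, default deny) are constructed."""
import ipaddress
from datetime import datetime

# Constructed network objects: an object is an IP address, a subnet, a host
# name or a domain name; a group is any combination of objects.
NETWORK_OBJECTS = {
    "admin_ws": ("ip", "10.1.1.5"),
    "eng_lan":  ("subnet", "10.1.2.0/24"),
    "partner":  ("domain", "example.net"),
}
NETWORK_GROUPS = {"telnet_ok": ["admin_ws", "eng_lan"]}


def object_matches(name, addr, hostname=""):
    """True when addr (and, for name-based objects, hostname) is in the object."""
    if name == "any":
        return True
    if name in NETWORK_GROUPS:
        return any(object_matches(m, addr, hostname) for m in NETWORK_GROUPS[name])
    kind, value = NETWORK_OBJECTS[name]
    if kind == "ip":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(value)
    if kind == "subnet":
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    if kind == "host":
        return hostname == value
    if kind == "domain":
        return hostname == value or hostname.endswith("." + value)
    return False


# Constructed rules covering the criteria in the text. days are weekday
# numbers (Monday=0); hours is a [start, end) range in local time.
RULES = [
    dict(name="telnet-out", src_burb="internal", dst_burb="external",
         src="telnet_ok", dst="any", agent="proxy", service="telnet",
         auth=True, days=None, hours=None, encrypted=False, redirect=None),
    dict(name="web-weekend-evening", src_burb="internal", dst_burb="external",
         src="eng_lan", dst="any", agent="proxy", service="http",
         auth=False, days={5, 6}, hours=(18, 23), encrypted=False, redirect=None),
    dict(name="ftp-in-partner", src_burb="external", dst_burb="internal",
         src="partner", dst="any", agent="proxy", service="ftp",
         auth=True, days=None, hours=None, encrypted=True,
         redirect=("10.1.3.20", 21)),   # published address maps to internal host
]


def evaluate(req, rules=RULES):
    """Decide a connection request. req keys: src_burb, dst_burb, src_ip,
    src_host (optional), dst_ip, agent, service, authenticated, encrypted,
    when (datetime). Returns a dict with 'action' and the rule that decided."""
    for r in rules:
        if (r["src_burb"], r["dst_burb"]) != (req["src_burb"], req["dst_burb"]):
            continue
        if (r["agent"], r["service"]) != (req["agent"], req["service"]):
            continue
        if not object_matches(r["src"], req["src_ip"], req.get("src_host", "")):
            continue
        if not object_matches(r["dst"], req["dst_ip"]):
            continue
        if r["days"] is not None and req["when"].weekday() not in r["days"]:
            continue
        if r["hours"] is not None and not (r["hours"][0] <= req["when"].hour < r["hours"][1]):
            continue
        # The entry applies; enforce what it requires of the request itself.
        if r["auth"] and not req.get("authenticated", False):
            return {"action": "deny", "rule": r["name"], "reason": "authentication required"}
        if r["encrypted"] and not req.get("encrypted", False):
            return {"action": "deny", "rule": r["name"], "reason": "encryption required"}
        return {"action": "allow", "rule": r["name"], "redirect": r["redirect"]}
    return {"action": "deny", "rule": None, "reason": "no matching ACL entry"}


# Constructed sample requests (11 Aug 1997 is a Monday, 9 Aug 1997 a Saturday).
SAMPLE = {
    "telnet_auth": dict(src_burb="internal", dst_burb="external", src_ip="10.1.2.7",
                        dst_ip="203.0.113.5", agent="proxy", service="telnet",
                        authenticated=True, when=datetime(1997, 8, 11, 10, 0)),
    "web_saturday": dict(src_burb="internal", dst_burb="external", src_ip="10.1.2.7",
                         dst_ip="203.0.113.5", agent="proxy", service="http",
                         when=datetime(1997, 8, 9, 20, 0)),
    "ftp_partner": dict(src_burb="external", dst_burb="internal", src_ip="203.0.113.9",
                        src_host="ftp.example.net", dst_ip="198.51.100.1",
                        agent="proxy", service="ftp", authenticated=True,
                        encrypted=True, when=datetime(1997, 8, 11, 10, 0)),
}
```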
Extensive Event Monitoring
Event monitoring is the process of auditing security-related events and responding to them. Event monitoring is one of the most important Sidewinder features, because it provides you with both the means to detect possible intruders and the information you need to respond to the intrusions.
In Sidewinder terminology, an event is an abnormal security-related incident. For example, as shown on figure 14.137, a connection request from the Internet to an address on the internal network is abnormal, because the Sidewinder does not allow internal network addresses to be made public. An event such as this may mean that someone is probing in an attempt to gain access to the internal network.
The Sidewinder monitors seven different types of events:
- service denials
- attack attempts
- authentication failures for Telnet or FTP proxies
- mail messages that are rejected by a mail filter
- attempted network probes
- exceeded network traffic threshold
- attempts to circumvent Type Enforcement
When the Sidewinder detects one of these events, it responds based on controls set by the administrator. Since most events are unintentional, it isn't practical to respond to every one. When a particular event is repeated during a short time interval, however, it may indicate malicious intent that warrants action.
The Sidewinder administrator specifies when an event will trigger an alarm and when it will be ignored by setting up thresholds. For example, the administrator might specify that five network probe attempts in one hour will trigger an alarm.
Even after authenticating users and restricting access to network resources, an enterprise's security may still be in jeopardy if unauthorized content is allowed to pass between connections. The Sidewinder provides what most security systems do not: advanced filtering technology that lets an organization prevent undesirable messages from flowing between networks.
The Sidewinder contains filtering mechanisms for three major areas of vulnerability:
- electronic mail
- Web pages
- Java applets
An enterprise's email system can be critical to its success. On the other hand, there can be disastrous consequences if an organization's mail system is misused. To further secure the mail system, the Sidewinder provides three kinds of mail filters:
- A binary filter blocks mail that contains binary data such as MIME (multipurpose Internet mail extension) attachments.
- A key word filter blocks mail containing words the administrator specifies.
- A size filter blocks mail messages that are too long.
Using the Sidewinder's interface, an administrator can set up each mail filter individually. A mail map like the one shown below specifies the mail filters to use, the order of filtration and the actions that should be taken when a message passes or fails the filter test. The interface provides a handy tool for visually configuring mail maps, as shown on figure 14.138.
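The three mail filters and a mail map that orders them, as an added example (not Secure Computing's code): the filter settings, the fail actions and the sample messages are constructed, and the binary filter detects attachments by MIME transfer encoding and disposition.

```python
"""Toy Sidewinder-style mail map, added here as an example; it is not Secure
Computing's code. The filter thresholds, fail actions, filter order and the
sample messages are constructed."""
from email import message_from_string


def binary_filter(msg, _cfg):
    """Fail if any MIME part carries binary data: a base64/binary transfer
    encoding or an attachment disposition."""
    for part in msg.walk():
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        disp = (part.get("Content-Disposition") or "").lower()
        if cte in ("base64", "binary") or disp.startswith("attachment"):
            return False
    return True


def keyword_filter(msg, words):
    """Fail if any configured word appears in the subject or a text body."""
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode("utf-8", "replace"))
    blob = "\n".join(text).lower()
    return not any(w.lower() in blob for w in words)


def size_filter(msg, max_bytes):
    """Fail if the serialised message exceeds the configured size."""
    return len(msg.as_string().encode()) <= max_bytes


FILTERS = {"binary": binary_filter, "keyword": keyword_filter, "size": size_filter}

# Constructed mail map: filters run in this order and the first failure
# decides the action; a message that passes every filter is delivered.
MAIL_MAP = [
    ("size", 1024, "reject"),
    ("binary", None, "quarantine"),
    ("keyword", ["confidential", "payroll"], "hold"),
]


def apply_mail_map(raw, mail_map=MAIL_MAP):
    """Return ('deliver', None) or (fail_action, name_of_failing_filter)."""
    msg = message_from_string(raw)
    for name, cfg, fail_action in mail_map:
        if not FILTERS[name](msg, cfg):
            return fail_action, name
    return "deliver", None


# Constructed sample messages.
CLEAN = "From: a@example.org\nTo: b@example.org\nSubject: lunch\n\nNoon?\n"
ATTACH = (
    "From: a@example.org\nTo: b@example.org\nSubject: report\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=XX\n\n"
    "--XX\nContent-Type: text/plain\n\nSee attached.\n"
    "--XX\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=x.bin\n\nAAAA\n--XX--\n"
)
LEAK = "From: a@example.org\nTo: c@example.net\nSubject: payroll export\n\nSee below.\n"
HUGE = CLEAN + "x" * 2000
```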
Web page filtering
In addition to being a valuable source of information, Web pages are becoming increasingly important for Internet commerce and remote education. Indiscriminate access to Web pages, however, can lower productivity or even cause legal problems in an organization. The Sidewinder's SmartFilter™ technology allows your organization to capitalize on the Web's benefits while controlling Web access.
SmartFilter allows a Sidewinder administrator to specify which Web pages from the list provided should be inaccessible, as seen on figure 14.139. For example, you might choose to block access to Web sites dealing with crime, games or gambling. Note that you can combine this filtering with access control options to narrowly define when specific types of Web sites can be accessed. You might allow game sites to be available on weekends or during evenings, for instance.
Java applet filtering
Java applets are essentially executable programs referenced by Web pages. While they are extremely useful for expanding the Web page capabilities, they can also be put to malicious uses, such as tying up a client machine's resources or duping a user into providing authentication passwords. To combat this threat, the Sidewinder allows you to deny download requests for Java files.
IBM’s Internet Connection Secure Server Firewall: a Type Enforcement Security
Who doesn’t know IBM? IBM creates, develops and manufactures the industry's most advanced information technologies, including computer systems, software, networking systems, storage devices and microelectronics.
IBM has two fundamental missions: they strive to lead in the creation, development and manufacture of the most advanced information technologies, and they translate advanced technologies into value for customers as the world's largest information services company. Their professionals worldwide provide expertise within specific industries, consulting services, systems integration and solution development and technical support.
Figure 14.140 is a screenshot of IBM’s Web site.
For more information, contact IBM North America, 1133 Westchester Avenue, White Plains NY 10604, telephone (520) 574 4600 or toll free number (for use within the United States) 1 800 IBM 3333. You can also contact them via e-mail at firstname.lastname@example.org or visit their Web site at http://www.ics.raleigh.ibm.com/
The IBM Firewall V3.1 for AIX
IBM Firewall Version 3 Release 1.1 for AIX is the latest release of IBM's award-winning firewall. It is available for RS/6000 machines running AIX. This product reflects IBM's commitment to delivering versatile security solutions, implementing not just one of the firewall technologies but several. The flexibility of the IBM Firewall, the addition of an innovative graphical user interface, and powerful administration and management tools make the IBM Firewall a leader in Internet security offerings.
For over a decade, IBM has used the IBM Firewall to protect its own corporate networks. With access to the Internet from internal IBM networks, IBM can be confident that with the IBM Firewall in place those internal, secure networks will stay that way.
The IBM Firewall stops network intruders in their tracks. It combines all three leading firewall architectures (application proxies, SOCKS circuit gateway, and filtering) in one flexible, powerful security system. It runs on an IBM RS/6000 workstation with AIX Version 4.1.5 or 4.2. And, as an e-business enhancer, it supports the IBM Network Computing Framework for e-business.
The Java-based graphical user interface (GUI) offers an easy-to-use and safe tool for administrators. Easy-to-use because the interface is interactive and dynamic. Safe because Java applets are installed on the administrator's workstation instead of on the network.
Navigation through the interface itself is easy, thanks to a navigation tree that is always visible for guidance. Through this navigation tree, administrators can easily find their way around the GUI and move from one task to another. Help with using the GUI is available in several different forms, from context-sensitive help to immediate access to the online documentation. Figure 14.141 shows the main panel of the GUI.
The IBM Firewall also eases your administrative tasks. The Enterprise Firewall Manager allows several firewalls to be administered from a central location. And with administrators authorized for only specific tasks, you can maintain control over who does what.
Great Level of Protection
The 56-bit data encryption standard (DES) is one of the strongest encryption techniques on the market. With federal government approval, the IBM Firewall is a leader in exporting this 56-bit key, enhancing the security of your networks and data.
In addition, the IBM Firewall offers a tool for scanning your networks, servers, and firewalls, looking for potential security gaps. This advanced tool, called Network Security Auditor, is a proactive means of maintaining a vigilant eye on your system.
Virtual private networks (VPNs) provide secure communication across the Internet. You can give remote users the same accessibility to internal networks while protecting their communication across the Internet. Client-to-firewall VPNs allow remote users to have private and secure communication even when the traffic travels over the Internet. These users can change ISP-assigned IP addresses without losing access.
The IBM Firewall uses state-of-the-art technology to deliver a flexible and versatile firewall solution, with application gateways, a Socks server, and advanced filtering capabilities. In one product, you have the choice of firewall technologies that best suit your needs. These technologies, combined with an innovative graphical user interface and powerful administration and management tools, make the IBM Firewall a leader in Internet security offerings.
IBM Firewall Filtering
Filters are one way the IBM Firewall controls traffic from one network to another. The filters operate on criteria such as IP source or destination address range, TCP ports, UDP responses, Internet Control Message Protocol (ICMP) responses, and TCP responses.
IBM Firewall as an Application-Level Proxy
The IBM Firewall application-level proxy is referred to as the proxy server. If a proxy server does not prompt a user for a password or other authentication, it is considered transparent. The IBM Firewall implements full proxy servers for Telnet and FTP as well as transparent proxy servers for Telnet, FTP, and HTTP.
A full proxy server is a secure server that runs on the firewall and performs a specific TCP/IP function on behalf of a network user. The user contacts the proxy server using one of the TCP/IP applications (Telnet or FTP). The proxy server makes contact with that remote host on behalf of the user, thus controlling access while hiding your network structure from external users. Figure 14.142 illustrates a proxy Telnet server intercepting a request from an external user.
The IBM Firewall FTP and Telnet proxy servers can authenticate users with a variety of authentication methods, including password verification, SecurID cards, S/Key, and SecureNet Key cards.
IBM Firewall as a Circuit-Level Proxy
The IBM Firewall implements circuit-level proxies in two ways: as a Socks server and through network address translation (NAT).
The Socks server can intercept all outbound TCP/IP requests that would cross between your network and the Internet. The Socks server provides a remote application program interface so that the functions executed by client programs in secure domains are piped through secure servers at the firewall workstations, hiding the client's IP address. Access is controlled by filters that are associated with the Socks rules.
The Socks server is similar to the proxy server. But while the proxy server actually performs the TCP/IP function at the firewall, the Socks server just identifies the user and redirects the function through the firewall. The actual TCP/IP function is performed at the client workstation, not at the firewall. (This saves processing in the firewall.) The users in the secure network can use the many TCP/IP products that support the socks standard. Figure 14.143 illustrates the Socks server intercepting an HTTP request from a client within the secure network.
The other implementation of circuit-level proxy is network address translation (NAT) which can be used for both TCP- and UDP-based applications. With the explosive growth of the Internet, IP address depletion becomes a problem. NAT provides a solution.
The IBM Firewall manages a pool of IP addresses that can be used to communicate on the Internet. NAT translates secure IP addresses to temporary, externally registered IP addresses from the address pool. This allows trusted networks with privately assigned IP addresses to have access to the Internet. This also means that you don't have to get a registered IP address for every machine in your network.
Both the Socks server and NAT effectively hide your internal IP addresses from the outside world.
Use of Encryption
The IBM Firewall provides secure communication across a public network like the Internet through virtual private networks (VPNs). A VPN is a group of one or more secure IP tunnels. When two secure networks (each protected by a firewall) establish a VPN between them, the firewalls at each end encrypt and authenticate the traffic that passes between them. Likewise, when a VPN is established between a remote client and a firewall, the traffic between them is encrypted and authenticated. The exchange of data is controlled, secure, and validated.
Managing the IBM Firewall
Implementing these firewall techniques helps you establish a perimeter defense around your network. You also need to monitor this defense and analyze events that take place at the firewall, watching for suspicious activity.
The IBM Firewall has sophisticated management capabilities that make creating and distributing your security policies through your organization secure yet simple. Key features for the administrator include a Java-based graphical user interface (GUI), the ability to manage multiple firewalls from a central location, the ability to assign different levels of authority so that administrators are authorized to do specific activities, and a tool that scans your firewall configuration looking for potential security exposures.
The IBM Firewall also provides logging, alerting, monitoring, and reporting facilities. For example, tools can monitor unauthorized attempts to access your system and perform an action you have defined when a certain threshold is reached (such as paging an administrator if more than five unauthorized attempts are recorded within a certain time limit). The reporting facilities build tables for a relational database tool, allowing you to generate reports.
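Both the Sidewinder's event thresholds (five network probe attempts in one hour) and the IBM Firewall's alerting (more than five unauthorized attempts within a time limit) are sliding-window counts; the added example below models that mechanism and is not either vendor's code. The event identifiers, log format, thresholds and sample log are constructed.

```python
"""Sliding-window event thresholds, added here as an example modelled on the
Sidewinder and IBM Firewall alerting described in the text; it is not either
vendor's code. Event types, thresholds, log format and sample log are
constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The seven Sidewinder event categories, as constructed identifiers.
EVENT_TYPES = {"service_denial", "attack_attempt", "auth_failure", "mail_rejected",
               "network_probe", "traffic_threshold", "te_violation"}


class EventMonitor:
    def __init__(self, thresholds):
        """thresholds: {event_type: (count, window)}. An alarm fires when `count`
        events of that type from one source fall within `window`; event types
        without a threshold are recorded but never alarm."""
        self.thresholds = thresholds
        self.recent = defaultdict(deque)   # (event_type, source) -> timestamps
        self.alarms = []

    def record(self, when, event_type, source):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event_type}")
        rule = self.thresholds.get(event_type)
        if rule is None:
            return None
        count, window = rule
        q = self.recent[(event_type, source)]
        q.append(when)
        while q and when - q[0] > window:   # discard events outside the window
            q.popleft()
        if len(q) >= count:
            alarm = (when, event_type, source, len(q))
            self.alarms.append(alarm)
            q.clear()                        # one burst raises one alarm
            return alarm
        return None


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <event_type> <source>'."""
    ts, event_type, source = line.split()
    return datetime.fromisoformat(ts), event_type, source


# Constructed sample log: a slow probe over 50 minutes, five quick
# authentication failures and a sixth one well outside the window.
SAMPLE_LOG = """\
1997-08-11T09:00:00 network_probe 192.0.2.7
1997-08-11T09:10:00 network_probe 192.0.2.7
1997-08-11T09:20:00 service_denial 192.0.2.7
1997-08-11T09:30:00 network_probe 192.0.2.7
1997-08-11T09:40:00 network_probe 192.0.2.7
1997-08-11T09:50:00 network_probe 192.0.2.7
1997-08-11T14:00:00 auth_failure 192.0.2.9
1997-08-11T14:01:00 auth_failure 192.0.2.9
1997-08-11T14:02:00 auth_failure 192.0.2.9
1997-08-11T14:03:00 auth_failure 192.0.2.9
1997-08-11T14:04:00 auth_failure 192.0.2.9
1997-08-11T14:30:00 auth_failure 192.0.2.9
"""


def run_monitor(log=SAMPLE_LOG):
    """Replay the sample log against thresholds mirroring the text: five probes
    in one hour, and more than five failed attempts within ten minutes.
    Returns the alarms raised."""
    monitor = EventMonitor({
        "network_probe": (5, timedelta(hours=1)),
        "auth_failure": (6, timedelta(minutes=10)),
    })
    for line in log.strip().splitlines():
        monitor.record(*parse_line(line))
    return monitor.alarms
```

Only the probe burst alarms: the five authentication failures stay below the "more than five" threshold and the sixth arrives after the window has expired.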
Main IBM Firewall Features
The IBM Firewall features can be grouped into these categories:
- Using firewall technology and security features
- Communicating through virtual private networks
- Using the Network Security Auditor
- Administering the firewall
- Logging, monitoring, alerting, and reporting
- Ensuring availability of the firewall
Network Address Translation
Network address translation (NAT) solves the problem of Internet IP address depletion by allowing addresses inside your local IP network to be shared across your network.
When a user sends information to the Internet, the request goes to the firewall first. The firewall changes the internal IP address to a registered external IP address before the information goes out. When information comes back addressed to that external IP address, the IBM Firewall translates it back to the corresponding internal address. This translation process is shown in Figure 14.144.
Hiding your internal IP addresses from the outside world helps you in a few ways. It's tougher for hackers to get to your internal network because the structure of your internal network is hidden. For example, you might set up a numbering convention for IP addresses within your company. You don't have to worry about a competitor figuring out the convention and knowing more about your company than you want to reveal. Using NAT also keeps you from having to obtain registered IP addresses for every machine in your network, which would be extremely time consuming and costly.
NAT supports both UDP- and TCP-based applications.
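The address-pool translation described above, as an added example (not IBM's implementation): addresses are constructed from the RFC 1918 and documentation ranges, and only addresses are modelled, whereas a real NAT also tracks TCP and UDP ports.

```python
"""Address-pool NAT as described in the text, added here as an example; it is
not IBM's implementation. The private, pool and Internet addresses are
constructed from the RFC 1918 and documentation ranges. Only addresses are
modelled; a real NAT also tracks TCP/UDP ports."""


class AddressPoolNAT:
    """Maps private source addresses to registered addresses drawn from a
    pool on the way out, and restores them on the way back."""

    def __init__(self, pool):
        self.free = list(pool)
        self.out_map = {}   # internal address -> external address
        self.in_map = {}    # external address -> internal address

    def outbound(self, packet):
        """packet = (src, dst) leaving the secure network. The source is
        replaced by a pool address; a host keeps its address while mapped."""
        src, dst = packet
        ext = self.out_map.get(src)
        if ext is None:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            ext = self.free.pop(0)
            self.out_map[src] = ext
            self.in_map[ext] = src
        return (ext, dst)

    def inbound(self, packet):
        """packet = (src, dst) arriving from the Internet. The pool address is
        translated back to the internal host; traffic to a pool address with
        no live mapping is dropped (None), so an idle pool address exposes
        nothing behind the firewall."""
        src, dst = packet
        internal = self.in_map.get(dst)
        if internal is None:
            return None
        return (src, internal)

    def release(self, internal):
        """Return a host's pool address for reuse when its session ends."""
        ext = self.out_map.pop(internal)
        del self.in_map[ext]
        self.free.append(ext)


def walkthrough():
    """A short exchange through a two-address pool; returns each step's result."""
    nat = AddressPoolNAT(["198.51.100.1", "198.51.100.2"])
    steps = {}
    steps["host_a_out"] = nat.outbound(("10.1.2.7", "203.0.113.5"))
    steps["host_b_out"] = nat.outbound(("10.1.2.8", "203.0.113.5"))
    steps["reply_to_a"] = nat.inbound(("203.0.113.5", "198.51.100.1"))
    steps["unmapped"] = nat.inbound(("203.0.113.5", "198.51.100.3"))
    try:
        nat.outbound(("10.1.2.9", "203.0.113.5"))   # third host, pool of two
        steps["host_c_out"] = "allowed"
    except RuntimeError:
        steps["host_c_out"] = "pool exhausted"
    nat.release("10.1.2.7")                         # host A finishes
    steps["host_c_after_release"] = nat.outbound(("10.1.2.9", "203.0.113.5"))
    return steps
```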
SafeMail is an IBM mail gateway. The SafeMail function does not store mail on the gateway or run under the root user ID. The firewall gateway name is substituted for the user's name on outgoing mail so that mail appears to be coming from the firewall's address instead of the user's address. SafeMail supports Simple Mail Transfer Protocol (SMTP) and Multipurpose Internet Mail Extensions (MIME).
The IBM Firewall lets you choose from many methods for authenticating users. You can use just a password, but in certain situations this may not be secure enough. Particularly when logging in from the non-secure network, a password could easily be intercepted by a would-be intruder. The IBM Firewall provides a strong authentication method, the Security Dynamics SecurID card, plus the opportunity to implement your own unique authentication method.
The method from Security Dynamics includes a user ID and a SecurID card. When you're logging in remotely, you get your password from the SecurID card. The password changes every 60 seconds and is good for one-time use only. So, even if someone does intercept your password over the open network, the password is not valid by the time the hacker gets it.
You can also customize a user exit to support any other authentication mechanism. The IBM Firewall includes an application programming interface (API) to help you define your own authentication technique.
When you install the IBM Firewall, there are some non-secure services and protocols embedded within UNIX and TCP/IP, along with accounts that could create a hole in your security policy. The IBM Firewall installation process disables these applications and non-secure UNIX accounts on the firewall machine. (This process is also known as hardening your operating system.)
Once you have completed the installation and configuration, a background program periodically checks for altered configuration files. A message is sent to the syslog and an alarm is generated when this program detects that the protected files were changed.
Communicating through Virtual Private Networks
Suppose you want to use the Internet instead of leased lines to communicate with your suppliers or business partners who don't have direct access into your corporate network. The IBM Firewall virtual private network offers you protection against eavesdropping.
A virtual private network (VPN) is a group of one or more secure IP tunnels. A secure IP tunnel permits a private communication channel between two private networks over a public network such as the Internet. The two private networks are each protected by a firewall. The two firewall machines establish a connection between them. They encrypt and authenticate traffic passing between the private networks. The IBM Firewall follows IPSec standards, and therefore is interoperable with other firewalls. Figure 14.145 shows a client-to-firewall tunnel as well as firewall-to-firewall tunnels.
Using the Network Security Auditor
The Network Security Auditor scans your network for security holes or configuration errors. The Network Security Auditor scans your servers and firewalls for a list of problems or vulnerabilities, such as open ports and other exposures, and compiles a list so you can make corrections. The Network Security Auditor can be used as a periodic scanner of critical hosts or as a one-time information gathering tool. Administration of the Network Security Auditor is done through an easy-to-use HTML interface. With the Network Security Auditor, you maintain vigilance over your firewall.
Features of the Network Security Auditor include:
- Scanning TCP and UDP ports
- Recognizing servers on non-standard ports
- Reporting dangerous services, known vulnerabilities, obsolete server versions, and servers or services in violation of customized site policy
- Generating reports in HTML for easy browsing
Figure 14.146 shows Network Security Auditor sample output.
Administering the Firewall
The IBM Firewall presents a Java- and HTML-based graphical user interface (GUI) to administer a firewall. You can administer the firewall from Netscape 3.0 for AIX, which is included in the IBM Firewall package.
The GUI is easy for the firewall administrator to use. A navigation tree always appears on the left side so you can move around the GUI and easily go from one task to another. Figure 14.147 shows the main panel of the GUI.
Enterprise Firewall Manager
The Enterprise Firewall Manager (EFM) allows you to administer multiple firewalls from one place. You can administer each firewall individually, or you can designate one firewall to be the central server to maintain the configuration files for all the firewalls. You can clone firewalls to create new ones, and you can replace configuration files with updated files whenever needed. In Figure 14.148, EFM is used to administer two firewalls (A and B) that are within the same secure network as the EFM and one remote firewall (C) that is in a different secure network.
The following is a list of system requirements to run the IBM Firewall:
- A RISC System/6000
- At least two communication adapters, supported by the TCP/IP protocol stack
- 64MB of memory
- 800-1000MB of disk space
- AIX, Version 4.1.5 or 4.2