In-Depth
Safe Waters
How do you dive into the sea of networks in an efficient and secure way? We look at four firewall products—both hardware and software—that will help keep the sharks at bay.
In the past, a solution that separated “secure” and “un-secure” networks was labeled with a term—firewall. It’s a concept that’s gone through quite an evolution since its introduction. In the beginning, a packet-filtering router had the intelligence to look at each TCP/IP packet header and make decisions on whether to pass or drop the packet. Such a solution was often called a plain-packet filtering router. For the most part, dedicated packet-filtering firewalls are no longer used. Instead, access control lists (ACLs) can be configured on layer 3 devices (routers), which serve as packet-filtering firewalls.
Following packet-screening routers, application-level firewalls were developed. These devices examine both headers and packet payloads to determine the packet’s fate. The policy rules in such firewalls can be applied at the application level—for example, to examine HTTP requests and block the ones looking for access to specific URLs or containing “cmd.exe” within the URL. Many proxy servers—also known as SOCKS firewalls—rely on this concept.
At about the same time, the concept of keeping “session state” was developed. Stateful firewalls allow the tracking of protocols that were traditionally considered “connectionless,” such as UDP. Stateful inspection is critical to ensure the integrity of requests for communication between network nodes. If the packet is “unsolicited” (the network host never wanted to see such packets in the first place), the firewall can make an intelligent decision to block it. UDP packets don’t carry SYN, ACK or any other flags, which is why it’s crucial for the firewall to know if the host it’s protecting ever requested the UDP packet. For example, if a host wants to resolve an IP address to a name and performs a DNS query, it sends a UDP packet addressed to port 53 of its DNS server; the DNS server then replies to the request. In the absence of stateful inspection, attackers can masquerade as DNS servers and send unsolicited UDP “replies” from source port 53 to various hosts behind firewalls. In TCP sessions, stateful inspection helps firewalls keep track of TCP flags in each session.
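The DNS case above is easy to show in code. The following is an added example written for this article, not code from any of the products reviewed: a minimal stateful UDP tracker that remembers each outbound request as a 4-tuple with an idle timer and admits an inbound datagram only if it mirrors a live request, placed beside the weak stateless rule that simply trusts anything arriving from source port 53. The LAN prefix, addresses and traffic are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Session key: (internal_ip, internal_port, remote_ip, remote_port)
Key = Tuple[str, int, str, int]


@dataclass
class UdpDatagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float  # arrival time in seconds, supplied by the caller rather than read from a clock


class StatefulUdpFilter:
    """Tracks outbound UDP requests so that only matching replies are admitted."""

    def __init__(self, internal_prefix: str, timeout: float = 30.0) -> None:
        self.internal_prefix = internal_prefix  # constructed: "10.0.0." is the protected LAN
        self.timeout = timeout                  # idle time before a UDP pseudo-session is forgotten
        self.sessions: Dict[Key, float] = {}    # key -> expiry timestamp

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def _expire(self, now: float) -> None:
        for key, expiry in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[key]

    def handle(self, pkt: UdpDatagram) -> str:
        self._expire(pkt.ts)
        outbound = self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip)
        inbound = self._is_internal(pkt.dst_ip) and not self._is_internal(pkt.src_ip)
        if outbound:
            # The host asked for this exchange: remember the 4-tuple and let it out.
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.sessions[key] = pkt.ts + self.timeout
            return "PASS"
        if inbound:
            # A reply is admitted only if it is the exact mirror of a live request.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.sessions:
                self.sessions[key] = pkt.ts + self.timeout  # refresh the idle timer
                return "PASS"
            return "DROP"  # unsolicited, whatever its source port claims
        return "DROP"  # LAN-to-LAN or Internet-to-Internet traffic is not this filter's job


def stateless_port53_rule(pkt: UdpDatagram, internal_prefix: str = "10.0.0.") -> str:
    """The weak alternative: trust anything whose source port is 53."""
    if pkt.src_ip.startswith(internal_prefix):
        return "PASS"
    return "PASS" if pkt.src_port == 53 else "DROP"


# Constructed traffic: one real DNS exchange, then forged and stale "replies".
SAMPLE_TRAFFIC: List[UdpDatagram] = [
    UdpDatagram("10.0.0.5", 40123, "192.0.2.53", 53, 0.0),    # query to the configured resolver
    UdpDatagram("192.0.2.53", 53, "10.0.0.5", 40123, 0.1),    # genuine answer
    UdpDatagram("198.51.100.9", 53, "10.0.0.5", 40123, 0.2),  # "answer" from a server never asked
    UdpDatagram("192.0.2.53", 53, "10.0.0.7", 40123, 0.3),    # answer to a host that never asked
    UdpDatagram("192.0.2.53", 53, "10.0.0.5", 40123, 45.0),   # answer long after the query expired
]


def stateful_verdicts() -> List[str]:
    fw = StatefulUdpFilter("10.0.0.")
    return [fw.handle(p) for p in SAMPLE_TRAFFIC]


def stateless_verdicts() -> List[str]:
    return [stateless_port53_rule(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, s, n in zip(SAMPLE_TRAFFIC, stateful_verdicts(), stateless_verdicts()):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateful={s}  stateless={n}")
```

The stateless rule passes all five datagrams; the stateful filter passes only the query and its genuine answer.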
As network applications grew in complexity, firewalls had to become more intelligent and begin making decisions related to specific traffic patterns. For example, remote procedure call (RPC) technology or applications such as Network File System (NFS) would be difficult (or impossible) to securely configure via a firewall, as the traffic rules are too complex for a basic, stateful-inspection firewall to examine. Thus, a new generation of firewalls was created to provide support for widely utilized standards such as RPC and H.323 or included interfaces, allowing users to program dynamic packet-filtering rules. The firewalls can examine control and handshake sessions of some applications, understand which virtual circuits applications require and dynamically configure necessary rules.
Many vendors started combining firewall features with other network applications or services. Indeed, security threats grew in number and complexity, and each security problem seemed to require a separate security solution. For example, controlling users’ Web browsing behavior needed software such as that offered by companies like Websense. The desire to speed up the loading of Web pages required a dedicated server for proxy and caching. The addition of new network security devices made network architectures more complex, creating single points of failure—that is, until designers of security products created feature-packed appliances.
An example of this “all-in-one” type of appliance is the firewall/virtual private network (VPN) appliance combination, which has grown in popularity. Now, secure connections can be established with either remote clients or other networks (perpetual connectivity with a parent corporate network or business partners). One thing to note: By introducing the VPN component to a firewall solution, many administrators find that their software solutions slow down, although appliances relying on hardware acceleration (hardware chips performing the encryption function) are less affected.
The performance degradation occurs in software solutions because the more work the product performs, the slower the platform becomes. For example, if you’re simply running a firewall, the product will only be concerned with the TCP header. If you add to this a VPN, proxy server and layer 7 (application) packet inspection, the product will need to perform encryption, decryption, HTTP filtering/blocking and caching as well as deeper packet inspection.
The tradeoff for having many features in one solution is that complexity eventually reduces security. If a vulnerability is discovered in any one of the components supporting your security solution, the strength of the entire solution may be diminished and you may lose all layers of protection simultaneously.
On the other hand, if the firewall, proxy server and VPN solution are kept separate, a failure in one allows the others to continue functioning, thus maintaining some of the layers in your security architecture.
Security decisions should be made with consideration to both performance and risk of failure. This approach can also help you assess the importance of every component in your network’s firewall solution.
Implementing a Firewall/VPN Solution
The days of dial-up are dwindling. Today’s dynamic, “always-on-the-road” user requires access to the LAN from anywhere in the world. With broadband and LAN access widely available in homes, hotels and even airplanes, the ability to reach a remote network via IP becomes a must. While performance may be an issue, a good candidate to fulfill this need is a firewall/VPN appliance, which relies on IPSec standards.
Several IPSec standards allow different ways of implementing a VPN solution. For example, the security associations within VPNs can be set up either manually or using IKE with either certificates or preshared secrets (such as passwords). These standards are described in RFCs 2401 through 2409. IPSec inside of Layer Two Tunneling Protocol (L2TP) is popular for client-server remote-access solutions (RFC 3193), and many vendors have successfully integrated these standards into their products for easy interoperability.
VPNs have also been effectively implemented with wireless networks. Due to the security weaknesses of the WEP algorithm in the 802.11b Wi-Fi standard, many organizations use VPNs with their wireless networks to ensure the confidentiality of transmitted information. The products reviewed in this article can be used to secure the networks with 802.11b wireless access points by forcing all wireless traffic to use IPSec.
Other features that administrators of small networks (as well as large enterprises, but in combination with other units) may be looking for in firewall/VPN appliances are secure Web browsing, the ability to set up an internal and/or external Web server, virus scanning and URL blocking.
Keeping up Your Defenses
It’s important to keep track of vulnerabilities that may be discovered in your security mechanisms. Some hardware solutions use Intel architecture, closely resembling a PC sealed in a box. Sometimes, the software these firewalls rely upon (such as Windows servers or Linux) becomes vulnerable—thus jeopardizing the security of the whole network. Network administrators who work with firewalls should keep up on the latest news to respond to any vulnerabilities discovered in the software packages powering their security gateways. Also, hard drives or other system components may fail with these types of firewalls, as sometimes happens in simple PC architectures. Features such as Web proxy and caching rely upon system resources, such as hard drives, to accomplish these tasks.
Another important note relates to firewall access, password configuration and administration features. Detailed firewall manuals and guides are available online, offering fairly easy access to default firewall passwords and features. This highlights the importance of always changing default passwords and configuring your units for secure administration, for example, limiting which IP addresses can manage the firewall.
As the demand for external access from internal networks increases and plain-old DMZs become too cumbersome or overloaded, organizations are forced to look for more granular, flexible security solutions and create layers of security with special-purpose devices. A plain-packet filtering firewall is still an effective protection from general network attacks, but each network node becomes subject to its own security requirements. You can meet the special security needs of individual workstations and servers by using a special-purpose device (a dedicated proxy) or by extending protection from the network perimeter to the host itself, via a personal firewall.
Personal Firewalls
Personal firewalls are another crucial component of end-to-end defense (see “Protecting the Desktop”). Regardless of how many protection layers exist around the perimeter of your network, there’s still the chance of an internal security problem. Therefore, as networks grow in size, all network nodes may need a basic level of protection.
Consider the outbreak of the “SQL Slammer” (Sapphire) virus this year. One of the most challenging obstacles administrators faced was the fact that more than 20 widely deployed desktop applications use Microsoft SQL Server Desktop Engine (MSDE) 2000. Therefore, packets addressed to UDP port 1434 propagated the worm faster than anyone could count the applications that ended up vulnerable to that virus. With a personal desktop firewall, such ODBC features of applications could have been blocked (for the most part), as these features aren’t widely used by the applications themselves (and give users the ability to decide on their own if such traffic should be allowed).
Many other products protect specialized network servers. For example, Microsoft’s URLscan tool for IIS 4.0-5.0 examines and blocks unwanted HTTP requests directly on the IIS server.
In general, each layer of security on the network should be designed to accommodate a separate class of hosts protected by that layer, but shouldn’t disrupt the whole network.
Protecting the Desktop
Although ZoneAlarm isn't a network tool, it still warrants consideration as additional defense for your enterprise. Unlike network security appliances, ZoneAlarm is designed to protect individual PCs—not entire network segments. ZoneAlarm's basic version is free, but for $40 to $50, ZoneAlarm offers Plus and Professional versions. ZoneLab's enterprise solution allows for the implementation of personal firewalls across all user workstations to manage them centrally. ZoneAlarm supports Windows 98/Me/NT/2000/XP and is able to:
- Inspect all incoming and outgoing network traffic (stateful inspection).
- Monitor all outbound traffic with a "program control" feature to prevent rogue applications from establishing network sessions. This feature allows users to examine system components attempting to communicate on the network (see the figure).
- Operate in stealth mode, suppressing automatic RST and ICMP responses, thus making the workstation invisible to scans.
- Integrate with Microsoft services (such as NetBIOS).
- Support zones to allow the firewall to differentiate between the Internet (untrusted) and local (or VPN) traffic.
- Time-out all sessions with untrusted networks after a period of inactivity.
- Support wireless interfaces.
- Block ads, cookies and mobile code.
Figure: ZoneAlarm keeps a record of every system component that tries to communicate on the network.
ZoneAlarm installs with preconfigured security settings, giving less skilled users immediate protection from Internet threats. These default settings can be changed if greater security is required. The basic default settings are:
- Firewall-Internet Zone—(High) Traffic to and from the Internet zone is blocked unless initiated by a program residing on your computer that's been granted permission to communicate with the Internet zone.
- Firewall-Trusted Zone—(Medium) This setting enables file and print sharing on your home or local network.
- Program Control Authentication—(Medium) Programs must ask for permission and be authenticated before initiating communication with the Internet.
- Alerts and Logs—(On) All alerts are shown and logged.
- E-mail Protection—(On) Quarantines e-mail attachments bearing .vbs extension.
ZoneAlarm Plus, $39.95; Pro, $49.95; ZoneLabs, 415-341-8200; www.zonelabs.com
—Matthew Knehans and Greg Saoutine
Building a Wall
When it comes to protecting your network from the dangers of the “network ocean,” the choices abound. The advantages of a hardware solution include the ease of installation and configuration. Typically, the units are shipped pre-configured, which allows network administrators to get them up and running within minutes. However, if the requirements change (for example, a DMZ is desired), you’re stuck with the same hardware. There’s only so much reconfiguration you can do.
Software solutions tend to be more tedious and time-consuming to implement, as they require the installation of an operating system, various firewalls and other applications, as well as general tuning and configuration. It’s critical for the firewall designer to harden the operating system, leaving only those services and components necessary to support the firewall software (such as ISA Server). On the positive side, you can substitute hardware used in a standard server platform when you use a software-based firewall.
We tested the effectiveness of four firewalls, three hardware and one software, each with unique capabilities.
Figure 1. EdgeForce's cache can store up to 4GB of Web content locally and deliver it to users at LAN speeds.
ServGate EdgeForce
ServGate’s EdgeForce is based upon a combination of open-source technologies (including Linux and Apache) and the integration of several vendor solutions, such as NetIQ’s WebTrends for URL filtering and Network Associates’ McAfee for virus scanning.
One of EdgeForce’s attractive features is Web caching, which allows users to increase network performance and contributes to an organization’s security. With limited bandwidth, EdgeForce’s cache can store up to 4GB of Web content locally and deliver it to users at LAN speeds. EdgeForce also can check the URL in each user’s request. Local storage components (hard drives) allow the appliance to store the Web content. The only other product with Web-caching functionality is Microsoft’s ISA Server.
In addition, outbound user requests for most applications—such as WWW, FTP and telnet—can be authenticated. Users are presented with a pop-up box requesting a user ID and password. EdgeForce can integrate with RADIUS and LDAP technologies to support the user-management process.
EdgeForce has three network interfaces, which allow the creation of a DMZ to secure access to the shared resources available to external (public) and internal networks. Another important feature is the ability to work in transparent mode. In this mode, the firewall acts as a bridge, works on the TCP/IP layer 2 and is virtually invisible to everyone on the network. The decision on whether or not to build your security solution in an invisible or stealth mode depends on which functions you want your security solution to perform. In bridge mode, the unit can’t do much more than filter traffic. In transparent mode, you can introduce a firewall to your network without changing any of the host or network IP addresses, which is useful for filtering traffic on internal network segments. It’s important to note that DMZ and QoS features aren’t available in transparent mode.
For additional flexibility, EdgeForce allows scheduling for specific firewall policy rules. This allows administrators to enable or disable individual rules dynamically, based upon the time of the day or day of the week. However, it’s critical to ensure that the firewall’s clock is accurate. You may have to use Network Time Protocol (NTP), supported by EdgeForce, to ensure accuracy.
SonicWALL SOHO3
SonicWALL’s line of products has been reviewed in print many times and won several awards. SOHO3 is one of the more basic, inexpensive SonicWALL solutions, but still boasts a number of unique features. The design is based upon proprietary hardware and software architectures and includes a VPN-accelerator chip.
SOHO3 has two network interfaces and is a great solution for protecting small networks’ outbound user traffic, while providing a number of valuable security services to the internal network. Even though both SOHO3 and Symantec’s 200R allow administrators to configure restricted inbound access from the Internet directly into the internal network, remember that publicly accessible resources should reside in a DMZ. SonicWALL’s PRO 100 unit provides capabilities for a secure DMZ configuration.
Inspecting URLs in users’ Web browsing requests is a powerful feature to control browsing behavior. The URL-filtering feature relies on the built-in Websense software, which automatically classifies each Web site and updates its URL databases daily.
Administrators of small networks will find SOHO3 to be a great, low-cost solution. The unit is capable of enforcing many network security policies while providing client-to-server and LAN-to-LAN VPN connectivity for remote users and partner networks. Similar to EdgeForce, SOHO3 can scan network traffic for known viruses using Network Associate’s McAfee software. Taking virus control a step further, the SOHO3 can serve as a distribution point for virus signature files and can be configured to refuse an Internet connection to clients unless their antivirus software is updated.
SonicWALL’s unit (similar to EdgeForce) uses licensing for several of the enhanced features. To enable these features (URL-blocking, antivirus-scanning or other licensed software), users must contact SonicWALL to purchase the license and upload the corresponding license keys.
Other features of SOHO3 are similar to other products. The unit supports transparent bridge configuration, managed bandwidth and DHCP server functions. SOHO3 can be managed via a Web interface with SSL, a serial console or a dial-up modem attached to a serial port. SonicWALL provides ViewPoint Reporting Software for the centralized monitoring and reporting of a large number of firewalls.
Symantec Firewall/VPN Appliance (Model 200R)
Symantec Firewall/VPN (Model 200R) includes a number of unique features, along with a powerful VPN solution and other conventional filtering capabilities. It’s based upon proprietary hardware and software architectures with a hardware VPN accelerator chip; attractive features include bandwidth aggregation and load-balancing of network traffic between two broadband connections.
Figure 3. Symantec's 200R provides the ability to apply rules dynamically, allowing administrators to define custom policies.
The device contains two WAN ports for independent connections. When both lines are up, the firewall aggregates network traffic, providing nearly double the bandwidth for internal users. However, should one of the lines fail, the 200R will gracefully redirect all traffic to the working line. The firewall can even re-register its domain name for a new IP address for the remaining line in environments where dynamic DNS registration is supported. This feature is ideal for ensuring that remote VPN clients can always access the home network (if their VPN software is set up to search for the VPN gateway by its DNS name). The 200R comes with unlimited VPN client licenses.
If the device detects a connectivity failure on its single WAN port, it can automatically dial out to the ISP via a modem. This offers additional protection against short-term problems with broadband providers.
The firewall also provides support for nonfirewall-friendly protocols, allowing it to program dynamic applications of rules. Some multimedia and collaboration applications aren’t friendly to most firewalls. The 200R’s capability to apply rules dynamically allows administrators to define custom policies that can handle replies on a port other than the original request.
Similar to EdgeForce and SOHO3, Symantec’s 200R is capable of generating its own certificates for VPN configuration.
The unit supports the ability to pass multiple VPN sessions through the firewall while in NAT mode. Because the IP layer doesn’t have port numbers associated with it, it’s quite difficult to negotiate multiplexing of these connections. With the 200R, multiple users on the internal network can establish VPN sessions with hosts on remote networks using one broadband connection and one IP address. Not all firewalls support this functionality.
Microsoft ISA Server 2000, Standard Edition
Microsoft Internet Security and Acceleration Server 2000 is built on the Windows 2000 Server platform and incorporates several other Microsoft technologies, such as Routing and Remote Access and Proxy Server (similar to Microsoft Proxy 2.0, but with enhanced features and performance). ISA Server comes in two main editions: Standard and Enterprise. The Standard Edition is the only enterprise-level software solution reviewed in this article and requires a standalone Windows 2000 Server. The advantage of a software solution is the freedom to control the number of network cards, hard disk space and other system components.
Figure 4. The ISA Server console allows users to define protocols to configure complex packet-filtering rules.
ISA Server provides stateful, multilayer traffic filtering at the circuit, packet and application levels. Circuit-layer filtering inspects the entire session—not just the connections and packets. Microsoft supplies several smart application filters to analyze and control application-specific traffic. (An application filter ensures analysis, blocking, modification and redirection of application-specific data passing through the firewall.) The ISA Server firewall includes filters for HTTP, FTP, SMTP e-mail, DNS, H.323 conferencing, streaming media and RPC. The streaming media filter supports industry-standard media protocols, including Windows Media Technologies, RealAudio/RealVideo (PNM) and RTSP (used by RealNetworks and Apple QuickTime). This solution also offers the ability to split live Windows Media streams for sharing between internal clients requesting the same stream, thus saving bandwidth.
Similar to other products, ISA Server provides limited intrusion detection based upon technology licensed from Internet Security Systems. The primary types of intrusions it can detect include WinNuke, land attack, UDP bomb, IP half scan, port scan and ping of death. Unlike other solutions, however, triggers can be set up within ISA Server to perform certain tasks like running scripts and programs, stopping the firewall service, sending e-mail alerts, and writing to the system log when intrusions are detected.
Interestingly, ISA Server still supports SOCKS filtering (the SOCKS 4.3a standard), transparently routing client traffic from SOCKS-compatible applications through the firewall SOCKS proxy service. This is a unique feature compared to other products.
The solution supports caching and acceleration of proxy-enabled traffic. ISA Server also allows organizations to build client-to-server and LAN-to-LAN VPNs using L2TP protocol. However, the server is known to not interoperate with other VPN gateways (in other words, those powered by hardware solutions such as the ones described in this article). Also, the product can be implemented in firewall, caching or integrated mode; both VPN and caching features are available in integrated mode only. ISA Server is a great solution for predominantly Windows-based LANs and WANs.
Table 1. Comparison of firewall products.

| Feature | ServGate EdgeForce | SonicWall SOHO 3 | Symantec Firewall/VPN Model 200R | Microsoft ISA Server Standard Edition |
|---|---|---|---|---|
| Stateful inspection | Yes | Yes | Yes | Yes |
| DMZ interface | Yes | No | No | Yes |
| No. of interfaces | 3 | 2 | 2 WAN, 8 LAN | Installed by user |
| Bridging mode ("transparent mode") | Yes | Yes | No | No |
| Web proxy and caching | Yes, up to 4 GB of caching space | No | No | Yes |
| URL filtering | Yes | Yes | No | Yes (supports third-party tools via ASAPI) |
| Virus scanning | Yes (Network Associates) | Yes (Network Associates) | No | No |
| User authentication (RADIUS/LDAP) | Yes (for VPN, unit administration and access to external network) | Yes (for VPN and unit administration) | No | Yes (for VPN, unit administration and access to external network) |
| Bandwidth management | Yes | Yes | No | Yes |
| Management | Web (SSL), SSH, serial console | Web (SSL), serial console, dial-up modem | Web, serial console | Locally or remotely via MMC |
| VPN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN |
| Basic IDS | Yes | Yes | Yes | Yes |
| Scheduling of rules | Yes | No | No | Yes |
| Built-in DHCP server | Yes | Yes | Yes | Yes (Windows 2000 Server) |
| Load balancing | No | No | Yes | No |
| Redundancy (high availability) | Yes (with another unit) | Yes (with another unit) | Yes (multiple lines within the same unit) | No (requires Enterprise Edition) |
| Real-time alarms | Yes (SNMP v3, syslog, e-mail) | Yes (SNMP v1, v2, syslog, e-mail) | Yes (SNMP v1, syslog, e-mail) | Yes (console, Win2K event log, e-mail) |
| Software upgrades | Yes (from Web interface) | Yes (from Web interface or directly from vendor) | Yes (via TFTP) | Yes (vendor patches) |
Safe Swimming
Clearly, all modern firewall appliances are feature-packed. Most capabilities are similar, yet the units aren’t quite the same. The choice of a product should always depend on clearly defined network requirements, as well as a feasibility study to evaluate all needs and limitations. Each product reviewed has different features and is therefore better suited for a certain type of environment, implementation and architecture. In general, products that support layer 2 bridging protocols and layer 7 packet inspection are well-suited for DMZ-based architectures requiring inbound access from the Internet. Products supporting VPN, proxy services and intrusion detection can provide greater perimeter security. Ideally, the product chosen will represent the primary needs required by the security architecture, networking environment and operational needs of the business while remaining within budget.
Note that some products (such as the one from Symantec) are specifically designed to protect the network perimeter and act as a gateway between an ISP and the network. To add to the challenge of making a decision, vendors typically have a line of firewall solutions widely ranging in features, performance, reliability and cost. All vendors (except Microsoft) offer a wide range of security appliances.
So gear up with your best defenses and dive into the network ocean. The waters can be safer than you think. But bear in mind that even a shark cage won’t provide complete safety.