Gate your network with a firewall to keep out Net threats
Today's buzzword among security-conscious government computer professionals is
""firewall.'' If your agency has an Internet connection, I hope there's a
firewall between your desktop computer and the outside world. If not, some hacker probably
acts as your pseudo-network administrator.
A firewall really is nothing more than software or hardware to define and control
network access to inside computers from outside computers. It's a one-way gateway (or
router) that watches everything going in or out.
We're seeing some world-class firewall products emerge for Microsoft Windows NT from
companies such as Raptor Systems Inc. (http://www.raptor.com) and CheckPoint Software
Technologies Ltd. (http://www.checkpoint.com).
Raptor was first with an NT-based firewall and network security management, including
real-time monitoring of suspicious activity and security management of remote sites from a
Raptor's Eagle NT 3.05, due in September, integrates better with the NT operating
system, directly querying the NT domain controller for user names and attributes. That
will make the firewall more efficient and easier to administer--security managers no
longer will have to re-enter names and attributes.
Eagle NT 3.05 boasts standards-based, interoperable virtual private networking (VPN)
support and very high firewall performance on Digital Equipment Corp.'s 64-bit Alpha
processors. The VPN packet filtering gives extra security across the public network.
In the past, all protocols could pass through the VPN tunnel, though packets were
encrypted. New packet filtering restricts specific applications from passing through the
VPN, which means Telnet sessions could be denied and network management information could
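The distinction the column draws, a tunnel that passes every protocol once decrypted versus a tunnel whose traffic is still run through a packet filter, can be shown with a small rule evaluator. This is an added example, not Raptor's or CheckPoint's code; the packet fields, rule format and the SNMP/HTTP "allow" entries are assumptions chosen to illustrate first-match, default-deny filtering of tunnel traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

TELNET, HTTP, SNMP = 23, 80, 161  # well-known destination ports


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (assumed): only the fields the filter inspects."""
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    via_vpn: bool   # True if it arrived through the encrypted tunnel


@dataclass(frozen=True)
class Rule:
    """A field set to None is a wildcard; all non-None fields must match."""
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    via_vpn: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == getattr(p, field)
            for field, want in (("proto", self.proto),
                                ("dport", self.dport),
                                ("via_vpn", self.via_vpn))
        )


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Old behaviour described in the text: encrypted == trusted, every protocol passes.
TUNNEL_ONLY = [Rule("allow", via_vpn=True)]

# New behaviour: the tunnel is still filtered. Order matters: the Telnet deny
# sits first so a later, broader allow cannot shadow it.
FILTERED_TUNNEL = [
    Rule("deny", proto="tcp", dport=TELNET, via_vpn=True),
    Rule("allow", proto="udp", dport=SNMP, via_vpn=True),   # assumed: mgmt traffic
    Rule("allow", proto="tcp", dport=HTTP, via_vpn=True),   # assumed: web traffic
]
```

Encryption only hides the payload from the public network; whether a Telnet session should be allowed to reach inside hosts at all is a separate policy decision, which is what the filter enforces.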
EagleRemote NT extends network security to remote sites, with the same security
requirements as at headquarters. EagleRemote NT and EagleLAN NT will make it possible to
manage even global networks from one central location, dramatically reducing
administrative costs. And token-ring and 100-megabit/sec Fast Ethernets are supported,
The firewall's Domain Name Service (DNS) proxy protects internal names from the public.
For internal requests, DNS resolves internal and external names into their IP addresses.
It automatically determines a server's internal names, freeing the user from re-entering
the names in Eagle NT.
Eagle supports the Data Encryption Standard and RC2, an RSA Data Security Inc.
algorithm licensed for export and for LAN-to-LAN and client-to-LAN connections.
Encrypted clients run Eagle Mobile software for Windows for Workgroups, NT and Windows
95. For authentication, Eagle supports passwords and S/Key, SecurID and CryptoCard Inc.'s
CryptoCard tokens. However, authentication is available only for preconfigured protocols.
Eagle NT 3.05 seals off the network by shutting down after sending an alert. There's a
Suspicious Activity Monitor and a tool called Vulture to kill intruding processes on the
CheckPoint Software's FireWall-1 for NT extends a proven package available until now
only for Unix platforms. It also has VPN support, user authentication and client
authentication. Users have consistently recognized FireWall-1's flexibility,
extensibility, high security and performance.
This package has both NT and Windows 95 management interfaces--the administrator can
install, configure and manage the firewall either locally via an NT interface or remotely
via a Win95 GUI. FireWall-1 for NT is interoperable with FireWall-1 installations on
SunSoft Solaris and Hewlett-Packard HP-UX platforms, so the administrator could manage all
FireWall-1 installations networkwide from any Win95 or NT desktop.
That eliminates the need for Unix expertise to manage security policy.
If you're serious about increasing your firewall knowledge, the National Computer
Security Association is the premier provider of security, reliability and ethics
information and services, as well as independent certification for firewalls.
Study NCSA's Web site at http://www.ncsa.com.
It's time to get up to speed on firewalls. Don't wait until your agency network has
been attacked. Arm yourself now with as much knowledge as possible, and then keep your
fingers tightly crossed.
Charles S. Kelly is a computer systems analyst at the National Science Foundation.
You can e-mail him on the Internet at firstname.lastname@example.org.
This column expresses his personal views, not the official views of NSF.