Firewalls

Firewalls include filters, scanners, VPN features

Hardware and software tools combine to help you build a line of defense

By Pete Loshin

Special to GCN

If your organization connects to the Internet, you should pay attention to your firewalls. You wouldn't leave your office door unlocked at night; neither should you leave your office's systems open to attack via the Internet.

Securing an intranet is no simple task; just installing a piece of software won't cut it. A firewall, by itself, is not enough to protect a network, any more than even the strongest dead bolt is all that's needed to protect a building from intruders. But a firewall is an essential component of a successful security strategy.

Firewalls come in both hardware and software forms. Although all firewalls are programmed, some are marketed as software products that can be installed on the hardware platform of your choice. Others are sold as standalone hardware units or as features of hardware routers. This guide includes firewalls of both types.

Organizations started developing firewall devices in the early days of the Internet, when routers were set up to filter packets based on source and destination.

A firewall box compares the addresses of all inbound and outbound IP packets with lists of addresses. If the addresses are OK, the packet goes through; if either of the addresses is restricted, the packet is dropped.

Inbound packets must be scrutinized to make sure they are not coming from the wrong networks, while outbound packets are checked to make sure no one inside is trying to access an 'enemy' system. What might look like a user establishing a Telnet session could be a Trojan horse program readying an unauthorized link.

Packet filtering firewalls also look at the packet's TCP or User Datagram Protocol ports. The ports numbered from 0 through 1,023, commonly referred to as well-known ports, are associated with specific actions: port 80 for Hypertext Transfer Protocol packets, port 20 for File Transfer Protocol, and so on. Transient ports, numbered higher than 5,000, are assigned by applications for ad hoc use.

Interceptor, a firewall appliance from eSoft, uses application proxies to check every connection crossing a firewall. It's priced at $3,745 for unlimited users.

Combined with IP addresses, ports give firewall implementers an excellent tool for filtering out unauthorized access. For example, you can set up a firewall rule that excludes all packets sent to port 80 except those sent to the public Web server. Or you could exclude all packets sent to port 80 from a network address known to be used by hackers.

Packet filtering is a good first pass for security, but it's not enough. If it's the only firewall security you have, you leave plenty of opportunity for attackers who can forge packet headers to look as if they are authorized.
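As an added illustration (not code from the article or from any of the products it lists), the following Python sketch of a packet filter evaluates the two rules the text describes: port 80 traffic is allowed only to the public Web server, and port 80 traffic from a known-hostile network is dropped regardless. All addresses are constructed from the RFC 5737 documentation ranges; the rule order, the first-match semantics and the default-deny verdict are the example's own choices.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addresses, all from the RFC 5737 documentation ranges rather
# than real hosts: the intranet, its public Web server, and a network that stands
# in for "a network address known to be used by hackers".
INTERNAL_NET = "192.0.2.0/24"
PUBLIC_WEB_SERVER = "192.0.2.10"
HOSTILE_NET = "203.0.113.0/24"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at: addresses, protocol and port."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # CIDR network the source must belong to
    dst: Optional[str] = None    # CIDR network (a bare address means /32) for the destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def port_class(port: int) -> str:
    """Classify a port the way the text does: well-known (0-1,023) or transient (above 5,000)."""
    if 0 <= port <= 1023:
        return "well-known"
    if port > 5000:
        return "transient"
    return "other"


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet no rule matches gets the default verdict."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# The two rules from the text, in the order they must be evaluated: the
# hostile-network deny has to precede the Web-server allow, or the allow
# would match first and let the hostile traffic through.
RULES = [
    Rule("deny", src=HOSTILE_NET, proto="tcp", dport=80),
    Rule("allow", dst=PUBLIC_WEB_SERVER, proto="tcp", dport=80),
    Rule("deny", dst=INTERNAL_NET, proto="tcp", dport=80),   # port 80 to any other internal host
]


if __name__ == "__main__":
    legit = Packet("198.51.100.7", PUBLIC_WEB_SERVER, "tcp", 80)
    wrong_host = Packet("198.51.100.7", "192.0.2.20", "tcp", 80)
    hostile = Packet("203.0.113.5", PUBLIC_WEB_SERVER, "tcp", 80)
    for p in (legit, wrong_host, hostile):
        print(p.src, "->", p.dst, port_class(p.dport), filter_packet(RULES, p))
    # The filter sees header fields only: a packet from the hostile network whose
    # source address has been forged to 198.51.100.7 is indistinguishable from
    # 'legit' and gets the same allow verdict. That is the weakness the text
    # describes, and the reason packet filtering is only a first pass.
```

The ordering comment is the practical lesson: with first-match evaluation, a broad allow placed above a narrow deny silently disables the deny, so rule sets should be reviewed top to bottom with the most specific denies first.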

More troubling is that a packet filtering firewall could still leave your network assets uncovered by letting attackers gather information about specific hosts and subnets within your intranet, the first step in any attack.

One way to shield your internal systems is to use application gateways, also known as proxies. Instead of looking at the lower-layer packet headers, application gateways act as intermediaries between users' systems and external systems.

When someone attempts to download a Web page, for example, that user's system makes the request of the application gateway. The gateway scrutinizes the request to make sure it is not for a forbidden destination, type of data or transaction. Then, if the requesting system passes muster, the gateway submits that request to the destination Web site.

The destination Web site interacts with the application gateway, treating the gateway as the source of the request; the gateway then passes along any requested material to the original requesting user. In this way, it acts on behalf of the user, so it is often called a proxy.

If you use this approach, you need a different proxy for every application that is permitted across the firewall. Usually, this means a proxy for HTTP for Web interaction, FTP for file transfers and Telnet for terminal emulation, as well as for e-mail protocols and several other applications.

Proxies are useful because a security manager can control precisely what type of applications can be used across the firewall; if there is no proxy for a specific application, that application can't be used.

So packet filtering keeps tabs on what happens at the lower protocol layers, and application gateways control what happens at the application layer. But something fishy still could get past both functions.

For example, a packet might seem harmless in its source and destination IP addresses and ports, but it could contain an attack inside the packet's application data. By the same token, a packet might be coming from an unauthorized host but have perfectly acceptable application data.

SonicWall's SonicWall Pro, priced at $2,995 for unlimited users, is configured to detect and thwart denial-of-service attacks and can be updated through the company's software.

Inspection stickers

This problem prompted development of another approach to firewall security: stateful packet inspection.

Some firewalls include a packet inspection module that is applied to all packets and can analyze the entire packet in the context of all applicable protocols. An extension of this approach is to add 'statefulness' to the module, in which the state of the connections is taken into consideration when analyzing packets.

For example, such a module can detect an attempt to send a packet representing itself as a protocol response when in fact no connection had been set up in the first place.

NetScreen Technologies' NetScreen 10 firewall provides network address translation, user authentication and dynamic filtering. It's priced at $995 for 10 users and $1,795 for 25 users.

Packet inspection is more efficient than running application gateway proxies. Inspecting packets is simpler than having to run two separate processes for each packet: one acting as a server to the internal user and one as a proxy client connecting to the external server. As a result, stateful packet inspection can provide security to more users.
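The following Python example, added here and not drawn from the article or any vendor's product, shows the 'statefulness' the text describes: a small connection table keyed on the TCP 4-tuple, with a policy of outbound-initiated connections only. A SYN-ACK that claims to be a server's response is accepted only while the table shows a matching SYN was sent from inside; the same segment with no entry is the forged response the text warns about and is dropped. The private range, addresses and the four-state model (none, SYN_SENT, ESTABLISHED, removed on FIN/RST) are the example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

# Constructed layout: the intranet uses one private range; everything else is "outside".
INSIDE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(src: str, sport: int, dst: str, dport: int, *flags: str) -> TcpSegment:
    """Convenience constructor: seg("10.1.2.3", 51000, "198.51.100.80", 80, "SYN")."""
    return TcpSegment(src, sport, dst, dport, frozenset(flags))


class StatefulInspector:
    """Tracks TCP connections opened from inside; policy is 'outbound connections only'."""

    def __init__(self) -> None:
        # key: (inside ip, inside port, outside ip, outside port) -> "SYN_SENT" | "ESTABLISHED"
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def inspect(self, s: TcpSegment) -> str:
        # Normalise the key so both directions of one connection share an entry.
        if ip_address(s.src) in INSIDE_NET:
            key, direction = (s.src, s.sport, s.dst, s.dport), "out"
        elif ip_address(s.dst) in INSIDE_NET:
            key, direction = (s.dst, s.dport, s.src, s.sport), "in"
        else:
            return "deny"   # touches neither side of the intranet
        state = self.table.get(key)
        f = s.flags

        if f == {"SYN"}:
            # Only an inside host may open a connection, and only once per 4-tuple;
            # an unsolicited inbound SYN is refused outright.
            if direction == "out" and state is None:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"

        if state is None:
            # Presents itself as a response, data or a close for a connection
            # that was never set up: the case the text describes.
            return "deny"

        if "RST" in f or "FIN" in f:
            # A teardown is accepted from inside at any stage, from outside only
            # once the handshake completed; either way, stop tracking the flow.
            if direction == "out" or state == "ESTABLISHED":
                del self.table[key]
                return "allow"
            return "deny"

        if f == {"SYN", "ACK"}:
            # The server's reply is legitimate only while we are waiting for it.
            if direction == "in" and state == "SYN_SENT":
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"

        if "ACK" in f:
            # Inside may send (handshake ACK or data) at any stage; outside only
            # after the handshake has completed.
            if direction == "out" or state == "ESTABLISHED":
                return "allow"
            return "deny"

        return "deny"   # any other flag combination is not part of a tracked connection


if __name__ == "__main__":
    fw = StatefulInspector()
    for s in (seg("10.1.2.3", 51000, "198.51.100.80", 80, "SYN"),
              seg("198.51.100.80", 80, "10.1.2.3", 51000, "SYN", "ACK"),
              seg("198.51.100.99", 80, "10.1.2.3", 51001, "SYN", "ACK")):   # forged "response"
        print(sorted(s.flags), s.src, "->", s.dst, fw.inspect(s))
```

Note how little the inspector looks at: no payload, no application semantics, just flags and a table, which is why the text can say it is cheaper per packet than a pair of proxy processes. A real implementation would also expire idle entries, or the table grows without bound under a flood of half-open connections.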

The more an attacker knows about your network, the easier it is to mount an attack. Just knowing the IP addresses of a host or a server can open that system, and others, to denial-of-service attacks as well as unauthorized-user hacks. One mechanism often used to keep private networks private is the network address translator, or NAT.

The Internet Protocol sets aside a set of private network addresses that are not intended to be forwarded to the global Internet. Anyone can use these addresses internally. A NAT serves as a sort of routing proxy for these private addresses. The NAT box has a single IP address, by which it connects to the Internet, and a private address by which it is connected to the private intranet.

Mother, may I?

When a host inside the private intranet wants to connect to a Web site, it sends its request to the NAT box, which translates the packet so that the request appears to be coming from the NAT box itself. When a response comes in, the packet goes directly to the NAT box, which again translates the packet and resends it within the private intranet.

NAT originated as a stopgap remedy for the shortage of IP addresses, but it is often used as a security remedy. It is far from a security panacea, as it can introduce as many problems as it solves, but it is often incorporated into firewall products.
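As an added example (the article and the products it lists contain no code), this Python sketch models the port-based NAT the two preceding paragraphs describe: an outbound request is rewritten to carry the box's single public address and a freshly allocated public port, the reply is matched on that port and rewritten back to the private host, and an inbound packet with no mapping is dropped because nobody inside asked for it. The private range, the public address and the port-allocation scheme are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed layout: a private range inside, an RFC 5737 documentation address
# standing in for the NAT box's one public IP address.
PRIVATE_NET = ip_network("10.0.0.0/8")
NAT_PUBLIC_IP = "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Port-based NAT: many private (ip, port) pairs share the box's single public address."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.inbound: Dict[int, Tuple[str, int]] = {}    # public port -> (private ip, port)

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the intranet so it appears to come from the NAT box."""
        if ip_address(p.src) not in PRIVATE_NET:
            raise ValueError(f"{p.src} is not a private address")
        key = (p.src, p.sport)
        if key not in self.outbound:          # first packet of a flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving at the public address; None means drop it."""
        if p.dst != self.public_ip:
            return None                       # not addressed to us
        target = self.inbound.get(p.dport)
        if target is None:
            return None                       # no mapping: nobody inside asked for this
        private_ip, private_port = target
        return Packet(p.src, p.sport, private_ip, private_port)


if __name__ == "__main__":
    nat = NatBox(NAT_PUBLIC_IP)
    request = Packet("10.1.2.3", 51000, "198.51.100.80", 80)
    public = nat.translate_outbound(request)
    print("outbound:", request, "->", public)
    reply = Packet("198.51.100.80", 80, NAT_PUBLIC_IP, public.sport)
    print("inbound:", reply, "->", nat.translate_inbound(reply))
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.99", 80, NAT_PUBLIC_IP, 20099)))
```

The drop of unmapped inbound packets is the security side effect the text refers to, and the sketch also shows why it is no panacea: once a public port is mapped, translate_inbound forwards a packet to that port from any source, not just the host the inside client contacted, and nothing here ages out old mappings. Those gaps are what the stateful inspection and filtering that firewall products combine with NAT are meant to close.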

Basic firewalls all do essentially the same things: filter packets, provide proxy services and do stateful packet inspection. The market is sufficiently mature to require greater product differentiation, so firewalls now frequently include content filtering modules capable of detecting viruses and malicious Java or ActiveX code.

The rising tide of distributed denial-of-service attacks has spurred development of countersecurity measures as well. NetScreen Technologies, for instance, last month introduced a software update, ScreenOS 1.66, to its NetScreen 100 hardware firewall that supplies a tenfold increase in the product's ability to repel attacks. With the update, NetScreen 100 can, for example, inspect 20,000 SYN packets per second, the company said.

Many firewalls also include virtual private network features, letting remote nodes and networks establish secure connections across the Internet. But strictly speaking, VPN capability is a separate function from the firewall.

A firewall's platform also can be an important buying consideration: If you have expertise in Microsoft Windows NT, you might prefer an NT-based firewall.

Unix-based firewalls often are touted as being more secure than NT-based ones, particularly those based on open-source versions of Unix such as Berkeley Software Distribution. In most cases, the firewall hardens the operating system by closing security holes and by eliminating unnecessary services that attackers could exploit.

Ease of use is a frequent though hard-to-pin-down feature often touted by vendors. Regardless of any claims, buyers should be aware that firewall security can be complex and that a simple interface could give users an unrealistic sense of security if the firewall is improperly configured.

In deciding whether to buy a hardware device or software, you should weigh the relative factors of performance and flexibility. Firewall appliances can be easier to set up and may also be optimized for improved performance. But software firewalls can be installed on whatever hardware platform is available, and the platform can be upgraded relatively easily or moved into a different function later. Firewall appliances can be used only as firewalls.

It is important to understand that installing a firewall is only one part of a security strategy: User authentication, VPNs, a public-key infrastructure and resource management should all be parts of that strategy as well.

With that in mind, however, you can define requirements for your firewall as you evaluate your network's needs. For example, an entire department might require a high-volume system of hardware or software.

When determining requirements, consider the number of systems behind the firewall, the number of concurrent users, the type of Internet connection in use, the degree to which internal systems must be protected, the resources available to maintain the firewall, and what security functions you want the firewall to perform.

Choosing an adequate firewall can be relatively simple. The difficult part begins after it is installed: Security is an ongoing process, and firewall systems must be managed closely if they are to be effective.

Pete Loshin of Arlington, Mass., is the author of several books about networking and Internet protocols.

Vendor | Product | Type | Special features | Platforms | System requirements | VPN | Proxy | Packet inspection | NAT | Price
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Axent Technologies Inc., Rockville, Md. | Raptor Firewall 6.5 | Software | Includes option for objectionable content filtering | NT, Tru-64 Unix, Solaris, HP-UX | 64M of RAM (NT); 128M of RAM (Solaris/HP-UX); 256M of RAM (Tru64 Unix) | Optional | Yes | No | Yes | $1,995
BorderWare Technologies Inc., Mississauga, Ontario | BorderWare Firewall Server 6.1.1 | Software | Based on hardened open BSD OS | Intel Pentium | Intel Pentium II with 64M of RAM, 1G of hard drive space | Yes | Yes | No | Yes | $2,400 for 25-user license
Check Point Software Technologies Inc., Redwood City, Calif. | FireWall-1 | Software security suite | Includes virus and other content scanning features, access control and authentication | HP-UX, IBM AIX, Solaris, NT, Red Hat Linux | 64M of RAM (128M recommended), 40M of hard drive space | Yes | No | Yes | Yes | $2,995 for 25 IP addresses
Cisco Systems Inc., San Jose, Calif. | PIX Firewall 515, 520 | Hardware | Includes cut-through proxy that authenticates on connection and then passes security to lower layers | N/A | N/A | Yes | No | Yes | Yes | $5,000 up for PIX 515; $9,000 to $22,000 for PIX 520
CyberGuard Corp., Fort Lauderdale, Fla. | CyberGuard Firewall for Unixware (also for NT) | Software | Incorporates static packet filtering, proxy and stateful inspection | SCO Unix, NT | Pentium or Pentium Pro, 64M of RAM | Optional | Yes | No | Yes | 50-user license with proxies: $5,995 for NT, $9,995 for Unix
eSoft Inc., Broomfield, Colo. | Interceptor | Hardware | Firewall appliance using a hardened BSD OS | N/A | N/A | No | Yes | No | Yes | $3,745 up for unlimited users; $749 for annual maintenance
IBM Corp., Armonk, N.Y. | SecureWay Firewall | Software | Supports Socks Version 5 protocol | NT, AIX | 400-MHz Pentium, 128M of RAM, 1G of hard drive space for NT; RS/6000 for AIX | Yes | Yes | Yes | Yes | $2,031 for one user; $15,199 for unlimited users
Internet Dynamics Inc., Westlake Village, Calif. | Conclave SE | Software | Part of an extensive security suite | NT | NT 4.0 | Yes | Yes | No | No | $219 up for 10 users
NetGuard Inc., Carrollton, Texas | Guardian Firewall | Software | Includes bandwidth management and user authentication | NT | NT 4.0 | Yes | No | Yes | Yes | $2,480 for 25 users
NetScreen Technologies Inc., Santa Clara, Calif. | NetScreen 5 | Hardware and appliance/VPN | Includes traffic-shaping capability | N/A | N/A | Yes | No | Yes | Yes | $995 for 10 users; $1,795 for 25 users
NetScreen Technologies Inc., Santa Clara, Calif. | NetScreen 10 | Same | Same | N/A | N/A | Yes | No | Yes | Yes | $3,995
NetScreen Technologies Inc., Santa Clara, Calif. | NetScreen 100 | Same | Same | N/A | N/A | Yes | No | Yes | Yes | $9,995
Network Associates Inc., Santa Clara, Calif. | Gauntlet Firewall 5.5 | Software | Includes OS hardening to improve security | HP-UX, Solaris, NT | 128M of RAM, 2G of hard drive space | Yes | Yes | No | Yes | $6,000 for 1,000-user license
Novell Inc., Provo, Utah | BorderManager Firewall Services 3.5 | Software | Firewall services running on top of NetWare OS | NetWare 4.11 or higher | 486 or Pentium processor, 128M of RAM, 500M of hard drive space | No | Yes | No | Yes | $995 for five-user license
Progressive Systems, Columbus, Ohio | Phoenix Adaptive Firewall | Software | Linux-based firewall | Intel, Alpha, ARM | Red Hat, SuSE, Caldera or TurboLinux Linux distribution | Optional | No | Yes | Yes | $2,995 for unlimited users
Secure Computing Corp., San Jose, Calif. | Sidewinder Security Server | Software | Based on hardened version of BSD OS | Intel | Pentium, 64M of RAM, 4G of hard drive space | No | Yes | Yes | Yes | $6,900 up for 100 users
SonicWall, Sunnyvale, Calif. | SonicWall Pro | Hardware and VPN appliance | StrongARM processor-based; enterprise, small and midsize products also available | N/A | N/A | Yes | No | Yes | Yes | $2,995 up for unlimited users
Sun Microsystems Inc., Palo Alto, Calif. | SunScreen SecureNet 2.0 | Software | Includes SunScreen EFS, SKIP support for 250 users, and Security Manager for Intranets | Sun Sparc/Solaris | 32M of RAM, 1G of hard drive space | Yes | No | Yes | Yes | $9,995 for unlimited users
3Com Corp., Santa Clara, Calif. | OfficeConnect Internet Firewall 25, DMZ | Hardware with proprietary OS | DHCP, Web-filtering option available | N/A | N/A | No | No | Yes | Yes | $565 for Firewall 25; $1,220 for Firewall DMZ
WatchGuard Technologies Inc. | Firebox II | Hardware | Midsize entry, based on minimal Linux implementation; others available for enterprise and small-office use | N/A | N/A | No | Yes | No | Yes | $4,995 for up to 500 authenticated users on a T1 link
