From the Network World Archive

Is it a firewall or a server?

By Joel Snyder

     Many of the firewalls we tested also include Internet service 
software, such as File Transfer Protocol (FTP) or World-Wide Web servers. 
All but the router-based firewalls from Livingston Enterprises, Inc., 
Network Systems Corp. (NSC), Network Translation, Inc. and Network-1 
Software and Technology, Inc. are based on the Unix operating system, so 
adding public domain (or proprietary) service software is not difficult. 
     If you want an all-in-one solution to Internet connection needs. A 
single box can run not just the security application, but FTP, NNTP, SMTP 
and POP, Domain Naming Service (DNS), Web and Gopher. Border Network 
Technologies' BorderWare goes the furthest in this direction. BorderWare is 
designed as a combination security firewall and Internet server, with all 
services integrated into the base system. 
     To keep its firewall safe, Border locks out all interactive access. In 
an earlier review of BorderWare, we took the vendor to task for not 
providing an escape if you want to separate out security and service 
applications. In the newest version of its software, Border has partially 
answered that complaint by allowing the connection of a separate network 
segment just for handling Internet information servers. 
     If you're uneasy about the security of public domain products for Web, 
FTP and SMTP service, you may want to look at Secure Computing Corp.'s 
Sidewinder and Harris Computer Systems Corp.'s CyberGuard. 
     Both of these servers include heavily modified versions of Unix 
designed to contain any security breach that might be created by a poorly 
written application. Sidewinder's type enforcement keeps even privileged 
applications and users from modifying data or processes outside of their 
own security domain. Similarly, Harris' simpler multilevel secure Unix 
partitions the operating environment and presents a barrier to an 
out-of-control or insecure application. 
     While products such as Sidewinder and CyberGuard are specifically 
designed to run services on the firewall, some other vendors discourage 
this practice, including Milkyway Networks Corp., Digital Equipment Corp., 
Trusted Information Systems, Inc. (TIS) and Checkpoint Software 
Technologies, Ltd. 
     DNS configurations give firewall vendors (and net managers) more 
trouble than any other aspect of firewall configuration. In some cases, a 
split DNS, which uses two DNS servers to hide internal information from the 
outside, makes the most technical sense --- for example, when you have two 
mail servers, one for external users sending messages in and one for 
internal users sending out, both with the same name. 
     Some vendors provide both internal and external DNS servers from the 
firewall, such as Secure Computing, Border, SOS Corp. and Harris. Other 
vendors, including Milkyway, Digital, TIS, IBM and Checkpoint, provide only 
     Because products from Milkyway, Harris and Checkpoint support packet 
filtering, they are the only Unix-based firewalls that do not require at 
least one DNS server to be located near the firewall. Livingston, NSC, 
Network Translation and Network-1 do not support any services (including 
DNS) on their firewalls. Since DNS configuration information changes 
constantly in many organizations, we felt most comfortable with firewalls 
that let us move the DNS away from the security perimeter.
     --- Joel Snyder