From the Network World Archive

A Flurry of Firewalls

By Joel Snyder

01/29/96
     An Internet firewall is like a newly divorced person: It's happy to be 
out on the network but won't let anybody get too close. In this day and 
age, you'll want to run a background check before you enter a relationship 
with one of these devices, and that's just what we did, checking out 13 
products designed to control access to TCP/IP networks. 
     Products from vendors Livingston Enterprises, Inc. and Network Systems 
Corp. (NSC) excel at low-end, router-based firewalls for sites with simple 
security policies. 
     If you want to tinker with their insides, you'll be most interested in 
firewalls from Trusted Information Systems, Inc. (TIS) and Network-1 
Software and Technology, Inc. These products are the ultimate in 
do-it-yourself kits. 
     Those of you who want an easy-to-configure product will be happiest 
with systems from Digital Equipment Corp. and CheckPoint Software 
Technologies, Ltd. CheckPoint is also a clear leader in managing multiple 
firewalls from a single interface and mixing packet filtering and 
application proxying technologies. 
     Border Network Technologies, Inc. provides the most complete 
all-in-one solution, a combination firewall and Internet server that kills 
many birds with a single box. 
     The application proxy firewall from Milkyway Networks Corp. showed the 
most innovative features, while Harris Computer Systems Corp., IBM, Secure 
Computing Corp. and SOS Corp. all turned in credible results.
     For high-powered and speedy network address translation (NAT), Network 
Translation, Inc. managed to combine NAT and some firewall features into a 
powerful and easy-to-configure package.
     In our last review of firewalls (NW, July 31, 1995, page 1), we found 
products that fit into textbook categories of packet filter, circuit 
gateway or application proxy. (For a more complete discussion of these 
categories, see the related stories on Network World Fusion.) Today, among 
products we looked at that were introduced or significantly revised since 
then, almost all are a hybrid of different firewall technologies and 
techniques. 
     Firewall routers
     The combination router/firewall systems built into Livingston's 
Firewall IRX and NSC's The Security Router are primarily network routers 
that also include firewall functionality. Both of these augment the 
functions of simple routers by providing a way to log security-related 
information such as attacks to a local host. These products can also do 
limited filtering on other protocols. Livingston's Firewall IRX is limited 
to NetWare's IPX protocol, while NSC's Security Router can also handle 
AppleTalk, DECnet, XNS and VINES. 
     Firewall IRX is limited to filtering and monitoring network traffic, 
while The Security Router also provides secure IP tunnels.
     The main distinguishing characteristic of these two products is their 
lack of state information; that is, they cannot decide to pass or drop 
traffic flowing through them based on past information. This restricts the 
complexity and power of the security policies these products can support, 
particularly with connectionless protocols such as User Datagram Protocol 
(UDP).
     Firewalls also need state information to work with certain TCP 
protocols, such as File Transfer Protocol (FTP), that use two connections 
for data transfer. Firewall IRX and The Security Router examine each packet 
individually without any knowledge of packets that have been seen before. 
For example, it isn't possible to permit Domain Name System (DNS) 
responses - which use connectionless UDP - to pass through the firewall 
only in response to DNS queries. If you're making heavy use of UDP-based 
services, such as Network File System (NFS), that you want to extend into 
the Internet, a stateless firewall won't work for you.
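The difference between examining each packet alone and remembering earlier packets is easiest to see in code. The following simulation is an added example, not code from Firewall IRX, The Security Router or any other product in the review; the packets are constructed, the 10.0.0.0/24 inside network is assumed, and the 30-second query timeout is an arbitrary choice. It shows why a stateless rule that lets DNS answers in also lets in anything an outsider sends from port 53, while a stateful filter admits only a reply to a query it has seen.

```python
"""Stateless versus stateful handling of UDP DNS traffic (added example,
not any reviewed product's code; packets and addresses are constructed)."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed inside network (constructed)
DNS_PORT = 53
NFS_PORT = 2049


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Judge each packet on its own, with no memory of earlier packets.
    To let DNS answers back in at all, the rule has to admit any UDP
    datagram whose source port is 53 and whose destination is inside, so
    an outsider sending from port 53 matches it whatever the destination
    port is."""
    if is_inside(pkt.src_ip) and pkt.dst_port == DNS_PORT:
        return True                         # outbound query
    if pkt.src_port == DNS_PORT and is_inside(pkt.dst_ip):
        return True                         # anything that looks like a reply
    return False


class StatefulFilter:
    """Remember outbound queries and admit only the matching reply."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # (inside ip, inside port, server ip) -> time the entry expires
        self.pending = {}

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if is_inside(pkt.src_ip) and pkt.dst_port == DNS_PORT:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
            self.pending[key] = now + self.timeout
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if pkt.src_port == DNS_PORT and key in self.pending:
            del self.pending[key]           # one reply per query
            return True
        return False                        # no matching query: drop

    def _expire(self, now: float) -> None:
        self.pending = {k: t for k, t in self.pending.items() if t > now}


def demo() -> dict:
    """Run both filters over the same constructed packets."""
    query = Packet("10.0.0.5", 40000, "192.0.2.53", DNS_PORT)
    reply = Packet("192.0.2.53", DNS_PORT, "10.0.0.5", 40000)
    # outsider sending from port 53 at an inside NFS port (constructed)
    unsolicited = Packet("198.51.100.9", DNS_PORT, "10.0.0.5", NFS_PORT)
    sf = StatefulFilter()
    return {
        "stateless_unsolicited": stateless_allow(unsolicited),
        "stateful_unsolicited": sf.allow(unsolicited, now=0.0),
        "stateful_query": sf.allow(query, now=1.0),
        "stateful_reply": sf.allow(reply, now=2.0),
        "stateful_replayed_reply": sf.allow(reply, now=3.0),
        "stateful_late_reply": (sf.allow(query, now=10.0),
                                sf.allow(reply, now=41.0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stateful filter also drops a second copy of a reply and a reply that arrives after the query has timed out, which is the extra discipline state buys you for connectionless protocols.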
     A variation on the router-as-firewall approach is an innovative 
firewall from Network-1 Software and Technology. FireWall/Plus does not 
route packets; instead, it bridges them across two Ethernet interfaces and 
appears invisible to any higher level protocols. FireWall/Plus examines 
each Ethernet frame it receives and decides to pass or drop the frame based 
on content in the frame itself - such as frame type, media access control 
address or subfield, or length - or in higher level protocol data in the 
frame. 
     FireWall/Plus can be used for simple filtering of non-TCP/IP protocols 
but has the greatest utility for protocols that operate on top of IP 
because it includes prewritten rules for most IP-based protocols and 
security scenarios. FireWall/Plus handles not just traditional TCP and UDP 
but also other protocols that run over IP, such as the Open Shortest Path 
First routing protocol. FireWall/Plus can also maintain some types of state 
information to securely handle protocols such as DNS, NFS and FTP.
     Private Internet Exchange (PIX) from Network Translation is a special 
type of packet-filtering router. It performs NAT and also has many security 
features built in. PIX helps organizations hide their internal IP 
addresses. PIX security features include some state information for 
protocols such as FTP, rules based on TCP/IP protocol flavor - such as 
Telnet, Simple Mail Transfer Protocol or Network News Transport Protocol 
(NNTP) - and IP tunneling. 
     Flexibility of filters
     CheckPoint's Firewall-1, Harris' CyberGuard Firewall and IBM's 
Internet Connection Secured Network Gateway (SNG) use a combination of 
techniques, including application proxies, circuit-level gateways and 
simple IP-based packet filters to implement a network security policy. 
These three products allow network managers the greatest flexibility to 
support a completely open internal environment with no software changes on 
client systems.
     Because of their concentration on packet filtering techniques, 
Firewall-1, CyberGuard and SNG are strongest in that area, although they 
all support either application proxies, circuit gateways or both. 
     TIS' Gauntlet Internet Firewall comes from a company with a long 
history of firewall research. Gauntlet includes the second generation of 
TIS' free tool kit with a simple integrated administrative user interface 
and other proprietary tools. TIS is unique in providing full source code 
with its software.
     SOS' Brimstone Firewall Package is more a collection of public tools 
than original software, although SOS does add some proprietary pieces, most 
notably in the user interface and monitoring areas. SOS' main contribution 
has been to collect, package, document and certify the products in its 
firewall. However, its tool kit approach encourages network managers to 
modify the firewall.
     If you don't want to learn the ins and outs of Unix or network 
security and safe firewall configuration, check out Milkyway's Black Hole, 
Digital's Firewall for Unix, Secure Computing's Sidewinder and Border's 
BorderWare Firewall Server.
     These products all simplify the task of building a firewall by 
reducing the possible options. They depend on application-level proxies and 
circuit gateways to lock down the most commonly used TCP/IP applications. 
Other limitations have been put in place to simplify the administrative 
user interface. For example, all but Milkyway's Black Hole strictly limit 
the number of IP interfaces (usually Ethernet cards) supported. This in 
turn significantly simplifies the user interface.
     These products also link other common system management tasks, such as 
backups, reporting and logging, and system configuration into a single user 
interface, freeing you, in principle, from having to descend to the 
squirrelly passageways of the Unix command line. 
     Interfaces and orientation 
     The largest market for firewalls is in protecting corporate networks 
from public networks such as the Internet. An Internet-oriented firewall 
typically has two LAN interfaces, one for the insecure side (sometimes 
called 'dirty' or 'red') of the network and one for the secure side 
(sometimes called 'clean' or 'blue'). All of the firewalls we looked at 
support at least two LAN interfaces; a few can support only two. 
     A restricted configuration with only two interfaces has a big 
advantage for a part-time security manager: The user interface can be very 
explicit about what is being allowed and what is being filtered. For 
example, in Network-1's FireWall/Plus, the inside network is shown with an 
angel icon, while the outside network is shown as a devil. Digital's 
Firewall for Unix, Secure Computing's Sidewinder, Network Translation's 
PIX, TIS' Gauntlet and Harris' CyberGuard share the same configuration 
restriction: two interfaces, with a heavy orientation toward Internet 
environments. 
     Border's BorderWare allows three interfaces, but with the same 
strictly defined roles: one is dirty and insecure; one is clean and 
internal; and one is for Internet-accessible servers that are not to be 
trusted, a subnet often called a demilitarized zone or a lobby. 
     For more complex environments with multiple firewalls, organizations, 
LANs or other webs of trust and distrust, two interfaces are not 
sufficient. The problem with more interfaces, of course, is that more 
complex management interface and configuration options offer greater 
opportunities to build a firewall with other-than-intended security 
policies.
     Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and SOS' 
Brimstone all support multiple interfaces, all but IBM on a SPARC platform.
     Firewall-1's multiple-interface philosophy extends even further than 
the limits of a single hardware platform. Its administrative user interface 
lets a set of Firewall-1 systems and routers with many LAN and WAN 
interfaces be managed as a single entity with a single security policy and 
logging point. Brimstone provides a similar, although less comprehensive, 
capability. 
     Getting out through the firewall
     Each firewall we tested has a slightly different way of handling 
access through the firewall. In general, external access to internal 
services is simply turned off; the firewall acts as a one-way valve, 
letting users inside originate traffic going out but preventing any outside 
traffic from getting in. Some firewalls provide special holes that allow 
particular systems on the outside to connect to particular systems on the 
inside, such as an external NNTP feed to an internal Usenet news server. 
     If all you want is a one-way valve, then almost any firewall will 
support your security policy. If you have a more complex security policy, 
you need to be a little more discriminating.
     We divided the products into two rough categories: ones that are 
fundamentally IP address-based and ones that are fundamentally user 
authentication-based. Products in the first category generally care most 
about what IP 
address a particular user is coming from and don't have strict 
authentication requirements. Products in the second category keep a strict 
tie between users and access through the firewall and are generally 
considered to be harder for illegitimate users to get around. There are 
also hybrid products that do a little of both or mix multiple techniques; 
these tend to be the most attractive. (See Network World Fusion for a 
related story, Authentication methods.)
     Digital's Firewall for Unix and Border's BorderWare have the most 
restrictive access requirements: All authenticated access must use a 
onetime password mechanism. For example, if you want to give vendors 
temporary access through your firewall to diagnose a problem, you have to 
either set them up with a handheld token or have them call while someone 
who has a token can generate the proper response to the onetime password 
challenge. All the other authenticating firewall vendors also allow the 
less secure reusable passwords. 
     If your policy distrusts all outsiders and trusts most insiders, then 
IP-based filtering may be sufficient. It is nonintrusive, so users will see 
little, if any, change in how they use the Internet. For traffic 
originating from inside your network, this kind of filtering works pretty 
well. 
     IP-based filtering for outside users who wish to come into your 
network is another story; this is asking for trouble. As the Internet is 
security-free, no IP addresses can be trusted because they can be easily 
changed or spoofed. User authentication doesn't necessarily help, since a 
malicious attacker could conceivably 'hijack' an existing TCP session, 
given the right circumstances and access.
     Products that have no user-based authentication and rely on IP 
addresses - along with other criteria, such as service requested - to 
decide whether to allow traffic through the firewall include the routers we 
tested: Livingston's Firewall IRX, NSC's Security Router, Network 
Translation's PIX and Network-1's FireWall/Plus. 
     Digital's Firewall for Unix and Border's BorderWare are slight 
variations on this theme: All internal users are filtered based on IP 
address when sending outgoing traffic, and external users attempting to get 
in must be authenticated using a onetime password scheme. 
     Secure Computing's Sidewinder has a more limited and obscure approach. 
Sidewinder filters based on IP address but can use authentication for 
traffic originating from World-Wide Web browsers, such as Netscape 
Communications Corp.'s Netscape Navigator.
     Other products let a user poke a temporary hole for a particular IP 
address for some period of time. For example, if you want to establish a 
telnet connection through the firewall, you must first authenticate 
yourself with a user name and password to the firewall itself. Once the 
firewall sees a valid user name and password coming from a particular IP 
address, it allows access.
     The best example of this technique is Milkyway's Black Hole. Proxies 
built into Black Hole detect unauthorized traffic and request 
authentication before letting the traffic pass through. This is 
particularly nice for protocols such as HyperText Transfer Protocol (HTTP) 
and Gopher because the firewall authentication is relatively nonintrusive. 
As an alternative to using semitransparent authentication, users could 
specifically telnet to the firewall to open up their hole (and to later 
close it). 
     When a tighter handle is necessary, firewalls such as TIS' Gauntlet 
and SOS' Brimstone require authentication for each and every TCP access 
through the firewall. This means that each telnet or FTP command stops at 
the firewall for a user name and password before being passed through. 
Gauntlet can also operate in transparent mode, which doesn't require 
authentication by internal users.
     This model runs into a problem with protocols such as HTTP, which can 
open up hundreds of TCP sessions as users click from page to page. 
Authenticating each of those sessions would be impractical, so the 
alternatives offered are to either allow such traffic unfettered and 
unauthenticated, or simply disallow all such sessions. 
     IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all 
hybrid systems that allow a combination of techniques. All offer IP-based 
filtering, as well as per-connection authentication for telnet and FTP 
sessions. Firewall-1 also allows authenticated temporary holes such as 
those provided by Black Hole, although the technique is less flexible and 
not as well integrated. 
     Incoming access to network services, such as Web, SMTP and DNS 
servers, varies from vendor to vendor. Firewalls such as TIS' Gauntlet, 
Digital's Firewall for Unix, Secure Computing's Sidewinder and SOS' 
Brimstone prohibit any direct access, requiring everything to pass 
nontransparently through the firewall. These products expect 
Internet-accessible services to be outside of the firewall.
     Although this can increase the security of a domain, it also raises 
problems. For example, most Unix-based firewalls use sendmail as their mail 
system, a program notoriously difficult to configure. When an organization 
wants to use a real electronic mail backbone, the firewall gets in the way 
by providing a difficult-to-track stopping point for messages into and out 
of the network. For example, a bug in Digital's Firewall for Unix mail 
implementation prevented us from sending many kinds of mail from strictly 
compliant mail agents through the firewall, something we were unable to 
work around because we couldn't disable the mail proxy. 
     Other firewalls allow limited access - for example, to allow 
connecting incoming NNTP packets to a single system inside the firewall. 
Packet-filtering firewalls are the most generous, giving you the 
flexibility to identify internal systems that are available directly from 
the outside world. 
     Most circuit-gateway firewalls implicitly provide a restricted NAT 
function. For example, Digital's Firewall for Unix, Secure Computing's 
Sidewinder, TIS' Gauntlet, Border's BorderWare and SOS' Brimstone all have 
nonnegotiable NAT: Nothing outside gets to see IP addresses inside the 
firewall. 
     The king of NAT is Network Translation's PIX, which combines NAT and 
some firewall functions such as filtering rules. PIX allows static mapping 
of IP addresses, which lets you designate specific and controlled holes 
through the NAT hardware. PIX can also use a pool of IP addresses to 
randomly and dynamically give access to systems inside the firewall trying 
to get out. PIX's NAT includes adaptive security, which prevents a 
potential intruder from trolling for insecure systems by randomly picking 
addresses and trying to connect to them.
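The three NAT behaviours described above (static mappings as deliberate holes, a pool of global addresses handed out to inside hosts, and no answer at all for a global address nobody inside currently holds) can be modelled in a few dozen lines. This is an added example that abstracts the behaviour the review attributes to PIX; it is not PIX code or any other product's. The addresses come from the documentation ranges and the pool is chosen from at random, as the review says; the seed parameter exists only to make the example repeatable.

```python
"""NAT with static mappings, a dynamic pool, and inbound traffic admitted
only where a translation already exists (added example, not PIX code)."""
import random


class Nat:
    def __init__(self, static, pool, seed=None):
        self.static = dict(static)                 # inside -> global, fixed
        self.reverse_static = {g: i for i, g in self.static.items()}
        self.pool = list(pool)                     # free global addresses
        self.dynamic = {}                          # inside -> global, live
        self.reverse_dynamic = {}
        self.rng = random.Random(seed)             # seed only for repeatability

    def outbound(self, inside_ip):
        """Translate an inside source address; allocate a pool address
        if this host has none.  Returns None if the pool is exhausted."""
        if inside_ip in self.static:
            return self.static[inside_ip]
        if inside_ip in self.dynamic:
            return self.dynamic[inside_ip]
        if not self.pool:
            return None
        global_ip = self.pool.pop(self.rng.randrange(len(self.pool)))
        self.dynamic[inside_ip] = global_ip
        self.reverse_dynamic[global_ip] = inside_ip
        return global_ip

    def inbound(self, global_ip):
        """Map a global destination back to an inside host.  Static entries
        are the deliberate, controlled holes; dynamic entries answer only
        while the inside host holds them; any other global address has no
        translation, so a connection attempt to it goes nowhere."""
        if global_ip in self.reverse_static:
            return self.reverse_static[global_ip]
        return self.reverse_dynamic.get(global_ip)

    def release(self, inside_ip):
        """Return a dynamic address to the pool when the session ends."""
        global_ip = self.dynamic.pop(inside_ip, None)
        if global_ip is not None:
            del self.reverse_dynamic[global_ip]
            self.pool.append(global_ip)

    def sweep(self, candidates):
        """Which of these global addresses currently lead to an inside host?
        This is all that an outsider walking the address block can learn."""
        return [g for g in candidates if self.inbound(g) is not None]


def demo():
    """Constructed scenario: one static hole for a Web server, a pool of
    three global addresses, and one inside host opening a session."""
    nat = Nat(static={"10.0.0.25": "203.0.113.25"},
              pool=["203.0.113.100", "203.0.113.101", "203.0.113.102"],
              seed=1)
    block = ["203.0.113.25"] + [f"203.0.113.{n}" for n in range(100, 103)]
    before = nat.sweep(block)
    assigned = nat.outbound("10.0.0.7")      # inside host starts a session
    during = nat.sweep(block)
    nat.release("10.0.0.7")
    after = nat.sweep(block)
    return {"assigned": assigned, "before": before,
            "during": during, "after": after}


if __name__ == "__main__":
    print(demo())
```

Before the inside host connects, a sweep of the block finds only the static hole; while the session is live it also finds the one pool address in use; after release it is back to the static hole alone. Unused pool addresses never translate to anything, which is the point of the adaptive behaviour described above.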
     Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and Harris' 
CyberGuard all have some optional NAT functionality. 
     Managing firewalls
     Early adopters of firewall technology were, of necessity, both 
security and operating system experts. Public domain tool kits became the 
base on which highly customized firewall systems were built. Fortunately, 
this level of expertise and homegrown modification is no longer necessary. 
Several of the firewalls we tested provide excellent user interfaces, which 
allow any network manager to easily configure a firewall securely. 
     Digital's Firewall for Unix has the best thought-out and most powerful 
management interface of all the products we examined. The firewall and 
operating system are managed using Netscape Navigator on a locally attached 
X Window System display, which makes configuration modifications simple. 
Digital also includes all of its documentation on-line as hypertext, which 
is a tremendous help.
     Border's BorderWare also has an easy-to-use interface. Because the 
interface is screen-based via curses, a Unix-based screen library, rather 
than X Window-based, it has fewer frills, but it was seldom difficult to 
understand.
     Both of these products employ a single interface to handle operating 
system and firewall configuration tasks, something we appreciated. Writing 
this review exposed us to seven Unix flavors, so not having to deal with 
the nitty-gritty of network configuration on each operating system was a 
blessing. 
     A close runner-up is CheckPoint's Firewall-1, which also uses X Window 
but has a more opaque interface. Some of this complexity is due to the 
product's wider range of capabilities; that is, many things you can do in 
Firewall-1 are not possible in Firewall for Unix or BorderWare.
     Milkyway's Black Hole and IBM's SNG also have competent X Window-based 
management interfaces, but they're more difficult to use than the others. 
Both made up for this with good documentation, Milkyway's on paper and 
IBM's on-line. 
     TIS' Gauntlet, Secure Computing's Sidewinder and Harris' CyberGuard 
provide screen (curses) based management interfaces that are also simple 
enough to use. However, all of these required us to dip into Unix more than 
we liked for command-line configuration of either firewall or operating 
system options. Sidewinder's interface was rather unstable: It crashed 
several times while we attempted to configure the software. 
     Even worse, when we were forced to manually edit a configuration file 
- because the documentation told us to - a single misplaced space in a file 
made the firewall unusable and took more than two hours to recover from. 
     Command-line interfaces on NSC's Security Router and Livingston's 
Firewall IRX were also unexciting, although the types of operations 
required made them easy enough to configure. In this case, though, the 
margin for error was significantly higher. These systems require far more 
expertise and knowledge of network security than most of the other 
firewalls.
     Our worst experiences were with the management interfaces on SOS' 
Brimstone and Network-1's FireWall/Plus. Both of these need significant 
human reengineering before they'll be ready for mere mortals. FireWall/Plus 
hinted at amazing power and a fascinating command language, but the design 
of the firewall was such that only an expert could feel comfortable and 
then only after a lot of practice and testing.
     Documentation generally followed user interface in terms of 
thoughtfulness and completeness. Milkyway and SOS get special kudos for 
including a separate user manual for end users inside and outside the 
firewall, while Digital and IBM had the best on-line documentation. 
     Reporting, logging and alarms
     One basic requirement of firewalls is that they squeak when pressure 
is applied. If someone is probing a network for weaknesses, a good firewall 
should log the attempt and provide an immediate alarm should the attack be 
serious. You may also want the firewall to provide general reports of 
TCP/IP traffic for capacity planning and other administrative purposes.
     The only product we looked at that provides no logging, reporting or 
alarm capabilities is Network Translation's PIX. Livingston's Firewall IRX 
and NSC's Security Router are only a little better. They provide logging 
information - via the network - to a host; it's up to you to write custom 
software to set alarm conditions. Neither router provides traffic 
statistics for general reports. 
     The best alarm, logging and reporting capabilities were in TIS' 
Gauntlet, Digital's Firewall for Unix and Secure Computing's Sidewinder. 
These three products provide good all-around capabilities to capture 
statistics, notice problem situations and generate readable logs of probes 
and attacks. 
     Digital's reports are outstanding. With the product's hypertext 
documents, you can drill down through reporting data using the supplied 
Netscape browser to see more information about how the firewall is being 
used. Digital's alarm conditions are comprehensive. Firewall for Unix moves 
from a green state, as shown by the background on the user interface, 
through yellow, orange and red, with different actions occurring at each 
time. Firewall for Unix's ability to intelligently shut down some or all 
traffic flowing through it in response to a probe was a unique feature.
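The escalation the review describes, a firewall that moves through green, yellow, orange and red as probing intensifies and takes a different action at each step, reduces to counting denied attempts per source over a sliding window. The following monitor is an added example in the spirit of that feature, not Digital's code or any other product's; the log-line format, the thresholds, the 60-second window and the actions are all constructed assumptions, and the sample log lines are made up.

```python
"""Escalating alarm states driven by denied-connection log lines (added
example; log format, thresholds and actions are constructed)."""
import re
from collections import defaultdict, deque

# constructed log format: "<epoch seconds> DENY|PERMIT <src>-><dst>:<port>"
LOG_RE = re.compile(r"^(\d+) (DENY|PERMIT) (\S+)->(\S+):(\d+)$")

# denied attempts from one source within the window -> state, highest first
THRESHOLDS = [(20, "red"), (10, "orange"), (4, "yellow")]
ACTIONS = {
    "green": "log only",
    "yellow": "log and notify the administrator",
    "orange": "page the administrator immediately",
    "red": "drop all traffic from the source until reviewed",
}


class ProbeMonitor:
    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.denied = defaultdict(deque)      # src -> timestamps of denies
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the source's state afterwards,
        or None if the line is not in the expected format."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, action, src = int(m.group(1)), m.group(2), m.group(3)
        if action == "DENY":
            q = self.denied[src]
            q.append(ts)
            while q and q[0] <= ts - self.window:   # slide the window
                q.popleft()
        state = self.state(src)
        if state == "red":
            self.blocked.add(src)
        return state

    def state(self, src):
        count = len(self.denied.get(src, ()))
        for threshold, name in THRESHOLDS:
            if count >= threshold:
                return name
        return "green"

    def action(self, src):
        return ACTIONS[self.state(src)]


def sample_lines():
    """Constructed traffic: one host probing 12 ports in 24 seconds, one
    host with a single denied attempt, and one host that sweeps 25 hosts."""
    lines = [f"{1000 + i * 2} DENY 198.51.100.7->10.0.0.5:{20 + i}"
             for i in range(12)]
    lines.append("1010 DENY 203.0.113.9->10.0.0.5:23")
    lines.append("1011 PERMIT 203.0.113.9->10.0.0.5:25")
    lines += [f"{2000 + i} DENY 192.0.2.44->10.0.0.{i}:139" for i in range(25)]
    return lines


def run(lines):
    """Feed every line to a fresh monitor and return it for inspection."""
    mon = ProbeMonitor()
    for line in lines:
        mon.feed(line)
    return mon


if __name__ == "__main__":
    mon = run(sample_lines())
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):
        print(src, mon.state(src), "->", mon.action(src))
```

On the sample lines the port prober ends in orange, the single denied attempt stays green, and the host sweeping 25 addresses reaches red and is added to the blocked set, which is the "shut down some traffic in response to a probe" step. Tuning the thresholds and window to your own baseline traffic is the real work; the structure stays the same.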
     If summary reports are not important, the logging and alarm facilities 
in IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all 
satisfactory. Network-1's FireWall/Plus looked as if it had good reporting 
capabilities, but it crashed every time we tried to generate a report. 
     We found Milkyway's Black Hole, SOS' Brimstone and Border's BorderWare 
difficult to set up and manage for alarms. It was not obvious how to best 
configure the firewall to alert us when something bad was happening. 
     Other features
     Firewalls come with a variety of additional bells and whistles to 
assist the security manager. Some are simple yet valuable additions, such 
as time-of-day rules. Others are more specialized, such as encrypted IP 
tunnels, and may not be useful in all environments. For more on these 
features, see Tunneling and encryption on Network World Fusion.
     Network managers interested in restricting Internet access to 
off-hours can use time-of-day and day-of-week rules to enable, for example, 
unrestricted outgoing Web access after hours while keeping the lid on it 
during the day. 
     Milkyway's Black Hole has the most complete time-based access 
controls, including time-of-day, day-of-week, day-of-month, week-of-year 
and month-of-year rules. Digital's Firewall for Unix, Network-1's 
FireWall/Plus, Border's BorderWare and SOS' Brimstone also have time-based 
rules, with somewhat less flexibility.
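Two of the access-control ideas in this review, the authenticated temporary hole for a particular IP address described in the section on getting out through the firewall, and the time-of-day and day-of-week rules described just above, share one rule-evaluation core, so the following added example covers both. It is not code from Black Hole, Firewall for Unix or any other product; the policy, the user table (SHA-256 password digests standing in for whatever store a real firewall uses), the 30-minute hole lifetime and the dates are constructed assumptions.

```python
"""Rule evaluation combining time windows with authenticated temporary
holes (added example, not any reviewed product's code; policy, users and
hole lifetime are constructed)."""
import hashlib
import hmac
from datetime import datetime, time, timedelta


class TimeWindow:
    """Days are weekday numbers (0 = Monday); the window may wrap midnight."""

    def __init__(self, days, start, end):
        self.days, self.start, self.end = set(days), start, end

    def contains(self, when):
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # e.g. 18:00 to 08:00


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


# constructed user table; a real firewall would use its own password
# store or a one-time-password token instead of a static digest
USERS = {"alice": _digest("correct horse")}


class Policy:
    def __init__(self, hole_ttl=timedelta(minutes=30)):
        self.rules = []      # (service, TimeWindow or None): allowed, no auth
        self.holes = {}      # (src_ip, service) -> expiry datetime
        self.hole_ttl = hole_ttl

    def permit(self, service, window=None):
        self.rules.append((service, window))

    def authenticate(self, src_ip, service, username, password, when):
        """Open a hole for (src_ip, service) if the credentials check out."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, _digest(password)):
            return False
        self.holes[(src_ip, service)] = when + self.hole_ttl
        return True

    def close(self, src_ip, service):
        """Let the user close their own hole before it expires."""
        self.holes.pop((src_ip, service), None)

    def allow(self, src_ip, service, when):
        """Return 'rule' (matched a standing rule), 'hole' (matched an
        unexpired authenticated hole) or None (drop)."""
        for svc, window in self.rules:
            if svc == service and (window is None or window.contains(when)):
                return "rule"
        expiry = self.holes.get((src_ip, service))
        if expiry is not None and when < expiry:
            return "hole"
        return None


def demo():
    after_hours = TimeWindow(range(0, 5), time(18, 0), time(8, 0))
    policy = Policy()
    policy.permit("http", after_hours)     # open Web only outside work hours
    # telnet has no standing rule, so it needs an authenticated hole
    tue_10 = datetime(2024, 1, 16, 10, 0)  # a Tuesday (constructed date)
    tue_19 = datetime(2024, 1, 16, 19, 0)
    host = "10.0.0.5"
    return {
        "web_daytime": policy.allow(host, "http", tue_10),
        "web_evening": policy.allow(host, "http", tue_19),
        "telnet_unauth": policy.allow(host, "telnet", tue_10),
        "bad_password": policy.authenticate(host, "telnet", "alice", "wrong", tue_10),
        "good_password": policy.authenticate(host, "telnet", "alice", "correct horse", tue_10),
        "telnet_after_auth": policy.allow(host, "telnet", tue_10 + timedelta(minutes=5)),
        "other_host": policy.allow("10.0.0.9", "telnet", tue_10 + timedelta(minutes=5)),
        "telnet_expired": policy.allow(host, "telnet", tue_10 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hole is keyed on both the source address and the service, so authenticating for telnet from one host opens nothing for a neighbouring host or for another service, and it closes by itself after the lifetime; that bounded, address-tied grant is what makes the technique tolerable for protocols where per-connection authentication would be impractical.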
     Our favorites
     After looking at 13 products, we came to the conclusion that no one 
product is appropriate for all security environments. However, we did have 
some favorites among the crowd. 
     For a low-cost entry into the firewall market, Livingston's Firewall 
IRX router is hard to beat. For about $3,000, you get a simple firewall 
that does what Cisco Systems, Inc., Bay Networks, Inc. and 3Com Corp. 
routers don't: It makes a racket when someone tries to break in. The simple 
addition of logging facilities makes it worthwhile to use the Firewall IRX 
as a replacement for your Internet connection router. 
     We also liked the power of NSC's Security Router, but this product 
clearly fits another niche - one where multiple parts of a large 
organization need restricting routers between them. For a company that 
needs some internal security to keep the manufacturing department's 
programmers out of the accounting department's system, Security Router fits 
the bill.
     Network-1's FireWall/Plus is for the true network expert. You need to 
really understand TCP/IP and Ethernet to properly configure the 
FireWall/Plus, but you can do things with it that no other firewall lets 
you do, including easy filtering of unusual IP protocols, IPX, AppleTalk, 
DECnet, and even less popular protocols such as Digital's Local Area 
Transport or Local Area VAX Cluster. Like Security Router, FireWall/Plus is 
most appropriate for sites with a simple security policy or for internal 
protection.
     Similarly, Network Translation's PIX isn't a general-purpose firewall, 
but, in certain situations, it can provide firewall-like functions and 
solve addressing problems. 
     CheckPoint's Firewall-1 remains a favorite, even if security czars 
don't like packet filters as much as application proxy gateways. In our 
first review, this was a clear leader. The competition has come a long way 
since then, and, in response, CheckPoint has added a few knobs so it can say 
its product does everything. It's fundamentally a good product with a 
fantastic management interface.
     Firewall-1 also offers what no other firewall has: centralized 
configuration and administration of multiple firewalls from a single point. 
If your network requires multiple firewalls, Firewall-1 is a must-buy. 
     If you want a firewall but don't want to play with Unix, you should 
definitely investigate Digital's Firewall for Unix. The best management 
interface of all the firewalls we looked at makes this easy to configure. 
The reporting capabilities are also great.
     Although there are limitations on the possible configurations, 
Firewall for Unix hits squarely in the middle of most corporate 
requirements for an Internet gateway system.
     Managers who like the all-in-one approach need to look at Border's 
BorderWare Firewall Server. This is the ultimate black box: It comes up 
running firewall, FTP, Gopher, Web, News, Post Office Protocol, SMTP and 
Telnet gateways. For midsize companies that don't want to fool around, 
BorderWare is an excellent choice. 
     Of the remaining application proxies, Milkyway's Black Hole is our 
favorite. With a generally clear management interface, you can make the 
Black Hole do almost anything you want - act as a NAT, handle multiple 
interfaces, require authentication, be transparent and support Internet 
access by inside users with more finesse than any other product. 
     TIS' Gauntlet, although fundamentally old technology, has an advantage
all its own: source code. If you like to play with software, Gauntlet is 
the ultimate foundation on which to build your own firewall and therefore 
the product of choice for many security experts.
     We didn't have any complaints about Secure Computing's Sidewinder, 
IBM's SNG, SOS' Brimstone or Harris' CyberGuard, but they didn't stand out 
like some of the others. IBM's IP tunneling is well thought-out, and both 
Harris' and Secure's 'secure' Unix looked like they would be invaluable 
in some environments. In the absence of specific requirements, though, they 
wouldn't make it to our short list.

Related Articles

How We Did It

Is it a Firewall or a Server?

Steps for making the right selection


Copyright 1995 Network World, Inc