An Internet firewall is like a newly divorced person: It's happy to be out on the network but won't let anybody get too close. In this day and age, you'll want to run a background check before you enter a relationship with one of these devices, and that's just what we did, checking out 13 products designed to control access to TCP/IP networks. Products from vendors Livingston Enterprises, Inc. and Network Systems Corp. (NSC) excel at low-end, router-based firewalls for sites with simple security policies. If you want to tinker with their insides, you'll be most interested in firewalls from Trusted Information Systems, Inc. (TIS) and Network-1 Software and Technology, Inc. These products are the ultimate in do-it-yourself kits. Those of you who want an easy-to-configure product will be happiest with systems from Digital Equipment Corp. and CheckPoint Software Technologies, Ltd. CheckPoint is also a clear leader in managing multiple firewalls from a single interface and mixing packet filtering and application proxying technologies. Border Network Technologies, Inc. provides the most complete all-in-one solution, a combination firewall and Internet server that kills many birds with a single box. The application proxy firewall from Milkyway Networks Corp. showed the most innovative features, while Harris Computer Systems Corp., IBM, Secure Computing Corp. and SOS Corp. all turned in credible results. For high-powered and speedy network address translation (NAT), Network Translation, Inc. managed to combine NAT and some firewall features into a powerful and easy-to-configure package. In our last review of firewalls (NW, July 31, 1995, page 1), we found products that fit into textbook categories of packet filter, circuit gateway or application proxy. (For a more complete discussion of these categories, see the related stories on Network World Fusion.) Today, among products we looked at that were introduced or significantly revised since then, almost all are a hybrid of different firewall technologies and techniques. Firewall routers The combination router/firewall systems built into Livingston's Firewall IRX and NSC's The Security Router are primarily network routers that also include firewall functionality. Both of these augment the functions of simple routers by providing a way to log security-related information such as attacks to a local host. These products can also do limited filtering on other protocols. Livingston's Firewall IRX is limited to NetWare's IPX protocol, while NSC's Security Router can also handle AppleTalk, DECnet, XNS and VINES. Firewall IRX is limited to filtering and monitoring network traffic, while The Security Router also provides secure IP tunnels. The main distinguishing characteristic of these two products is their lack of state information; that is, they cannot decide to pass or drop traffic flowing through them based on past information. This restricts the complexity and power of the security policies these products can support, particularly with connectionless protocols such as User Datagram Protocol (UDP). Firewalls also need state information to work with certain TCP protocols, such as File Transfer Protocol (FTP), that use two connections for data transfer. Firewall IRX and The Security Router examine each packet individually without any knowledge of packets that have been seen before. For example, it isn't possible to permit Domain Naming System (DNS) responses - which use connectionless UDP - to pass through the firewall only in response to DNS queries. If you're making heavy use of UDP-based services, such as Network File System (NFS), that you want to extend into the Internet, a stateless firewall won't work for you. A variation on the router-as-firewall approach is an innovative firewall from Network-1 Software and Technology. FireWall/Plus does not route packets; instead, it bridges them across two Ethernet interfaces and appears invisible to any higher level protocols. FireWall/Plus examines each Ethernet frame it receives and decides to pass or drop the frame based on content in the frame itself - such as frame type, media access control address or subfield, or length - or in higher level protocol data in the frame. FireWall/Plus can be used for simple filtering of non-TCP/IP protocols but has the greatest utility for protocols that operate on top of IP because it includes prewritten rules for most IP-based protocols and security scenarios. FireWall/Plus handles not just traditional TCP and UDP but also other protocols that run over IP, such as the Open Shortest Path First routing protocol. FireWall/Plus can also maintain some types of state information to securely handle protocols such as DNS, NFS and FTP. Private Internet Exchange (PIX) from Network Translation is a special type of packet-filtering router. It performs NAT and also has many security features built in. PIX helps organizations hide their internal IP addresses. PIX security features include some state information for protocols such as FTP, rules based on TCP/IP protocol flavor - such as Telnet, Simple Mail Transfer Protocol or Network News Transport Protocol (NNTP) - and IP tunneling. Flexibility of filters CheckPoint's Firewall-1, Harris' CyberGuard Firewall and IBM's Internet Connection Secured Network Gateway (SNG) use a combination of techniques, including application proxies, circuit-level gateways and simple IP-based packet filters to implement a network security policy. These three products allow network managers the greatest flexibility to support a completely open internal environment with no software changes on client systems. Because of their concentration on packet filtering techniques, Firewall-1, CyberGuard and SNG are strongest in that area, although they all support either application proxies, circuit gateways or both. TIS' Gauntlet Internet Firewall comes from a company with a long history of firewall research. Gauntlet includes the second generation of TIS' free tool kit with a simple integrated administrative user interface and other proprietary tools. TIS is unique in providing full source code with its software. SOS' Brimstone Firewall Package is more a collection of public tools than original software, although SOS does add some proprietary pieces, most notably in the user interface and monitoring areas. SOS' main contribution has been to collect, package, document and certify the products in its firewall. However, its tool kit approach encourages network managers to modify the firewall. If you don't want to learn the ins and outs of Unix or network security and safe firewall configuration, check out Milkyway's Black Hole, Digital's Firewall for Unix, Secure Computing's Sidewinder and Border's BorderWare Firewall Server. These products all simplify the task of building a firewall by reducing the possible options. They depend on application-level proxies and circuit gateways to lock down the most commonly used TCP/IP applications. Other limitations have been put in place to simplify the administrative user interface. For example, all but Milkyway's Black Hole strictly limit the number of IP interfaces (usually Ethernet cards) supported. This in turn significantly simplifies the user interface. These products also link other common system management tasks, such as backups, reporting and logging, and system configuration into a single user interface, freeing you, in principle, from having to descend to the squirrelly passageways of the Unix command line. Interfaces and orientation The largest market for firewalls is in protecting corporate networks from public networks such as the Internet. An Internet-oriented firewall typically has two LAN interfaces, one for the insecure side (sometimes called 'dirty' or 'red') of the network and one for the secure side (sometimes called 'clean' or 'blue'). All of the firewalls we looked at support at least two LAN interfaces; a few can support only two. A restricted configuration with only two interfaces has a big advantage for a part-time security manager: The user interface can be very explicit about what is being allowed and what is being filtered. For example, in Network-1's FireWall/Plus, the inside network is shown with an angel icon, while the outside network is shown as a devil. Digital's Firewall for Unix, Secure Computing's Sidewinder, Network Translation's PIX, TIS' Gauntlet and Harris' CyberGuard share the same configuration restriction: two interfaces, with a heavy orientation toward Internet environments. Border's BorderWare allows three interfaces, but with the same strictly defined roles: one is dirty and insecure; one is clean and internal; and one is for Internet-accessible servers that are not to be trusted, a subnet often called a demilitarized zone or a lobby. For more complex environments with multiple firewalls, organizations, LANs or other webs of trust and distrust, two interfaces are not sufficient. The problem with more interfaces, of course, is that more complex management interface and configuration options offer greater opportunities to build a firewall with other-than-intended security policies. Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and SOS' Brimstone all support multiple interfaces, all but IBM on a SPARC platform. Firewall-1's multiple-interface philosophy extends even further than the limits of a single hardware platform. Its administrative user interface lets a set of Firewall-1 systems and routers with many LAN and WAN interfaces be managed as a single entity with a single security policy and logging point. Brimstone provides a similar, although less comprehensive, capability. Getting out through the firewall Each firewall we tested has a slightly different way of handling access through the firewall. In general, external access to internal services is simply turned off; the firewall acts as a one-way valve, letting users inside originate traffic going out but preventing any outside traffic from getting in. Some firewalls provide special holes that allow particular systems on the outside to connect to particular systems on the inside, such as an external NNTP feed to an internal Usenet news server. If all you want is a one-way valve, then almost any firewall will support your security policy. If you have a more complex security policy, you need to be a little more discriminating. We divided the products into two rough categories: ones that are fundamentally IP address-based and ones that are fundamentally user authentication- based. Products in the first category generally care most about what IP address a particular user is coming from and don't have strict authentication requirements. Products in the second category keep a strict tie between users and access through the firewall and are generally considered to be harder for illegitimate users to get around. There are also hybrid products that do a little of both or mix multiple techniques; these tend to be the most attractive. (See Network World Fusion for a related story, Authentication methods.) Digital's Firewall for Unix and Border's BorderWare have the most restrictive access requirements: All authenticated access must use a onetime password mechanism. For example, if you want to give vendors temporary access through your firewall to diagnose a problem, you have to either set them up with a handheld token or have them call while someone who has a token can generate the proper response to the onetime password challenge. All the other authenticating firewall vendors also allow the less secure reusable passwords. If your policy distrusts all outsiders and trusts most insiders, then IP-based filtering may be sufficient. It is nonintrusive, so users will see little, if any, change in how they use the Internet. For traffic originating from inside your network, this kind of filtering works pretty well. IP-based filtering for outside users who wish to come into your network is another story; this is asking for trouble. As the Internet is security-free, no IP addresses can be trusted because they can be easily changed or spoofed. User authentication doesn't necessarily help, since a malicious attacker could conceivably 'hijack' an existing TCP session, given the right circumstances and access. Products that have no user-based authentication and rely on IP addresses - along with other criteria, such as service requested - to decide whether to allow traffic through the firewall include the routers we tested: Livingston's Firewall IRX, NSC's Security Router, Network Translation's PIX and Network-1's FireWall/Plus. Digital's Firewall for Unix and Border's BorderWare are slight variations on this theme: All internal users are filtered based on IP address when sending outgoing traffic, and external users attempting to get in must be authenticated using a onetime password scheme. Secure Computing's Sidewinder has a more limited and obscure approach. Sidewinder filters based on IP address but can use authentication for traffic originating from World-Wide Web browsers, such as Netscape Communications Corp.'s Netscape Navigator. Other products let a user poke a temporary hole for a particular IP address for some period of time. For example, if you want to establish a telnet connection through the firewall, you must first authenticate yourself with a user name and password to the firewall itself. Once the firewall sees a valid user name and password coming from a particular IP address, it allows access. The best example of this technique is Milkyway's Black Hole. Proxies built into Black Hole detect unauthorized traffic and request authentication before letting the traffic pass through. This is particularly nice for protocols such as HyperText Transfer Protocol (HTTP) and Gopher because the firewall authentication is relatively nonintrusive. As an alternative to using semitransparent authentication, users could specifically telnet to the firewall to open up their hole (and to later close it). When a tighter handle is necessary, firewalls such as TIS' Gauntlet and SOS' Brimstone require authentication for each and every TCP access through the firewall. This means that each telnet or FTP command stops at the firewall for a user name and password before being passed through. Gauntlet can also operate in transparent mode, which doesn't require authentication by internal users. This model runs into a problem with protocols such as HTTP, which can open up hundreds of TCP sessions as users click from page to page. Authenticating each of those sessions would be impractical, so the alternatives offered are to either allow such traffic unfettered and unauthenticated, or simply disallow all such sessions. IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all hybrid systems that allow a combination of techniques. All offer IP-based filtering, as well as per-connection authentication for telnet and FTP sessions. Firewall-1 also allows authenticated temporary holes such as those provided by Black Hole, although the technique is less flexible and not as well integrated. Incoming access to network services, such as Web, SMTP and DNS servers, varies from vendor to vendor. Firewalls such as TIS' Gauntlet, Digital's Firewall for Unix, Secure Computing's Sidewinder and SOS' Brimstone prohibit any direct access, requiring everything to pass nontransparently through the firewall. These products expect Internet-accessible services to be outside of the firewall. Although this can increase the security of a domain, it also raises problems. For example, most Unix-based firewalls use sendmail as their mail system, a program notoriously difficult to configure. When an organization wants to use a real electronic mail backbone, the firewall gets in the way by providing a difficult-to-track stopping point for messages into and out of the network. For example, a bug in Digital's Firewall for Unix mail implementation prevented us from sending many kinds of mail from strictly compliant mail agents through the firewall, something we were unable to work around because we couldn't disable the mail proxy. Other firewalls allow limited access - for example, to allow connecting incoming NNTP packets to a single system inside the firewall. Packet-filtering firewalls are the most generous, giving you the flexibility to identify internal systems that are available directly from the outside world. Most circuit-gateway firewalls implicitly provide a restricted NAT function. For example, Digital's Firewall for Unix, Secure Computing's Sidewinder, TIS' Gauntlet, Border's BorderWare and SOS' Brimstone all have nonnegotiable NAT: Nothing outside gets to see IP addresses inside the firewall. The king of NAT is Network Translation's PIX, which combines NAT and some firewall functions such as filtering rules. PIX allows static mapping of IP addresses, which lets you designate specific and controlled holes through the NAT hardware. PIX can also use a pool of IP addresses to randomly and dynamically give access to systems inside the firewall trying to get out. PIX's NAT includes adaptive security, which prevents a potential intruder from trolling for insecure systems by randomly picking addresses and trying to connect to them. Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard all have some optional NAT functionality. Managing firewalls Early adopters of firewall technology were, of necessity, both security and operating system experts. Public domain tool kits became the base on which highly customized firewall systems were built. Fortunately, this level of expertise and homegrown modification is no longer necessary. Several of the firewalls we tested provide excellent user interfaces, which allow any network manager to easily configure a firewall securely. Digital's Firewall for Unix has the best thought-out and most powerful management interface of all the products we examined. The firewall and operating system are managed using Netscape Navigator on a locally attached X Window System display, which makes configuration modifications simple. Digital also includes all of its documentation on-line as hypertext, which is a tremendous help. Border's BorderWare also has an easy-to-use interface. Because the interface is screen-based via curses, a Unix-based screen library, rather than X Window-based, it has fewer frills, but it was seldom difficult to understand. Both of these products employ a single interface to handle operating system and firewall configuration tasks, something we appreciated. Writing this review exposed us to seven Unix flavors, so not having to deal with the nitty-gritty of network configuration on each operating system was a blessing. A close runner-up is CheckPoint's Firewall-1, which also uses X Window but has a more opaque interface. Some of this complexity is due to the product's wider range of capabilities; that is, many things you can do in Firewall-1 are not possible in Firewall for Unix or BorderWare. Milkyway's Black Hole and IBM's SNG also have competent X Window-based management interfaces, but they're more difficult to use than the others. Both made up for this with good documentation, Milkyway's on paper and IBM's on-line. TIS' Gauntlet, Secure Computing's Sidewinder and Harris' CyberGuard provide screen (curses) based management interfaces that are also simple enough to use. However, all of these required us to dip into Unix more than we liked for command-line configuration of either firewall or operating system options. Sidewinder's interface was rather unstable: It crashed several times while we attempted to configure the software. Even worse, when we were forced to manually edit a configuration file - because the documentation told us to - a single misplaced space in a file made the firewall unusable and took more than two hours to recover from. Command-line interfaces on NSC's Security Router and Livingston's Firewall IRX were also unexciting, although the types of operations required made them easy enough to configure. In this case, though, the margin for error was significantly higher. These systems require far more expertise and knowledge of network security than most of the other firewalls. Our worst experiences were with the management interfaces on SOS' Brimstone and Network-1's FireWall/Plus. Both of these need significant human reengineering before they'll be ready for mere mortals. FireWall/Plus hinted at amazing power and a fascinating command language, but the design of the firewall was such that only an expert could feel comfortable and then only after a lot of practice and testing. Documentation generally followed user interface in terms of thoughtfulness and completeness. Milkyway and SOS get special kudos for including a separate user manual for end users inside and outside the firewall, while Digital and IBM had the best on-line documentation. Reporting, logging and alarms One basic requirement of firewalls is that they squeak when pressure is applied. If someone is probing a network for weaknesses, a good firewall should log the attempt and provide an immediate alarm should the attack be serious. You may also want the firewall to provide general reports of TCP/IP traffic for capacity planning and other administrative purposes. The only product we looked at that provides no logging, reporting or alarm capabilities is Network Translation's PIX. Livingston's Firewall IRX and NSC's Security Router are only a little better. They provide logging information - via the network - to a host; it's up to you to write custom software to set alarm conditions. Neither router provides traffic statistics for general reports. The best alarm, logging and reporting capabilities were in TIS' Gauntlet, Digital's Firewall for Unix and Secure Computing's Sidewinder. These three products provide good all-around capabilities to capture statistics, notice problem situations and generate readable logs of probes and attacks. Digital's reports are outstanding. With the product's hypertext documents, you can drill down through reporting data using the supplied Netscape browser to see more information about how the firewall is being used. Digital's alarm conditions are comprehensive. Firewall for Unix moves from a green state, as shown by the background on the user interface, through yellow, orange and red, with different actions occurring at each time. Firewall for Unix's ability to intelligently shut down some or all traffic flowing through it in response to a probe was a unique feature. If summary reports are not important, the logging and alarm facilities in IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all satisfactory. Network-1's FireWall/Plus looked as if it had good reporting capabilities, but it crashed every time we tried to generate a report. We found Milkyway's Black Hole, SOS' Brimstone and Border's BorderWare difficult to set up and manage for alarms. It was not obvious how to best configure the firewall to alert us when something bad was happening. Other features Firewalls come with a variety of additional bells and whistles to assist the security manager. Some are simple yet valuable additions, such as time-of-day rules. Others are more specialized, such as encrypted IP tunnels, and may not be useful in all environments. For more on these features, see Tunneling and encryption on Network World Fusion. Network managers interested in restricting Internet access to off-hours can use time-of-day and day-of-week rules to enable, for example, unrestricted outgoing Web access after hours while keeping the lid on it during the day. Milkyway's Black Hole has the most complete time-based access controls, including time-of-day, day-of-week, day-of-month, week-of-year and month-of-year rules. Digital's Firewall for Unix, Network-1's FireWall/Plus, Border's BorderWare and SOS' Brimstone also have time-based rules, with somewhat less flexibility. Our favorites After looking at 13 products, we came to the conclusion that no one product is appropriate for all security environments. However, we did have some favorites among the crowd. For a low-cost entry into the firewall market, Livingston's Firewall IRX router is hard to beat. For about $3,000, you get a simple firewall that does what Cisco Systems, Inc., Bay Networks, Inc. and 3Com Corp. routers don't: It makes a racket when someone tries to break in. The simple addition of logging facilities makes it worthwhile to use the Firewall IRX as a replacement for your Internet connection router. We also liked the power of NSC's Security Router, but this product clearly fits another niche - one where multiple parts of a large organization need restricting routers between them. For a company that needs some internal security to keep the manufacturing department's programmers out of the accounting department's system, Security Router fits the bill. Network-1's FireWall/Plus is for the true network expert. You need to really understand TCP/IP and Ethernet to properly configure the FireWall/Plus, but you can do things with it that no other firewall lets you do, including easy filtering of unusual IP protocols, IPX, AppleTalk, DECnet, and even less popular protocols such as Digital's Local Area Transport or Local Area VAX Cluster. Like Security Router, FireWall/Plus is most appropriate for sites with a simple security policy or for internal protection. Similarly, Network Translation's PIX isn't a general-purpose firewall, but, in certain situations, it can provide firewall-like functions and solve addressing problems. CheckPoint's Firewall-1 remains a favorite, even if security czars don't like packet filters as much as application proxy gateways. In our first review, this was a clear leader. The competition has come a long way since then, and, in reponse, CheckPoint has added a few knobs so it can say its product does everything. It's fundamentally a good product with a fantastic management interface. Firewall-1 also offers what no other firewall has: centralized configuration and administration of multiple firewalls from a single point. If your network requires multiple firewalls, Firewall-1 is a must-buy. If you want a firewall but don't want to play with Unix, you should definitely investigate Digital's Firewall for Unix. The best management interface of all the firewalls we looked at makes this easy to configure. The reporting capabilities are also great. Although there are limitations on the possible configurations, Firewall for Unix hits squarely in the middle of most corporate requirements for an Internet gateway system. Managers who like the all-in-one approach need to look at Border's BorderWare Firewall Server. This is the ultimate black box: It comes up running firewall, FTP, Gopher, Web, News, Post Office Protocol, SMTP and Telnet gateways. For midsize companies that don't want to fool around, BorderWare is an excellent choice. Of the remaining application proxies, Milkyway's Black Hole is our favorite. With a generally clear management interface, you can make the Black Hole do almost anything you want - act as a NAT, handle multiple interfaces, require authentication, be transparent and support Internet access by inside users with more finesse than any other product. TIS' Gauntlet, although fundamentally old technology, has an advantage all its own: source code. If you like to play with software, Gauntlet is the ultimate foundation on which to build your own firewall and therefore the product of choice for many security experts. We didn't have any complaints about Secure Computing's Sidewinder, IBM's SNG, SOS' Brimstone or Harris' CyberGuard, but they didn't stand out like some of the others. IBM's IP tunneling is well thought-out, and both Harris' and Secure's 'secure' Unix looked like they would be invaluable in some environments. In the absence of specific requirements, though, they wouldn't make it to our short list.
Is it a Firewall or a Server?
Steps for making the right selection