Asbestos for the network
These eight products can cloak your network in fireproof insulation
By Joel Snyder
The firewall market can be summed up in five words: different strokes for different folks. Every firewall has a built-in security philosophy. To find the right firewall for your organization, you must first decide on your security policy and philosophy. Only then will you be able to nail down the most appropriate product.
Out of the eight firewalls we tested that run on multiple platforms and allow application-level proxies, we found four favorites that fill different niches and solve different problems.
For small organizations that want to protect themselves from assailants, yet allow internal users freedom to roam the Internet, Digital Equipment Corp.'s AltaVista Firewall proved to be a suitable cost-effective solution. On Windows NT, it offers an easy-to-use management console that took us less time than any other product to install and configure.
But AltaVista Firewall is too inflexible for large networks. For example, it treats everyone inside the firewall identically, regardless of who they are. A larger organization would probably feel more comfortable with Raptor Systems, Inc.'s Eagle, which has greater flexibility in defining services, users and groups that can pass through the firewall.
Businesses that want to make multiple systems inside the firewall available to outside users should consider Milkyway Networks Corp.'s Black Hole. It offers a wider menu of choices than Raptor's Eagle to the security manager who wants to let some traffic through the firewall, albeit in a controlled way.
Some network managers prefer packet filtering, either for performance or flexibility reasons. The most impressive product in this area is CheckPoint Software Technologies, Inc.'s Firewall-1, which also boasts the best multifirewall management. All the packet filtering products we tested maintain some state information about packets that pass through them.
Picking a platform
We only tested products that run on multiple platforms, because we believe that users should be able to choose which platform fits best in their environments. We looked at Microsoft Corp. Windows NT versions whenever possible. Our experience with the NT versions contrasted sharply with the Unix-based firewalls. Early firewall vendors included hardware with their software, and we learned why: setting up the Unix platform to run these products on generic Intel Corp. hardware was a major chore. In contrast, they were trivial to install on NT platforms.
As firewalls move from specially constructed fortresses built by Unix and security gurus to more of a commodity item, Windows NT will become the platform of choice. Most of the products we tested offer the NT option. These include Digital's AltaVista Firewall, Trusted Information Systems, Inc.'s (TIS) Gauntlet, Network-1 Firewall/Plus, CheckPoint's Firewall-1, Global Internet's Centri and Raptor's Eagle.
On the other hand, Windows NT has its own problems. For NT-based firewalls that depend on the Microsoft-provided TCP/IP stack (all but Network-1 Firewall/Plus), we discovered that simply bringing up another system with the same IP address as the firewall (an accidental operation that could easily happen) can lock up Windows NT - and the firewall.
Livermore Software Laboratories International Inc.'s (LSLI) PORTUS firewall, which we tested on Sun Microsystems, Inc.'s Solaris, was the only Unix-based entry we were able to bring up in our test labs. Even then, we had to do a considerable amount of hardware fiddling to find a configuration acceptable to Solaris.
The other Unix-based vendors, Secure Computing Corp.'s Borderware, Milkyway Networks' Black Hole, and TIS' Gauntlet, all run on Berkeley Software Design, Inc.'s BSDI Internet Server. This Unix operating system was so picky we were simply unable to get it running on any of three systems in our test lab.
After BSDI support was unable to make its operating system work on our hardware, all three vendors shipped us preconfigured hardware. Unfortunately, Secure Computing's system wouldn't boot Unix off of the floppy, so we were unable to evaluate the Borderware product in time to meet our deadline.
Security philosophy and capabilities
We ran Internet Security Systems, Inc.'s Firewall Scanner and failed to find weaknesses in any of these firewalls. This isn't surprising, since all are certified by the National Computer Security Association. Still, it bears noting that just because we didn't find any holes, it doesn't mean there aren't any.
The traditional firewall taxonomy starts with packet filters, such as are built into most routers, and works its way up to application-level proxies that understand and filter at the highest level.
To help sort out the different firewalls, consider how traffic moves through them. In general, firewalls divide the world into two camps: trusted and untrusted. The manner and ease with which connections are allowed to go from the trusted side to the untrusted often differs greatly from the reverse path.
Firewall/Plus has the most black-and-white view of what is trusted and what is not. A Firewall/Plus system has exactly two LAN interfaces. The icon for one is a devil, for the other, an angel. Digital's AltaVista Firewall also has a very strong inside/outside orientation, supporting only two LAN connections. All the other products can handle at least three LAN interfaces.
While two interfaces is often enough for an Internet-oriented firewall, many organizations need three: one for the Internet, one for ''public'' servers for such items as WWW, News and File Transfer Protocol (FTP), and one for the inside. When firewalls are used internally, more than three LAN connections may be required to implement the corporate security policy.
The most transparent path from the inside to the outside world is provided by packet filtering firewalls such as CheckPoint's Firewall-1. Packet filters allow unadulterated TCP/IP connections to go from the inside of the firewall to the outside, subject only to the security policy and rules set in the firewall. A key feature of these firewalls is that they do not change IP addresses passing through. This means any application-layer protocol that has knowledge of IP addresses will work through these firewalls without changes or special programming.
Firewalls that support application- or transport-level proxies are not as transparent. They perform some sort of Network Address Translation (NAT) on packets moving through the firewall.
Generally, the address of the system inside the firewall is replaced with the address of the firewall itself. The problem with this approach is that some application protocols have an intimate knowledge of IP addresses and will only work with special processing. The most common of these is FTP. Because FTP is so popular, all firewalls that perform NAT also have an FTP-specific application-layer proxy.
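An added illustration (not code from the article or from any of the vendors) of why FTP breaks behind a plain NAT and what the FTP-specific proxy has to do about it: in active-mode FTP the client announces its own address and a listening port inside the control channel with the PORT command, a plain NAT rewrites only the IP header and leaves that text alone, so an FTP-aware proxy must rewrite the command to the firewall's public address and remember the mapping. The firewall address and port pool below are constructed values.

```python
# Added example: minimal FTP application-layer proxy logic for a NAT firewall.
# A plain NAT would forward "PORT 10,0,0,5,4,1" unchanged, so the server would
# try to connect back to the private address 10.0.0.5 and fail. The proxy
# instead advertises the firewall's own (public) address and a port it owns,
# and keeps a mapping so the server's inbound data connection can be relayed
# back to the inside client.
import re
from typing import Dict, Tuple

# PORT h1,h2,h3,h4,p1,p2  -> ip = h1.h2.h3.h4, port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE,
)


def parse_port(line: str) -> Tuple[str, int]:
    """Decode a PORT command into (ip, port); reject malformed input."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PORT command")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    a, b, c, d = ip.split(".")
    return "PORT %s,%s,%s,%s,%d,%d\r\n" % (a, b, c, d, port // 256, port % 256)


class FtpAlg:
    """Per-control-connection state of an FTP application-layer proxy.

    firewall_ip is the firewall's address on the untrusted side (constructed
    value); public ports are handed out from a simple counter starting at
    first_port. mappings records public port -> (inside ip, inside port).
    """

    def __init__(self, firewall_ip: str, first_port: int = 40000):
        self.firewall_ip = firewall_ip
        self.next_port = first_port
        self.mappings: Dict[int, Tuple[str, int]] = {}

    def rewrite_command(self, line: str) -> str:
        """Rewrite PORT commands; pass every other control command through."""
        if not line.upper().startswith("PORT "):
            return line
        inside_ip, inside_port = parse_port(line)
        public_port = self.next_port
        self.next_port += 1
        self.mappings[public_port] = (inside_ip, inside_port)
        return format_port(self.firewall_ip, public_port)
```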
Milkyway's Black Hole supports both modes of operation: it normally acts as a NAT but can behave like a proxy server without changing addresses (what Milkyway calls a white hole) if the application requires it. CheckPoint's Firewall-1, Global Internet's Centri and TIS' Gauntlet can do both to some extent, as well.
Of course, if you use private addresses and you want to connect to the Internet, having a complete NAT may not be just a good thing, it may be a requirement.
Not all proxies behave the same way. Application- and transport-level proxy service can be more or less intrusive to the client.
In the nonintrusive case, the client system attempts to connect through the firewall to an IP address on the outside. The firewall intercepts the connection and forms a second connection on behalf of the client, bringing the two together with a proxy. The nonintrusive proxy firewalls include Global's Centri, Raptor's Eagle and Milkyway's Black Hole. Don't use the term ''transparent'' to describe this configuration - each firewall vendor has a different definition of that term, and one vendor's transparent connection is another vendor's opaque one.
For intrusive connections, the client must make an explicit connection to the firewall. The client then has to tell the firewall where to make the final connection. Intrusive proxies include LSLI's PORTUS, Digital's AltaVista Firewall and TIS' Gauntlet.
Although an intrusive connection may sound like a bad thing, many casual Internet users will not even know what is happening. The popular WWW browsers, including Netscape Communications Corp.'s Navigator and Microsoft's Internet Explorer, have built-in support for working with intrusive proxies. With a few clicks, you can configure the browser to work with the firewall proxy. Proxies are only a problem when trying to use uncommon protocols through the firewall.
Even nonintrusive proxies do not guarantee success. For example, when testing Raptor's Eagle, we found that its proxy does not properly synchronize both ends of the connection, which can cause data loss and other communications failures.
In general, we observed that none of the firewall proxies properly handled TCP option negotiation. For plain-vanilla applications such as Internet WWW browsing, this is not a big deal. But when firewalls are deployed within a company where more esoteric protocols are used, this could lead to performance problems.
Management interface and GUI
Firewalls have come a long way from the first Unix-based conglomerations. Sophisticated security policies can now be created with relative ease - on some systems. A good configuration interface is an important part of a firewall, since few organizations set a security policy that never changes.
Having a pretty graphical user interface (GUI) is no guarantee of configuration ease, though. For example, Network-1's Firewall/Plus has a GUI that handles all configuration issues, yet is completely unusable: there is no simple way to say, ''Let this range of ports through in both directions.'' Global Internet's Centri also looked nice, but the user interface crashed on us several times. Fortunately, this did not in any way affect security, just the ability to change configurations.
The firewalls we were most comfortable configuring were LSLI's PORTUS, Raptor's Eagle, Milkyway's Black Hole and Digital's AltaVista Firewall. For all of these, even a clumsy network manager would have a hard time making an error that would allow unintended access.
Raptor's Eagle and Milkyway's Black Hole both do a good job of simplifying the firewall environment so that you can easily implement the security policy without worrying about making an error that will allow insecure access.
CheckPoint's Firewall-1 also has a well-designed GUI, but the oversimplification of certain concepts implemented as check boxes in Firewall-1 can have enormous repercussions. This is actually more of a documentation than a GUI issue, as Firewall-1's online documentation is exceptionally poor.
However, Firewall-1's configuration has something that no other firewall we tested offers: the ability to configure a group of firewalls as a single entity. Using the GUI, you can build rules that are installed on multiple firewalls and packet filtering routers within your enterprise. (Cisco Systems, Inc. and Bay Networks, Inc. routers are supported.) That makes it easy to keep cooperating security domains consistent, which in turn makes Firewall-1 an excellent choice if you need multiple internal firewalls.
Digital's AltaVista Firewall also has a nicely designed user interface that complements the product's relative simplicity. AltaVista Firewall is the easiest to configure and control of all the firewalls we looked at.
Mired in the world of editing text files are LSLI's PORTUS and TIS' Gauntlet. To build or change configurations on either of these requires a text editor. Plus, you have to know which of the many configuration files must be changed.
PORTUS, which is a relatively simple firewall, does not suffer too much from its minimalist management interface. Gauntlet, however, has no excuse. As one of the oldest and most richly featured of the firewalls, it resembles a Unix-based erector set more than an integrated firewall.
TIS provides a screen-based GUI that manages some files, but even a simple customization requires groveling through additional configuration files using the complex syntax and semantics built into the product. Some network managers will enjoy having the internals so exposed for poking and prodding, but when contrasted with Black Hole or Eagle, the Gauntlet has a long way to go.
We reserve a special place in our hearts for the Firewall/Plus GUI. As a firewall vendor, Network-1 has chosen an approach that more closely resembles a network protocol analyzer than a firewall. The software reaches into each frame, pokes around and decides whether to pass it. The nice part of this approach is that Firewall/Plus can handle non-IP protocols such as IPX, Appletalk or DECnet.
Unfortunately, Network-1 hides none of this complexity from the network manager. Making simple changes to the Firewall/Plus configuration is beyond the ken of any but the most determined and educated security managers. By contrast, CheckPoint's Firewall-1 has similar complexity, but it is internal and well hidden, so the security manager need uncover it only when necessary.
While Firewall/Plus starts with a Configuration Wizard that sets up a basic configuration predicated on an undocumented set of generic policies such as ''liberal outgoing,'' touching an existing policy is asking for trouble. It took us longer to modify a running Firewall/Plus for our tests than any other product.
Flexibility and features
With a firewall, the term ''flexibility'' can imply insecurity. Some firewalls, such as Digital's AltaVista Firewall and LSLI's PORTUS, don't give you a lot of flexibility. On the other hand, this makes it almost impossible to screw up and build an insecure configuration.
Firewalls are as susceptible to feature creep as any Microsoft product. For example, CheckPoint's Firewall-1 started out as a sophisticated packet filter. Today, it is a packet filter, part-time application proxy, NAT, and encrypted virtual private network (VPN) gateway.
The king of the features is certainly TIS' Gauntlet. As the oldest continually enhanced product, it includes more application-level proxies than any other. It also has a range of authentication options for users, including four kinds of onetime passwords.
You can add encrypted VPN support, packet filtering, an integrity checker, and content filtering of HTTP queries to get a complex but flexible full-featured system. Gauntlet's feature list will appeal to any network manager who has to satisfy a broad security policy and who wants to get into the bowels of the firewall.
Gauntlet has good competition in Raptor's Eagle. Eagle has many of the features Gauntlet provides, but with fewer proxies, no packet filtering and no VPN in the Windows NT version we tested. (VPN is available in the Unix version.) Eagle provides a much better management and configuration interface, along with built-in real-time reporting of intrusion attempts.
Eagle, however, suffers from a lack of maturity in some of its proxies. For example, its SMTP relay does not support any well-accepted RFC extensions, including PIPELINING, SIZE or 8BIT, and its FTP proxy was unacceptably intolerant of our test client.
Other products vary in how effectively they handle SMTP relays, VPN and other features.
None of the SMTP relays in the firewalls was especially intelligent or useful. Handling E-mail in firewalls by running it through sendmail - a Unix command that handles mail - which is what all SMTP relays we tested do, except for AltaVista Firewall, is a little like handling eggs by giving them to a small child. Our advice is to use a secure mail server in the first place and pipe your mail through the firewall via proxy rather than relay.
VPNs (sometimes called encrypted tunnels) are also on the hot list. Using VPNs, you can build a secure communications path either internally or across a public network such as the Internet. VPN support is built into CheckPoint's Firewall-1, the Unix version of Raptor's Eagle, Milkyway's Black Hole and TIS' Gauntlet. Digital offers VPN support using a separate layered product, AltaVista Tunnel.
VPNs are most often used between two firewalls for encrypted communications. However, the new feature people are clamoring for is personal tunneling, which gives a single user on an insecure network such as the Internet the ability to connect securely through the firewall. Only Digital and Raptor offer personal tunneling at this time.
Firewalls also differentiate themselves in the breadth of their authentication capabilities. Most network managers are turning to onetime passwords to increase security when authenticating users for remote - and sometimes local - access.
Popular authentication choices include the free S/Key system, Security Dynamics Technologies, Inc.'s time-based SecurID, and DES-based systems from Digital Pathways, Inc. or CryptoCard Corp. The widest choices come in TIS' Gauntlet, LSLI's PORTUS and Milkyway's Black Hole, which support all three of these.
Certain newer features are just making it into firewall product lines. For example, HTTP URL and content-based filtering is a hot topic in the security community; firewalls are just beginning to add this capability. Currently, content-based filters can be used to keep Java and ActiveX programs from entering the local network. Global Internet's Centri, TIS' Gauntlet and CheckPoint's Firewall-1 were the first to add this feature.
Reporting and accounting
The most neglected area in the firewalls we tested is alerting and reporting. We contend that any firewall that cannot send out an alert when it detects an attack is deficient. Raptor's Eagle and Digital's AltaVista Firewall have the most sophisticated features in this area.
Eagle offers a series of alerting capabilities based on frequency. For example, it is simple to define ''If someone tries to telnet in more than 100 times in 5 minutes, we've got a problem.'' Once an alert is triggered, Eagle can play a sound, send mail or otherwise notify you.
AltaVista Firewall has a different strategy. It has a series of states: green, yellow, orange and red. At each level, you can define events that move the firewall up to the next level and take some action.
For example, you may decide that if the firewall detects too many telnet failures, it should move to ''yellow alert,'' disable the telnet proxy for two hours and send yourself mail. You can even have AltaVista Firewall shut down the firewall if warranted, as when running out of disk space. After a period of time (two hours under Windows NT), the firewall lowers its alert status.
AltaVista Firewall shows its current state graphically by changing the background color of the console to match the state. We enjoyed watching our test AltaVista Firewall move to orange alert as we probed it with ISS' Firewall Scanner.
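The two alerting models described above, Eagle's frequency rule (''more than N attempts in W minutes'') and AltaVista Firewall's green/yellow/orange/red states that escalate on an event and drop back after a cool-down period, as an added example run over constructed log lines (this is our own illustration, not code from either vendor). The log format, the 192.0.2.x addresses and the threshold of three attempts used for the short demo are assumptions; the article's own rule uses 100 attempts in 5 minutes and a two-hour cool-down.

```python
# Added example: frequency-based alerting plus escalating alert states,
# applied to a handful of constructed firewall log lines.
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Optional

LEVELS = ["green", "yellow", "orange", "red"]

# Constructed sample log; format "<ISO timestamp> <message>" is assumed.
SAMPLE_LOG = [
    "1997-01-10T09:00:00 telnet login failed from 192.0.2.7",
    "1997-01-10T09:01:00 telnet login failed from 192.0.2.7",
    "1997-01-10T09:02:00 ftp session opened from 192.0.2.9",
    "1997-01-10T09:03:00 telnet login failed from 192.0.2.7",
    "1997-01-10T09:04:00 telnet login failed from 192.0.2.7",
    "1997-01-10T12:30:00 telnet login failed from 192.0.2.7",
]


class FrequencyRule:
    """Eagle-style rule: fire when more than `threshold` events fall in `window`."""

    def __init__(self, threshold: int, window: timedelta):
        self.threshold = threshold
        self.window = window
        self.times: Deque[datetime] = deque()  # sliding window of event times

    def observe(self, when: datetime) -> bool:
        self.times.append(when)
        while self.times and when - self.times[0] > self.window:
            self.times.popleft()  # forget events older than the window
        return len(self.times) > self.threshold


class AlertState:
    """AltaVista-style state: up one level per alert, down one after `cooldown`."""

    def __init__(self, cooldown: timedelta):
        self.level = 0
        self.cooldown = cooldown
        self.raised_at: Optional[datetime] = None

    def escalate(self, when: datetime) -> str:
        self.level = min(self.level + 1, len(LEVELS) - 1)
        self.raised_at = when
        return LEVELS[self.level]

    def tick(self, when: datetime) -> str:
        """Lower the level once the cool-down has elapsed since the last change."""
        if self.level > 0 and when - self.raised_at >= self.cooldown:
            self.level -= 1
            self.raised_at = when if self.level > 0 else None
        return LEVELS[self.level]


def parse_line(line: str) -> Optional[datetime]:
    """Return the timestamp of a failed telnet login, or None for other lines."""
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts) if "telnet login failed" in msg else None


def run(lines: List[str], threshold: int, window_min: int, cooldown_h: int) -> List[str]:
    """Feed log lines through rule and state; return the alert level per event."""
    rule = FrequencyRule(threshold, timedelta(minutes=window_min))
    state = AlertState(timedelta(hours=cooldown_h))
    levels = []
    for line in lines:
        when = parse_line(line)
        if when is None:
            continue
        level = state.tick(when)
        if rule.observe(when):
            level = state.escalate(when)
            rule.times.clear()  # count afresh after raising an alert
        levels.append(level)
    return levels
```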
The Unix-based firewall vendors, including PORTUS, Gauntlet and Black Hole, hand-wave away this issue by suggesting that the network manager could write some tool to analyze the logs and make alerts based on that.
Similarly, most products do a poor job of handling the task of summarizing reports and distributing them to the network manager. Global's Centri, for example, sends by E-mail long, verbose, hard-to-read summaries at regular intervals. Any network manager subjected to the barrage of output from Centri would soon ignore it and miss any problems reported.
The reporting software Raptor bundles with Eagle is substandard, but the company sells an add-on package to help analyze traffic.
Exceptions to the poor reporting rule are TIS' Gauntlet, Digital's AltaVista Firewall and Milkyway's Black Hole. Both Gauntlet and AltaVista Firewall have nice reporting strategies that can automatically generate and send reports at selected intervals. Milkyway has gone overboard in reporting capabilities. Its Black Hole stores logging information in a relational database (Postgres) and lets you use either prewritten scripts or SQL queries to generate reports.
Nailing it down
In closing, we must emphasize again that firewalls are not general-purpose products. Each is designed with a particular security style in mind. Configurations that are simple in one product are impossible in another. You cannot pick the right firewall until you decide how you are going to install it, configure it, maintain it and manage it. Considering the points we tested should help you hammer down your security lid.
Scorecard and NetResults - How we ranked them.
Firewalls buyer's guide - What to look at before you buy.
Computer Operations, Audit, and Security Technology (COAST) research program - At Purdue University. List of books and technical papers about firewalls, links to sites where you can download tools for creating your own firewall or documents that help you set up your own firewall tests. A listing of firewall-related mailing lists, newsgroups and interactive conferences is also hosted here.
Free firewall evaluation checklist - From security consulting firm Fortified Networks, Inc.