Like the Sidewinder, SEF also blocks SMTP relay attempts as well as SMTP source routing. SEF is unique in that it can detect what appear to be telnet connections to Port 25 and drop the connection. This is probably because a telnet session sends one character at a time, whereas a real SMTP client sends a whole command line at once.
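As an added example of the three SEF behaviors above (not code from the review or from SEF or Sidewinder), the following Python screens an inbound SMTP session for relay attempts, source-routed addresses and the one-byte-per-segment delivery pattern that gives away an interactive telnet client. The local domain list, the two sessions and their segment sizes are constructed for illustration.

```python
"""Inbound SMTP proxy checks: relay, source routing, telnet-style input.

Added example, not code from the review or from SEF or Sidewinder.
The local domain list, the constructed sessions and the per-segment
sizes are assumptions made for illustration.
"""
import re

# Assumption: domains this gateway accepts mail for from the outside.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

_ANGLE_ADDR = re.compile(r"<([^>]*)>")


def parse_path(arg):
    """Return the address inside a MAIL FROM:/RCPT TO: argument, or None."""
    m = _ANGLE_ADDR.search(arg)
    return m.group(1).strip() if m else None


def is_source_routed(addr):
    """RFC 821 source routes look like '@relay1,@relay2:user@dest';
    the older percent hack is 'user%dest@relay'. Both let an outside
    sender use this host to reach a third party."""
    local, _, _domain = addr.rpartition("@")
    return addr.startswith("@") or "%" in local or ":" in local


def is_relay_attempt(rcpt, client_is_internal):
    """External clients may only deliver to local domains."""
    if client_is_internal:
        return False
    _, _, domain = rcpt.rpartition("@")
    return domain.lower() not in LOCAL_DOMAINS


def looks_interactive(segment_sizes, min_segments=8):
    """SEF-style heuristic: an MTA writes a whole command line per send(),
    so the first line arrives in one or two segments; a person typing in
    telnet delivers one byte per segment. Flag the session when the first
    line came in many segments and most of them carried a single byte."""
    if len(segment_sizes) < min_segments:
        return False
    ones = sum(1 for s in segment_sizes if s == 1)
    return ones / len(segment_sizes) > 0.8


def check_command(line, client_is_internal):
    """Return (allowed, reason) for one client command line."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() in ("MAIL", "RCPT"):
        addr = parse_path(arg.partition(":")[2])
        if addr is None:
            return False, "malformed path"
        if is_source_routed(addr):
            return False, "source routing"
        if verb.upper() == "RCPT" and is_relay_attempt(addr, client_is_internal):
            return False, "relay attempt"
    return True, "ok"


def screen_session(segments, client_is_internal=False):
    """Run received TCP segments (bytes) through the checks. Returns a list
    of (command, allowed, reason); the first entry is the verdict of the
    telnet heuristic on the session as a whole."""
    sizes_before_first_crlf, buf, seen_crlf = [], b"", False
    for seg in segments:
        if not seen_crlf:
            sizes_before_first_crlf.append(len(seg))
        buf += seg
        seen_crlf = seen_crlf or b"\r\n" in buf
    if looks_interactive(sizes_before_first_crlf):
        return [("<session>", False, "telnet-style input")]   # drop the connection
    results = [("<session>", True, "ok")]
    for raw in buf.split(b"\r\n"):
        if raw:
            line = raw.decode("ascii", "replace")
            results.append((line, *check_command(line, client_is_internal)))
    return results


# Constructed sessions: a real MTA, then a person typing into telnet.
MTA_SESSION = [
    b"EHLO mx.other.example\r\n",
    b"MAIL FROM:<alice@other.example>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"RCPT TO:<carol@victim.example>\r\n",                  # relay attempt
    b"RCPT TO:<@example.com:dave@victim.example>\r\n",      # source route
]
TELNET_SESSION = [bytes([c]) for c in b"EHLO evil.example"] + [b"\r\n"]

if __name__ == "__main__":
    for name, session in (("mta", MTA_SESSION), ("telnet", TELNET_SESSION)):
        for cmd, allowed, reason in screen_session(session):
            print(f"{name:6} {'ALLOW' if allowed else 'BLOCK':5} {reason:18} {cmd}")
```

The telnet heuristic is only a guess at how SEF does it, as the review itself says; a scripted client that writes one byte per send() would trip it and a patient attacker pasting whole lines would not, so treat it as a nuisance filter rather than a control.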
As for performance, SEF was comparatively slow. Once we started loading the firewall with connections, SEF's CPU utilization hit 100 percent and stayed there. We started seeing failures at around 67 Mbps with 330 connections per second, and the failure rate was dramatic. Once the firewall was saturated, it stopped accepting new connections.
Symantec Enterprise Firewall with VPN 7.0, Symantec Corp., (800) 441-7234, (541) 335-7000. www.symantec.com
Microsoft Internet Security and Acceleration Server 2000
Microsoft's ISA is a full-featured HTTP proxy. However, it lacks support for some key protocols. ISA is unique in that it can be installed on a Web or Exchange server and offers tight integration with Windows 2000 and Outlook Web Access (OWA). We did find a DoS problem with the DNS filtering, which Microsoft patched (you can find more details on this problem in Microsoft's Knowledge Base, article number Q331065). Our testing also revealed that you cannot create stateful packet-filtering rules between multiple internal networks, nor can you install the proxy transparently for inbound traffic. These important implementation features are available in the other firewalls we tested. ISA was the fastest HTTP application proxy in the review, operating at 170 Mbps.
ISA's HTTP proxy takes URL filtering one step further than the other firewalls we tested. When a URL is sent to ISA, before it passes the URL to the destination host, it decodes any Unicode or ASCII encoded strings. To block directory-traversal attacks, we simply entered the string "../.." into the URLScan filter--we didn't have to monkey with regular expressions.
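To make the decode-then-match point concrete, here is an added Python example (not ISA or URLScan code) that canonicalizes a request path before matching it against the "../.." string the review used. It decodes %xx and IIS-style %uXXXX escapes, unwraps double encoding by repeating the decode until the string stops changing, maps 2-byte overlong UTF-8 such as %c0%af to the ASCII byte a lenient server would produce, and folds backslashes to slashes. The sample paths are constructed; the overlong and %u handling goes beyond what the review states ISA does.

```python
"""Decode-then-match URL filtering for directory traversal.

Added example, not ISA or URLScan code. It shows why a filter that
decodes %xx, %uXXXX and overlong-UTF-8 escapes before matching catches
encoded traversal that a literal '../..' match on the raw URL misses.
The sample URLs are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")     # IIS-style %uXXXX
_OVERLONG2 = re.compile(rb"[\xc0\xc1][\x80-\xbf]")    # 2-byte overlong UTF-8


def _u_escape(m):
    cp = int(m.group(1), 16)
    return m.group(0) if 0xD800 <= cp <= 0xDFFF else chr(cp)   # leave lone surrogates alone


def _decode_bytes(raw):
    """UTF-8 decode, but first map overlong 2-byte forms such as %c0%af
    to the ASCII byte a lenient server would have produced."""
    raw = _OVERLONG2.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]), raw)
    return raw.decode("utf-8", errors="replace")


def canonicalize(path, max_rounds=3):
    """Decode %uXXXX and %xx escapes until the string stops changing, so
    double-encoded input (%252e) is unwrapped too, then fold '\\' to '/'
    as a Windows target would."""
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = _UNICODE_ESC.sub(_u_escape, cur)
        cur = _decode_bytes(unquote_to_bytes(cur))
        rounds += 1
    return cur.replace("\\", "/")


def naive_blocked(path, needle="../.."):
    """Literal match on the raw URL, the way a filter without decoding behaves."""
    return needle in path


def blocked(path, needle="../.."):
    """Match after canonicalization, the way the review describes ISA behaving."""
    return needle in canonicalize(path)


# Constructed request paths: True = should be blocked.
SAMPLES = {
    "/scripts/../../winnt/system32/cmd.exe": True,
    "/scripts/..%2f..%2fwinnt/system32/cmd.exe": True,
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe": True,
    "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe": True,
    "/scripts/%u002e%u002e%u002f..%5cwinnt/system32/cmd.exe": True,
    "/scripts/..%252f..%252fwinnt/system32/cmd.exe": True,
    "/images/logo%20v2.png": False,
    "/docs/release..notes.txt": False,
}


def audit(samples=SAMPLES):
    """Return (path, naive_verdict, decoded_verdict, expected) for each sample."""
    return [(p, naive_blocked(p), blocked(p), exp) for p, exp in samples.items()]


if __name__ == "__main__":
    for path, naive, decoded, expected in audit():
        print(f"naive={naive!s:5} decoded={decoded!s:5} expected={expected!s:5} {path}")
```

One caveat on the review's filter string: "../.." only matches two consecutive traversal segments, so a decoded path with a single "/../" step passes it. Matching the "/../" segment (`blocked(path, "/../")`) closes that gap without touching ordinary file names that merely contain two dots.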
While testing ISA with Cenzic's Hailstorm, we noted that the POP3 intrusion-detection filter only looked for long strings in the user-name field during login. We informed Microsoft, and the company confirmed that the POP3 filter is working as designed, but there may be other fields susceptible to attack besides the user field, so the filter supplies limited detection. Finally, we found ISA's SMTP application filtering only works one way--inbound. We put a Netcat listener on Port 25 inside the firewall and telnetted to the SMTP proxy on ISA. Although we weren't able to send arbitrary data from the client to the server, we could send arbitrary data from the server to the client.
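The server-to-client gap described above is what this added Python example (not ISA code) addresses: a validator for the reply direction that forwards server output only when it parses as a well-formed SMTP reply (three-digit code, space or hyphen separator, consistent code across a multi-line reply, printable ASCII, line-length limit) and substitutes a generic 421 otherwise. The reply streams are constructed, including the arbitrary text a Netcat listener standing in for the server would emit.

```python
"""SMTP reply validation for the server-to-client direction.

Added example, not ISA code. The review found ISA's SMTP filter checks
only what the client sends; this is the check the other direction needs.
The reply streams below are constructed, including the arbitrary data a
Netcat listener standing in for the server would send.
"""
import re

# Reply code, optional separator (space = final line, hyphen = more follow), text.
_REPLY_LINE = re.compile(rb"^([2-5][0-9]{2})(?:([ -])(.*))?$")
MAX_REPLY_LINE = 512      # RFC 2821 limit, including CRLF


def check_reply(data: bytes):
    """Validate one complete SMTP reply (one or more CRLF-terminated lines)
    as received from the server. Returns (ok, reason_or_code)."""
    if not data.endswith(b"\r\n"):
        return False, "not CRLF-terminated"
    lines = data[:-2].split(b"\r\n")
    code = None
    for i, line in enumerate(lines):
        if len(line) + 2 > MAX_REPLY_LINE:
            return False, "line too long"
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            return False, "non-printable or non-ASCII byte"
        m = _REPLY_LINE.match(line)
        if not m:
            return False, "not an SMTP reply line"
        this_code, sep = m.group(1), m.group(2)
        if code is None:
            code = this_code
        elif this_code != code:
            return False, "reply code changed inside multi-line reply"
        # A hyphen separator promises another line; anything else ends the reply.
        if (sep != b"-") != (i == len(lines) - 1):
            return False, "multi-line continuation mismatch"
    return True, code.decode()


def proxy_server_to_client(data: bytes) -> bytes:
    """What a two-way proxy forwards to the client: the reply unchanged
    if it parses, otherwise a generic 421 so the client sees nothing
    the server chose to send (the caller then closes the server side)."""
    ok, reason = check_reply(data)
    if ok:
        return data
    return b"421 proxy: malformed server reply (" + reason.encode() + b")\r\n"


# Constructed server output: True = should be forwarded.
CONSTRUCTED = {
    b"220 mail.example.com ESMTP ready\r\n": True,
    b"250-mail.example.com\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n": True,
    b"354\r\n": True,
    b"hello from netcat, not an MTA\r\n": False,
    b"250-mail.example.com\r\n550 code changed\r\n": False,
    b"250-mail.example.com\r\n": False,          # continuation never closed
    b"220 " + b"A" * 600 + b"\r\n": False,        # over the line limit
    b"220 ok\x1b[2J\r\n": False,                  # terminal escape aimed at a telnet client
}

if __name__ == "__main__":
    for data, expected in CONSTRUCTED.items():
        ok, why = check_reply(data)
        print(f"{'FORWARD' if ok else 'BLOCK':7} expected={expected!s:5} {why:40} {data[:40]!r}")
```

The last sample is why the direction matters: a client that is really a person in telnet, or a mail client with a sloppy reply parser, is exposed to whatever a compromised or spoofed server pushes back, and a proxy that only inspects commands never sees it.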
Microsoft Internet Security and Acceleration Server 2000, Microsoft Corp., (800) 426-9400, (425) 882-8080. www.microsoft.com
WatchGuard Technologies Firebox 4500
The Firebox is a good firewall if most of your HTTP traffic is headed outbound from internal clients. But we simply cannot recommend it to protect a Web server because the Web proxy doesn't perform any HTTP protocol enforcement on traffic originating from the external network. It's no better than a stateful packet-filtering firewall. We did find the SMTP application proxy top notch. Limited to fast Ethernet ports, the Firebox easily handled the HTTP traffic we threw at it, operating at about 90 Mbps.
The SMTP proxy blocked our attempts to relay mail and can silently strip header fields that are not in the approved list. Any errors the destination message-transfer agent encounters are sent back to the sender. However, when the Firebox is under load, it stops responding to the management station. Although WatchGuard made a design decision to put traffic performance ahead of management, losing management control is not acceptable.
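As an added example of the header allow-list behavior described above (not Firebox code), the following Python removes every header not on an approved list from a message leaving the network, carrying folded continuation lines along with the header they belong to. The allow list and the message are constructed; which headers belong on the list is a policy decision, and Received is left off here only to show the internal host name, address and client software that an allow list can keep inside.

```python
"""Allow-list header stripping for an outbound SMTP proxy.

Added example, not Firebox code. The allow list and the message are
constructed; which headers belong on the list is a policy decision.
"""

# Assumption: the only headers allowed to leave the network.
ALLOWED = {"from", "to", "cc", "date", "subject", "message-id", "mime-version",
           "content-type", "content-transfer-encoding"}


def strip_headers(message: bytes, allowed=ALLOWED):
    """Return (filtered_message, dropped_header_lines). Every header whose
    name is not in `allowed` is removed silently, together with its folded
    continuation lines (those starting with space or tab)."""
    head, sep, body = message.partition(b"\r\n\r\n")
    kept, dropped, keep_current = [], [], False
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):          # continuation of the previous header
            (kept if keep_current else dropped).append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        keep_current = name.decode("ascii", "replace") in allowed
        (kept if keep_current else dropped).append(line)
    return b"\r\n".join(kept) + sep + body, dropped


# Constructed message leaving the network; the internal host name, IP and
# client software sit in the headers the allow list drops.
MSG = (b"Received: from internal-host.corp.example (10.1.2.3)\r\n"
       b"\tby mail.corp.example; Tue, 7 Jan 2003 10:00:00 -0500\r\n"
       b"From: alice@corp.example\r\n"
       b"To: bob@other.example\r\n"
       b"Subject: quarterly numbers\r\n"
       b"X-Mailer: InternalClient 4.2 build 1170\r\n"
       b"X-Originating-IP: 10.1.2.3\r\n"
       b"Date: Tue, 7 Jan 2003 10:00:00 -0500\r\n"
       b"\r\n"
       b"Body text.\r\n")

if __name__ == "__main__":
    filtered, dropped = strip_headers(MSG)
    print(filtered.decode())
    print("dropped:", [d.split(b":", 1)[0] for d in dropped if d[:1] not in (b" ", b"\t")])
```

Stripping silently, as the Firebox does, means the sender gets no signal that a header was removed; if that matters for troubleshooting, log the dropped list on the proxy rather than bouncing the message.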
Firebox 4500, WatchGuard Technologies, www.watchguard.com
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.