Security Review
Application-Level Firewalls: Smaller Net, Tighter Filter

  March 21, 2003
  By Mike Fratto



Symantec Enterprise Firewall with VPN 7.0 | Microsoft Internet Security & Acceleration Server 2000 | WatchGuard Technologies Firebox 4500

Symantec Enterprise Firewall with VPN 7.0

Symantec Enterprise Firewall (SEF) offers somewhat better protection for HTTP traffic than Sidewinder but lacks NetMeeting filtering options. Its performance was much slower than that of the other firewalls we tested: SEF performed at well below 100 Mbps with HTTP application scanning enabled. The management station is on par with Check Point's, and its logging is some of the best we have seen.

Regarding application-proxy protection, SEF is no slouch. It blocked all our attempts to pass malformed HTTP, DNS and SMTP traffic. SEF also can block traffic based on URL filtering on a per-rule basis by adding the http.urlpattern directive into the Advanced Services tab of the rule. Once that was done, we saved and reconfigured the firewall and it began to block URLs matching the pattern. For example, to block Unicode traversal on our unpatched IIS5 Web servers, we entered Unicode patterns, such as scripts/..%c0%af.., that we wanted to block. Likewise, any URI string can be matched. Both features are welcome stopgap measures for known attacks. SEF comes with a sample pattern file that contains most of the common patterns.


Like the Sidewinder, SEF also blocks SMTP relay attempts as well as SMTP source routing. SEF is unique in that it can detect what appear to be telnet connections to Port 25 and drop the connection. This is probably because telnet connections send one character at a time, whereas real SMTP clients send all the strings at once.

As for performance, SEF was comparatively slow. Once we started loading the firewall with connections, SEF's CPU utilization hit 100 percent and stayed there. We started seeing failures at around 67 Mbps with 330 connections per second, and the failure rate was dramatic. Once the firewall was saturated, it stopped accepting new connections.



[Figure: Test Results]

Symantec Enterprise Firewall with VPN 7.0, Symantec Corp., (800) 441-7234, (541) 335-7000. www.symantec.com

Microsoft Internet Security and Acceleration Server 2000

Microsoft's ISA is a full-featured HTTP proxy. However, it lacks support for some key protocols. ISA is unique in that it can be installed on a Web or Exchange server and offers tight integration with Windows 2000 and Outlook Web Access (OWA). We did find a DoS problem with the DNS filtering, which Microsoft patched (you can find more details on this problem in Microsoft's Knowledge Base, article number Q331065). Our testing also revealed that you cannot create stateful packet-filtering rules between multiple internal networks, nor can you install the proxy transparently for inbound traffic. These important implementation features are available in the other firewalls we tested. ISA was the fastest HTTP application proxy in the review, operating at 170 Mbps.

ISA's HTTP proxy takes URL filtering one step further than the other firewalls we tested. When a URL is sent to ISA, before it passes the URL to the destination host, it decodes any Unicode or ASCII encoded strings. To block directory-traversal attacks, we simply entered the string "../.." into the URLScan filter--we didn't have to monkey with regular expressions.
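The difference between the two URL-filtering approaches above (SEF matching the literal pattern scripts/..%c0%af.. versus ISA decoding the URL before matching "../..") is worth seeing in code. The following Python comparison is an added example, not code from the article or from either vendor; the sample URIs are constructed, the lenient UTF-8 decoder that accepts the overlong two-byte form (so %c0%af collapses to "/") is my own, and it goes one step further than the article by also unwinding double percent-encoding.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample URIs (not from the article): the literal pattern the
# review entered for SEF, plus other encodings of the same traversal.
SAMPLE_URIS = [
    "/scripts/..%c0%af../private/file.txt",      # overlong UTF-8 slash
    "/scripts/..%2f../private/file.txt",         # plain percent-encoded slash
    "/scripts/../../private/file.txt",           # unencoded
    "/scripts/%252e%252e/%252e%252e/private",    # double percent-encoded dots
    "/scripts/index.asp?id=5",                   # benign
]

# SEF-style: a literal (case-insensitive) pattern list applied to the raw URI.
LITERAL_PATTERNS = [re.compile(re.escape(p), re.IGNORECASE)
                    for p in ["scripts/..%c0%af.."]]

def literal_match(uri: str) -> bool:
    """True if the raw URI contains one of the literal patterns."""
    return any(p.search(uri) for p in LITERAL_PATTERNS)

def lenient_utf8_decode(data: bytes) -> str:
    """Decode two-byte UTF-8 sequences even when overlong (0xC0/0xC1 leads),
    which strict decoders reject; any other byte is taken as Latin-1."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def normalize(uri: str, max_rounds: int = 3) -> str:
    """ISA-style: percent-decode and UTF-8-decode until the URI stops changing."""
    cur = uri
    for _ in range(max_rounds):
        nxt = lenient_utf8_decode(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur

def decoded_match(uri: str) -> bool:
    """True if the decoded URI contains the simple '../..' string ISA was given."""
    return "../.." in normalize(uri)

def evaluate(uris):
    """Map each URI to (literal hit, decoded hit) so the two filters can be compared."""
    return {u: (literal_match(u), decoded_match(u)) for u in uris}
```

Run evaluate(SAMPLE_URIS) and only the first URI trips the literal filter, while every traversal variant and none of the benign traffic trips the decode-then-match filter.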

While testing ISA with Cenzic's Hailstorm, we noted that the POP3 intrusion-detection filter only looked for long strings in the user-name field during login. We informed Microsoft, and the company confirmed that the POP3 filter is working as designed, but there may be other fields susceptible to attack besides the user field, and the filter supplies limited detection. Finally, we found ISA's SMTP application filtering only works one way--inbound. We put a Netcat listener on Port 25 inside the firewall and telnetted to the SMTP proxy on ISA. Although we weren't able to send arbitrary data from the client to the server, we could send arbitrary data from the server to the client.



[Figure: Supplied Hardware for App-Level Firewalls]

Microsoft Internet Security and Acceleration Server 2000, Microsoft Corp., (800) 426-9400, (425) 882-8080. www.microsoft.com

WatchGuard Technologies Firebox 4500

The Firebox is a good firewall if most of your HTTP traffic is headed outbound from internal clients. But we simply cannot recommend it to protect a Web server because the Web proxy doesn't perform any HTTP protocol enforcement on traffic originating from the external network. It's no better than a stateful packet-filtering firewall. We did find the SMTP application proxy top notch. Limited to fast Ethernet ports, the Firebox easily handled the HTTP traffic we threw at it, operating at about 90 Mbps.

The SMTP proxy blocked our attempts to relay mail and can silently strip header fields that are not in the approved list. Any errors the destination message-transfer agent encounters are sent back to the sender. However, when the Firebox is under load, it stops responding to the management station. Although WatchGuard made a design decision to put traffic performance ahead of management, losing management control is not acceptable.

Firebox 4500, WatchGuard Technologies, www.watchguard.com

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.
