Network Computing

Cover Story

Firewalls

As Security Issues Heat Up, A New Cold War Begins. We Test Six Weapons To Stop Intruders Cold

by Peter Morrissey



Do you ever wake up at night in a cold sweat, wondering if people are sitting in their living rooms figuring out how to break into your corporate network through the Internet? If you're protecting critical assets, and you don't think you have the knowledge and control of your hosts to secure them adequately, your fears might be warranted. A firewall by itself can amount to little more than a false sense of security, but it is the natural place to enforce the security policy that governs what may traverse your Internet link.

Although the router on your Internet link can filter packets, it probably wasn't designed to provide the level of control that the firewall products we tested can. A router examines one packet at a time and forwards it. In fact, if you could apply a security philosophy to a router it would be: "That which is not expressly forbidden is permitted." Because routers examine only one packet at a time, they have difficulty providing a fine level of control over TCP-based protocols such as FTP (see "How Firewall Routers Solve the FTP Security Problem," below) and over just about all UDP-based protocols.

Firewalls, on the other hand, are designed specifically to control unwarranted access to your network, and usually embrace a much more conservative security philosophy: "That which is not expressly permitted is denied." They can also deal with some of the trickier protocols. Besides providing stronger logging capabilities, many firewalls offer features such as network address translation, authentication and virtual private networks.

If you're on top of all the security issues on all your hosts, it is more likely that a router, by itself, will be an adequate firewall. Securing your network, however, still requires an abundance of knowledge about your hosts' vulnerabilities and about how to regulate the network traffic that reaches them. The tricky part is turning off the risky traffic without turning off legitimate communications. Firewall products can usually do this more effectively and with less administrator effort than routers, but there's still no guarantee that it's being done correctly. It often comes back to how much better you think you'll sleep at night.

Putting Products to the Fire

CheckPoint's FireWall-1 was both easy to administer and powerful in its ability to provide a very fine level of Internet traffic control. While Harris' CyberGuard didn't do as well in our performance tests, it offered many of the same features. CyberGuard also lacked FireWall-1's good graphical interface but should have one by the time you read this.

Some of the products offer features that go well beyond packet filtering. If you have multiple sites on the Internet that need private communications, you should consider the virtual private network capabilities of the CheckPoint FireWall-1, Harris CyberGuard and Network Systems Security Router products. This feature makes sure that designated communications between different sites are always encrypted. The KarlBridge product also offers a less secure level of encryption that is probably adequate for deterring casual snooping.

CheckPoint FireWall-1 and Harris CyberGuard also offer network address translation, which adds a layer of protection by hiding the internal network's addresses from the Internet: nothing from the outside has to be addressed directly to any internal network device. It is also useful if you want Internet access but aren't using approved IP addresses, since it saves you the hardship of converting all your existing addresses to approved ones.

All of the products, including Mazama Software Labs' Mazama Packet Filter and Network-1's Firewall/Plus, offered some reporting and logging features, which can help you log attacks and, in some cases, notify you when they are occurring. You may even be able to use the logs if you pursue legal action. On the other hand, you may simply want to find out what types of sites and services are using up the bandwidth on your Internet link.

CheckPoint Software Technologies FireWall-1 v2.0


FireWall-1's ease of use, power, flexibility and performance impressed us. It goes way beyond the capabilities of a mere packet filtering firewall. Even though it does not implement proxies in the traditional sense, the ability to process much more than network protocol headers is built into its architecture. Rather than feeding packets up to a proxy application, the code that examines packets is embedded in the kernel. This eliminates the need to run a separate proxy application for every service and allows for more efficient processing. FireWall-1 comes with a list of other functions such as network address translation, virtual encrypted networks, user authentication with "one time" passwords and excellent logging.

CheckPoint makes excellent use of the OpenWin graphical interface to provide a logical, intuitive interface. The rule editor window is the central point of control. From here you can set up filtering rules by clicking on icons in a template. The rules are laid out in the order in which they are applied. We also discovered that if you attempt to insert a rule that negates all the rules below it, an informative warning message notifies you. The rule editor always adds a rule at the bottom that explicitly denies any packets that don't match any of the preceding rules. Finally, with the rule editor, you can classify a list of devices, and when you're building rules, you can apply them to all the devices in a particular class.
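The shadowing warning and the implicit final deny described above both follow from first-match evaluation, and a few lines of code make that concrete. The Python below is an added example written for this page, not FireWall-1's code or rule syntax; the Rule fields, the sample ruleset and the function names are my own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Hypothetical rule model: ordered, first match wins, implicit deny at the end.
ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]      # "tcp", "udp" or None for any protocol
    dports: Tuple[int, int]   # inclusive destination-port range
    action: str               # "accept" or "drop"


def rule(name, src=ANY_NET, dst=ANY_NET, proto=None, dports=ANY_PORTS, action="accept"):
    return Rule(name, ip_network(src), ip_network(dst), proto, dports, action)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would already match `outer`."""
    if not (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)):
        return False
    if outer.proto is not None and outer.proto != inner.proto:
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule that hides it) for every rule that can never fire."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found


def negating_rule(rules: List[Rule]) -> Optional[int]:
    """Index of the first rule that hides every rule below it (the case FireWall-1 warns about)."""
    for i, r in enumerate(rules[:-1]):
        if all(covers(r, later) for later in rules[i + 1:]):
            return i
    return None


def first_match(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Evaluate a packet top to bottom; fall through to the implicit cleanup rule."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and (r.proto is None or r.proto == proto)
                and r.dports[0] <= dport <= r.dports[1]):
            return r.action
    return "drop"  # nothing matched: the explicit deny-all the rule editor appends


# Constructed sample policy: the outbound "any" rule hides the IRC block beneath it.
SAMPLE_RULES = [
    rule("inbound-web", dst="10.1.2.80/32", proto="tcp", dports=(80, 80)),
    rule("inside-out-any", src="10.0.0.0/8"),
    rule("block-irc-out", src="10.0.0.0/8", proto="tcp", dports=(6667, 6667), action="drop"),
]

if __name__ == "__main__":
    for shadowed, by in shadowed_rules(SAMPLE_RULES):
        print(f"rule {shadowed!r} can never match: hidden by {by!r}")
    print("negating rule index:", negating_rule(SAMPLE_RULES))
    print("outbound IRC:", first_match(SAMPLE_RULES, "10.1.2.3", "192.0.2.7", "tcp", 6667))
    print("inbound telnet:", first_match(SAMPLE_RULES, "192.0.2.7", "10.1.2.3", "tcp", 23))
```

Running it shows why the warning matters: "block-irc-out" is listed but can never match, so outbound IRC is accepted, while the inbound Telnet attempt is dropped only because of the implicit cleanup rule at the bottom.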

The rule editor window is also where you launch windows to configure many of FireWall-1's other features. For example, you can configure encryption services, based on DES or FireWall-1's proprietary scheme.

In the unlikely event that you cannot implement your security policy as precisely as you'd like with the extensive point-and-click options, a powerful macro language is available for further customization. Since all the rules are written in this language, it also makes it easy for CheckPoint to add enhancements.

We were impressed that CheckPoint added filtering support for the RealAudio port, which requires state tracking (see "How Firewall Routers Solve the FTP Security Problem," below). There's a script on CheckPoint's Web server that you can add to the FireWall-1 code.

FireWall-1 was one of our top performers. Even though it was running on a Sun SPARC10, we never saw the CPU utilization go above 50 percent. If FireWall-1 has any downfall, it's that it requires a Unix platform.

Harris Computer Systems Corp. CyberGuard Firewall


CyberGuard has all of the basic services and advanced features you could expect, and only CheckPoint's FireWall-1 matches its functionality. It lacks a graphical user interface and fell short in our performance tests, however. The next release, which will be shipping by press time, will address both issues, according to Harris.

Although CyberGuard has no graphical interface, setup and configuration are fairly straightforward. Text-based menus help simplify the process. You can change rules by editing a text file. Alternatively, there's an application that gives a split screen view. The top half of the screen has a form you can fill out to create each rule. The bottom half shows the actual corresponding changes to the configuration file as you fill out the form. The form also lets you comment out a change for later use, which can get you off to a quicker start.

CyberGuard runs on a proprietary version of Unix that was designed to be secure. It employs a multilevel secure operating system that limits the communication between user processes and system processes, making it difficult to compromise the integrity of the system via the network.

A set of proxy applications that look beyond the network protocol level of the packet enhances the basic packet-filtering features. The SMTP proxy, for example, intercepts all mail and strips off the header information that can otherwise reveal details about the internal network that a hacker could potentially exploit.

The FTP proxy lets you distinguish between "gets" and "puts" in an FTP session. So, for example, you could specify that employees can move information from the Internet to the internal network, but disallow any information from leaving the internal network. This can be done on a per-user basis, since FTP users are authenticated at the gateway. An HTTP proxy authenticates users for HTTP access.

These features, combined with network address translation and virtual private network capabilities, round out the whole package. Given the performance problems we observed, however, we suggest that you keep performance penalties in mind as you implement new features.

KarlNet KarlBridge


KarlBridge performed extremely well in our performance tests, and although it isn't a full-featured firewall, it provided quite a bit for the $1,695 price tag, which included the software preconfigured on a compact PC platform. With the router option, it can also be used as an Internet router for up to T1 speeds. Even though the KarlBridge is based on a PC platform, the headless case is compact and designed to withstand environmental conditions.

Although the KarlBridge is a lower-end product, we were impressed that, unlike Network Systems' Security Router, it can filter FTP sessions without opening up the higher range of ports. It can also create an encrypted virtual network. Although the proprietary encryption scheme would probably not be suitable for protecting corporate secrets on the Internet, it should be quite effective at frustrating casual snooping on your internal network.

KarlBridge is also the only product that allows filtering on four major protocols. All the others could only filter on the TCP/IP suite, with a few very limited exceptions. We had a situation on our network recently that would have been perfect for such a product. A Novell server running AppleTalk had started answering Zone Information Protocol (ZIP) queries on one of our networks with erroneous information whenever a local Mac user would use Chooser to search for network services. The only way to correct the problem was to bring down the server and install a patch. Unfortunately, other users on the server, unaffected by the ZIP problem, were not interested in losing use of the server while the problem was corrected. We could have placed the KarlBridge in front of the server, allowing it to filter out the offending packets and let the local router answer all the ZIP queries.

While this was not exactly a security issue, the same type of filtering can be applied to hide hosts and services from other users on the network using any of the four supported protocols. Our performance tests indicated that inserting the KarlBridge into an Ethernet network shouldn't produce a noticeable penalty to users.

Setting up the configuration program to communicate with the bridge was more frustrating than with any other product. If you have the KarlBridge version with flash ROM, the only way to configure it is to run the software on a network-connected PC running a packet driver. We would recommend that you consider getting the version with a bootable diskette, which you can configure on any DOS PC, then simply insert into the KarlBridge. KarlNet also said that it was working on a WinSock version of the software that would eliminate this problem.

Mazama Software Labs Mazama Packet Filter v1.2


The Mazama Packet Filter, which runs on Linux, performed well, despite running on a 33-MHz 486 machine. It may be a little intimidating for those without Unix experience, but it does come installed on the PC with one year of free technical support. It's a solid package for those seeking basic firewall functionality, with just a few extras.

Mazama comes with a default security policy that opens all access from the internal network to the Internet or external network. All services coming into the internal network are turned off by default.

The Mazama proprietary graphical interface resembles X Windows and, aside from being a bit spongy, it makes coherent use of graphical symbols and is fairly easy to navigate. If a feature does not appear in this interface, you can customize it using the C-like scripting language.

If you want to open services back into your network, you have to go to the services window. Here you'll find a series of icons representing TCP and UDP port-based services that you can open. Clicking on an icon reveals a form you can fill out to allow or deny the service, as well as limit it to specific source and destination IP addresses.

Another application has a list of "hostile ports"--a dozen known dangerous ports that are explained in the manual. If anyone on the external network attempts to access any of the ports on this list, the attempt is logged and the source is automatically added to a "hostile site" list, which denies any traffic from the offending IP address for a predefined amount of time. Mazama says it is adding port-scan detection.
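The hostile-port mechanism described above is simple enough to reproduce over a log. The Python below is an added example written for this page, not Mazama's code: the port list, the log line format, the 30-minute block period and the sample entries are all my own constructions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed list. The article says Mazama ships "a dozen known dangerous ports" but does
# not enumerate them; these are classic examples (telnet, sunrpc, r-services, NFS, X11).
HOSTILE_PORTS = {23, 111, 512, 513, 514, 2049, 6000}

# Constructed log format for this example (not Mazama's actual format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) in "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


class HostileSiteList:
    """Offenders are blocked until an expiry time; a new offence refreshes it."""

    def __init__(self, block_for: timedelta):
        self.block_for = block_for
        self.expiry: Dict[str, datetime] = {}

    def is_blocked(self, src: str, now: datetime) -> bool:
        exp = self.expiry.get(src)
        if exp is None:
            return False
        if now >= exp:            # predefined time elapsed: lift the block
            del self.expiry[src]
            return False
        return True

    def observe(self, src: str, dport: int, now: datetime) -> bool:
        """Record an access attempt; returns True if it hit a hostile port and (re)blocked the source."""
        if dport in HOSTILE_PORTS:
            self.expiry[src] = now + self.block_for
            return True
        return False


def process_log(lines: List[str], block_for: timedelta = timedelta(minutes=30)) -> List[Tuple[str, int, str]]:
    """Replay inbound log lines in order and return (src, dport, decision) per line."""
    sites = HostileSiteList(block_for)
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, dport = m["src"], int(m["dport"])
        if sites.is_blocked(src, now):
            decisions.append((src, dport, "drop:hostile-site"))
        elif sites.observe(src, dport, now):
            decisions.append((src, dport, "drop:hostile-port"))
        else:
            decisions.append((src, dport, "pass"))
    return decisions


# Constructed sample: one outside host probes telnet, then keeps trying the Web server.
SAMPLE_LOG = [
    "1996-02-13 09:00:00 in src=198.51.100.9 dst=10.1.2.80 proto=tcp dport=80",
    "1996-02-13 09:00:05 in src=198.51.100.9 dst=10.1.2.3 proto=tcp dport=23",
    "1996-02-13 09:00:06 in src=198.51.100.9 dst=10.1.2.80 proto=tcp dport=80",
    "1996-02-13 09:29:59 in src=198.51.100.9 dst=10.1.2.80 proto=tcp dport=80",
    "1996-02-13 09:30:05 in src=198.51.100.9 dst=10.1.2.80 proto=tcp dport=80",
    "1996-02-13 09:30:06 in src=203.0.113.5 dst=10.1.2.80 proto=tcp dport=80",
]

if __name__ == "__main__":
    for src, dport, decision in process_log(SAMPLE_LOG):
        print(f"{src:>14} dport={dport:<5} {decision}")
```

One caveat worth keeping in mind with any automatic block list of this kind: the source address is taken on trust. An attacker can spoof probes from a partner's or your DNS server's address to get it blocked, so keep the block period short and exempt addresses you depend on.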

Network-1 Software and Technology Firewall/Plus


Network-1 has designed an excellent user interface and incorporated basic firewall functionality on a DOS platform that should be appealing to organizations that don't have lots of Unix expertise. We also believe this product is worth watching as Network-1 attempts to execute its aggressive upgrade plans. For now, however, we find it difficult to recommend a product this costly given its performance problems. We could only recommend it for a 56-Kbps connection or a lightly used T1 link. Keep an eye on Network-1's Windows NT product, scheduled for release this spring.

We found the Firewall/Plus user interface unique and refreshing. The main menu consists of large, tiled icons that were easy to read and navigate. You can navigate to any configuration screen from the file folder-like tabs along the top of the screen.

Firewall/Plus comes with a half dozen default security policies that govern the use of common services. If none of the defaults are adequate, you'll have to customize. The user interface does plenty to simplify this process, giving many point-and-click options for all the major TCP and UDP services. Graphical cues are used liberally to help you understand the consequences of all your actions. When a service is turned on, a green check mark appears over an arrow indicating the direction. When a service is turned off, a red circle and slash appears. An angel and a devil clearly mark the trusted and suspicious sides of the network.

Services can be opened and closed at the application, transport, network and frame layers. This can cause some confusion, since turning off a service on one layer affects the other layers. In some cases, one layer can override another layer, and in other cases, it does not. Each layer is also on a separate screen. Having a map that shows the status of all the layers together would be useful.

The user interface also shines in the time configuration screen, which consists of a grid with the days of the week along the horizontal axis and hourly intervals along the vertical axis. Clicking on a grid cell gives you a list of all of the prepackaged security policies, as well as any customized ones. This makes setting up security policies based on the time of day a point-and-click task.

Network Systems Security Router


The Security Router comes with a powerful filtering language: Packet Control Facility (PCF). Unfortunately, the only way to configure any filters is to learn the nuances of this complex scripting language. On the other hand, Security Router was equaled in performance only by KarlBridge--probably because it's a router and, thus, optimized to route packets. The downside of this, however, is that Security Router only considers each packet individually, and does not keep any state information for related packets.

The PCF language allows for five different types of filters that you can apply at different points in the packet's path through the router. This gives you a lot of flexibility when applying filters and is especially useful if you have more than two interfaces involved. Even though we developed an appreciation for the power of PCF, we found the task of configuring filters to be a bit daunting compared with all the other products. On the other hand, it wasn't any more difficult than the Cisco routers we're used to dealing with, yet it was much more flexible.

After deciding what type of filter to use, you have to create the script and compile it on the Security Router. You only get a line editor for this task on the router. Fortunately, the boot disk is DOS compatible, so you can use your favorite text editor on your PC and save the filter files directly to the Security Router's boot diskette. Nesting filters within filters as subroutines is possible, which helps to make the filter creation process more manageable. Because Security Router can't track session state, allowing services like FTP is impossible without opening up the higher ranges of TCP ports.

Netstalker, which is optional software, runs on a Unix host. We did not test Netstalker, but it does add lots of functionality to help the Security Router do much more than a typical router. For example, it can page, e-mail and even make the router take specific actions based on logged information. Like CyberGuard and CheckPoint, the Security Router supports virtual encrypted networks, which can be used in conjunction with Network Systems' lower-cost, branch office version, Border Guard.

Peter Morrissey is a network systems programmer at Syracuse University. He can be reached on the Internet at ppmorris@mailbox.syr.edu.

How We Tested Firewall Performance


To test performance, we transferred a 1.7-MB binary file from a Sun SPARC2 workstation to a Dell 486/50 client using FTP. This took just less than four seconds. Then we inserted each firewall and repeated the process.

To simulate network load, we captured a Telnet connection request packet (with the TCP SYN bit turned on) with our Network General Sniffer. We used a LANQuest FrameThrower to resend the packet through each firewall at various rates. We used a packet that the firewall's security policy would pass and used our Network General Sniffer to verify that the packets were getting through the firewall. We also verified that the local network bandwidth generated by the packets had no measurable effect on the transfer.

On each firewall, we attempted to add an equal amount of load by setting up a security policy that required it to look through a list of 10 TCP port filters. But having a completely apples-to-apples comparison was impossible, since the architectures and approaches varied so greatly. Harris' CyberGuard and Network-1's Firewall/Plus keep track of each TCP session in real time and watch for its completion. Each of the background packets that we sent would have counted as a new TCP session, generating a tremendous amount of overhead. Neither could complete our test.

CyberGuard and Firewall/Plus had the slowest FTP throughput, even before we blasted them with packets. We retested both products with another Telnet packet that had the SYN bit turned off. At 800 pps, CyberGuard had a throughput rate of 2.26 Mbps. Firewall/Plus still couldn't complete the test at 300 pps. We did not retest the other products, which also might have done even better in this version of the test.

It is also important to keep in mind that some of the products we tested were designed to handle the bandwidth of a T1 connection. Although the theoretical limit of a T1 connection is more than 2,000 pps in each direction using 64-byte packets, larger packets are much more typical. Even a fully loaded T1 is more likely to carry closer to 500 pps in each direction of a full duplex connection.

How Firewall Routers Solve The FTP Security Problem


Much firewall traffic can be regulated by looking at the destination port in the TCP header, which identifies the service. The destination port for Telnet, for example, is 23. To prohibit Telnet traffic from getting through the firewall, it drops every packet with destination port 23 in the TCP header.

FTP operates differently. The initial control connection from the client to the server uses destination port 21. Then, when a request is made to move data, another connection is initiated. As part of this process, the client chooses a port between 1,024 and 65,535 and tells the server (with the FTP PORT command) to use this port number as the destination port for a connection back to the client. Since the client picks the number for each transfer, a typical router cannot tell in advance which port it will be.

The only way to deal with this on a router is always to allow inbound connections to destination ports 1,024 through 65,535. The disadvantage is that a hacker can attempt to initiate a connection with a host on the internal network using any one of the ports in that range, reaching whatever vulnerable services happen to be listening there. Restricting the rule to packets whose source port is 20 (the FTP data port) does not help much, since the attacker chooses the source port.

Some firewalls (see features chart, page 64) can track the state of the FTP session and observe the port number that the client tells the server to use. A temporary allowance is then made for that specific port for the duration of the FTP session.

Another option is to use the PASV command, which eliminates the need to establish a connection back to the client in the 1,024 to 65,535 range: the client instead opens the data connection to a port the server announces. The disadvantage is that not every client and server implements this command.
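The sidebar's mechanism is easy to reproduce. The Python below is an added example written for this page, not code from the article or from any of the tested products: it parses the PORT command and the PASV reply, then contrasts the blanket rule a stateless router needs with the per-session pinhole a stateful firewall opens. The class names, the sample exchange and the extra check that a PORT command must name the client's own address are my own constructions.

```python
import re
from typing import Optional, Set, Tuple

# RFC 959 encodes an address and port as six decimal bytes: h1,h2,h3,h4,p1,p2
PORT_CMD_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_REPLY_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client -> server: where the server should connect for the data transfer."""
    m = PORT_CMD_RE.match(line)
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server -> client: where the client should connect instead (PASV mode)."""
    m = PASV_REPLY_RE.match(line)
    return _decode(m.groups()) if m else None


class StatelessRouterPolicy:
    """A router that cannot follow the session has to leave all of 1024-65535 open inbound."""

    def allows_inbound(self, dst_ip: str, dst_port: int) -> bool:
        return 1024 <= dst_port <= 65535


class StatefulFtpPolicy:
    """Open one inbound pinhole per PORT command seen on the control channel."""

    def __init__(self) -> None:
        self.pinholes: Set[Tuple[str, int]] = set()

    def on_control_line(self, client_ip: str, line: str) -> Optional[Tuple[str, int]]:
        hp = parse_port_command(line)
        if hp is None:
            return None
        host, port = hp
        # Added check, not from the article: only honour a PORT that points back at the
        # client itself, so the server cannot be told to connect to some other host.
        if host != client_ip or port < 1024:
            return None
        self.pinholes.add((host, port))
        return host, port

    def allows_inbound(self, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip, dst_port) in self.pinholes

    def session_closed(self, client_ip: str) -> None:
        """Control connection ended: withdraw every pinhole opened for that client."""
        self.pinholes = {p for p in self.pinholes if p[0] != client_ip}


def demo() -> dict:
    """Constructed exchange: inside client 10.1.2.3, outside attacker probing X11 (6000)."""
    router, firewall = StatelessRouterPolicy(), StatefulFtpPolicy()
    opened = firewall.on_control_line("10.1.2.3", "PORT 10,1,2,3,4,1")  # 4*256+1 = 1025
    result = {
        "pinhole": opened,
        "router_allows_data": router.allows_inbound("10.1.2.3", 1025),
        "router_allows_probe": router.allows_inbound("10.1.2.3", 6000),
        "firewall_allows_data": firewall.allows_inbound("10.1.2.3", 1025),
        "firewall_allows_probe": firewall.allows_inbound("10.1.2.3", 6000),
        "bounce_rejected": firewall.on_control_line("10.1.2.3", "PORT 10,1,2,99,0,23") is None,
    }
    firewall.session_closed("10.1.2.3")
    result["after_close"] = firewall.allows_inbound("10.1.2.3", 1025)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

The stateless policy lets both the legitimate data connection and the probe to port 6000 through; the stateful one admits only the port the client actually announced, and closes it again once the control session ends.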



February 13, 1996












