An Internet firewall is like a newly divorced person: It's happy to be out on the network but won't let anybody get too close. In this day and age, you'll want to run a background check before you enter a relationship with one of these devices, and that's just what we did, checking out 13 products designed to control access to TCP/IP networks. Products from vendors Livingston Enterprises, Inc. and Network Systems Corp. (NSC) excel at low-end, router-based firewalls for sites with simple security policies. If you want to tinker with their insides, you'll be most interested in firewalls from Trusted Information Systems, Inc. (TIS) and Network-1 Software and Technology, Inc. These products are the ultimate in do-it-yourself kits. Those of you who want an easy-to-configure product will be happiest with systems from Digital Equipment Corp. and CheckPoint Software Technologies, Ltd. CheckPoint is also a clear leader in managing multiple firewalls from a single interface and mixing packet filtering and application proxying technologies. Border Network Technologies, Inc. provides the most complete all-in-one solution, a combination firewall and Internet server that kills many birds with a single box. The application proxy firewall from Milkyway Networks Corp. showed the most innovative features, while Harris Computer Systems Corp., IBM, Secure Computing Corp. and SOS Corp. all turned in credible results. For high-powered and speedy network address translation (NAT), Network Translation, Inc. managed to combine NAT and some firewall features into a powerful and easy-to-configure package. In our last review of firewalls (NW, July 31, 1995, page 1), we found products that fit into textbook categories of packet filter, circuit gateway or application proxy. (For a more complete discussion of these categories, see the related stories on Network World Fusion.) 
Today, among products we looked at that were introduced or significantly revised since then, almost all are a hybrid of different firewall technologies and techniques.

Firewall routers

The combination router/firewall systems built into Livingston's Firewall IRX and NSC's The Security Router are primarily network routers that also include firewall functionality. Both of these augment the functions of simple routers by providing a way to log security-related information such as attacks to a local host. These products can also do limited filtering on other protocols. Livingston's Firewall IRX is limited to NetWare's IPX protocol, while NSC's Security Router can also handle AppleTalk, DECnet, XNS and VINES. Firewall IRX is limited to filtering and monitoring network traffic, while The Security Router also provides secure IP tunnels.

The main distinguishing characteristic of these two products is their lack of state information; that is, they cannot decide to pass or drop traffic flowing through them based on past information. This restricts the complexity and power of the security policies these products can support, particularly with connectionless protocols such as User Datagram Protocol (UDP). Firewalls also need state information to work with certain TCP protocols, such as File Transfer Protocol (FTP), that use two connections for data transfer. Firewall IRX and The Security Router examine each packet individually without any knowledge of packets that have been seen before. For example, it isn't possible to permit Domain Naming System (DNS) responses - which use connectionless UDP - to pass through the firewall only in response to DNS queries. If you're making heavy use of UDP-based services, such as Network File System (NFS), that you want to extend into the Internet, a stateless firewall won't work for you.

A variation on the router-as-firewall approach is an innovative firewall from Network-1 Software and Technology. FireWall/Plus does not route packets; instead, it bridges them across two Ethernet interfaces and appears invisible to any higher level protocols. FireWall/Plus examines each Ethernet frame it receives and decides to pass or drop the frame based on content in the frame itself - such as frame type, media access control address or subfield, or length - or in higher level protocol data in the frame. FireWall/Plus can be used for simple filtering of non-TCP/IP protocols but has the greatest utility for protocols that operate on top of IP because it includes prewritten rules for most IP-based protocols and security scenarios. FireWall/Plus handles not just traditional TCP and UDP but also other protocols that run over IP, such as the Open Shortest Path First routing protocol. FireWall/Plus can also maintain some types of state information to securely handle protocols such as DNS, NFS and FTP.

Private Internet Exchange (PIX) from Network Translation is a special type of packet-filtering router. It performs NAT and also has many security features built in. PIX helps organizations hide their internal IP addresses. PIX security features include some state information for protocols such as FTP, rules based on TCP/IP protocol flavor - such as Telnet, Simple Mail Transfer Protocol or Network News Transport Protocol (NNTP) - and IP tunneling.

Flexibility of filters

CheckPoint's Firewall-1, Harris' CyberGuard Firewall and IBM's Internet Connection Secured Network Gateway (SNG) use a combination of techniques, including application proxies, circuit-level gateways and simple IP-based packet filters to implement a network security policy. These three products allow network managers the greatest flexibility to support a completely open internal environment with no software changes on client systems.
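The stateless-versus-stateful distinction drawn above for the routers, worked through as an added example (not code from the article or from any of the products reviewed): a filter with no memory can only admit DNS answers by a standing rule that lets in any UDP packet from port 53, whereas a filter that remembers the queries inside hosts sent admits only the matching reply. Addresses, ports and the packet trace are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP datagram as the firewall sees it (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "udp" or "tcp"
    inbound: bool     # True when it arrives on the outside ("dirty") interface


class StatelessFilter:
    """Router-style filter: every packet is judged on its own fields, with no
    memory of earlier packets. The only way to let DNS answers back in is a
    standing rule admitting any inbound UDP packet whose source port is 53,
    which equally admits an unsolicited datagram aimed at an inside service."""

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            return True                     # inside hosts may originate anything
        return p.proto == "udp" and p.sport == 53


class StatefulFilter:
    """Keeps a table of flows that inside hosts have opened, so an inbound
    packet is admitted only when it answers one of them. TCP flows are
    tracked the same way (FTP's second data connection is not modelled)."""

    def __init__(self) -> None:
        # entries: (inside_addr, inside_port, outside_addr, outside_port, proto)
        self.flows = set()

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key not in self.flows:
            return False                    # nobody inside asked for this
        if p.proto == "udp":
            self.flows.discard(key)         # a DNS query earns exactly one answer
        return True


def run_trace(fw, trace):
    """Feed packets through a filter in order; return the verdict for each."""
    return [fw.allow(p) for p in trace]


# Constructed trace: a DNS lookup, its answer, an unsolicited datagram from
# port 53 aimed at the NFS port of another inside host, and a replay of the
# earlier answer.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 4001, "198.51.100.53", 53, "udp", inbound=False),
    Packet("198.51.100.53", 53, "10.0.0.5", 4001, "udp", inbound=True),
    Packet("203.0.113.9", 53, "10.0.0.7", 2049, "udp", inbound=True),
    Packet("198.51.100.53", 53, "10.0.0.5", 4001, "udp", inbound=True),
]

if __name__ == "__main__":
    print("stateless:", run_trace(StatelessFilter(), SAMPLE_TRACE))  # all True
    print("stateful: ", run_trace(StatefulFilter(), SAMPLE_TRACE))   # True, True, False, False
```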
Because of their concentration on packet filtering techniques, Firewall-1, CyberGuard and SNG are strongest in that area, although they all support either application proxies, circuit gateways or both.

TIS' Gauntlet Internet Firewall comes from a company with a long history of firewall research. Gauntlet includes the second generation of TIS' free tool kit with a simple integrated administrative user interface and other proprietary tools. TIS is unique in providing full source code with its software.

SOS' Brimstone Firewall Package is more a collection of public tools than original software, although SOS does add some proprietary pieces, most notably in the user interface and monitoring areas. SOS' main contribution has been to collect, package, document and certify the products in its firewall. However, its tool kit approach encourages network managers to modify the firewall.

If you don't want to learn the ins and outs of Unix or network security and safe firewall configuration, check out Milkyway's Black Hole, Digital's Firewall for Unix, Secure Computing's Sidewinder and Border's BorderWare Firewall Server. These products all simplify the task of building a firewall by reducing the possible options. They depend on application-level proxies and circuit gateways to lock down the most commonly used TCP/IP applications. Other limitations have been put in place to simplify the administrative user interface. For example, all but Milkyway's Black Hole strictly limit the number of IP interfaces (usually Ethernet cards) supported. This in turn significantly simplifies the user interface. These products also link other common system management tasks, such as backups, reporting and logging, and system configuration into a single user interface, freeing you, in principle, from having to descend to the squirrelly passageways of the Unix command line.
Interfaces and orientation

The largest market for firewalls is in protecting corporate networks from public networks such as the Internet. An Internet-oriented firewall typically has two LAN interfaces, one for the insecure side (sometimes called 'dirty' or 'red') of the network and one for the secure side (sometimes called 'clean' or 'blue'). All of the firewalls we looked at support at least two LAN interfaces; a few can support only two.

A restricted configuration with only two interfaces has a big advantage for a part-time security manager: The user interface can be very explicit about what is being allowed and what is being filtered. For example, in Network-1's FireWall/Plus, the inside network is shown with an angel icon, while the outside network is shown as a devil.

Digital's Firewall for Unix, Secure Computing's Sidewinder, Network Translation's PIX, TIS' Gauntlet and Harris' CyberGuard share the same configuration restriction: two interfaces, with a heavy orientation toward Internet environments. Border's BorderWare allows three interfaces, but with the same strictly defined roles: one is dirty and insecure; one is clean and internal; and one is for Internet-accessible servers that are not to be trusted, a subnet often called a demilitarized zone or a lobby.

For more complex environments with multiple firewalls, organizations, LANs or other webs of trust and distrust, two interfaces are not sufficient. The problem with more interfaces, of course, is that more complex management interface and configuration options offer greater opportunities to build a firewall with other-than-intended security policies. Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and SOS' Brimstone all support multiple interfaces, all but IBM on a SPARC platform. Firewall-1's multiple-interface philosophy extends even further than the limits of a single hardware platform.
Its administrative user interface lets a set of Firewall-1 systems and routers with many LAN and WAN interfaces be managed as a single entity with a single security policy and logging point. Brimstone provides a similar, although less comprehensive, capability.

Getting out through the firewall

Each firewall we tested has a slightly different way of handling access through the firewall. In general, external access to internal services is simply turned off; the firewall acts as a one-way valve, letting users inside originate traffic going out but preventing any outside traffic from getting in. Some firewalls provide special holes that allow particular systems on the outside to connect to particular systems on the inside, such as an external NNTP feed to an internal Usenet news server.

If all you want is a one-way valve, then almost any firewall will support your security policy. If you have a more complex security policy, you need to be a little more discriminating. We divided the products into two rough categories: ones that are fundamentally IP address-based and ones that are fundamentally user authentication-based. Products in the first category generally care most about what IP address a particular user is coming from and don't have strict authentication requirements. Products in the second category keep a strict tie between users and access through the firewall and are generally considered to be harder for illegitimate users to get around. There are also hybrid products that do a little of both or mix multiple techniques; these tend to be the most attractive. (See Network World Fusion for a related story, Authentication methods.)

Digital's Firewall for Unix and Border's BorderWare have the most restrictive access requirements: All authenticated access must use a onetime password mechanism.
For example, if you want to give vendors temporary access through your firewall to diagnose a problem, you have to either set them up with a handheld token or have them call while someone who has a token can generate the proper response to the onetime password challenge. All the other authenticating firewall vendors also allow the less secure reusable passwords.

If your policy distrusts all outsiders and trusts most insiders, then IP-based filtering may be sufficient. It is nonintrusive, so users will see little, if any, change in how they use the Internet. For traffic originating from inside your network, this kind of filtering works pretty well. IP-based filtering for outside users who wish to come into your network is another story; this is asking for trouble. As the Internet is security-free, no IP addresses can be trusted because they can be easily changed or spoofed. User authentication doesn't necessarily help, since a malicious attacker could conceivably 'hijack' an existing TCP session, given the right circumstances and access.

Products that have no user-based authentication and rely on IP addresses - along with other criteria, such as service requested - to decide whether to allow traffic through the firewall include the routers we tested: Livingston's Firewall IRX, NSC's Security Router, Network Translation's PIX and Network-1's FireWall/Plus.

Digital's Firewall for Unix and Border's BorderWare are slight variations on this theme: All internal users are filtered based on IP address when sending outgoing traffic, and external users attempting to get in must be authenticated using a onetime password scheme. Secure Computing's Sidewinder has a more limited and obscure approach. Sidewinder filters based on IP address but can use authentication for traffic originating from World-Wide Web browsers, such as Netscape Communications Corp.'s Netscape Navigator.

Other products let a user poke a temporary hole for a particular IP address for some period of time.
For example, if you want to establish a telnet connection through the firewall, you must first authenticate yourself with a user name and password to the firewall itself. Once the firewall sees a valid user name and password coming from a particular IP address, it allows access. The best example of this technique is Milkyway's Black Hole. Proxies built into Black Hole detect unauthorized traffic and request authentication before letting the traffic pass through. This is particularly nice for protocols such as HyperText Transfer Protocol (HTTP) and Gopher because the firewall authentication is relatively nonintrusive. As an alternative to using semitransparent authentication, users could specifically telnet to the firewall to open up their hole (and to later close it).

When a tighter handle is necessary, firewalls such as TIS' Gauntlet and SOS' Brimstone require authentication for each and every TCP access through the firewall. This means that each telnet or FTP command stops at the firewall for a user name and password before being passed through. Gauntlet can also operate in transparent mode, which doesn't require authentication by internal users. This model runs into a problem with protocols such as HTTP, which can open up hundreds of TCP sessions as users click from page to page. Authenticating each of those sessions would be impractical, so the alternatives offered are to either allow such traffic unfettered and unauthenticated, or simply disallow all such sessions.

IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all hybrid systems that allow a combination of techniques. All offer IP-based filtering, as well as per-connection authentication for telnet and FTP sessions. Firewall-1 also allows authenticated temporary holes such as those provided by Black Hole, although the technique is less flexible and not as well integrated.

Incoming access to network services, such as Web, SMTP and DNS servers, varies from vendor to vendor.
Firewalls such as TIS' Gauntlet, Digital's Firewall for Unix, Secure Computing's Sidewinder and SOS' Brimstone prohibit any direct access, requiring everything to pass nontransparently through the firewall. These products expect Internet-accessible services to be outside of the firewall. Although this can increase the security of a domain, it also raises problems. For example, most Unix-based firewalls use sendmail as their mail system, a program notoriously difficult to configure. When an organization wants to use a real electronic mail backbone, the firewall gets in the way by providing a difficult-to-track stopping point for messages into and out of the network. For example, a bug in Digital's Firewall for Unix mail implementation prevented us from sending many kinds of mail from strictly compliant mail agents through the firewall, something we were unable to work around because we couldn't disable the mail proxy.

Other firewalls allow limited access - for example, to allow connecting incoming NNTP packets to a single system inside the firewall. Packet-filtering firewalls are the most generous, giving you the flexibility to identify internal systems that are available directly from the outside world.

Most circuit-gateway firewalls implicitly provide a restricted NAT function. For example, Digital's Firewall for Unix, Secure Computing's Sidewinder, TIS' Gauntlet, Border's BorderWare and SOS' Brimstone all have nonnegotiable NAT: Nothing outside gets to see IP addresses inside the firewall. The king of NAT is Network Translation's PIX, which combines NAT and some firewall functions such as filtering rules. PIX allows static mapping of IP addresses, which lets you designate specific and controlled holes through the NAT hardware. PIX can also use a pool of IP addresses to randomly and dynamically give access to systems inside the firewall trying to get out.
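The two NAT mechanisms just described, static mappings as deliberate holes and a pool of global addresses handed out to inside hosts going out, as an added example written for this article (it is not PIX code and does not claim to reproduce PIX's behaviour). The model assumes that an inbound packet to a pool address passes only while an inside host holds that address and only as a reply to a session the inside host opened; all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Addresses of one packet as it reaches the NAT (constructed for this example)."""
    src: str
    dst: str
    inbound: bool      # True when it arrives from the Internet side
    new_conn: bool     # True for a packet that starts a connection (e.g. a TCP SYN)


class AddressTranslator:
    def __init__(self, static, pool):
        self.static_out = dict(static)                      # inside -> global, permanent
        self.static_in = {g: i for i, g in static.items()}  # global -> inside
        self.pool = list(pool)                              # global addresses not yet handed out
        self.dyn_out = {}                                   # inside -> global, active sessions
        self.dyn_in = {}                                    # global -> inside

    def translate_out(self, f: Flow):
        """Global address to write into an outbound packet, or None to drop it."""
        if f.src in self.static_out:
            return self.static_out[f.src]
        if f.src not in self.dyn_out:
            if not self.pool:
                return None                                 # pool exhausted
            # The article says PIX picks from the pool at random; this example
            # takes addresses in order so that results are reproducible.
            g = self.pool.pop(0)
            self.dyn_out[f.src] = g
            self.dyn_in[g] = f.src
        return self.dyn_out[f.src]

    def translate_in(self, f: Flow):
        """Inside address an inbound packet is delivered to, or None to drop it."""
        if f.dst in self.static_in:
            return self.static_in[f.dst]                    # deliberate, controlled hole
        if f.dst in self.dyn_in and not f.new_conn:
            return self.dyn_in[f.dst]                       # reply to a session opened from inside
        return None     # unmapped pool address, or a fresh connection aimed at a pool address

    def release(self, inside: str) -> None:
        """Session finished: return its pool address so another host can use it."""
        g = self.dyn_out.pop(inside, None)
        if g is not None:
            del self.dyn_in[g]
            self.pool.append(g)


def demo():
    """Walk one inside client and one outside peer through the translator."""
    nat = AddressTranslator(
        static={"10.0.0.80": "192.0.2.80"},                 # the public Web server
        pool=["192.0.2.101", "192.0.2.102"],
    )
    out1 = nat.translate_out(Flow("10.0.0.21", "203.0.113.5", False, True))
    reply = nat.translate_in(Flow("203.0.113.5", out1, True, False))
    web = nat.translate_in(Flow("203.0.113.5", "192.0.2.80", True, True))
    # Someone probing the pool: an idle pool address, then the active one.
    probe_idle = nat.translate_in(Flow("203.0.113.9", "192.0.2.102", True, True))
    probe_active = nat.translate_in(Flow("203.0.113.9", out1, True, True))
    nat.release("10.0.0.21")
    stale = nat.translate_in(Flow("203.0.113.5", out1, True, False))
    return out1, reply, web, probe_idle, probe_active, stale


if __name__ == "__main__":
    print(demo())   # ('192.0.2.101', '10.0.0.21', '10.0.0.80', None, None, None)
```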
PIX's NAT includes adaptive security, which prevents a potential intruder from trolling for insecure systems by randomly picking addresses and trying to connect to them. Milkyway's Black Hole, IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard all have some optional NAT functionality.

Managing firewalls

Early adopters of firewall technology were, of necessity, both security and operating system experts. Public domain tool kits became the base on which highly customized firewall systems were built. Fortunately, this level of expertise and homegrown modification is no longer necessary. Several of the firewalls we tested provide excellent user interfaces, which allow any network manager to easily configure a firewall securely.

Digital's Firewall for Unix has the best thought-out and most powerful management interface of all the products we examined. The firewall and operating system are managed using Netscape Navigator on a locally attached X Window System display, which makes configuration modifications simple. Digital also includes all of its documentation on-line as hypertext, which is a tremendous help.

Border's BorderWare also has an easy-to-use interface. Because the interface is screen-based via curses, a Unix-based screen library, rather than X Window-based, it has fewer frills, but it was seldom difficult to understand. Both of these products employ a single interface to handle operating system and firewall configuration tasks, something we appreciated. Writing this review exposed us to seven Unix flavors, so not having to deal with the nitty-gritty of network configuration on each operating system was a blessing.

A close runner-up is CheckPoint's Firewall-1, which also uses X Window but has a more opaque interface. Some of this complexity is due to the product's wider range of capabilities; that is, many things you can do in Firewall-1 are not possible in Firewall for Unix or BorderWare.
Milkyway's Black Hole and IBM's SNG also have competent X Window-based management interfaces, but they're more difficult to use than the others. Both made up for this with good documentation, Milkyway's on paper and IBM's on-line.

TIS' Gauntlet, Secure Computing's Sidewinder and Harris' CyberGuard provide screen (curses) based management interfaces that are also simple enough to use. However, all of these required us to dip into Unix more than we liked for command-line configuration of either firewall or operating system options. Sidewinder's interface was rather unstable: It crashed several times while we attempted to configure the software. Even worse, when we were forced to manually edit a configuration file - because the documentation told us to - a single misplaced space in a file made the firewall unusable and took more than two hours to recover from.

Command-line interfaces on NSC's Security Router and Livingston's Firewall IRX were also unexciting, although the types of operations required made them easy enough to configure. In this case, though, the margin for error was significantly higher. These systems require far more expertise and knowledge of network security than most of the other firewalls.

Our worst experiences were with the management interfaces on SOS' Brimstone and Network-1's FireWall/Plus. Both of these need significant human reengineering before they'll be ready for mere mortals. FireWall/Plus hinted at amazing power and a fascinating command language, but the design of the firewall was such that only an expert could feel comfortable and then only after a lot of practice and testing.

Documentation generally followed user interface in terms of thoughtfulness and completeness. Milkyway and SOS get special kudos for including a separate user manual for end users inside and outside the firewall, while Digital and IBM had the best on-line documentation.
Reporting, logging and alarms

One basic requirement of firewalls is that they squeak when pressure is applied. If someone is probing a network for weaknesses, a good firewall should log the attempt and provide an immediate alarm should the attack be serious. You may also want the firewall to provide general reports of TCP/IP traffic for capacity planning and other administrative purposes.

The only product we looked at that provides no logging, reporting or alarm capabilities is Network Translation's PIX. Livingston's Firewall IRX and NSC's Security Router are only a little better. They provide logging information - via the network - to a host; it's up to you to write custom software to set alarm conditions. Neither router provides traffic statistics for general reports.

The best alarm, logging and reporting capabilities were in TIS' Gauntlet, Digital's Firewall for Unix and Secure Computing's Sidewinder. These three products provide good all-around capabilities to capture statistics, notice problem situations and generate readable logs of probes and attacks. Digital's reports are outstanding. With the product's hypertext documents, you can drill down through reporting data using the supplied Netscape browser to see more information about how the firewall is being used. Digital's alarm conditions are comprehensive. Firewall for Unix moves from a green state, as shown by the background on the user interface, through yellow, orange and red, with different actions occurring at each time. Firewall for Unix's ability to intelligently shut down some or all traffic flowing through it in response to a probe was a unique feature.

If summary reports are not important, the logging and alarm facilities in IBM's SNG, CheckPoint's Firewall-1 and Harris' CyberGuard are all satisfactory. Network-1's FireWall/Plus looked as if it had good reporting capabilities, but it crashed every time we tried to generate a report.
We found Milkyway's Black Hole, SOS' Brimstone and Border's BorderWare difficult to set up and manage for alarms. It was not obvious how to best configure the firewall to alert us when something bad was happening.

Other features

Firewalls come with a variety of additional bells and whistles to assist the security manager. Some are simple yet valuable additions, such as time-of-day rules. Others are more specialized, such as encrypted IP tunnels, and may not be useful in all environments. For more on these features, see Tunneling and encryption on Network World Fusion.

Network managers interested in restricting Internet access to off-hours can use time-of-day and day-of-week rules to enable, for example, unrestricted outgoing Web access after hours while keeping the lid on it during the day. Milkyway's Black Hole has the most complete time-based access controls, including time-of-day, day-of-week, day-of-month, week-of-year and month-of-year rules. Digital's Firewall for Unix, Network-1's FireWall/Plus, Border's BorderWare and SOS' Brimstone also have time-based rules, with somewhat less flexibility.

Our favorites

After looking at 13 products, we came to the conclusion that no one product is appropriate for all security environments. However, we did have some favorites among the crowd.

For a low-cost entry into the firewall market, Livingston's Firewall IRX router is hard to beat. For about $3,000, you get a simple firewall that does what Cisco Systems, Inc., Bay Networks, Inc. and 3Com Corp. routers don't: It makes a racket when someone tries to break in. The simple addition of logging facilities makes it worthwhile to use the Firewall IRX as a replacement for your Internet connection router.

We also liked the power of NSC's Security Router, but this product clearly fits another niche - one where multiple parts of a large organization need restricting routers between them.
For a company that needs some internal security to keep the manufacturing department's programmers out of the accounting department's system, Security Router fits the bill.

Network-1's FireWall/Plus is for the true network expert. You need to really understand TCP/IP and Ethernet to properly configure the FireWall/Plus, but you can do things with it that no other firewall lets you do, including easy filtering of unusual IP protocols, IPX, AppleTalk, DECnet, and even less popular protocols such as Digital's Local Area Transport or Local Area VAX Cluster. Like Security Router, FireWall/Plus is most appropriate for sites with a simple security policy or for internal protection.

Similarly, Network Translation's PIX isn't a general-purpose firewall, but, in certain situations, it can provide firewall-like functions and solve addressing problems.

CheckPoint's Firewall-1 remains a favorite, even if security czars don't like packet filters as much as application proxy gateways. In our first review, this was a clear leader. The competition has come a long way since then, and, in response, CheckPoint has added a few knobs so it can say its product does everything. It's fundamentally a good product with a fantastic management interface. Firewall-1 also offers what no other firewall has: centralized configuration and administration of multiple firewalls from a single point. If your network requires multiple firewalls, Firewall-1 is a must-buy.

If you want a firewall but don't want to play with Unix, you should definitely investigate Digital's Firewall for Unix. The best management interface of all the firewalls we looked at makes this easy to configure. The reporting capabilities are also great. Although there are limitations on the possible configurations, Firewall for Unix hits squarely in the middle of most corporate requirements for an Internet gateway system.

Managers who like the all-in-one approach need to look at Border's BorderWare Firewall Server.
This is the ultimate black box: It comes up running firewall, FTP, Gopher, Web, News, Post Office Protocol, SMTP and Telnet gateways. For midsize companies that don't want to fool around, BorderWare is an excellent choice.

Of the remaining application proxies, Milkyway's Black Hole is our favorite. With a generally clear management interface, you can make the Black Hole do almost anything you want - act as a NAT, handle multiple interfaces, require authentication, be transparent and support Internet access by inside users with more finesse than any other product.

TIS' Gauntlet, although fundamentally old technology, has an advantage all its own: source code. If you like to play with software, Gauntlet is the ultimate foundation on which to build your own firewall and therefore the product of choice for many security experts.

We didn't have any complaints about Secure Computing's Sidewinder, IBM's SNG, SOS' Brimstone or Harris' CyberGuard, but they didn't stand out like some of the others. IBM's IP tunneling is well thought-out, and both Harris' and Secure's 'secure' Unix looked like they would be invaluable in some environments. In the absence of specific requirements, though, they wouldn't make it to our short list.
Steps for making the right selection