April 1995 / State Of The Art / Firewalls For Sale

A look at five different firewall products and services you can install today

John Bryan

Sometimes, simply foiling an outside attack isn't enough. Nobody enjoys unwanted visitors constantly knocking on the door. One high-powered deterrent is Sidewinder, a $30,000 firewall system from Secure Computing Corp. (Roseville, MN). The company advertises Sidewinder as "security that strikes back."

SCC's background has been in developing security for U.S. government classified systems and networks, and the company is parlaying this experience in the commercial arena. Its client list still includes several "initialed" agencies. It offers hardware, software, cryptography, and consulting services.

Sidewinder is basically an outgrowth of SCC's Secure Network Server, a class A-1 (this is the highest rating awarded by the National Computer Security Center) server designed primarily for military installations. Sidewinder is hardware and software; it's designed around a 90-MHz Pentium PC and an SCC-tweaked version of BSD Unix.

SCC has modified this operating system so that it is secure in and of itself, requiring no proxies or gateway applications. In addition, Sidewinder is furnished only as a complete turnkey system, not as software alone. SCC has carefully examined the BIOS of the particular Pentium PC it uses and has modified its own software to make sure that there are no surprises or security holes to exploit.

Type Enforcement is what SCC calls the patented mechanism wherein the operating system and its applications stay secure. Under Type Enforcement, data and processes are assigned to class types according to your security policy. A central, protected table is used to enforce how any class may interact with another; this, too, is determined by your security policy (see the figure "Sidewinder's Type Enforcement").

Type Enforcement provides what SCC calls defense in depth--meaning that, even if a determined hacker were able to break into the Sidewinder platform itself, he or she would be left stranded in one domain without access to any other applications or processes. And breaking in is made more difficult because Sidewinder can filter any data that passes the network boundary, coming in or going out, on the basis of its content and its source or destination headers.

Secure as Sidewinder is, that's not even its most interesting feature. Unlike most other systems, Sidewinder can provide active security--the part that "strikes back." Sidewinder can be configured to respond to any probe or attack, however slight, in a variety of ways.

When Sidewinder detects a hacker, the first thing it does is send a silent alarm to the system administrator. What happens after that is up to the administrator and company policy. The system can let the intruder in and permit certain activities up to a point, all the while collecting information on the source of the probe and what types of actions the hacker takes. The system can also provide dummy password files, dead-end traps, and other stealthy defenses--a veritable "hall of mirrors," where nothing is quite the way it appears.

The intruder might, for example, issue a command to delete all files; a subsequent directory check shows they have been erased. However, that's only what the intruder sees; in actuality, all the files are still there.
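The "hall of mirrors" idea can be modeled as a decoy layer that sits between the intruder and the real store: deletions and directory listings are answered from the decoy view, the protected files are never touched, and every action is recorded for the administrator's later review. The code below is an added illustration written for this article, not Secure Computing's software; the file names, decoy contents, and class and method names are all constructed for the example.

```python
from collections import namedtuple

AuditEntry = namedtuple("AuditEntry", "action path outcome")


class MirrorView:
    """Decoy view of a file store (constructed example, not Sidewinder code).

    Every intruder action goes through this view. Listings and reads reflect the
    intruder's earlier "deletions", but the real store is never modified, and
    each action lands in an audit trail for the administrator.
    """

    def __init__(self, real_files, decoys=None):
        self._real = dict(real_files)      # the protected data; never mutated
        self._decoys = dict(decoys or {})  # e.g. a dummy password file
        self._hidden = set()               # paths the intruder believes are gone
        self.audit = []

    def _visible(self, path):
        return path not in self._hidden and (path in self._real or path in self._decoys)

    def _record(self, action, path, outcome):
        self.audit.append(AuditEntry(action, path, outcome))

    def listdir(self):
        names = sorted(p for p in set(self._real) | set(self._decoys) if self._visible(p))
        self._record("list", "/", f"{len(names)} entries shown")
        return names

    def read(self, path):
        if not self._visible(path):
            self._record("read", path, "not found (as shown to intruder)")
            raise FileNotFoundError(path)
        # A decoy shadows a real file of the same name, so the intruder never sees the real one.
        data = self._decoys.get(path, self._real.get(path))
        self._record("read", path, "decoy served" if path in self._decoys else "real file served")
        return data

    def remove(self, path):
        if not self._visible(path):
            self._record("remove", path, "not found (as shown to intruder)")
            raise FileNotFoundError(path)
        self._hidden.add(path)  # appears deleted to the intruder; nothing is destroyed
        self._record("remove", path, "hidden from view, store untouched")

    def remove_all(self):
        """What an intruder's 'delete everything' command resolves to."""
        for path in self.listdir():
            self.remove(path)

    def real_files(self):
        """The administrator's view: the store exactly as it was."""
        return dict(self._real)

    def attempted_destruction(self):
        """Real files the intruder tried to delete, for the incident report."""
        return sorted(e.path for e in self.audit if e.action == "remove" and e.path in self._real)


if __name__ == "__main__":
    # Constructed sample store and decoy password file.
    store = {"/etc/passwd": "root:x:0:0:root:/:/bin/sh", "/home/db/accounts.dat": "ACCOUNTS"}
    view = MirrorView(store, decoys={"/etc/passwd": "root:DECOY:0:0:root:/:/bin/sh"})
    view.remove_all()
    print("intruder sees:", view.listdir())          # []
    print("admin sees:", sorted(view.real_files()))  # both files, intact
    print("attempted:", view.attempted_destruction())
```

The administrator gets two things out of this arrangement: the protected data survives whatever the intruder typed, and the audit list shows exactly which files were targeted and in what order, which is the evidence the article says Sidewinder collects while the intruder is kept busy.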

Systems administration is handled through a GUI that is straightforward and exhaustively complete. When it's in an administrative mode, Sidewinder forces a disconnection from any outside network. This ensures that no one may slip in undetected and acquire root privileges.

If the whole process seems too daunting, SCC -- like most other companies in the business -- provides consulting services. The company also has software that provides Sidewinder clients with a Windows-based Internet service connection together with automated search, retrieve, and sort features. Finally, SCC offers continuing information on hacking attempts on its systems.

Trusting Your Systems

Trusted Information Systems of Glenwood, Maryland, offers a complete turnkey firewall solution called Gauntlet Internet Firewall. This is a bastion-host system built around a Pentium-powered platform and the complete suite of TIS firewall software installed and configured to your specifications, running on a customized, secure (in government parlance, "trusted") version of BSD Unix.

Gauntlet Internet Firewall includes an integrity checker for the system itself, configurable alarms, and an audit tool that reports anomalies on a timely basis. It provides a generic interface for multiple forms of user authentication, including token-based one-time password systems.

The whole package costs $15,000, which includes setting up and configuring the system, testing, and training. For non-TIS installations, the company also offers a monthly firewall security audit, Internet gateway penetration testing, and an Internet gateway security survey.

For the do-it-yourself organization, TIS offers a Firewall Toolkit that contains source code for bare-bones versions of its logging facilities, E-mail gateway, an FTP gateway proxy, a Telnet proxy, an Internet service access-control server, and a generic pass-through plug gateway. All are available free under license from TIS on the Internet at ftp.tis.com (look for fwtk in /pub/firewalls/), or you can point your Web browser at http://www.tis.com/.

The Digital Difference

Digital Equipment (Maynard, MA) is another vendor that provides a soup-to-nuts security service called Digital's Firewall Service. The service includes consulting, software installation, hardware (if required--priced separately), training, and support. Other optional services include configuration of public-domain software, customized applications gateways, cryptographic and authentication consulting, and general-computer and network-security consulting.

The standard Firewall Service setup requires three computers, which Digital calls Gatekeeper, Gate, and Mailgate. Gatekeeper resides on the external network (what the company calls the red subnet), Mailgate resides on the network you're trying to protect (the blue subnet), and Gate resides on both. In this way, a screened subnet is established that isolates your system from the Internet or whatever public system you are trying to keep at bay. The screening software runs on Gate, a secure host. There are no user accounts (only system administration accounts) on any of the hosts, and the applications loaded are the customized Unix utilities that Digital provides to pass acceptable packets back and forth over the link (see the figure "Digital's Three-Way Isolation").

Gatekeeper is the doorway to the outside world. It is the root DNS (Domain Name System) server of your system for the Internet, and it is where your applications gateways or proxies reside. Gatekeeper would generally be configured to accept log-ins only from trusted hosts, and the packets from these are screened according to whatever security policies you have established. Gatekeeper records all log-in attempts to the system, and it can be programmed to send an alert to the systems administrator in the case of repeated unsuccessful attempts.

If Gatekeeper is compromised, damage is limited to that single system, because Gate doesn't accept log-ins from external systems. Gatekeeper does not store the security screening policies of your network--that's one of Gate's jobs--so an intruder can't get into Gate and change them.

Besides maintaining your system's screening policies, Gate logs all attempts to connect with your internal hosts, as well as all successful log-ins to Gatekeeper and any requests for remote connections across the firewall. You can set alarm parameters to inform the systems administrator any time there is a problem. Optionally, Gatekeeper can be configured to require hand-held authentication tokens, such as Security Dynamics' (Cambridge, MA) SecurID or Digital Pathways' (Mountain View, CA) Software SecureNet Key, for successful log-in.
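The "repeated unsuccessful attempts" alarm that Gatekeeper and Gate provide is a small piece of detection logic: parse the log-in records, keep a sliding window of failures per source, and raise one alert when a source crosses a threshold inside that window. The following is an added example written for this article, not Digital's software; the log line format, host names, addresses, and the threshold and window values are constructed to show the idea.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format for the illustration (not Digital's actual format):
# "<syslog timestamp> <host> login[<pid>]: <FAILED|ACCEPTED> LOGIN from <source> for <user>"
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?P<result>FAILED|ACCEPTED) LOGIN from (?P<src>\S+) for (?P<user>\S+)$"
)


def parse_login(line, year=1995):
    """Return (timestamp, result, source, user), or None for lines that are not log-in records."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Apr  3")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["src"], m["user"]


def failed_login_alerts(lines, threshold=5, window_seconds=300):
    """Alert once per source that reaches `threshold` failures within `window_seconds`.

    Returns a list of (source, failure_count, sorted list of user names tried).
    """
    recent = defaultdict(deque)  # source -> (timestamp, user) pairs still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_login(line)
        if rec is None:
            continue
        ts, result, src, user = rec
        if result != "FAILED":
            continue
        window = recent[src]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(window), sorted({u for _, u in window})))
    return alerts


# Constructed sample log: one source hammering Gatekeeper, one stray failure
# elsewhere, one accepted log-in, and one unrelated daemon line.
SAMPLE_LOG = [
    "Apr  3 09:14:02 gatekeeper login[211]: FAILED LOGIN from 203.0.113.9 for root",
    "Apr  3 09:14:10 gatekeeper login[212]: FAILED LOGIN from 203.0.113.9 for root",
    "Apr  3 09:14:15 gatekeeper login[213]: ACCEPTED LOGIN from 10.1.0.5 for admin",
    "Apr  3 09:14:31 gatekeeper login[214]: FAILED LOGIN from 203.0.113.9 for operator",
    "Apr  3 09:14:45 gatekeeper login[215]: FAILED LOGIN from 198.51.100.4 for root",
    "Apr  3 09:15:02 gatekeeper login[216]: FAILED LOGIN from 203.0.113.9 for root",
    "Apr  3 09:15:10 gatekeeper sendmail[300]: stat=Sent",
    "Apr  3 09:15:20 gatekeeper login[217]: FAILED LOGIN from 203.0.113.9 for guest",
    "Apr  3 09:15:40 gatekeeper login[218]: FAILED LOGIN from 203.0.113.9 for root",
    "Apr  3 10:30:00 gatekeeper login[219]: FAILED LOGIN from 198.51.100.4 for root",
]

if __name__ == "__main__":
    for src, count, users in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT: {count} failed log-ins from {src} within 5 minutes; users tried: {users}")
```

Two failures from 198.51.100.4 more than an hour apart never trip the alarm, while the burst from 203.0.113.9 does on its fifth failure; the alert is raised once rather than on every subsequent failure so the administrator's pager is not flooded by the very activity it is reporting.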

For E-mail, the Firewall Service uses a sendmail proxy to pass messages across the firewall. All mail between internal and external addresses is routed through Gatekeeper. If incoming mail is destined for a host on an internal network running TCP/IP, then Gatekeeper forwards the mail (through Gate) to that host. If mail is destined for a host that's not running TCP/IP, then Gatekeeper forwards it to Mailgate, which serves as a gateway to other protocols. Outgoing mail is forwarded through Mailgate and then on to Gatekeeper. Mail destined for another internal address never leaves the internal net, although it is routed through Mailgate if delivery over TCP/IP is required.

Digital's consulting services include risk assessment and impact analysis, development and implementation of policies and procedures, and security hardware and software at all levels, from the individual desktop system to an entire network. In addition, they can provide training ranging from user awareness to security system management.

Pricing on Firewall Service packages starts at $20,000, which includes the operating system, applications gateways for connections to E-mail (SMTP), file transfer (FTP and Archie), remote terminal access (Telnet), client/server information services (Gopher or World Wide Web), and Notes.

A Different Approach

CheckPoint Software Technologies (Ramat Gan, Israel, and Lexington, MA) maintains that combining the packet-filtering and applications gateway approaches into a single entity is better than using either one alone. It has done just that with its $5000 CheckPoint FireWall-1 package and then topped it off with a GUI and rule-set editor that automates the process of creating the security rules for your network (for a hands-on review of FireWall-1, see "Intrusion Protection for Networks", Software Reviews section).

FireWall-1 has two parts: a packet-filter module that handles the actual implementation of security policy and a control module that controls and monitors one or more packet modules. Both modules may reside on the same host or on separate machines. If the modules are on different systems, communication between the two hosts is authenticated with a one-time password scheme.

While FireWall-1's design has several unique features, perhaps the most significant is its GUI. The control module used to configure FireWall-1 is an Open Look X11R5 window system, and there's a complementary set of command-line utilities for use with standard terminals. The object-oriented interface consists of the following five basic parts:

-- The Network Objects Manager handles the definition of the various components of your network. These include, but are not limited to, the FireWall-1 hosts, servers, workstations, routers, domains, networks and subnets, databases, and more. You can also define your own objects by combining two or more standard objects.

-- The Services Manager is the Network Objects Manager's counterpart for services. All network services are screened and controlled, whether or not you define them. The list of preloaded services is extensive, and you can define your own using simple expressions and macros. You can group services together much as you can objects.

-- Once services are defined, you put them in the Rule-Base Manager and define your security policy rules. A high-level language makes producing your rule-set relatively easy.

Every rule has four parts: match, action, track, and target. Match specifies which communications attempts (source, destination, and service) are included in the rule. Action choices are accept, reject, or drop. Track defines what type of record, if any, should be kept of the communication. Target puts the defined rule in the appropriate packet-filter module or network location. The Rule-Base Manager's default is to drop any packet that's not explicitly defined.

-- The System Status Monitor provides an instantaneous look at any filter module activity, including packet statistics. SNMP agent support lets this information pass to other management programs.

-- The Log Viewer lets you view and manipulate any logged statistics, either historically or in real time.
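The rule-base model the five managers describe (named network objects and object groups, named services and service groups, rules with match/action/track/target, first match wins, implicit drop for anything undefined) can be written down in a few dozen lines. The following is an added example for this article, not Check Point's code; the object names, service definitions, addresses, sample packets, and the module name "gateways" are constructed for the illustration.

```python
from dataclasses import dataclass
import ipaddress

# Network Objects Manager: a name maps to one or more networks; groups combine objects.
# (Constructed objects for the example.)
NETWORK_OBJECTS = {
    "internal-net": ["10.1.0.0/16"],
    "dmz-web": ["192.0.2.10/32"],
    "mail-gw": ["192.0.2.25/32"],
    "Any": ["0.0.0.0/0"],
}
NETWORK_OBJECTS["public-servers"] = NETWORK_OBJECTS["dmz-web"] + NETWORK_OBJECTS["mail-gw"]

# Services Manager: a name maps to a set of (protocol, port); None means every service.
SERVICES = {
    "http": {("tcp", 80)},
    "smtp": {("tcp", 25)},
    "telnet": {("tcp", 23)},
    "dns": {("udp", 53)},
    "Any": None,
}
SERVICES["web-and-mail"] = SERVICES["http"] | SERVICES["smtp"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    source: str          # match: network object names
    destination: str
    service: str         # match: service name
    action: str          # accept | reject | drop
    track: str = "none"  # none | log | alert
    target: str = "gateways"  # which packet-filter module installs this rule


def _in_object(addr, obj):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in NETWORK_OBJECTS[obj])


def _in_service(pkt, svc):
    ports = SERVICES[svc]
    return ports is None or (pkt.proto, pkt.dport) in ports


def matches(rule, pkt):
    return (_in_object(pkt.src, rule.source)
            and _in_object(pkt.dst, rule.destination)
            and _in_service(pkt, rule.service))


def evaluate(rulebase, pkt, log, module="gateways"):
    """Apply the first matching rule installed on `module`; anything unmatched is dropped."""
    for number, rule in enumerate(rulebase, 1):
        if rule.target != module:
            continue  # the rule lives on a different filter module
        if matches(rule, pkt):
            if rule.track != "none":
                log.append(f"rule {number} {rule.track}: {rule.action} "
                           f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
            return rule.action
    # Implicit cleanup rule: not explicitly defined, so drop, and record it so the
    # Log Viewer shows what the default is silently discarding.
    log.append(f"implicit drop: {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
    return "drop"


# Constructed rule base: public services in, web out, telnet in rejected loudly,
# and one rule that belongs to a different filter module.
RULEBASE = [
    Rule("Any", "public-servers", "web-and-mail", "accept", track="log"),
    Rule("internal-net", "Any", "http", "accept"),
    Rule("Any", "internal-net", "telnet", "reject", track="alert"),
    Rule("internal-net", "Any", "dns", "accept", target="internal-router"),
]

if __name__ == "__main__":
    log = []
    for pkt in [Packet("203.0.113.7", "192.0.2.10", "tcp", 80),
                Packet("203.0.113.7", "10.1.2.3", "tcp", 23),
                Packet("203.0.113.7", "10.1.2.3", "tcp", 22)]:
        print(pkt, "->", evaluate(RULEBASE, pkt, log))
    print("\n".join(log))
```

The order of the rules matters: because evaluation stops at the first match, a broad accept placed above a narrow reject silently disables the reject, which is exactly the kind of mistake a rule-set editor with a System Status Monitor and Log Viewer is meant to make visible.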

Leave the Driving to Them

Bolt, Beranek, and Newman, the original Internet service provider based in Cambridge, Massachusetts, recently introduced what it calls the Internet Site Patrol, a turnkey package that includes consulting, hardware, software, training, and remote management services. Cost of the service starts at $1500 a month for a single gateway.

BBN's package includes an internal filtering router as backup for a two-Ethernet bastion host. The bastion host provides proxy-level services using code created by TIS. On the software side, BBN uses a mix of its own and TIS's software. A customer can make up to two software configuration changes per week free of charge, and there's 24-hour phone support for software and hardware problems. If issues cannot be resolved over the phone, BBN will have someone on-site within hours. What makes the BBN package unique is that it will manage the firewall, so the customer needn't do even that.

Different Strokes

We've looked at five different products and services that provide different approaches to firewall implementation, with varying degrees of protection. While none of this initial crop is designed (or priced) to accommodate an individual user, each can be an important component in a comprehensive, enterprise-wide program of information protection. The choice is yours.


Sidewinder's Type Enforcement


Data and processes are assigned to classes, while a protected central data structure (called the DDT, or Domain Definition Table) enforces the ways each given class of process can touch a given class of data or programs. Whenever a data access is initiated, the DDT is consulted and a defined access value is assigned. In this figure, an outside process can execute its own program and can read and write unfiltered data, but it can't execute any other program or touch any other class of data. Data from the internal network can only reach the Internet after passing through a filter process.
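The Domain Definition Table described above, and the "defense in depth" claim earlier that an intruder who breaks into one domain is stranded there, can be modeled directly: a process belongs to one domain, a file to one type, and a (domain, type) pair is permitted only what the table explicitly grants, so a missing entry is a denial. The code below is an added illustration for this article, not Secure Computing's implementation; the domain names, file types, paths, process names, and table contents are constructed from the figure caption.

```python
from enum import Flag, auto


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


# Every process runs in exactly one domain; every file belongs to exactly one type.
# (Constructed assignments for the illustration.)
PROCESS_DOMAIN = {
    "httpd-external": "outside",   # faces the Internet
    "content-filter": "filter",    # the only path between outside and inside
    "fileserver": "internal",      # serves the protected network
}
FILE_TYPE = {
    "/usr/libexec/httpd": "outside_prog",
    "/var/spool/unfiltered/req.dat": "unfiltered_data",
    "/usr/libexec/filter": "filter_prog",
    "/export/payroll.db": "internal_data",
    "/bin/sh": "admin_prog",
}

# The DDT: (domain, type) -> permitted accesses. Anything absent is denied, so the
# table is an allow-list that the security policy fills in. Following the figure,
# the outside domain may execute only its own program and read/write unfiltered
# data; only the filter domain touches both unfiltered and internal data.
DDT = {
    ("outside", "outside_prog"): Access.EXECUTE,
    ("outside", "unfiltered_data"): Access.READ | Access.WRITE,
    ("filter", "filter_prog"): Access.EXECUTE,
    ("filter", "unfiltered_data"): Access.READ | Access.WRITE,
    ("filter", "internal_data"): Access.READ | Access.WRITE,
    ("internal", "internal_data"): Access.READ | Access.WRITE,
}


def check_access(process, path, requested):
    """Consult the DDT for the process's domain and the file's type; unknown means denied."""
    domain = PROCESS_DOMAIN.get(process)
    ftype = FILE_TYPE.get(path)
    if domain is None or ftype is None:
        return False
    allowed = DDT.get((domain, ftype), Access.NONE)
    return requested in allowed  # every requested bit must be granted


def domains_that_can_relay(src_type, dst_type):
    """Domains whose DDT rows permit reading src_type and writing dst_type.

    Shows which processes could move data between two classes; with the table
    above, internal data can only reach the unfiltered (Internet-facing) class
    through the filter domain.
    """
    return sorted(
        domain for (domain, ftype), acc in DDT.items()
        if ftype == src_type and Access.READ in acc
        and Access.WRITE in DDT.get((domain, dst_type), Access.NONE)
    )


if __name__ == "__main__":
    # Even a fully compromised outside process cannot reach a shell or internal data.
    print(check_access("httpd-external", "/bin/sh", Access.EXECUTE))          # False
    print(check_access("httpd-external", "/export/payroll.db", Access.READ))  # False
    print(domains_that_can_relay("internal_data", "unfiltered_data"))         # ['filter']
```

The point of the default-deny table is that the damage from a compromised network-facing process is bounded by that process's row in the DDT, not by whatever the process happens to be running as; adding a new service means adding an explicit row, never loosening a global rule.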


Digital's Three-Way Isolation


Digital's Firewall Service uses a bastion host (Gate) to create an isolation network that sits between the external (red) and internal (blue) nets. This middle net talks to the outside world only through another secure host, Gatekeeper. It connects to the internal net either directly (for TCP/IP communications) or through a third host, Mailgate, that converts between TCP/IP and other protocols, such as DECnet.


John Bryan is a freelance technology writer and consultant who is based in San Jose, California. You can contact him on the Internet at 5051339@mcimail.com or on BIX c/o "editors."

Copyright © 2005 CMP Media LLC, Privacy Policy, Your California Privacy rights, Terms of Service