ome network resources are too sensitive to expose to the Internet through a firewall, most organizations with any Internet connectivity can use one -- it's just good security policy.
One firewall benefit is screening out the details of your site and intranet from prying eyes: The less outsiders know about your network, the harder it is to attack. Even if your Web server is isolated from your intranet, a firewall is still a good idea for screening the server from unfriendly probes and thwarting HTML vandals. And it's an absolute necessity if the server supports commercial transactions.
For this report, we tested six Unix products and three Windows NT products. All the Unix packages use a "hardened" version of the OS, in which as many security holes as possible are plugged, usually by removing the unnecessary system services that vandals like to use as toeholds to gain access to servers and connected systems. The three Windows NT products we tested -- AltaVista FireWall 97, Centri, and Eagle -- build on NT's security model, which is designed for C2-level security as defined by the U.S. Department of Defense.
We tested these servers for performance under typical real-world network loads and for how well they handled typical Internet attacks, as well as for ease of use and configurability, which are equally important in light of the 90 percent or more of security breaches that result from improper firewall configuration.
Of the nine packages tested, CyberGuard's CyberGuard Firewall tied with three others for a near-perfect security score, but it edged out its two closest competitors with a combination of the best features, easiest management, and respectable performance.
Two runners-up are also worthy. AltaVista Firewall 97 overcomes its relative lack of features (like the absence of a hardened OS) with top performance and a simple management interface. Check Point Firewall-1's full feature set and high performance are countered by its less-than-perfect configuration tools.
Big Hack Attacks
The NSTL security test suite uses two different name servers, both located in the same domain. One is situated on the private network; its purpose is to handle name-service requests on the private network. The other name server is located on a segment of the network known as the demilitarized zone. The purpose of this second server is to handle all name-service requests from the private network that cannot be answered by the private network's Domain Name System (DNS) machine. In effect, it acts as the private network's "root" name server toward the Internet.
The results of the security tests show that all nine products offer high levels of security when properly configured. To assure proper configuration, vendors set up their own products for the security tests. Most of the firewalls we tested managed to detect all but one or two of the nearly 100 simulated attacks. None of the programs failed during attacks deemed to be high risk in nature. Centri Firewall and Eagle NT Firewall each failed a medium-risk attack. Centri Firewall failed three low-risk attacks; Eagle NT Firewall failed two. Black Hole failed two medium-risk and nine low-risk attacks. Gauntlet and Sidewinder Security Server failed two low-risk attacks. The other products each failed only one low-risk attack.
What About the OS?
Unix and NT both have exploitable security weaknesses. For example, if a hacker cracks the Unix root account (with read and write access to all system resources), the entire network and its resources are at the hacker's command. Windows NT offers an option to store passwords in cleartext in the system registry, which, if enabled, puts those accounts at risk. Various system and network services, notoriously the Unix sendmail program, can also offer hackers a backdoor through which they can gain access to the operating system.
Often weaknesses in network security are as much a problem of configuration as of the OS's design. The main thing is to remove unnecessary services, locate and close as many "holes" as possible, and configure the network in a way that is both usable and secure. Most of the vendors offer their software with securely configured OSes, usually some variant of Unix.
Micromanaging the Firewall
Since one can never tell when and where security break-ins might occur, firewall programs that allow remote notification of the system administrator are very handy. If a program can alert the network manager to a security breach by pager, then the response time to shut down the system will be much faster than if you have to browse through the system logs the next day. In addition, the ability to shut down further access from a remote site is preferable to requiring the network administrator to drive from home to the office when breaches occur after hours.
All the firewalls we tested, except FireWall/Plus, can notify the system administrator by e-mail or pager in the event of an attack; the notification capabilities of Centri Firewall and Black Hole were slightly more difficult to configure than those of the other products. Centri Firewall and FireWall/Plus are the only two that do not allow administrators to turn off outside access to a site remotely. Of the products that do, Black Hole and Sidewinder Security Server required the most effort to accomplish.
Logging and Tracing
When an attempt to enter the system fails, you might not want the system to page you at home, but you do want the firewall to record the attempt. Firewalls that log and attempt to trace addresses of failed authentication are helpful in spoiling the attempts of unwanted visitors to break in.
AltaVista Firewall 97, Black Hole, and Sidewinder Security Server scored highest in the management scenario that measures the firewall's logging function; they offer the widest breadth of circumstances in which information could be sent to a log file. Every other program offered adequate logging functions except Gauntlet, which logged entries in only two of the 11 logging trigger scenarios. Only two firewalls allowed running traceroute or finger on an attacking machine: Eagle and Sidewinder.
Preventing Denial of Service
In addition to actual break-ins, some inconsiderate hackers cause annoyance attacks by flooding a Web site with requests, thus blocking access to the site by other users. Firewalls should be able to prevent such denial-of-service attacks. All nine programs protect well against SYN flooding and the Ping of Death. But the firewalls vary in how they handle full logs and disk-full errors (in both scenarios, the most secure option is for the system to shut down).
CyberGuard Firewall shuts down during both disk-full and log-full error conditions. AltaVista Firewall 97 and Sidewinder Security Server both shut down on a disk-full error, but they simply rotate log files on a log-full error. Black Hole and Gauntlet deny access in disk-full situations. Gauntlet rotates logs in a log-full error condition. Black Hole turns off logging -- the least preferable action to take with a log-full error. Centri Firewall and Eagle NT Firewall both turn off logging in a disk-full condition and rotate logs in a log-full condition. Check Point FireWall-1 and FireWall/Plus turn off logs in both disk-full and log-full conditions.
Transparent Protection
Security is essential, but you can't overlook how it might be affecting routine operations. With this in mind, NSTL looked for products that allow all outgoing access while protecting against external attacks that "spoof" internal IP addresses.
Although all nine programs place no restrictions on outgoing access and protect against IP spoofing, configuring the programs to accomplish this varies in level of difficulty. With almost no difficulty, Check Point FireWall-1, CyberGuard Firewall, Eagle NT Firewall, and Sidewinder Security Server can be configured to protect against IP spoofing while allowing full outgoing access. AltaVista Firewall 97, Centri Firewall, and FireWall/Plus are almost as easy to configure in this circumstance. Black Hole is average. Gauntlet is difficult to configure to prevent IP spoofing.
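The two policies the review scores above, unrestricted outgoing access with spoofed internal source addresses dropped at the outside interface, and the fail-closed behaviour on a full log that it rates highest, modelled as a small packet-filter in Python. This is an added illustration, not code from any of the products or from NSTL; the address ranges, interface names and log capacity are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: address ranges behind the firewall (assumed, not from the review).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    iface: str  # interface the packet arrived on: "ext" (Internet) or "int" (private net)
    src: str
    dst: str


class Firewall:
    """Allow all outgoing, drop spoofed sources, fail closed when the log fills."""

    def __init__(self, log_capacity: int):
        self.log = []
        self.log_capacity = log_capacity
        self.shut_down = False

    @staticmethod
    def is_internal(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in INTERNAL_NETS)

    def record(self, entry: str) -> bool:
        # Log-full handling the review prefers: stop passing traffic rather than
        # silently stop logging. Returns False when the entry could not be logged.
        if len(self.log) >= self.log_capacity:
            self.shut_down = True
            return False
        self.log.append(entry)
        return True

    def decide(self, pkt: Packet) -> str:
        if self.shut_down:
            return "drop"  # fail closed until an administrator clears the log
        internal_src = self.is_internal(pkt.src)
        if pkt.iface == "int" and internal_src:
            return "accept"  # unrestricted outgoing access
        if pkt.iface == "ext" and internal_src:
            self.record(f"spoofed internal source {pkt.src} -> {pkt.dst} on ext")
            return "drop"  # outside packet claiming an inside address
        if pkt.iface == "int" and not internal_src:
            self.record(f"foreign source {pkt.src} leaving int interface")
            return "drop"  # inside host forging an outside address
        return "policy"  # genuine inbound traffic: left to the rest of the rule base
```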
Performance
Another measure of transparency is the load the firewall places on system performance. NSTL uses Intermark, a home-brewed traffic-generation tool, to offer a mix of Web and FTP requests. Intermark creates traffic on all three sides of the firewall, and NSTL measures both throughput and transaction rates over a Fast Ethernet (100-Mbps) test bed.
NSTL performance tests measure throughput in kilobits per second for four levels of user connections: 16, 32, 48, and 64 users. The results show more disparity between programs than between user loads. In general, performance increases or stays the same from a load increase of 16 to 48 users, then takes a marked nosedive when the load goes up to 64 users.
The top three performance winners are AltaVista Firewall 97, Centri Firewall, and Check Point FireWall-1, all of which boast throughput of about 50,000 Kbps and above when 16 to 48 users are connected; they drop to about 40,000 Kbps when 64 users are connected. CyberGuard Firewall offers very acceptable performance of around 40,000 Kbps until it reaches a load of 56 users; it falls off to about 33,000 Kbps at 64 users. Eagle NT Firewall is the only other program to offer consistent throughput rates above 10,000 Kbps for 16 through 64 user loads. Gauntlet provides throughput of about 11,000 Kbps for 16 to 48 users, but it drops steadily after 50 users and offers only about 3200 Kbps when 64 users are connected.
Choosing the Right Wall
Choosing the right firewall requires plenty of consideration, but if you know what your priorities are in terms of security, ease of management and configuration, performance, and scale, then you have a good chance of finding a product that well fits your needs. Beyond the information in this report, you'll find good reference materials at the National Computer Security Association (NCSA) and Internet Security Systems (ISS) Web sites.
The NCSA maintains a site at http://www.ncsa.com that includes a section on firewall security. The group has a certification program that lists the levels of functionality it deems important. NSTL uses ISS's SAFEsuite to verify the security and integrity of firewall software. You can find a complete listing of the attacks used by SAFEsuite at http://www.iss.net/tech/techspec.html.