Device and Specialty Firewalls

Overview

There are two kinds of firewalls—software based and hardware based. The previous chapters have examined firewalls that run as applications on conventional operating systems such as Windows NT or versions of Unix. This chapter describes those firewalls that provide their own underlying operating system. With these firewalls you just turn them on, or (at most) insert a floppy disk and turn them on. Also in this chapter, we talk about a couple of firewalls that run on unusual platforms (for firewalls) such as AS/400 or NetWare.

The nicest thing about a device-based firewall is that you only worry about keeping one piece of software current—that of the firewall itself, usually in the form of a firmware update. You don't have to download operating system patches, new kernels, service packs, or security updates. This makes keeping the firewalls current considerably easier. It also gives you one vendor to point your finger at when a weakness is found.

Device-based firewalls are also often much easier to set up and get running than software-based firewalls. They arrive with the software already installed in the device, and all you have to do is give it valid IP addresses to use. Policy configuration is usually just a matter of installing and using a Windows application or web interface to manage the machine.

This chapter also covers those firewalls that run on standard computers (all PCs, actually) but do not use a standard Unix distribution or Windows NT as their host operating system. Despite the hype, Windows NT and Unix are not the only operating systems in existence. Firewalls for other operating systems abound and are, in many cases, more secure. Because these firewalls are based on unusual operating systems, hackers have not yet created a trove of the various attacks against them, such as exploiting buffer overruns in the Unix sendmail daemon or exploiting bugs in Internet Information Server on Windows NT platforms.
Many of these operating systems were uniquely developed by their vendors to support a specific firewall product, so they are completely proprietary. This lends a strong measure of "security through obscurity," and keeps the hordes of typical hackers (those who merely read and repeat known attacks rather than developing new ones) completely at bay.

Obscurity has its price, however. Almost all firewalls of this type require unique adapter drivers and will only work with specific adapter models. Patches for these firewalls are rare, so if an exploit for one of them is developed, it usually takes until the next revision of the software before it's fixed. Some of these firewalls operate on platforms with arcane user interfaces that you may not be familiar with. These firewalls also suffer from a lack of complete features. They are either based on generic SOCKS proxies or stateful inspection, and usually do not provide any support for the opposite type of firewall. The firewalls also suffer from a generational lag behind the firewalls developed for Unix and NT because software is much harder to develop for smaller-market operating systems.

NetWare is well entrenched in the server market, and thousands of "red" (Novell-only) networks exist. Managers in these environments rightly balk at the requirement to become an expert in a foreign operating system for the sole purpose of establishing a firewall. Novell markets a very strong firewall that runs on NetWare called BorderWare for these environments.

The mainframes of yesteryear have been converted to the application servers of today. VAX and AS/400 machines running VMS and OS/400 now serve as web servers, e-mail hosts, and e-commerce engines. They also require protection, so there are firewalls available for them. I've rolled these smaller-market operating systems together into a chapter because of the limited fields they represent.
In many cases, the firewalls I profile here are the only serious firewalls available for the platform shown. Keep in mind that your choice of application or file server doesn't constrain your choice of firewall—you can use an NT firewall in a Novell network and a Unix firewall to protect an AS/400. Because of the high cost of small-market software, it's usually more economical to use a larger-market platform for generic services like firewalling. To run an OS/400 firewall on the AS/400 will cost you tens of thousands of dollars, compared to the few thousand for a robust PC. These costs should be balanced against the cost of training administrators on an unfamiliar operating system and the security risk of operating a firewall in an environment that may not be completely familiar.

SonicWALL

If you want the no-holds-barred easiest-to-use firewall you can buy, get a SonicWALL. You just drop it in, point a web browser at it to configure it, and then use it. There's not a whole lot to configure, just the interface addresses and what ports you want to let in and out. If you want a VPN, you set up the shared-secret IKE keys and the hosts to allow, and then, again, you just use it.

Pros:
• No hardware or software required
• Strong stateful inspection
• Simple configuration
• Highly reliable
• Highly compatible VPN

Cons:
• No true Application-level proxying

SonicWALL devices are the closest things you'll find to a true plug-and-play, install-and-forget firewall. For environments without on-site support staff, they are the way to go since they're very easy to manage remotely and unlikely to suffer from failures that can't be corrected remotely. We routinely update the firmware on these devices remotely and have never run into any significant problems.
Major Feature Set

The SonicWALL Firewall provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Secure authentication (IPSec/IKE, certificates, RADIUS Server)
• VPN (IPSec/IKE)
• VPN Client Software (Windows 98/NT/2000/XP)
• Firewall high availability
• Logging including syslog and e-mail notification

The most obvious feature missing in the major feature set of the SonicWALL is proxy services. If you need to strip viruses from mail attachments, then you'll have to install a separate proxy server to do it.

The DMZ support includes a nice feature—the DMZ hosts supported can be configured to be in the same (public) IP subnet that the firewall itself resides in. The SonicWALL must of course be installed between the DMZ Ethernet and the public Internet connection, but that way it can transparently redirect and filter traffic between the DMZ and the Internet. With a SonicWALL, you do not set the IP address of the DMZ interface because it is set to be the same as the public interface, even though it is a physically separate connection.

Minor Feature Set

The SonicWALL Firewall supports the following minor features:
• Scan detection, spoofing detection, and automatic blocking
• Limited HTTP content filtering
• DHCP
• Graphical administration
• Remote administration
• SYN flood protection
• Anti-spoofing control
• High performance

The nicest thing about the SonicWALL is its web interface. You don't have to install any special software to configure it, and you can manage it from any machine in your LAN that has a Java-capable web browser, including Unix or the Macintosh (which is an important feature for those few institutional holdouts that haven't caved to the Microsoft monopoly). Most other device-based firewalls require you to install Windows-specific software to control them.
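Three items on the lists above (stateful packet filtering, anti-spoofing control, and SYN flood protection) are easier to reason about with a working model in front of you. The following is an added illustration written for this edit, not SonicWALL's code: it tracks outbound TCP handshakes so that only replies to known connections are let back in, refuses packets whose source address arrives on the wrong interface, and bounds the number of half-open inbound connections any one external address may hold against a port-redirected server. The packet format, the 192.168.1.0/24 LAN, the single port-redirection rule, the threshold, and the traffic in run_scenario() are all constructed for the example.

```python
"""Minimal stateful packet filter: stateful inspection, anti-spoofing control
and SYN flood protection. Added illustration only; not SonicWALL's code."""
import ipaddress
from dataclasses import dataclass, field

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed protected LAN
MAX_HALF_OPEN_PER_SRC = 3  # constructed SYN-flood budget per external source


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


@dataclass
class StatefulFilter:
    allowed_inbound: set                           # port-redirection rules {(dst, dport)}
    conns: dict = field(default_factory=dict)      # (client, cport, server, sport) -> state
    half_open: dict = field(default_factory=dict)  # external source -> half-open count
    log: list = field(default_factory=list)

    def _verdict(self, pkt, verdict, reason):
        self.log.append(f"{verdict} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                        f"{pkt.flags} ({reason})")
        return verdict

    def decide(self, pkt):
        inside_src = ipaddress.ip_address(pkt.src) in INTERNAL_NET
        # Anti-spoofing: a LAN address must never arrive on the WAN side, and
        # nothing but LAN addresses should originate on the LAN side.
        if pkt.iface == "wan" and inside_src:
            return self._verdict(pkt, "DROP", "spoofed internal source on wan")
        if pkt.iface == "lan" and not inside_src:
            return self._verdict(pkt, "DROP", "foreign source on lan")

        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)  # packet seen as client->server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # packet seen as server->client

        if pkt.flags == "S":
            # Inbound SYNs need a port-redirection rule, and a per-source budget of
            # half-open connections bounds a SYN flood aimed at that rule.
            if pkt.iface == "wan":
                if (pkt.dst, pkt.dport) not in self.allowed_inbound:
                    return self._verdict(pkt, "DROP", "no inbound rule")
                if self.half_open.get(pkt.src, 0) >= MAX_HALF_OPEN_PER_SRC:
                    return self._verdict(pkt, "DROP", "SYN flood guard")
                self.half_open[pkt.src] = self.half_open.get(pkt.src, 0) + 1
            self.conns[fwd] = "SYN_SENT"
            return self._verdict(pkt, "ACCEPT", "new connection tracked")

        if pkt.flags == "SA" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RECV"
            return self._verdict(pkt, "ACCEPT", "handshake reply")

        if pkt.flags == "A" and self.conns.get(fwd) == "SYN_RECV":
            self.conns[fwd] = "ESTABLISHED"
            if pkt.iface == "wan":  # external client finished its handshake
                self.half_open[pkt.src] -= 1
            return self._verdict(pkt, "ACCEPT", "connection established")

        # Anything else passes only as part of an established connection.
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return self._verdict(pkt, "ACCEPT", "established connection")
        return self._verdict(pkt, "DROP", "no matching state")


def run_scenario():
    """Constructed traffic: an outbound web session, a spoofed packet, an
    unsolicited inbound ACK, and a burst of SYNs at the forwarded port."""
    fw = StatefulFilter(allowed_inbound={("192.168.1.20", 80)})
    pkts = [
        Packet("lan", "192.168.1.10", 40000, "203.0.113.5", 80, "S"),
        Packet("wan", "203.0.113.5", 80, "192.168.1.10", 40000, "SA"),
        Packet("lan", "192.168.1.10", 40000, "203.0.113.5", 80, "A"),
        Packet("wan", "192.168.1.99", 1234, "192.168.1.10", 22, "S"),     # spoofed
        Packet("wan", "198.51.100.7", 5555, "192.168.1.10", 40000, "A"),  # unsolicited
    ]
    pkts += [Packet("wan", "198.51.100.9", 30000 + i, "192.168.1.20", 80, "S")
             for i in range(4)]                                          # SYN burst
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    print(run_scenario())
```

The fourth SYN from 198.51.100.9 is dropped because that source already holds three half-open connections against the forwarded port; a real device ages those entries out and resets the budget, which this model omits.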
You can even manage the SonicWALL from outside your network if you have configured the VPN properly and enabled the feature.

Installation, Interface, and Documentation

The SonicWALL is pretty much plug-and-play, with minimal web configuration. Chapter 11, "Configuring a Real Firewall," covers SonicWALL in detail because it is the "real firewall" used in the chapter. In summary, the installation is easy, the interface is simple, and the documentation is straightforward, if a little shallow. Figure 19.1 shows the SonicWALL web configuration interface.

Figure 19.1: SonicWALL's web interface is the easiest to use that we've seen.

Security

A SonicWALL is a complete Layer 3 (Network-layer) firewall. It does not do Application-layer proxying or content filtering. It has a simple HTTP filter included that can strip Java, ActiveX, and cookies, but no more than that. Its packet filter, port blocking and redirection, and VPN configuration are first rate and easy to configure.

Cost and Support

SonicWALL is neither cheap nor expensive, but when you add up the hardware and software costs for anything but a free-software firewall (see Chapter 16), the SonicWALL is very competitive in price. And if you instead add up the time and effort needed to configure a free-software firewall, you'll most likely find that SonicWALL is still comparatively cheap. SonicWALL's technical support is a little anemic, but there's not much to go wrong with the device anyway.

The devices range in price from about $400 for the SOHO small 10-user devices to around $3000 for the PRO-VX (which is the most useful and should be considered the baseline device for protecting a real network), all the way up to $27,000 for the top-of-the-line SonicWALL GX 650. One thing to keep in mind at the time of this writing: the Client VPN licenses for SonicWALL cost around $70 each, and the VPN upgrade for the SOHO and XPRS firewalls (to enable the VPN connectivity) is also around $500.
The PRO devices and up all come with VPN enabled.

One nice thing about SonicWALL that distinguishes it from the WatchGuard Firebox (see the later section in this chapter) is that the SonicWALL firewalls are essentially the same in configuration and use from the bottom of the line (the SOHO units) all the way up to the top-of-the-line GX 650. They merely add a few features and use faster hardware as you go up the product line. The interface is the same from box to box. The smallest WatchGuard (the Firebox SOHO) is really a completely different device from the excellent Firebox 1000 and is configured and interfaced to separately (via the Web instead of by a Windows client application).

WatchGuard Firebox 1000

If you want a full-featured proxying firewall that doesn't take a rocket scientist to set up, the WatchGuard Firebox may be just what you're looking for. This product vies with the SonicWALL in price, capabilities, and ease of use, and just by looking at the two firewalls it's obvious that they're fighting over the same market segment. Of the two, the SonicWALL is easier to configure (requiring only a web browser on a client inside the network), while the WatchGuard includes support for proxying and content filtering that the SonicWALL does not.

Pros:
• No hardware or software required
• Strong Application-layer inspection
• Strongest device-based firewall
• Highly reliable

Cons:
• Can only be managed from Windows clients

We had to scrape to come up with a negative for the above table—this device functions exactly as a theoretically perfect firewall would. It contains no significant failure components so it's reliable, yet it performs strong Application-layer filtering and is easy to administer. The interface isn't quite as easy as the SonicWALL devices, but it allows you to perform real-time monitoring that the SonicWALL can't.
And when you consider that these devices cost about the same, they're the firewall of choice for higher-security environments with more experienced staff.

Major Feature Set

The Firebox 1000 provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Proxies (DCE-RPC, FTP, H.323, HTTP, RealNetworks, RTSP, SMTP, StreamWorks, VDOLive)
• Secure authentication (Proprietary, Windows NT, RADIUS, SecurID, and CRYPTOCard)
• VPN (proprietary, DES, 3DES, IPSec/IKE, PPTP)
• VPN client software (Windows 98/NT/2000/XP, Unix, Linux)
• Bandwidth control and quality of service
• Logging and e-mail notification

The most impressive aspect of the Firebox 1000 is its built-in proxy support, a feature not found in other device-based firewalls (i.e., firewalls that don't expose you to the underlying operating system). Its VPN support, network address translation, packet filtering, and DMZ support are all first rate, but the same could be said of most other firewalls of its class. VPN support, which just a couple of years ago was a novelty in a device-based firewall, is now the order of the day—certainly in the future everybody's "drop-in firewall" will have built-in proxying, but if you want it now and you want it easy to use, the Firebox 1000 is pretty much it.
Minor Feature Set

This firewall supports the following minor features:
• Network-transparent drop-in configuration
• Content filtering (Java, virus scanning, URL blocking)
• Scan detection, spoofing detection, and automatic blocking
• DHCP
• Graphical administration
• Remote administration
• Centralized administration
• SYN flood protection
• Anti-spoofing control
• Real-time monitoring and reporting
• Policy-based configuration and management
• High performance

Proxying is only half of securing ports for Application-layer protocols like HTTP, SMTP, and FTP. Proxying is important because it makes sure that the ports are being used for the protocols they were meant for, but it does not protect interior computers from malicious content (such as devious ActiveX controls and viruses) that is sent via those protocols. Content filtering is the other half of securing the ports, and the Firebox does that as well.

The Firebox is also good at incident detection—telling you when you're under attack (and what kind of attack you're facing). The real-time graphical monitor is nice to watch—you can see traffic pattern changes as they happen. The lights on the front of the box are also helpful and intuitive: it is obvious at a glance how much traffic is flowing to or from the DMZ and the Internet, the protected LAN and the Internet, or between the DMZ and the protected LAN.

A nice feature of the WatchGuard 1000 firewall is that if you already have a publicly routed subnet that you want to protect, then you can place the firewall in "drop-in" mode—where it is given an IP address on that subnet (rather than being set up as a router for that subnet), and it transparently intercepts the traffic between that subnet and the Internet. You have to place it, connection-wise, between the subnet and the router, but you don't have to reconfigure the clients or the router to protect your LAN.
Installation

After installing a number of command-line-based free firewalls (see Chapter 16) and firewalls that run on top of Unix or Windows (see Chapters 17 and 18), installing and configuring the Firebox 1000 was a breath of fresh air. The graphical Windows application for administration was a breeze to install and use. After setting the IP addresses of its interfaces and giving it a range to supply for DHCP, the box was ready to use in a minimally configured state.

Security

A Firebox 1000 that is fully locked down with proxies in place is about as secure as you're going to get with a modern firewall. Perhaps OpenBSD does a better job of obfuscating TCP sequence numbers, perhaps Gauntlet has a better set of proxy services, but for the price and ease of use there's no comparison. Because the Firebox is based on Linux, its TCP sequence number generator is considerably more random than most devices.

Interface

The Windows client application that comes with the firewall for administration is easy to set up and use. The only easier way to administer a firewall is through your web browser (SonicWALL does this, as do the majority of the little home-office firewalls), because the management application limits you to configuring the machine from Windows (as opposed to, say, Solaris). See Figure 19.2 for a view of the Firebox management interface.

Figure 19.2: Firebox's rule-based interface

The Windows application does have the advantage that you can do more from it, including real-time monitoring of the status of the firewall. The policy-based rule editor is also easy to use, including allowing you to save a policy locally before uploading (so you can test out new configurations, for example, and fall back if they're too restrictive).
Documentation

The installation booklet provided with the firewall concisely and clearly walks you through the process of installing the firewall, but you'll have to look to the documentation supplied on the CD in PDF format for instructions on how to make policies to really secure your network. The PDF documentation walks you step by step through using every feature of the Firebox, including establishing policies, setting up VPNs to other Fireboxes and to remote Windows clients, blocking URLs, and setting up content filters. It doesn't go into great detail explaining why you would do any of these things, but another book (such as this one) can tell you what to do to protect your network; the Firebox documentation will tell you how to do it.

Cost and Support

A WatchGuard Firebox is not cheap; at the time of this writing the Firebox 1000 will cost you about $3000. Getting the top-of-the-line model (a model 4500) can cost $7700. The support is good though, including (in addition to your regular dial-up support) online documentation, questions and answers, and a web-based forum on which customers can exchange problems and solutions. The home unit, which is really a different device entirely but can be used to establish a VPN connection to a model 1000, costs about $300, though the VPN upgrade for it costs another $400.

Elron Firewall

Elron Firewall is available on its own proprietary operating system and was ported to Windows NT in its latest edition. I find the port to NT interesting in light of the fact that Elron considers their secure OS to be one of the primary features of their firewall.

Pros:
• Fast stateful inspector firewall
• Includes VPN
• Supports IPX
• Minimal hardware

Cons:
• No proxy servers
• Adapters limited to 3c905 Ethernet
• Poor user interface design

Elron employs multilayer stateful inspection rather than proxy servers for filtering in the Application layer. This is somewhat similar to Firewall-1's support for HTTP and FTP filtering.
Filtering in the Application layer is capable of blocking numerous attacks, but filters may not recognize certain attacks that proxies would not forward, because a proxy regenerates the request and the malformed packet is never created on the inside. In other words, filtering still passes the originally formed packet, so undetected malformations can still be routed through. Multilayer filtering is considerably more secure than Network-layer filtering alone, but not as secure as Application-layer proxies.

Elron Firewall running on its own operating system is not subject to standard operating system vulnerabilities. Although a proprietary operating system is not necessarily more secure than a standard operating system, few hackers attempt hacks against operating systems that are not widely deployed, so the firewall is not vulnerable to most of the exploits developed by hackers. Since superfluous services unrelated to firewalling (like file and print sharing) are not provided, no holes exist in the operating system.

Elron Software maintains that, because 32OS source code has not been released to the public, there is virtually no possibility that hackers will be familiar with it. While this may be true to some extent, good hackers can read machine code through a process called disassembly, where the binary image is turned back into human-readable assembly language. While assembly language is not nearly as clear as the C programming language (relatively speaking), hackers who are familiar with the i386 microprocessor and its descendants could read it and thereby understand in detail the operation of a piece of proprietary software. I've done it, and so can any decent programmer. Though software based on a proprietary operating system will keep the masses at bay, security through obscurity should never be relied upon. Note also that 32OS uses MS-DOS as a boot loader, and could therefore be susceptible to certain types of RAM-resident viruses.
Elron's documentation describes some alarming problems that can happen when the firewall runs out of memory, including losing Network Address Translation addresses, which would cause translated connections to be lost. While neither fatal nor a security risk, these sorts of problems are the result of using proprietary operating systems that aren't completely thought out.

Hardware requirements for the Elron Firewall are (SecureOS version):

Connections <1.5Mb/sec (T1):
• 486DX2/66
• 8MB RAM
• 200MB hard disk drive
• MS-DOS 6.22
• Two or three 3C905 10/100 NICs
• Floppy drive

Connections >T1:
• Fastest possible processor
• 16MB RAM

Requirements for the management station are:
• Windows 9x or NT
• 50MB available disk space
• 16MB RAM

Major Feature Set

Elron Firewall provides the following major features:
• Stateful inspection packet filter
• Network Address Translation
• Encrypted authentication
• Virtual Private Networking

Elron Firewall's stateful inspection filter is unique in that it is capable of filtering the application (payload) portion of a packet for known content. The firewall compares packets to bit patterns of previously filtered packets before passing the packet into the protected network. This ensures that unknown deformations of packets will be filtered out.

Elron Firewall's NAT option supports IP address hiding only by using the firewall's IP address. This provides an upper limit of about 64,000 outbound connections, but that's generally high enough that this limitation is not serious for most organizations.

User authentication clients are provided for Windows 9x and NT. Authentication is password-based and supports RADIUS and CHAP authentication. The user authentication software also supports periodic authentication.

The included VPN option provides IP-in-IP tunneling, which provides a measure of internal security by hiding the true source and destination addresses. IPSec is used to encrypt the encapsulated IP packet.
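The "about 64,000 outbound connections" ceiling follows directly from hiding every inside host behind one public address: each translated connection needs its own public source port, and the 16-bit port field minus the reserved low ports leaves roughly that many. The model below is an added example written for this edit, not Elron's code; it keeps a port-translation table for a single public address, refuses a new connection once the port pool is exhausted, maps replies back only to a connection that was opened from the inside, and shows how dropping table state (the memory-pressure failure the documentation warns about) breaks a live connection. The public address 203.0.113.1, the 1024 to 65535 port range, and the inside hosts are all constructed.

```python
"""Port address translation behind a single public address.
Added illustration only; not Elron's NAT implementation."""

PUBLIC_IP = "203.0.113.1"            # assumed address of the firewall's outside interface
FIRST_PORT, LAST_PORT = 1024, 65535  # assumed pool of translation ports


class SinglePatTable:
    def __init__(self):
        # Free ports kept as a stack so pop() hands out the lowest port first.
        self.free = list(range(LAST_PORT, FIRST_PORT - 1, -1))
        self.out = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.back = {}  # public_port -> (inside_ip, inside_port, dst_ip, dst_port)

    def capacity(self):
        """Hard ceiling on simultaneous translated connections."""
        return LAST_PORT - FIRST_PORT + 1

    def translate_outbound(self, inside_ip, inside_port, dst_ip, dst_port):
        """Return the (public_ip, public_port) the packet leaves with, or None
        when the pool is exhausted and the connection cannot be translated."""
        key = (inside_ip, inside_port, dst_ip, dst_port)
        if key in self.out:
            return PUBLIC_IP, self.out[key]
        if not self.free:
            return None
        port = self.free.pop()
        self.out[key] = port
        self.back[port] = key
        return PUBLIC_IP, port

    def translate_inbound(self, public_port, src_ip, src_port):
        """Map a reply back to the inside host, but only from the remote endpoint
        the inside host actually contacted; anything else is unsolicited."""
        key = self.back.get(public_port)
        if key is None or (key[2], key[3]) != (src_ip, src_port):
            return None
        return key[0], key[1]

    def release(self, public_port):
        key = self.back.pop(public_port, None)
        if key is not None:
            del self.out[key]
            self.free.append(public_port)

    def lose_state(self):
        """Model the documented failure: translation entries vanish while the
        inside hosts still believe their connections are up."""
        self.out.clear()
        self.back.clear()
        self.free = list(range(LAST_PORT, FIRST_PORT - 1, -1))


def demo():
    """Fill the pool from constructed inside hosts, overflow it by one, then
    show reply mapping, release, and the effect of lost state."""
    t = SinglePatTable()
    results = [t.translate_outbound(f"10.0.{i >> 8}.{i & 255}", 50000, "198.51.100.10", 443)
               for i in range(t.capacity())]
    filled = sum(r is not None for r in results)
    overflow = t.translate_outbound("10.1.0.1", 50000, "198.51.100.10", 443)
    first_port = results[0][1]
    reply = t.translate_inbound(first_port, "198.51.100.10", 443)
    stray = t.translate_inbound(first_port, "192.0.2.77", 443)   # different remote host
    t.release(first_port)
    after_release = t.translate_outbound("10.1.0.1", 50000, "198.51.100.10", 443)
    t.lose_state()
    after_loss = t.translate_inbound(after_release[1], "198.51.100.10", 443)
    return filled, overflow, reply, stray, after_release, after_loss


if __name__ == "__main__":
    print(demo())
```

After lose_state() the reply for a connection that was perfectly valid a moment earlier no longer maps to any inside host, which is exactly why an out-of-memory NAT table shows up as connections silently dying rather than as an error.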
Elron makes two completely separate Application-layer filters called the InternetManager (HTTP) and the MessageInspector (e-mail, news, and FTP). These products run on their own Windows NT server and work with any firewall or security service. The MessageInspector filter performs powerful keyword string matching and statistical analysis (for spam filtering) to block e-mail, newsgroups, and FTP downloads.

Minor Feature Set

Elron supports the following noteworthy minor features:
• IP and IPX filtering
• VPN continuous key regeneration

Elron supports both IP and IPX filtering. IPX filtering is not usually a big concern unless you run a large IPX network where internal security between divisions is important. For most enterprises, IPX filtering is not a function required of bastion hosts. The firewall also supports IPX bridging (forwarding all IPX packets transparently and irrespective of their contents), which is not a security function and reduces the security posture of your network.

The continuous key regeneration feature provides a facility somewhat akin to Kerberos ticketing. After an established amount of VPN traffic has passed between two firewalls, the firewalls will both generate new keys and exchange them. This reduces the amount of time a brute-force-decrypted key would be useful, thus moving the probability domain for a brute-force attack from highly unlikely to practically impossible.

Interface

Elron Firewall is configured remotely through a Windows-based policy manager. The firewall itself is initially configured using the firewall management software on a Windows computer and transmitted to the firewall located on the same Ethernet collision domain.
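The key regeneration paragraph describes a volume-triggered rekey: once a set amount of traffic has crossed the tunnel, both ends switch to a fresh key, so a key an attacker eventually recovers only ever covers one window of traffic. The following is an added example written for this edit, not Elron's protocol: one tunnel end counts bytes sent under the current key, generates a fresh random key when the budget is spent, and hands it to the peer in a rekey message, after which each data message carries an epoch number and an HMAC tag under the key of that epoch. The 1,000-byte budget, the HMAC tag standing in for the tunnel's real encryption, and the plain rekey message (which in the real feature would travel inside the already-protected tunnel) are all constructed simplifications.

```python
"""Volume-triggered VPN key regeneration. Added illustration only; not Elron's code."""
import hashlib
import hmac
import secrets

REKEY_AFTER_BYTES = 1_000  # constructed budget; a real tunnel uses a far larger one


def _tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


class TunnelEnd:
    def __init__(self, initial_key):
        self.key = initial_key
        self.epoch = 0
        self.bytes_under_key = 0

    def send(self, payload):
        """Return the messages to deliver to the peer: an optional
        ("rekey", epoch, new_key) followed by ("data", epoch, payload, tag)."""
        msgs = []
        if self.bytes_under_key + len(payload) > REKEY_AFTER_BYTES:
            new_key = secrets.token_bytes(32)          # fresh, unrelated to the old key
            msgs.append(("rekey", self.epoch + 1, new_key))
            self.key, self.epoch, self.bytes_under_key = new_key, self.epoch + 1, 0
        self.bytes_under_key += len(payload)
        msgs.append(("data", self.epoch, payload, _tag(self.key, payload)))
        return msgs

    def receive(self, msg):
        """Install a new key on a rekey message; verify data under the current
        epoch's key. Returns True when the message is accepted."""
        if msg[0] == "rekey":
            _, epoch, new_key = msg
            self.key, self.epoch, self.bytes_under_key = new_key, epoch, 0
            return True
        _, epoch, payload, tag = msg
        if epoch != self.epoch:
            return False
        return hmac.compare_digest(_tag(self.key, payload), tag)


def tag_matches(key, data_msg):
    """Check a data message against an arbitrary key, ignoring the epoch; this
    is what a recovered key would or would not let an observer do."""
    _, _, payload, tag = data_msg
    return hmac.compare_digest(_tag(key, payload), tag)


def demo():
    """Constructed session: five 300-byte payloads cross the 1,000-byte budget
    on the fourth one, forcing one rekey; a key recovered from epoch 0 is then
    useless against traffic sent under epoch 1."""
    initial_key = secrets.token_bytes(32)          # stands in for the IKE-negotiated key
    a, b = TunnelEnd(initial_key), TunnelEnd(initial_key)
    epochs, accepted = [], []
    for _ in range(5):
        for msg in a.send(b"x" * 300):
            accepted.append(b.receive(msg))
        epochs.append(a.epoch)
    late = a.send(b"late data")[-1]
    return epochs, all(accepted), b.receive(late), tag_matches(initial_key, late)


if __name__ == "__main__":
    print(demo())
```

Because each new key is drawn at random rather than derived from its predecessor, recovering one epoch's key gives nothing about the next; that independence is what turns a brute-force success into a bounded loss.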
The user interface bespeaks an amateurish attempt at design, suffering from such problems as a non-sizeable main window that takes up the entire screen and the use of purely modal dialogs throughout the software, which prevents you from seeing two content windows at the same time. There seems to be an unwritten rule in the firewall industry that user interfaces aren't worthy of programming effort. Figure 19.3 shows the clunky management interface.

[...] fix things, the happier our customers are with us. Firewalls like Elron and GNAT Box hold down a middle ground between computer-based firewalls and device-based firewalls; they run on standard i386 hardware, but they package their own OS with the firewall and are managed like a device. These firewalls, while interesting, are also losing ground against the device market because you still have to provide [...]

[...] These firewalls can't really compete with the stronger and cheaper firewalls available for more common operating systems and to those used as firewall-embedded devices. This explains why you don't see them around much. Since the future of any product offering is ensured by its success, you'll probably find that these firewalls fade away as the more competitive Unix, Windows, and dedicated hardware firewalls [...]

Case Study: Drop 'Em in, Turn 'Em on Firewalls

The new device-based firewalls that are taking over the firewall market are taking over for a reason—they are easy to install and use. The more difficult a firewall is to configure, the easier it is to get the configuration wrong. We've been using device-based firewalls in all our clients' networks because our time is valuable to us and to our customers, so the [...]

[...] IBM customers who use AS/400s opt for other firewalls: Cisco PIX in one installation I support and Firewall-1 in another. All the NetWare installations I'm involved with use NT-based firewalls. [...]

[...] components that are installed and configured separately. You should be at least a Novell CNE and be very familiar with the NetWare environment before attempting to install this software.

Security

Proxies are available for the following protocols:
• HTTP and SSL
• FTP
• DNS
• Gopher
• SMTP and POP3
• NNTP
• RealAudio and RealVideo
• Real Time Streaming Protocol (RTSP)
• SOCKS 4 and 5
• Generic TCP/UDP
[...]

[...] the external network and detect HTTP traffic on its way out. They then transfer these HTTP requests to the proxy service rather than forwarding them directly, and thereby insert the proxy functionality seamlessly and transparently. This makes it impossible for internal clients to bypass the proxy and eliminates the administrative burden of configuring the proxy.

Documentation, Cost, and Support

The documentation [...]

[...] (NIAS) provides dial-up service akin to Windows NT's RAS service and is included in the BorderManager Enterprise Edition. NT and Unix both natively support dial-up, so this isn't a particularly compelling reason to choose this firewall over those based on more common operating systems.

Interface

BorderManager runs on NetWare 4.x and 5 and therefore uses the clunky text-based console interface of NetWare. [...]