There are many players in the firewall market. Naming and describing them all could easily turn into a chapter in and of itself. Firewalls usually take the form of either a computer running a common operating system (OS) with the firewall software installed on top, or a purpose-built hardware appliance that the manufacturer intended as a firewall from the ground up. Those that fall into the latter category either run on pre-hardened versions of a common, general-purpose OS (such as NetBSD or Solaris), or they run a customized, real-time OS that was only intended to run the firewall. Table 2.1 introduces the major vendors and where their products line up in the marketplace:
Firewall Vendor | Form | OS |
---|---|---|
3Com Corporation & SonicWALL | Hardware | Custom |
Check Point Software Technologies | Both | Windows, Solaris, IPSO |
Cisco Systems, Inc. | Hardware | Custom |
CyberGuard | Hardware | Custom |
Microsoft | Software | Windows 2000 Server |
NetScreen | Hardware | Custom |
Novell | Software | NetWare |
Secure Computing | Hardware | Custom |
Stonesoft, Inc. | Software | Linux |
Symantec Corporation | Software | Windows, Solaris |
WatchGuard Technologies, Inc. | Hardware | Custom |
Microsoft ISA Server and Symantec Enterprise Firewall fall into the software category while the Cisco PIX firewalls fall into the hardware appliance category. Interestingly enough, Check Point FW-1 falls into both categories: it can be installed on a common OS (Solaris or Windows), but through a partnership with Nokia, most Check Point firewalls actually run on Nokia IPSO appliances.
The vendors that do run as pure software installed on a common, general-purpose OS usually employ some form of hardening process so that hackers do not compromise the security of the underlying OS. Rather than try to subvert the firewall, hackers could just attack the OS that is hosting the firewall and cause that machine to route packets before the firewall sees them. They might also simply obtain a remote terminal session with the desktop and change the security policy altogether.
Axent Raptor, the predecessor to Symantec's Enterprise Firewall, runs a service called Vulture to kill any rogue processes that attempt to start (such as viruses, Trojans, or other malicious applications). Rather than lock the Windows OS down such that outside programs can't infect the server, the Vulture "watchdog" process just makes sure that no new processes start up once the firewall is installed. Similarly, Novell's BorderManager, which runs on NetWare, requires a special version of the NetWare core server.exe file to prevent access to the console before authenticating to the machine.
Manufacturers that specialize in hardware appliances will often flaunt the security holes in general-purpose OSs as a weakness of products that run on those platforms. Furthermore, they'll usually state that hardware appliances have better security since the firmware that runs them has no other function. The argument seems to make sense, but it doesn't cover every situation. Check Point FW-1 and Symantec Enterprise Firewall easily exceed the minimum ICSA requirements, while numerous hardware appliances require firmware upgrades to fix security holes. Therefore, you cannot make a judgment about a firewall's security based entirely on whether it is hardware- or software-based. You do, however, need to know into which category your firewall falls because each type presents a different challenge to hackers.
In the end, the decision on which firewall type to use is more of a personal preference. You should select your firewall primarily according to which features you need. Only as a secondary or tertiary criterion should you consider the delivery format—hardware or software. For many, the ease of a plug-and-play hardware appliance is very attractive. If something goes wrong, just slide in a new appliance and off you go. Others may not want to pay the extra money for a purpose-built custom appliance, and would instead like to repurpose some of their old servers for use as a firewall. Depending on your organization and the budget you have for your firewall, you will naturally gravitate to either the hardware or the software type of firewall.
Packet filtering is the basis of the typical firewall. The functions performed by packet filters are similar to those performed by routers, and the languages used to program them are often based on router interface-type rule sets. Many firewall vendors provide hardware-based solutions. Some of the most popular hardware firewalls include the Cisco PIX firewall, SonicWall, the Webramp 1700, the Firebox from WatchGuard Technologies, and the OfficeConnect firewalls from 3Com.
Hardware solutions are available for networks of all sizes. For example, the 3Com products focus on small business and home office users, while the Cisco PIX comes in configurations that support up to 250,000 connections.
Hardware-based firewalls are often referred to as firewall appliances. A disadvantage of hardware-based firewalls is the proprietary nature of the software they run. Another disadvantage of many of these products, such as Cisco's highly respected PIX, is the high cost.
The Cisco PIX firewall is designed to meet the needs of small or home networks through to enterprise-sized networks. The PIX provides all of these types of users with the same security level and features, but performance increases with the larger PIX appliances. The PIX can support many users, and most PIX models have VPN support. Depending on the model, the PIX may have a fixed chassis that cannot be upgraded to support additional interfaces, whereas other PIX models may support many network interfaces.
Key items of the PIX firewall include the following:

- A user license that supports a limited number of internal IP addresses accessing the Internet simultaneously, and a DHCP server feature that supports up to a fixed number of DHCP address assignments. Depending on the model, this may be unlimited.
- Various levels of clear-text throughput, from 10Mbps to 1Gbps.
- Various types of hardware, including rack-mountable units, with network interface options ranging from support for many different types of network card to a fixed configuration for a small office.
- Optional encryption licenses, which are required if 168-bit 3DES or 56-bit DES VPN tunnels are used.
- An unlimited number of VPN peers.
The PIX OS is a feature-filled OS that provides a high level of security and performance. Because it is designed solely for the purpose of securing your network infrastructure, it doesn't have the weaknesses inherent to general OSs such as Windows or UNIX. However, the PIX OS's lack of a general OS does not mean that the PIX has fewer features than its competitors. The PIX has a full set of security features and with its streamlined OS and specially designed hardware it has the ability to outperform many of its competitors.
Features include:
- **Purpose-built operating system** Eliminates the weaknesses found in most general OSs.
- **Adaptive security algorithm (ASA)** The method the PIX uses to provide stateful packet filtering, which analyzes each packet to ensure only legitimate traffic traverses the PIX.
- **URL filtering** Can limit the URLs users access based on a policy defined by the network administrator or a security policy. Requires an external NetPartners WebSense server or N2H2 server.
- **Content filtering** Can block ActiveX or Java applets.
- **NAT and PAT** Hides internal addressing from the Internet and makes more efficient use of private address space.
- **Cut-through proxy** Authenticates users accessing resources through the PIX.
- **VPN** Capable of handling mobile user access and site-to-site VPNs utilizing DES, 3DES, and AES encryption methods.
- **Intrusion detection** Enables the PIX to protect against various forms of malicious attack with features such as DNSGuard, FloodGuard, MailGuard, and IPVerify, as well as the ability to identify attacks via attack "signatures."
- **DHCP** Can act as a DHCP client and/or server.
- **Routing functionality** Can support static routes, RIP, and OSPF.
- **Support for RADIUS or TACACS+** Authenticating, authorizing, and accounting for users passing through the PIX, or enabling authentication for those connecting to the PIX's management interfaces.
- **Failover** Provides a resilient, high-availability solution in case of failure.
- **Point to Point Protocol over Ethernet (PPPoE) support** Compatible with xDSL and cable modems.
- **Common Criteria EAL4 Certification** Certain PIX OS versions have achieved the highest level of certification handed out by Common Criteria, an independent international security organization. You can find more information about Common Criteria at www.commoncriteria.org.
Stateful inspection is very important to security because it provides a deeper level of filtering than the ACLs found in routers, which may only filter based on header information. Firewalls that perform stateful inspection analyze individual data packets as they traverse the firewall. In addition to the packet header, stateful inspection also assesses the packet's payload and looks at the application protocol. It can filter based on the source, destination, and service requested by the packet. The term stateful inspection refers to the firewall's ability to remember the status of a connection and thereby build a context for each data stream in its memory. With this information available to it, the firewall is able to make more informed policy decisions.
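To make the contrast between a header-only router ACL and a stateful firewall concrete, here is an added example (not code from the book or from any vendor's product): a toy connection-tracking filter that creates state when an inside host opens a connection and only admits inbound packets belonging to a tracked flow. The internal network (10.0.0.0/24), the web server address and the packet stream are all constructed for the illustration.

```python
# Added example, not from the book: a toy stateful packet filter alongside a
# router-style stateless ACL, showing what remembering connection state buys.
# All packets are constructed here; nothing touches a real network.
from dataclasses import dataclass

INSIDE = "10.0.0."  # assumption: the protected network is 10.0.0.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # subset of "SAFR" (SYN, ACK, FIN, RST)

def stateless_acl(pkt):
    """Header-only ACL. To let replies to outbound web sessions back in, it
    must permit every inbound packet with source port 80, which also admits
    unsolicited traffic that merely claims to come from a web server."""
    if pkt.src.startswith(INSIDE):
        return "pass"
    return "pass" if pkt.sport == 80 else "drop"

class StatefulFilter:
    """Remembers outbound connections and only admits inbound packets that
    belong to a flow already present in the state table."""
    def __init__(self):
        self.table = set()  # keys are (src, sport, dst, dport) as seen outbound

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                      # packet belongs to a tracked flow
            if "R" in pkt.flags or "F" in pkt.flags:
                self.table.discard(key)          # connection is being torn down
            return "pass"
        if pkt.src.startswith(INSIDE) and pkt.flags == "S":
            self.table.add(fwd)                  # new outbound connection: create state
            return "pass"
        return "drop"                            # unsolicited or out-of-state packet

def run_scenario():
    """Returns (acl_verdicts, stateful_verdicts) for a constructed packet stream."""
    stream = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),   # inside opens a web session
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),  # legitimate reply
        Packet("203.0.113.10", 80, "10.0.0.5", 40001, "S"),   # unsolicited, source port 80
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "R"),   # server resets the session
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "A"),   # late packet after teardown
    ]
    fw = StatefulFilter()
    return ([stateless_acl(p) for p in stream], [fw.inspect(p) for p in stream])
```

The ACL passes all five packets, while the stateful filter drops the unsolicited third packet and the fifth, which arrives after the connection's state has been removed.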
The Nokia hardware platform comes with a hardened FreeBSD operating system out-of-the-box. The hardware is rack-mountable, and it is easily maintained by using a common firewall software package—Checkpoint FW-1. The Checkpoint FW-1 software is covered in the next section.
In addition to firewall appliances, there are various firewall software applications you can use on a standard OS such as Solaris, Windows, or Linux. Many of these software packages do not strictly run at the OSI TCP/IP application level; rather, they use stateful inspection, which runs through the entire OSI stack.
Though the statistics are a few years old, at one point it was estimated that FW-1 was deployed on one of every four firewall implementations. FW-1's feature set and complexity have made it quite popular with enterprises. The complexity of the software has also led to the creation of several levels of certifications for use of the product itself. This says little about the product but more about its wide use.
Check Point includes most features that one would expect from a standard firewall package. It uses stateful packet filtering, works with multiple interfaces, and can perform NAT services. Some deployments can be configured to provide fail-over services in the event of loss of one firewall.
Prior to using FW-1 for a DMZ implementation, it is recommended that people using the software familiarize themselves with the package. Although the slick GUI for configuration could put some users at ease, inexperience with the software can lead to a very frustrating experience. In addition to vendor documentation, you can obtain useful information at www.phoneboy.com.
IPFilter is a firewall software implementation developed and maintained by Darren Reed. This personal project has turned into an industrial-strength firewall software implementation that rivals many commercial packages. It also plays on a field on which commercial firewall software packages can't compete—it's free.
IPFilter provides stateful traffic inspection, much like any standard firewall software implementation. It also provides NAT functionality and can handle multiple network interfaces. These features are critical to the implementation of any DMZ.
The IPFilter software package can be downloaded from http://coombs.anu.edu.au/~avalon/ip-filter.html. The package supports both 32- and 64-bit Sparc architectures. A 32-bit implementation can be easily compiled using the freely available GNU C Compiler and will essentially compile right out of the box. A 64-bit build requires a little more work, including obtaining a compiler capable of building binaries for the architecture. This particular situation is one in which the trial version of the Sun Forte C Compiler comes in handy.
Microsoft ISA Server is meant to be used as an all-in-one security package—firewall, intrusion detection, Active Directory, encryption, and policy manager.
Because the ISA Server is designed to be the central connection between your network and the Internet (or any untrusted network that you're connected to), you should consider running the other services that the ISA provides (e.g. intrusion detection, Active Directory) on other servers.