Current firewall product literature lacks true standards, a problem encountered by many firewall shoppers. Vendors naturally prepare marketing literature that puts their products in the best possible light and describes them in ways that are appropriate to the company's design and sales philosophies. However, standards have emerged in other areas of hardware and software, both in terminology and the description of features. For example, when a car brochure refers to antilock brakes or touts dual air bags, we can expect these items to fall within certain parameters.
Hoping to apply this type of standardization to firewall product descriptions, the ICSA Firewall Product Developers Consortium has supported a solution, developed by Marcus Ranum of Network Flight Recorder, Inc. (http://www.nfr.net/), referred to as "Firewall Product Functional Summaries." The purpose of the firewall product functional summary program is twofold:
To provide a structured format in which vendors can describe the distinguishing features and advantages of their products
To provide a structured format from which potential firewall customers can compare and contrast the features and design principles of firewall products
In other words, we want vendors to provide product information in a format that allows potential firewall customers to make meaningful comparisons between products. Over the past three years, ICSA has collected Firewall Product Functional Summaries from members of the Firewall Product Developers Consortium and posted them on the ICSA web site. Copies have also been made available on the Third Annual Firewall Buyer's Guide CD. The summary format used in the program was derived through an open process including firewall vendors, agencies of the computer-security community, and the firewall customer community. Marcus Ranum coordinated this cooperative industry effort.
The next two paragraphs describe the thinking behind the Firewall Product Functional Summaries. The remainder of this section provides an overview of what firewall shoppers will find in Firewall Product Functional Summary documents.
Computer-security systems, like other mission-critical systems, must have sound basic design principles, and the implementation of those principles must be of high quality. When choosing a computer-security system, then, the customer must have a means to judge the capabilities and design principles of the system in terms of the protections required by that customer's intended deployment of the system. The Firewall Product Functional Summary program permits manufacturers of computer-security products to present their products and designs in the best possible light, while adhering to a format that encourages accurate product comparison.

The summary format requests information from the vendor about design decisions made in a number of important areas, yet tries to permit the response to be as free-form as necessary so as not to constrain the vendor within the bounds of a narrow definition of what constitutes a firewall. Since the network security field is dynamic and rapidly growing, new techniques and terms are constantly brought into use. To provide a basis for clear communication, the summary format includes a simple glossary of terms and definitions. Vendors are welcome to define their own terminology, distinct from the terms in the glossary, but are requested to provide definitions in the glossary section for new terminology that is coined, and to annotate them as such. Readers are encouraged to peruse the glossary section for annotations and definitions of such new terms as may appear.
The following overview describes the contents of the sections included in the Firewall Product Functional Summary documents.
This section includes basic identifying information, such as the corporate name of the vendor and the product version to which this summary applies. The purpose of this section is to prevent confusion and to allow the vendor to supersede a version of the summary as a product is updated. The date of publication of the summary is also given.
This section provides a one-paragraph summary of the product: what it does and its distinguishing characteristics. The executive overview section should be relatively free of technical jargon.
This is the standard text describing the purpose of the document, as paraphrased above. It is included in each summary to explain to readers the philosophy behind the document.
This section offers a brief description of the product's primary features. It should be more detailed than the executive overview and should include information about the types of services supported by the product, the hardware or software platform of the product, the basic overall design approach, and any distinguishing characteristics.
This section tells how to contact the vendor and provides an opportunity for vendor companies to describe themselves in their own terms. This section will usually include information about the size of the company, its geographical coverage, and so on.
This section explains how the firewall protects itself and the systems connected to it. Where the product provides additional protections or maintains additional protective relationships, the section also explains the design principles and operation of those relationships.
This section provides an overview of the basic security architecture and philosophy of the product. This gives the vendor an opportunity to indicate why the company's chosen approach is valid, unique, and desirable, and how the overall architecture of the system enhances its security properties.
This section briefly describes the assumptions that the product makes on behalf of the user when the product is initially installed. This helps the customer understand the firewall's security properties as well as how much configuration the customer will have to perform on his or her own. Explaining the default options that a firewall supports gives customers a better idea of how much effort is needed to make it operational. Since a firewall implements policy, the firewall's defaults are its default policy.
Topics likely to be found here include whether services are enabled by default; whether transactions are logged by default; whether the firewall requires individual authorization at the level of users, hosts, or networks; and how much help the firewall requires to tailor a policy to a specific organization's requirements.
This section provides a description of how the firewall system protects itself against attack. The goal of this section is to explain to potential customers why the product is secure and why the vendor believes its firewall is resistant to attack. The vendor can explain the firewall system's software design and how it enhances the firewall's resistance to attack. In addition, the vendor might discuss here how the system uses high-integrity media, operating-system technologies, access control, intrusion detection, and response capabilities to provide protection.
This section offers a description of how the firewall system protects connected systems against attack. The goal of this section is to explain to potential customers how the product protects hosts that reside behind it and why the protective controls it implements are resistant to attack. Some topics that might appear here include how the firewall decides what to block or permit; how it implements blocking and permitting; how it protects against network spoofing; and how the firewall performs authentication, including any standards it supports.
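The default-policy and anti-spoofing points above can be made concrete. The following Python is an added example, not code from ICSA, Marcus Ranum, or any vendor summary: a toy packet filter whose default action is its default policy, which rejects packets whose source address is implausible for the interface they arrived on, and which logs every decision by default. The rule format, interface names, and addresses are constructed for the illustration; the `demo()` function runs the same packets through a default-deny and a default-permit instance so the difference in exposure is visible.

```python
"""Default-deny packet policy with anti-spoofing and per-decision logging.

Added illustration, not code from ICSA or any vendor summary. The rule
format, interface names and addresses below are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology: "ext" faces the Internet, "int" faces 192.0.2.0/24.
INTERNAL = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    default_action: str = "deny"          # the default action *is* the default policy
    log: List[str] = field(default_factory=list)

    def spoofed(self, p: Packet) -> bool:
        """Anti-spoofing: the source must be plausible for the arrival interface."""
        src = ip_address(p.src)
        if p.iface == "ext":
            return src in INTERNAL        # internal address arriving from outside
        return src not in INTERNAL        # foreign address arriving from inside

    def decide(self, p: Packet) -> str:
        if self.spoofed(p):
            verdict, why = "deny", "spoofed-source"   # checked before any rule
        else:
            verdict, why = self.default_action, "default-policy"
            for r in self.rules:                       # first matching rule wins
                if r.matches(p):
                    verdict, why = r.action, f"rule:{r.action} {r.proto}/{r.dport}"
                    break
        # Every decision is logged by default, permits included.
        self.log.append(f"{verdict.upper()} {p.iface} {p.src}->{p.dst} "
                        f"{p.proto}/{p.dport} ({why})")
        return verdict


# Constructed policy: inbound mail to one relay, outbound web from the inside.
RULES = [
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=25),
    Rule("permit", src="192.0.2.0/24", proto="tcp", dport=80),
]


def demo() -> Dict[str, str]:
    strict = Firewall(RULES, default_action="deny")
    lax = Firewall(RULES, default_action="permit")
    mail = Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 25)
    x11 = Packet("ext", "198.51.100.7", "192.0.2.20", "tcp", 6000)   # service nobody configured
    spoof = Packet("ext", "192.0.2.5", "192.0.2.10", "tcp", 25)      # internal src from outside
    web = Packet("int", "192.0.2.5", "203.0.113.9", "tcp", 80)
    return {
        "strict_mail": strict.decide(mail),
        "strict_x11": strict.decide(x11),     # blocked only by the default policy
        "lax_x11": lax.decide(x11),           # default-permit lets it through
        "strict_spoof": strict.decide(spoof),
        "lax_spoof": lax.decide(spoof),       # anti-spoofing overrides the mail rule
        "strict_web": strict.decide(web),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

The spoofed packet matches the permit rule for the mail relay, which is exactly why the source-plausibility check has to run before rule matching; and the only thing standing between the unanticipated tcp/6000 service and the inside is the default action, which is the point the summary asks vendors to state.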
This optional section describes how the firewall system interacts with individual hosts inside or outside of the firewall, if there is some kind of interaction that improves or bolsters the security of the firewall or the individual hosts. The goal of this section, if it is appropriate to the product, is to explain to potential customers what extra security-related interactions the product may provide for systems it protects and how these mechanisms resist attack. This can include discussion of the use of cryptographic protocols between the firewall and the protected nodes for authentication or confidentiality, and the use of specialized software between the firewall and the protected nodes to improve security and integrity.
This is another optional section, in the same format as above, to be used if a firewall maintains a protective relationship with some other network or system. The goal of this section, if appropriate to the product, is to explain what extra protective capabilities the firewall provides to improve the security of networks and how the additional mechanisms resist attack. Examples include protection against viruses on the internal network and protection against network outages.
If a firewall provides service-based controls, this section lists the services that it supports. This will normally take the form of a relatively simple list, since more detail appears in the per-service information that follows. If the product does something unique in its handling of network services and security, that is described here, together with how and why it works and how it resists attack. The section may be extended as appropriate to explain design and service philosophy. Its goal is to describe how the firewall provides security for services and why the chosen approach is resistant to attack and easy to manage. For each service, where appropriate, the section describes the controls the firewall provides on that service, together with service-specific logging, auditing, access control, authentication, and other capabilities. Also appropriate here are any default behaviors applied to the service, for example whether it is initially disabled and whether it logs all transactions by default. Service-specific residual risks are explained here as well.
This section describes the kinds of events the firewall logs and audits, explaining how the product reports and summarizes the events. This section aims to demonstrate to potential customers the types of information that the product will provide to the administrator and the types of operational summaries that will be available. Sample report formats or alert messages may be included as appendices to the document. Topics of interest here include log reduction, log reporting, log configuration, types of events logged, active trouble detection, and alert channels such as e-mail, pagers, and sirens.
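Log reduction and active trouble detection, two of the topics listed above, are easiest to judge against an actual log. The Python below is an added example, not code from ICSA or from any vendor's product: it parses a constructed, syslog-style per-connection log, collapses the individual denies into one summary per source address, flags a source denied on many distinct ports as a probable scan, and hands the resulting alert to whatever channel the caller supplies (an e-mail or pager hook in a real deployment). The log format, the addresses, and the five-port threshold are all assumptions made for the illustration.

```python
"""Log reduction and alerting over constructed firewall log lines.

Added illustration, not code from ICSA or any vendor summary. The log
format, addresses and scan threshold below are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: one syslog-style line per connection decision, plus one
# malformed line so the parser's handling of junk is exercised.
SAMPLE_LOG = """\
Mar 12 10:00:01 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=23
Mar 12 10:00:02 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=25
Mar 12 10:00:02 fw kernel: PERMIT ext src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=25
Mar 12 10:00:03 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=80
Mar 12 10:00:03 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=110
Mar 12 10:00:04 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=143
Mar 12 10:00:05 fw kernel: DENY ext src=203.0.113.44 dst=192.0.2.10 proto=udp dport=161
Mar 12 10:00:06 fw kernel: PERMIT int src=192.0.2.5 dst=203.0.113.9 proto=tcp dport=80
Mar 12 10:00:07 fw kernel: DENY ext src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=443
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ \S+ "
    r"(?P<verdict>PERMIT|DENY) (?P<iface>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

SCAN_THRESHOLD = 5   # assumed: distinct denied ports from one source before alerting


def parse(text: str) -> Tuple[List[dict], int]:
    """Return structured events and the count of lines that did not parse."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # never silently drop: report what was skipped
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        events.append(e)
    return events, unparsed


def reduce_log(events: List[dict]) -> Dict[str, dict]:
    """Log reduction: collapse per-packet denies into one summary per source."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "dsts": set()})
    for e in events:
        if e["verdict"] != "DENY":
            continue
        s = by_src[e["src"]]
        s["count"] += 1
        s["ports"].add(e["dport"])
        s["dsts"].add(e["dst"])
    return {src: {"count": s["count"], "ports": sorted(s["ports"]),
                  "dsts": sorted(s["dsts"])} for src, s in by_src.items()}


def detect_trouble(summary: Dict[str, dict], threshold: int = SCAN_THRESHOLD) -> List[str]:
    """Active trouble detection: many distinct denied ports from one source looks like a scan."""
    return [src for src, s in summary.items() if len(s["ports"]) >= threshold]


def report(text: str, alert_channel: Optional[Callable[[str], None]] = None) -> dict:
    """Produce the operational summary and push alerts to the supplied channel."""
    events, unparsed = parse(text)
    summary = reduce_log(events)
    alerts = [f"ALERT probable port scan from {src}: "
              f"{len(summary[src]['ports'])} distinct ports denied"
              for src in detect_trouble(summary)]
    if alert_channel is not None:
        for a in alerts:
            alert_channel(a)       # e.g. an e-mail or pager hook
    return {
        "events": len(events),
        "unparsed": unparsed,
        "permits": sum(e["verdict"] == "PERMIT" for e in events),
        "denies": sum(e["verdict"] == "DENY" for e in events),
        "summary": summary,
        "alerts": alerts,
    }


if __name__ == "__main__":
    out = report(SAMPLE_LOG, alert_channel=print)
    print(f"{out['events']} events ({out['permits']} permit, {out['denies']} deny), "
          f"{out['unparsed']} unparsed")
    for src, s in out["summary"].items():
        print(f"  {src}: {s['count']} denies, ports {s['ports']}, targets {s['dsts']}")
```

Nine parsed events become two summary lines and one alert, which is the reduction a reader of this section of a summary should expect a product to describe; the unparsed count matters because a reduction step that quietly drops lines it does not understand is itself a blind spot.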
In this section the vendor describes procedures for product testing and quality assurance, demonstrates the tests and procedures applied as part of the release/test cycle for the product, and shows how they provide reliability and integrity. Topics of interest here include test methodology, outside evaluators, formal methods used, and testing tools used.
This section provides a description of the product's estimated or measured performance range. The goal is to give potential customers enough information to estimate whether the firewall will support their current workload, bearing in mind that most sites do not know what their workload looks like. Vendors therefore relate the measures they report to a typical workload, to help customers size their systems. The section addresses product-performance questions such as: What is the highest-throughput connection the product supports at its full rate? If the product performs network-level encryption, what latency does the encryption add? What performance tests have been performed, and with what results? If maximum load is estimated in simultaneous users, approximately how many are supported?
A brief description of the product's operational and environmental assumptions appears in this section. Topics of interest include reliance on extended hardware configurations, dependence on particular network topology, and requirements for specialized network or power interfaces.
This section provides a brief description of operational and management requirements to inform the potential customer of the amount of maintenance the product requires, how to manage the product, what the management interface is like, and whether the product supports separation of management roles or delegation of management.
This section offers a description of product and customer-support policies and services, including the policy and mechanisms for upgrades and patches. Information on product warranties, maintenance contracts, support on-call hours of operation, and support response-time commitments can be found here as well.
If appropriate, vendors can include here a discussion of any interoperation concerns or features. Topics of interest here include support for other network protocols; network address translation, masking, and hiding; client-side software requirements; connected-host software requirements and platforms supported; support for customization of the product; and support for any relevant standards, particularly concerning the use of encryption.