In-Depth

Safe Waters

How do you dive into the sea of networks in an efficient and secure way? We look at four firewall products—both hardware and software—that will help keep the sharks at bay.

In the past, a solution that separated “secure” and “unsecure” networks was labeled with a single term: firewall. It’s a concept that has gone through quite an evolution since its introduction. In the beginning, a packet-filtering router had the intelligence to look at each TCP/IP packet header and decide whether to pass or drop the packet. Such a solution was often called a plain packet-filtering router. For the most part, dedicated packet-filtering firewalls are no longer used. Instead, access control lists (ACLs) can be configured on layer 3 devices (routers), which then serve as packet-filtering firewalls.

Following packet-screening routers, application-level firewalls were developed. These devices examine both headers and packet payloads to determine the packet’s fate. The policy rules in such firewalls can be applied at the application level—for example, to examine HTTP requests and block the ones looking for access to specific URLs or containing “cmd.exe” within the URL. Many proxy servers—also known as SOCKS firewalls—rely on this concept.

At about the same time, the concept of keeping “session state” was developed. Stateful firewalls allow the tracking of protocols that were traditionally considered “connectionless,” such as UDP. Stateful inspection is critical to ensure the integrity of requests for communication between network nodes. If the packet is “unsolicited” (the network host never wanted to see such packets in the first place), the firewall can make an intelligent decision to block it. UDP packets don’t carry SYN, ACK or any other flags, which is why it’s crucial for the firewall to know if the host it’s protecting ever requested the UDP packet. For example, if a host wants to resolve an IP address to a name and performs a DNS query, it sends a UDP packet addressed to port 53 of its DNS server; the DNS server then replies to the request. In the absence of stateful inspection, attackers can masquerade as DNS servers and send unsolicited UDP “replies” from source port 53 to various hosts behind firewalls. In TCP sessions, stateful inspection helps firewalls keep track of TCP flags in each session.
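The DNS exchange just described, as an added example that is not code from the article or from any of the products reviewed: a minimal stateful UDP filter with a state table keyed by the four-tuple of the request, which admits only replies to requests the protected host actually sent and forgets entries after an inactivity timeout. The host and server addresses, the port numbers and the 30-second timeout are all constructed for the example.

```python
# Added example (not from the article): a minimal stateful UDP filter of
# the kind described above. Outbound requests from the protected host are
# recorded in a state table; an inbound UDP packet is admitted only if it
# answers one of those pending requests and the entry has not timed out.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROTECTED_HOST = "192.168.1.10"   # constructed address of the host behind the firewall
DNS_SERVER = "10.0.0.53"          # constructed address of its legitimate DNS server
STATE_TIMEOUT = 30.0              # seconds an entry stays in the table without traffic


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    """Tracks (local ip, local port, remote ip, remote port) for UDP the host sent."""

    def __init__(self, protected_host: str, timeout: float = STATE_TIMEOUT) -> None:
        self.protected_host = protected_host
        self.timeout = timeout
        self.table: Dict[Tuple[str, int, str, int], float] = {}  # key -> expiry time

    def _expire(self, now: float) -> None:
        # Drop entries whose timer has run out so a stale "conversation" cannot be reused.
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def process(self, pkt: Packet, now: float) -> str:
        """Return 'PASS' or 'DROP' for one packet observed at time `now` (seconds)."""
        self._expire(now)
        if pkt.proto != "udp":
            return "DROP"            # this toy filter handles UDP only
        if pkt.src == self.protected_host:
            # Outbound request: remember the 4-tuple so the matching reply can come back.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return "PASS"
        if pkt.dst == self.protected_host:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                # Reply to a request the host actually made: admit it and refresh the timer.
                self.table[key] = now + self.timeout
                return "PASS"
            return "DROP"            # unsolicited inbound UDP, e.g. a forged "DNS reply"
        return "DROP"                # traffic that does not involve the protected host


def run_dns_scenario() -> List[str]:
    """Replay the DNS exchange from the text and return the filter's verdicts."""
    fw = StatefulUdpFilter(PROTECTED_HOST)
    return [
        # 1. The host sends a DNS query from ephemeral port 40000 to port 53.
        fw.process(Packet("udp", PROTECTED_HOST, 40000, DNS_SERVER, 53), now=0.0),
        # 2. The real server answers: the 4-tuple matches a pending request.
        fw.process(Packet("udp", DNS_SERVER, 53, PROTECTED_HOST, 40000), now=0.5),
        # 3. A forged "reply" from source port 53 to a port the host never used.
        fw.process(Packet("udp", "203.0.113.7", 53, PROTECTED_HOST, 40001), now=0.6),
        # 4. A forged reply that copies the server's address but the wrong local port.
        fw.process(Packet("udp", DNS_SERVER, 53, PROTECTED_HOST, 40002), now=0.7),
        # 5. Long after the timeout, even a reply to the genuine query is refused.
        fw.process(Packet("udp", DNS_SERVER, 53, PROTECTED_HOST, 40000), now=100.0),
    ]


if __name__ == "__main__":
    print(run_dns_scenario())   # ['PASS', 'PASS', 'DROP', 'DROP', 'DROP']
```

The important design point is that the table is written only by outbound traffic from the protected side; inbound packets can consult it but never create entries, which is what makes the “unsolicited reply” from a spoofed source port 53 fail the lookup. A real firewall keys TCP state the same way but additionally follows the SYN/ACK/FIN flag sequence.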

As network applications grew in complexity, firewalls had to become more intelligent and begin making decisions related to specific traffic patterns. For example, remote procedure call (RPC) technology or applications such as Network File System (NFS) would be difficult (or impossible) to securely configure via a firewall, as the traffic rules are too complex for a basic, stateful-inspection firewall to examine. Thus, a new generation of firewalls was created to provide support for widely utilized standards such as RPC and H.323 or included interfaces, allowing users to program dynamic packet-filtering rules. The firewalls can examine control and handshake sessions of some applications, understand which virtual circuits applications require and dynamically configure necessary rules.

Many vendors started combining firewall features with other network applications or services. Indeed, security threats grew in number and complexity, and each security problem seemed to require a separate security solution. For example, controlling users’ Web browsing behavior needed software such as that offered by companies like Websense. The desire to speed up the loading of Web pages required a dedicated server for proxy and caching. The addition of new network security devices made network architectures more complex, creating single points of failure—that is, until designers of security products created feature-packed appliances.

Product Information

Microsoft Internet Security and Acceleration Server 2000, Standard Edition
$1,499 per processor
Microsoft Corp.
425-882-8080
www.microsoft.com/isaserver/

ServGate EdgeForce
$895 for the ServGate EdgeForce with Firewall and VPN, with unlimited users
ServGate
408-635-8400
www.servgate.com

SonicWALL SOHO3
$895 for SOHO3-50 users with VPN
SonicWALL
408-745-9600
www.sonicwall.com/products/soho3.html

Symantec Firewall/VPN Appliance (Model 200R)
$1,199
Symantec
408-517-8000
http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=63

An example of this “all-in-one” type of appliance is the firewall/virtual private network (VPN) appliance combination, which has grown in popularity. Now, secure connections can be established with either remote clients or other networks (perpetual connectivity with a parent corporate network or business partners). One thing to note: By introducing the VPN component to a firewall solution, many administrators find that their software solutions slow down, although appliances relying on hardware acceleration (hardware chips performing the encryption function) are less affected.

The performance degradation occurs in software solutions because the more work the product performs, the slower the platform becomes. For example, if you’re simply running a firewall, the product will only be concerned with the TCP header. If you add to this a VPN, proxy server and layer 7 (application) packet inspection, the product will need to perform encryption, decryption, HTTP filtering/blocking and caching as well as deeper packet inspection.

The tradeoff for having many features in one solution is that complexity eventually reduces security. If a vulnerability is discovered in any one of the components supporting your security solution, the strength of the entire solution may be diminished and you may lose all layers of protection simultaneously.

On the other hand, if the firewall, proxy server and VPN solution are kept separate, a failure in one allows the others to continue functioning, thus maintaining some of the layers in your security architecture.

Security decisions should be made with consideration to both performance and risk of failure. This approach can also help you assess the importance of every component in your network’s firewall solution.

Implementing a Firewall/VPN Solution
The days of dial-up are dwindling. Today’s dynamic, “always-on-the-road” user requires access to the LAN from anywhere in the world. With broadband and LAN access widely available in homes, hotels and even airplanes, the ability to reach a remote network via IP becomes a must. While performance may be an issue, a good candidate to fulfill this need is a firewall/VPN appliance, which relies on IPSec standards.

Several IPSec standards allow different ways of implementing a VPN solution. For example, the security associations within VPNs can be set up either manually or using IKE with either certificates or preshared secrets (such as passwords). These standards are described in RFCs 2401 through 2409. IPSec inside of Layer Two Tunneling Protocol (L2TP) is popular for client-server remote-access solutions (RFC 3193), and many vendors have successfully integrated these standards into their products for easy interoperability.

VPNs have also been effectively implemented with wireless networks. Due to the security weaknesses of the WEP algorithm in the 802.11b Wi-Fi standard, many organizations use VPNs with their wireless networks to ensure the confidentiality of transmitted information. The products reviewed in this article can be used to secure the networks with 802.11b wireless access points by forcing all wireless traffic to use IPSec.

Other features that administrators of small networks (as well as large enterprises, but in combination with other units) may be looking for in firewall/VPN appliances are secure Web browsing, the ability to set up an internal and/or external Web server, virus scanning and URL blocking.

Keeping up Your Defenses
It’s important to keep track of vulnerabilities that may be discovered in your security mechanisms. Some hardware solutions use Intel architecture, closely resembling a PC sealed in a box. Sometimes, the software these firewalls rely upon (such as Windows servers or Linux) becomes vulnerable, jeopardizing the security of the whole network. Network administrators who work with firewalls should keep up on the latest news to respond to any vulnerabilities discovered in the software packages powering their security gateways. Also, hard drives or other system components may fail in these types of firewalls, as sometimes happens in simple PC architectures. Features such as Web proxy and caching rely upon system resources, such as hard drives, to accomplish their tasks.

Another important note relates to firewall access, password configuration and administration features. Detailed firewall manuals and guides are available online, offering fairly easy access to default firewall passwords and features. This highlights the importance of always changing default passwords and configuring your units for secure administration, for example, limiting which IP addresses can manage the firewall.

As the demand for external access from internal networks increases and plain-old DMZs become too cumbersome or overloaded, organizations are forced to look for more granular, flexible security solutions and create layers of security with special-purpose devices. A plain-packet filtering firewall is still an effective protection from general network attacks, but each network node becomes subject to its own security requirements. You can meet the special security needs of individual workstations and servers by using a special-purpose device (a dedicated proxy) or by extending protection from the network perimeter to the host itself, via a personal firewall.

Personal Firewalls
Personal firewalls are another crucial component of end-to-end defense (see “Protecting the Desktop”). Regardless of how many protection layers exist around the perimeter of your network, there’s still the chance of an internal security problem. Therefore, as networks grow in size, all network nodes may need a basic level of protection.

Consider the outbreak of the “SQL Slammer” (Sapphire) virus this year. One of the most challenging obstacles administrators faced was the fact that more than 20 widely deployed desktop applications use Microsoft SQL Server Desktop Engine (MSDE) 2000. Therefore, packets addressed to UDP port 1434 propagated the worm faster than anyone could count the applications that ended up vulnerable to that virus. With a personal desktop firewall, such ODBC features of applications could have been blocked (for the most part), as these features aren’t widely used by the applications themselves (and give users the ability to decide on their own if such traffic should be allowed).

Many other products protect specialized network servers. For example, Microsoft’s URLscan tool for IIS 4.0-5.0 examines and blocks unwanted HTTP requests directly on the IIS server.

In general, each layer of security on the network should be designed to accommodate a separate class of hosts protected by that layer, but shouldn’t disrupt the whole network.

Protecting the Desktop

Although ZoneAlarm isn't a network tool, it still warrants consideration as additional defense for your enterprise. Unlike network security appliances, ZoneAlarm is designed to protect individual PCs—not entire network segments. ZoneAlarm's basic version is free; for $40 to $50, Zone Labs offers Plus and Professional versions. Zone Labs' enterprise solution allows personal firewalls to be deployed across all user workstations and managed centrally. ZoneAlarm supports Windows 98/Me/NT/2000/XP and is able to:

  • Inspect all incoming and outgoing network traffic (stateful inspection).
  • Monitor all outbound traffic with a "program control" feature to prevent rogue applications from establishing network sessions. This feature allows users to examine system components attempting to communicate on the network (see the figure).
  • Operate in stealth mode, suppressing automatic RST and ICMP responses, thus making the workstation invisible to scans.
  • Integrate with Microsoft services (such as NetBIOS).
  • Support zones to allow the firewall to differentiate between the Internet (untrusted) and local (or VPN) traffic.
  • Time-out all sessions with untrusted networks after a period of inactivity.
  • Support wireless interfaces.
  • Block ads, cookies and mobile code.

[Figure: ZoneAlarm keeps a record of every system component that tries to communicate on the network.]

ZoneAlarm installs with preconfigured security settings, giving less skilled users immediate protection from Internet threats. These default settings can be changed if greater security is required. The basic default settings are:

  • Firewall-Internet Zone—(High) Traffic to and from the Internet zone is blocked unless initiated by a program residing on your computer that's been granted permission to communicate with the Internet zone.
  • Firewall-Trusted Zone—(Medium) This setting enables file and print sharing on your home or local network.
  • Program Control Authentication—(Medium) Programs must ask for permission and be authenticated before initiating communication with the Internet.
  • Alerts and Logs—(On) All alerts are shown and logged.
  • E-mail Protection—(On) Quarantines e-mail attachments bearing .vbs extension.

ZoneAlarm Plus, $39.95; Pro, $49.95; ZoneLabs, 415-341-8200; www.zonelabs.com

—Matthew Knehans and Greg Saoutine

Building a Wall
When it comes to protecting your network from the dangers of the “network ocean,” the choices abound. The advantages of a hardware solution include the ease of installation and configuration. Typically, the units are shipped pre-configured, which allows network administrators to get them up and running within minutes. However, if the requirements change (for example, a DMZ is desired), you’re stuck with the same hardware. There’s only so much reconfiguration you can do.

Software solutions tend to be more tedious and time-consuming to implement, as they require the installation of an operating system, various firewalls and other applications, as well as general tuning and configuration. It’s critical for the firewall designer to harden the operating system, leaving only those services and components necessary to support the firewall software (such as ISA Server). On the positive side, you can substitute hardware used in a standard server platform when you use a software-based firewall.

We tested the effectiveness of four firewalls, three hardware and one software, each with unique capabilities.

ServGate EdgeForce
Figure 1. EdgeForce's cache can store up to 4GB of Web content locally and deliver it to users at LAN speeds.
ServGate’s EdgeForce is based upon a combination of open-source technologies (including Linux and Apache) and the integration of several vendor solutions, such as NetIQ’s WebTrends for URL filtering and Network Associates’ McAfee for virus scanning.

One of EdgeForce’s attractive features is Web caching, which allows users to increase network performance and contributes to an organization’s security. With limited bandwidth, EdgeForce’s cache can store up to 4GB of Web content locally and deliver it to users at LAN speeds. EdgeForce also can check the URL in each user’s request. Local storage components (hard drives) allow the appliance to store the Web content. The only other product with Web-caching functionality is Microsoft’s ISA Server.

In addition, outbound user requests for most applications—such as WWW, FTP and telnet—can be authenticated. Users are presented with a pop-up box requesting a user ID and password. EdgeForce can integrate with RADIUS and LDAP technologies to support the user-management process.

EdgeForce has three network interfaces, which allow the creation of a DMZ to secure access to the shared resources available to external (public) and internal networks. Another important feature is the ability to work in transparent mode. In this mode, the firewall acts as a bridge, operating at layer 2 (the data-link layer), and is virtually invisible to everyone on the network. Whether to build your security solution in this invisible, or stealth, mode depends on which functions you want it to perform: in bridge mode, the unit can’t do much more than filter traffic. On the other hand, transparent mode lets you introduce a firewall to your network without changing any host or network IP addresses, which is useful for filtering traffic on internal network segments. It’s important to note that DMZ and QoS features aren’t available in transparent mode.

For additional flexibility, EdgeForce allows scheduling for specific firewall policy rules. This allows administrators to enable or disable individual rules dynamically, based upon the time of the day or day of the week. However, it’s critical to ensure that the firewall’s clock is accurate. You may have to use Network Time Protocol (NTP), supported by EdgeForce, to ensure accuracy.

SonicWALL SOHO3
SonicWALL’s line of products has been reviewed in print many times and won several awards. SOHO3 is one of the more basic, inexpensive SonicWALL solutions, but still boasts a number of unique features. The design is based upon proprietary hardware and software architectures and includes a VPN-accelerator chip.

Figure 2. SonicWALL SOHO3.
SOHO3 has two network interfaces and is a great solution for protecting small networks’ outbound user traffic, while providing a number of valuable security services to the internal network. Even though both SOHO3 and Symantec’s 200R allow administrators to configure restricted inbound access from the Internet directly into the internal network, remember that publicly accessible resources should reside in a DMZ. SonicWALL’s PRO 100 unit provides capabilities for a secure DMZ configuration.

Inspecting URLs in users’ Web browsing requests is a powerful feature to control browsing behavior. The URL-filtering feature relies on the built-in Websense software, which automatically classifies each Web site and updates its URL databases daily.

Administrators of small networks will find SOHO3 to be a great, low-cost solution. The unit is capable of enforcing many network security policies while providing client-to-server and LAN-to-LAN VPN connectivity for remote users and partner networks. Similar to EdgeForce, SOHO3 can scan network traffic for known viruses using Network Associates’ McAfee software. Taking virus control a step further, the SOHO3 can serve as a distribution point for virus signature files and can be configured to refuse an Internet connection to clients unless their antivirus software is up to date.

SonicWALL’s unit (similar to EdgeForce) uses licensing for several of the enhanced features. To enable these features (URL-blocking, antivirus-scanning or other licensed software), users must contact SonicWALL to purchase the license and upload the corresponding license keys.

Other features of SOHO3 are similar to other products. The unit supports transparent bridge configuration, managed bandwidth and DHCP server functions. SOHO3 can be managed via a Web interface with SSL, a serial console or a dial-up modem attached to a serial port. SonicWALL provides ViewPoint Reporting Software for the centralized monitoring and reporting of a large number of firewalls.

Symantec Firewall/VPN Appliance (Model 200R)
Symantec Firewall/VPN (Model 200R) includes a number of unique features, along with a powerful VPN solution and other conventional filtering capabilities. It’s based upon proprietary hardware and software architectures with a hardware VPN accelerator chip; attractive features include bandwidth aggregation and load-balancing of network traffic between two broadband connections.

Figure 3. Symantec's 200R provides the ability to apply rules dynamically, allowing administrators to define custom policies.

The device contains two WAN ports for independent connections. When both lines are up, the firewall aggregates network traffic, providing nearly double the bandwidth for internal users. However, should one of the lines fail, the 200R will gracefully redirect all traffic to the working line. The firewall can even re-register its domain name for a new IP address for the remaining line in environments where dynamic DNS registration is supported. This feature is ideal for ensuring that remote VPN clients can always access the home network (if their VPN software is set up to search for the VPN gateway by its DNS name). The 200R comes with unlimited VPN client licenses.

If the device detects a connectivity failure on its single WAN port, it can automatically dial out to the ISP via a modem. This offers additional protection against short-term problems with broadband providers.

The firewall also supports protocols that aren’t firewall-friendly by allowing rules to be applied dynamically. Some multimedia and collaboration applications don’t work well with most firewalls. The 200R’s capability to apply rules dynamically allows administrators to define custom policies that can handle replies on a port other than the one used by the original request.
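Dynamic rule application of the kind described here and in the earlier discussion of firewalls that examine control and handshake sessions, as an added example that is not code from the article or from Symantec, ServGate or any other vendor: a toy “application helper” that watches an FTP control channel, parses the server’s passive-mode reply, and opens a short-lived, one-shot pinhole for the data connection that follows on a different port. The IP addresses, the 10-second pinhole lifetime and the reply lines fed to it are constructed for the example; the `227` reply format itself is the standard FTP one.

```python
# Added example (not from the article or from any of the vendors reviewed):
# a toy "application helper" showing how a firewall can program a rule
# dynamically by inspecting an application's control channel. The server's
# FTP PASV reply is parsed and a short-lived, one-shot pinhole is opened for
# the data connection that will arrive on a different port.
import re
from typing import Dict, List, Optional, Tuple

FTP_CONTROL_PORT = 21
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None                      # malformed octet or port byte
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


class DynamicRuleFirewall:
    """Static allow for the control channel; data channels only via pinholes."""

    def __init__(self, pinhole_ttl: float = 10.0) -> None:
        self.pinhole_ttl = pinhole_ttl
        # (client_ip, server_ip, server_port) -> time the pinhole expires
        self.pinholes: Dict[Tuple[str, str, int], float] = {}

    def inspect_control(self, client_ip: str, server_ip: str, server_line: str, now: float) -> bool:
        """Feed one server->client control-channel line; returns True if a pinhole was opened."""
        target = parse_pasv(server_line)
        if target is None:
            return False
        ip, port = target
        # Guard: only honour a PASV reply that points back at the server we are
        # talking to, so a bogus reply cannot open a hole toward a third host.
        if ip != server_ip or port == FTP_CONTROL_PORT:
            return False
        self.pinholes[(client_ip, server_ip, port)] = now + self.pinhole_ttl
        return True

    def allow_connection(self, src_ip: str, dst_ip: str, dst_port: int, now: float) -> bool:
        """Decide whether a new outbound TCP connection from the client may pass."""
        if dst_port == FTP_CONTROL_PORT:
            return True                  # the control channel is statically allowed
        key = (src_ip, dst_ip, dst_port)
        expiry = self.pinholes.pop(key, None)   # one-shot: consumed on first use
        return expiry is not None and now < expiry


def run_ftp_scenario() -> List[bool]:
    """Replay a passive-mode transfer and return the firewall's decisions."""
    fw = DynamicRuleFirewall()
    client, server = "192.168.1.10", "198.51.100.20"   # constructed addresses
    decisions = [
        fw.allow_connection(client, server, 21, now=0.0),      # control channel: allowed
        fw.allow_connection(client, server, 50000, now=0.1),   # no pinhole yet: refused
    ]
    # Server announces its data port: 195*256 + 80 = 50000.
    fw.inspect_control(client, server, "227 Entering Passive Mode (198,51,100,20,195,80)", now=1.0)
    decisions.append(fw.allow_connection(client, server, 50000, now=1.5))   # pinhole used
    decisions.append(fw.allow_connection(client, server, 50000, now=1.6))   # already consumed
    # A reply pointing at some other host must not open anything.
    fw.inspect_control(client, server, "227 Entering Passive Mode (203,0,113,9,195,80)", now=2.0)
    decisions.append(fw.allow_connection(client, "203.0.113.9", 50000, now=2.1))
    # A pinhole that is never used simply expires.
    fw.inspect_control(client, server, "227 Entering Passive Mode (198,51,100,20,195,81)", now=3.0)
    decisions.append(fw.allow_connection(client, server, 50001, now=20.0))
    return decisions


if __name__ == "__main__":
    print(run_ftp_scenario())   # [True, False, True, False, False, False]
```

Two checks carry the security weight here: the helper refuses a reply whose address differs from the server it is actually talking to, and the pinhole is both time-limited and consumed by its first use. Without them, inspecting the control channel would turn into a way for any peer to ask the firewall to open arbitrary ports.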

Similar to EdgeForce and SOHO3, Symantec’s 200R is capable of generating its own certificates for VPN configuration.

The unit supports passing multiple VPN sessions through the firewall while in NAT mode. Because IPSec traffic is carried at the IP layer, which has no port numbers, it’s quite difficult to multiplex several such connections through a single address. With the 200R, multiple users on the internal network can establish VPN sessions with hosts on remote networks using one broadband connection and one IP address. Not all firewalls support this functionality.

Microsoft ISA Server 2000, Standard Edition
Microsoft Internet Security and Acceleration Server 2000 is built on the Windows 2000 Server platform and incorporates several other Microsoft technologies, such as Routing and Remote Access and Proxy Server (similar to Microsoft Proxy 2.0, but with enhanced features and performance). ISA Server comes in two main editions: Standard and Enterprise. The Standard Edition is the only enterprise-level software solution reviewed in this article and requires a standalone Windows 2000 Server. The advantage of a software solution is the freedom to control the number of network cards, hard disk space and other system components.

Figure 4. The ISA Server console allows users to define protocols to configure complex packet-filtering rules.

ISA Server provides stateful, multilayer traffic filtering at the circuit, packet and application levels. Circuit-layer filtering inspects the entire session—not just the connections and packets. Microsoft supplies several smart application filters to analyze and control application-specific traffic. (An application filter ensures analysis, blocking, modification and redirection of application-specific data passing through the firewall.) The ISA Server firewall includes filters for HTTP, FTP, SMTP e-mail, DNS, H.323 conferencing, streaming media and RPC. The streaming media filter supports industry-standard media protocols, including Windows Media Technologies, RealAudio/RealVideo (PNM) and RTSP (used by RealNetworks and Apple QuickTime). This solution also offers the ability to split live Windows Media streams for sharing between internal clients requesting the same stream, thus saving bandwidth.

Similar to other products, ISA Server provides limited intrusion detection based upon technology licensed from Internet Security Systems. The primary types of intrusions it can detect include WinNuke, land attack, UDP bomb, IP half scan, port scan and ping of death. Unlike other solutions, however, triggers can be set up within ISA Server to perform certain tasks like running scripts and programs, stopping the firewall service, sending e-mail alerts, and writing to the system log when intrusions are detected.
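Detection of the “port scan” variety listed above, as an added example that is not ISA Server’s, ISS’s or any vendor’s code: a basic sliding-window port-scan detector run over a few constructed firewall log lines (the line format is invented for the example), which raises one alert per source/target pair and renders it as the message a notification trigger would send. The window of 10 seconds and threshold of five distinct ports are assumptions chosen for the sample.

```python
# Added example (not ISA Server's or any vendor's code): a "basic IDS" style
# port-scan detector of the kind the text mentions, run over constructed
# firewall log lines in a format chosen for this example. A source that
# probes THRESHOLD or more distinct ports on one host within WINDOW seconds
# raises one alert, which a trigger (e-mail, script, event log) could act on.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DROP (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WINDOW = 10       # seconds
THRESHOLD = 5     # distinct destination ports

# Constructed sample log: one source sweeps six ports on a host within five
# seconds; another source retries a mail port and much later tries one more.
SAMPLE_LOG = """\
1000 DROP TCP 203.0.113.5:40001 -> 192.168.1.10:21
1001 DROP TCP 203.0.113.5:40002 -> 192.168.1.10:22
1001 DROP TCP 198.51.100.8:51000 -> 192.168.1.10:25
1002 DROP TCP 203.0.113.5:40003 -> 192.168.1.10:23
1003 DROP TCP 203.0.113.5:40004 -> 192.168.1.10:80
1003 DROP TCP 198.51.100.8:51001 -> 192.168.1.10:25
1004 ACCEPT TCP 192.168.1.20:50000 -> 192.168.1.10:80
1004 DROP TCP 203.0.113.5:40005 -> 192.168.1.10:443
1005 DROP TCP 203.0.113.5:40006 -> 192.168.1.10:3389
1060 DROP TCP 198.51.100.8:51002 -> 192.168.1.10:110
"""

Event = Tuple[int, str, str, int]          # (timestamp, src, dst, dport)
Alert = Tuple[str, str, int, int]          # (src, dst, timestamp, distinct ports)


def parse_line(line: str) -> Optional[Event]:
    """Parse one dropped-packet line; lines in any other shape are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_port_scans(log: str, window: int = WINDOW, threshold: int = THRESHOLD) -> List[Alert]:
    """Return one alert for each (src, dst) pair whose distinct-port count crosses the threshold."""
    recent: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)  # pair -> [(ts, dport)]
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, dport = ev
        key = (src, dst)
        # Slide the window: forget probes older than `window` seconds.
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window]
        recent[key].append((ts, dport))
        distinct = {p for _, p in recent[key]}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)          # one alert per pair, not one per extra probe
            alerts.append((src, dst, ts, len(distinct)))
    return alerts


def format_alert(alert: Alert) -> str:
    """Render an alert as the message a notification trigger would send."""
    src, dst, ts, n = alert
    return f"[{ts}] possible port scan: {src} probed {n} ports on {dst} within {WINDOW}s"


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(format_alert(a))
```

The retrying mail client never trips the detector because repeated probes of one port count once, and its later probe falls outside the window; tuning the window and threshold is what keeps a detector like this from paging on every chatty but legitimate host.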

Interestingly, ISA Server still supports SOCKS filtering (the SOCKS 4.3a standard), transparently routing client traffic from SOCKS-compatible applications through the firewall SOCKS proxy service. This is a unique feature compared to other products.

The solution supports caching and acceleration of proxy-enabled traffic. ISA Server also allows organizations to build client-to-server and LAN-to-LAN VPNs using the L2TP protocol. However, the server is known not to interoperate with other VPN gateways (in other words, those powered by hardware solutions such as the ones described in this article). Also, the product can be implemented in firewall, caching or integrated mode; both VPN and caching features are available in integrated mode only. ISA Server is a great solution for predominantly Windows-based LANs and WANs.

Table 1. Comparison of firewall products.

| Feature | ServGate EdgeForce | SonicWALL SOHO3 | Symantec Firewall/VPN Model 200R | Microsoft ISA Server Standard Edition |
|---|---|---|---|---|
| Stateful inspection | Yes | Yes | Yes | Yes |
| DMZ interface | Yes | No | No | Yes |
| No. of interfaces | 3 | 2 | 2 WAN, 8 LAN | Installed by user |
| Bridging mode ("transparent mode") | Yes | Yes | No | No |
| Web proxy and caching | Yes, up to 4 GB of caching space | No | No | Yes |
| URL filtering | Yes | Yes | No | Yes (supports third-party tools via ASAPI) |
| Virus scanning | Yes (Network Associates) | Yes (Network Associates) | No | No |
| User authentication (RADIUS/LDAP) | Yes (for VPN, unit administration and access to external network) | Yes (for VPN and unit administration) | No | Yes (for VPN, unit administration and access to external network) |
| Bandwidth management | Yes | Yes | No | Yes |
| Management | Web (SSL), SSH, serial console | Web (SSL), serial console, dial-up modem | Web, serial console | Locally or remotely via MMC |
| VPN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN | Client-to-server, LAN-to-LAN |
| Basic IDS | Yes | Yes | Yes | Yes |
| Scheduling of rules | Yes | No | No | Yes |
| Built-in DHCP server | Yes | Yes | Yes | Yes (Windows 2000 Server) |
| Load balancing | No | No | Yes | No |
| Redundancy (high availability) | Yes (with another unit) | Yes (with another unit) | Yes (multiple lines within the same unit) | No (requires Enterprise Edition) |
| Real-time alarms | Yes (SNMP v3, syslog, e-mail) | Yes (SNMP v1, v2, syslog, e-mail) | Yes (SNMP v1, syslog, e-mail) | Yes (console, Win2K event log, e-mail) |
| Software upgrades | Yes (from Web interface) | Yes (from Web interface or directly from vendor) | Yes (via TFTP) | Yes (vendor patches) |

Safe Swimming
Clearly, all modern firewall appliances are feature-packed. Most capabilities are similar, yet the units aren’t quite the same. The choice of a product should always depend on clearly defined network requirements, as well as a feasibility study to evaluate all needs and limitations. Each product reviewed has different features and is therefore better suited for a certain type of environment, implementation and architecture. In general, products that support layer 2 bridging protocols and layer 7 packet inspection are well-suited for DMZ-based architectures requiring inbound access from the Internet. Products supporting VPN, proxy services and intrusion detection can provide greater perimeter security. Ideally, the product chosen will represent the primary needs required by the security architecture, networking environment and operational needs of the business while remaining within budget.

Note that some products (such as the one from Symantec) are specifically designed to protect the network perimeter and act as a gateway between an ISP and the network. To add to the challenge of making a decision, vendors typically have a line of firewall solutions widely ranging in features, performance, reliability and cost. All vendors (except Microsoft) offer a wide range of security appliances.

So gear up with your best defenses and dive into the network ocean. The waters can be safer than you think. But bear in mind that even a shark cage won’t provide complete safety.
