Device and Specialty Firewalls
Overview
There are two kinds of firewalls: software-based and hardware-based. The previous chapters have examined firewalls that run as applications on conventional operating systems such as Windows NT or versions of Unix. This chapter describes those firewalls that provide their own underlying operating system. With these firewalls you just turn them on, or (at most) insert a floppy disk and turn them on. Also in this chapter, we talk about a couple of firewalls that run on unusual platforms (for firewalls) such as AS/400 or NetWare.
The nicest thing about a device-based firewall is that you only worry about keeping one piece of software current: that of the firewall itself, usually in the form of a firmware update. You don't have to download operating system patches, new kernels, service packs, or security updates. This makes keeping the firewall current considerably easier. It also gives you one vendor to point your finger at when a weakness is found.
Device-based firewalls are also often much easier to set up and get running than software-based firewalls. They arrive with the software already installed in the device, and all you have to do is give it valid IP addresses to use. Policy configuration is usually just a matter of installing and using a Windows application or web interface to manage the machine.
This chapter also covers those firewalls that run on standard computers (all PCs, actually) but do not use a standard Unix distribution or Windows NT as their host operating system. Despite the hype, Windows NT and Unix are not the only operating systems in existence. Firewalls for other operating systems abound and are, in many cases, more secure.
Because these firewalls are based on unusual operating systems, hackers have not yet created a trove of attacks against them, such as exploiting buffer overruns in the Unix sendmail daemon or exploiting bugs in Internet Information Server on Windows NT platforms. Many of these operating systems were developed by their vendors solely to support a specific firewall product, so they are completely proprietary. This lends a measure of "security through obscurity," and keeps the hordes of typical hackers (those who merely read and repeat known attacks rather than developing new ones) at bay. As the Elron section later in this chapter points out, though, obscurity is a bonus rather than something to rely on.
Obscurity has its price, however. Almost all firewalls of this type require their own adapter drivers and work only with specific adapter models. Patches for these firewalls are rare, so if an exploit for one of them is developed, it usually takes until the next revision of the software before it's fixed. Some of these firewalls operate on platforms with arcane user interfaces that you may not be familiar with.
These firewalls also suffer from an incomplete feature set. They are based either on generic SOCKS proxies or on stateful inspection, and usually provide no support for the other approach. They also lag a generation behind the firewalls developed for Unix and NT, because software is much harder to develop for smaller-market operating systems.
NetWare is well entrenched in the server market, and thousands of "red" (Novell-only) networks exist. Managers in these environments rightly balk at the requirement to become an expert in a foreign operating system for the sole purpose of establishing a firewall. For these environments, Novell markets a very strong firewall that runs on NetWare, BorderManager.
The mainframes of yesteryear have been converted to the application servers of today. VAX and AS/400 machines running VMS and OS/400 now serve as web servers, e-mail hosts, and e-commerce engines. They also require protection, so there are firewalls available for them.
I've rolled these smaller-market operating systems together into a chapter because of the limited fields they represent. In many cases, the firewalls I profile here are the only serious firewalls available for the platform shown.
Keep in mind that your choice of application or file server doesn't constrain your choice of firewall: you can use an NT firewall in a Novell network and a Unix firewall to protect an AS/400. Because of the high cost of small-market software, it's usually more economical to use a larger-market platform for generic services like firewalling. To run an OS/400 firewall on the AS/400 will cost you tens of thousands of dollars, compared to the few thousand for a robust PC. These costs should be balanced against the cost of training administrators on an unfamiliar operating system and the security risk of operating a firewall in an environment that may not be completely familiar.
SonicWALL
If you want the no-holds-barred, easiest-to-use firewall you can buy, get a SonicWALL. You just drop it in, point a web browser at it to configure it, and then use it. There's not a whole lot to configure, just the interface addresses and what ports you want to let in and out. If you want a VPN, you set up the shared-secret IKE keys and the hosts to allow, and then, again, you just use it.
Pros:
• No hardware or software required
• Strong stateful inspection
Cons:
• No true Application-level proxying
The SonicWALL is easy to manage remotely and unlikely to suffer from failures that can't be corrected remotely. We routinely update the firmware on these devices remotely and have never run into any significant problems.
Major Feature Set
The SonicWALL Firewall provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• Firewall high availability
• Logging including syslog and e-mail notification
The most obvious feature missing from the SonicWALL's major feature set is proxy services. If you need to strip viruses from mail attachments, you'll have to install a separate proxy server to do it.
The DMZ support includes a nice feature: the DMZ hosts can be configured to be in the same (public) IP subnet that the firewall itself resides in. The SonicWALL must of course be installed between the DMZ Ethernet and the public Internet connection, but that way it can transparently redirect and filter traffic between the DMZ and the Internet. With a SonicWALL, you do not set the IP address of the DMZ interface, because it is set to be the same as the public interface, even though it is a physically separate connection.
Minor Feature Set
The SonicWALL Firewall supports the following minor features:
• Scan detection, spoofing detection, and automatic blocking
• Limited HTTP content filtering
• DHCP
• Graphical administration
• Remote administration
• SYN-flood protection
• Anti-spoofing control
• High performance
The nicest thing about the SonicWALL is its web interface. You don't have to install any special software to configure it, and you can manage it from any machine in your LAN that has a Java-capable web browser, including Unix or the Macintosh (which is an important feature for those few institutional holdouts that haven't caved to the Microsoft monopoly). Most other device-based firewalls require you to install Windows-specific software to control them. You can even manage the SonicWALL from outside your network if you have configured the VPN properly and enabled the feature.
Installation, Interface, and Documentation
The SonicWALL is pretty much plug-and-play, with minimal web configuration. Chapter 11, "Configuring a Real Firewall," covers SonicWALL in detail because it is the "real firewall" used in that chapter. In summary, the installation is easy, the interface is simple, and the documentation is straightforward, if a little shallow. Figure 19.1 shows the SonicWALL web configuration interface.
Figure 19.1: SonicWALL's web interface is the easiest to use that we've seen.
Cost and Support
SonicWALL is neither cheap nor expensive, but when you add up the hardware and software costs for anything but a free-software firewall (see Chapter 16), the SonicWALL is very competitive in price. And if you instead add up the time and effort needed to configure a free-software firewall, you'll most likely find that SonicWALL is still comparatively cheap. SonicWALL's technical support is a little anemic, but there's not much to go wrong with the device anyway.
The devices range in price from about $400 for the SOHO small 10-user devices to around $3000 for the PRO VX (which is the most useful and should be considered the baseline device for protecting a real network), all the way up to $27,000 for the top-of-the-line SonicWALL GX-650. One thing to keep in mind at the time of this writing: the client VPN licenses for SonicWALL cost around $70 each, and the VPN upgrade for the SOHO and XPRS firewalls (to enable VPN connectivity) is also around $500. The PRO devices and up all come with VPN enabled.
One nice thing about SonicWALL that distinguishes it from the WatchGuard Firebox (see the later section in this chapter) is that the SonicWALL firewalls are essentially the same in configuration and use from the bottom of the line (the SOHO units) all the way up to the top-of-the-line GX-650. They merely add a few features and use faster hardware as you go up the product line. The interface is the same from box to box. The smallest WatchGuard (the Firebox SOHO) is really a completely different device from the excellent Firebox 1000 and is configured and interfaced to separately (via the Web instead of by a Windows client application).
WatchGuard Firebox 1000
If you want a full-featured proxying firewall that doesn't take a rocket scientist to set up, the WatchGuard Firebox may be just what you're looking for. This product vies with the SonicWALL in price, capabilities, and ease of use, and just by looking at the two firewalls it's obvious that they're fighting over the same market segment. Of the two, the SonicWALL is easier to configure (requiring only a web browser on a client inside the network), while the WatchGuard includes support for proxying and content filtering that the SonicWALL does not.
Pros:
• No hardware or software required
• Strong Application-layer inspection
• Strongest device-based firewall
• Highly reliable
Cons:
• Can only be managed from Windows clients
We had to scrape to come up with a negative for the above table; this device functions very much as a theoretically perfect firewall would. It contains no significant failure components, so it's reliable, yet it performs strong Application-layer filtering and is easy to administer. The interface isn't quite as easy as the SonicWALL devices', but it allows you to perform real-time monitoring that the SonicWALL can't. And when you consider that these devices cost about the same, they're the firewall of choice for higher-security environments with more experienced staff.
Major Feature Set
The Firebox 1000 provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Proxies (DCE-RPC, FTP, H.323, HTTP, RealNetworks, RTSP, SMTP, StreamWorks, VDOLive)
• Secure authentication (proprietary, Windows NT, RADIUS, SecurID, and CRYPTOCard)
• VPN (proprietary, DES, 3DES, IPSec/IKE, PPTP)
• VPN client software (Windows 98/NT/2000/XP, Unix, Linux)
• Bandwidth control and quality of service
• Logging and e-mail notification
The most impressive aspect of the Firebox 1000 is its built-in proxy support, a feature not found in other device-based firewalls (i.e., firewalls that don't expose you to the underlying operating system). Its VPN support, network address translation, packet filtering, and DMZ support are all first-rate, but the same could be said of most other firewalls of its class. VPN support, which just a couple of years ago was a novelty in a device-based firewall, is now the order of the day; certainly in the future everybody's "drop-in firewall" will have built-in proxying, but if you want it now and you want it easy to use, the Firebox 1000 is pretty much it.
Minor Feature Set
This firewall supports the following minor features:
• Network-transparent drop-in configuration
• Content filtering (Java, virus scanning, URL blocking)
• Scan detection, spoofing detection, and automatic blocking
• DHCP
• Graphical administration
• Remote administration
• Centralized administration
• SYN-flood protection
• Anti-spoofing control
• Real-time monitoring and reporting
• Policy-based configuration and management
• High performance
Proxying is only half of securing ports for Application-layer protocols like HTTP, SMTP, and FTP. Proxying is important because it makes sure that the ports are being used for the protocols they were meant for, but it does not protect interior computers from malicious content (such as devious ActiveX controls and viruses) sent via those protocols. Content filtering is the other half of securing the ports, and the Firebox does that as well.
The Firebox is also good at incident detection, telling you when you're under attack (and what kind of attack you're facing). The real-time graphical monitor is nice to watch; you can see traffic-pattern changes as they happen. The lights on the front of the box are also helpful and intuitive: it is obvious at a glance how much traffic is flowing between the DMZ and the Internet, between the protected LAN and the Internet, or between the DMZ and the protected LAN.
A nice feature of the WatchGuard 1000 firewall is that if you already have a publicly routed subnet that you want to protect, you can place the firewall in "drop-in" mode, where it is given an IP address on that subnet (rather than being set up as a router for that subnet) and transparently intercepts the traffic between that subnet and the Internet. You have to place it, connection-wise, between the subnet and the router, but you don't have to reconfigure the clients or the router to protect your LAN.
Installation
After installing a number of command-line-based free firewalls (see Chapter 16) and firewalls that run on top of Unix or Windows (see Chapters 17 and 18), installing and configuring the Firebox 1000 was a breath of fresh air. The graphical Windows application for administration was a breeze to install and use. After setting the IP addresses of its interfaces and giving it a range to supply for DHCP, the box was ready to use in a minimally configured state.
Security
A Firebox 1000 that is fully locked down with proxies in place is about as secure as you're going to get with a modern firewall. Perhaps OpenBSD does a better job of randomizing TCP sequence numbers, perhaps Gauntlet has a better set of proxy services, but for the price and ease of use there's no comparison. Because the Firebox is based on Linux, its TCP initial sequence number generator is considerably less predictable than that of most devices, which matters because a predictable sequence number is what makes blind connection spoofing and hijacking practical.
The Windows client application that comes with the firewall for administration is easy to set up and use. The only easier way to administer a firewall is through your web browser (SonicWALL does this, as do the majority of the little home-office firewalls), because the management application limits you to configuring the machine from Windows (as opposed to, say, Solaris). See Figure 19.2 for a view of the Firebox management interface.
Figure 19.2: Firebox's rule-based interface
The Windows application does have the advantage that you can do more from it, including real-time monitoring of the status of the firewall. The policy-based rule editor is also easy to use, and lets you save a policy locally before uploading it (so you can test out new configurations, for example, and fall back if they're too restrictive).
Documentation
The installation booklet provided with the firewall concisely and clearly walks you through the process of installing the firewall, but you'll have to look to the documentation supplied on the CD in PDF format for instructions on how to make policies to really secure your network.
The PDF documentation walks you step by step through using every feature of the Firebox, including establishing policies, setting up VPNs to other Fireboxes and to remote Windows clients, blocking URLs, and setting up content filters. It doesn't go into great detail explaining why you would do any of these things, but another book (such as this one) can tell you what to do to protect your network; the Firebox documentation will tell you how to do it.
Cost and Support
A WatchGuard Firebox is not cheap; at the time of this writing the Firebox 1000 will cost you about $3000. Getting the top-of-the-line model (a model 4500) can cost $7700. The support is good though, including (in addition to your regular dial-up support) online documentation, questions and answers, and a web-based forum on which customers can exchange problems and solutions.
The home unit, which is really a different device entirely but can be used to establish a VPN connection to a model 1000, costs about $300, though the VPN upgrade for it costs another $400.
Elron Firewall
Cons:
• Poor user interface design
Elron employs multilayer stateful inspection rather than proxy servers for filtering in the Application layer. This is somewhat similar to FireWall-1's support for HTTP and FTP filtering. Filtering in the Application layer is capable of blocking numerous attacks, but a filter may not recognize certain attacks that a proxy would never forward, because a proxy regenerates each request from scratch and the malformed original is simply never re-created on the inside. In other words, filtering still passes the originally formed packet, so undetected malformations can still be routed through. Multilayer filtering is considerably more secure than Network-layer filtering alone, but not as secure as Application-layer proxies.
Elron Firewall, running on its own operating system, is not subject to standard operating system vulnerabilities. Although a proprietary operating system is not necessarily more secure than a standard one, few hackers attempt hacks against operating systems that are not widely deployed, so the firewall is not vulnerable to most of the exploits hackers have developed. Since services superfluous to firewalling (like file and print sharing) are not provided, those avenues of attack don't exist in the operating system.
Elron Software maintains that, because the 32OS source code has not been released to the public, there is virtually no possibility that hackers will be familiar with it. While this may be true to some extent, good hackers can read machine code through a process called disassembly, where the binary image is turned back into human-readable assembly language. While assembly language is not nearly as clear as the C programming language (relatively speaking), hackers who are familiar with the i386 microprocessor and its descendants could read it and thereby understand in detail the operation of a piece of proprietary software. I've done it, and so can any decent programmer. Though software based on a proprietary operating system will keep the masses at bay, security through obscurity should never be relied upon. Note also that 32OS uses MS-DOS as a boot loader, and could therefore be susceptible to certain types of RAM
the result of using proprietary operating systems that aren't completely thought out.
Hardware requirements for the Elron Firewall are (SecureOS Version):
Major Feature Set
Elron Firewall provides the following major features:
• Stateful inspection packet filter
• Network Address Translation
• Encrypted authentication
• Virtual Private Networking
Elron Firewall's stateful inspection filter is unique in that it is capable of filtering the application (payload) portion of a packet for known content. The firewall compares packets to bit patterns of previously filtered packets before passing them into the protected network, the intent being that unknown deformations of packets are filtered out as well.
Elron Firewall's NAT option supports IP address hiding only behind the firewall's own IP address. Because every translated connection has to be told apart by the source port the firewall assigns it, and a single address has only about 64,000 usable ports, this sets an upper limit of about 64,000 simultaneous outbound connections; that's generally high enough that the limitation is not serious for most organizations.
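To see where that 64,000 figure comes from, here is an added example (not Elron's code) of a single-address NAT table in Python: every translated flow is distinguished by the public source port the firewall picks for it, so the usable port range is the ceiling. The addresses, the 1024-65535 port pool and the per_destination option are assumptions for illustration; the option shows that a NAT which keys its table on the peer's address and port as well can reuse a source port for flows to different peers, so that the ceiling then applies per destination rather than overall.

```python
# Added example (not Elron's code): a minimal NAPT that hides every interior host behind one
# public address.  Values (addresses, 1024-65535 port pool) are assumptions for illustration.
from collections import namedtuple

PORT_POOL = range(1024, 65536)         # 64,512 candidate source ports on the public address

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")


class SingleAddressNAPT:
    """Translate interior flows to (public_ip, public_port).

    per_destination=False: the public port alone identifies the flow (one port per flow).
    per_destination=True:  (port, dst_ip, dst_port) identifies it, so a port can be reused
                           for flows to different peers; the ~64,000 cap then applies per peer.
    """

    def __init__(self, public_ip, per_destination=False):
        self.public_ip = public_ip
        self.per_destination = per_destination
        self.outbound = {}      # Flow -> public port
        self.inbound = {}       # key from _key() -> Flow, used to map replies back
        self.next_port = PORT_POOL.start

    def _key(self, port, dst_ip, dst_port):
        return (port, dst_ip, dst_port) if self.per_destination else (port,)

    def translate_outbound(self, flow):
        if flow in self.outbound:
            return self.public_ip, self.outbound[flow]
        for _ in PORT_POOL:                       # at most one pass over the pool
            port = self.next_port
            self.next_port = port + 1 if port + 1 in PORT_POOL else PORT_POOL.start
            key = self._key(port, flow.dst_ip, flow.dst_port)
            if key not in self.inbound:
                self.outbound[flow] = port
                self.inbound[key] = flow
                return self.public_ip, port
        # A real NAT would drop the packet here; the interior host sees a stalled connection.
        raise RuntimeError("source-port pool exhausted on " + self.public_ip)

    def translate_inbound(self, public_port, peer_ip, peer_port):
        """Map a reply arriving at public_port from peer back to its interior flow (or None)."""
        return self.inbound.get(self._key(public_port, peer_ip, peer_port))

    def release(self, flow):
        port = self.outbound.pop(flow)
        del self.inbound[self._key(port, flow.dst_ip, flow.dst_port)]


def fill_to_exhaustion(nat, dst_ip, dst_port, hosts=254):
    """Open distinct flows from `hosts` interior addresses (constructed 10.0.0.x) to one
    destination until the NAT refuses; return how many it admitted."""
    admitted, host, src_port = 0, 1, 1024
    while True:
        try:
            nat.translate_outbound(Flow("10.0.0.%d" % host, src_port, dst_ip, dst_port))
        except RuntimeError:
            return admitted
        admitted += 1
        host = host % hosts + 1
        if host == 1:
            src_port += 1


def demo():
    """Naive NAT: the pool is the overall ceiling.  5-tuple NAT: a second peer still gets a port."""
    naive = SingleAddressNAPT("203.0.113.1")
    cap_naive = fill_to_exhaustion(naive, "198.51.100.7", 80)
    tuple_nat = SingleAddressNAPT("203.0.113.1", per_destination=True)
    cap_per_peer = fill_to_exhaustion(tuple_nat, "198.51.100.7", 80)
    _, port = tuple_nat.translate_outbound(Flow("10.0.0.1", 5000, "198.51.100.8", 80))
    return cap_naive, cap_per_peer, port


if __name__ == "__main__":
    print(demo())
```

Running demo() admits 64,512 flows to one peer in either mode; only the 5-tuple variant then has a port left for a flow to a different peer. Note that the table has no idle timeout: a real firewall must age out dead flows, or the pool fills with connections nobody closed cleanly.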
User authentication clients are provided for Windows 9x and NT. Authentication is password-based and supports RADIUS and CHAP authentication. The user authentication software also supports periodic re-authentication.
The included VPN option provides IP-in-IP tunneling, which provides a measure of internal security by hiding the true source and destination addresses. IPSec is used to encrypt the encapsulated IP packet.
Elron makes two completely separate Application-layer filters called the InternetManager (HTTP) and the MessageInspector (e-mail, news, and FTP). These products run on their own Windows NT server and work with any firewall or security service. The MessageInspector filter performs powerful keyword string matching and statistical analysis (for spam filtering) to block e-mail, newsgroups, and FTP downloads.
Minor Feature Set
Elron supports the following noteworthy minor features:
• IP and IPX filtering
• VPN continuous key regeneration
Elron supports both IP and IPX filtering. IPX filtering is not usually a big concern unless you run a large IPX network where internal security between divisions is important. For most enterprises, IPX filtering is not a function required of bastion hosts. The firewall also supports IPX bridging (forwarding all IPX packets transparently and irrespective of their contents), which is not a security function and reduces the security posture of your network.
The continuous key regeneration feature provides a facility somewhat akin to Kerberos ticketing. After an established amount of VPN traffic has passed between two firewalls, both firewalls generate new keys and exchange them. This limits how long a key recovered by brute force would remain useful (the traffic of the interval it protected is still exposed, but nothing after it), moving a brute-force attack from highly unlikely to practically impossible.
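As an added example (not Elron's code, and not the 32OS key exchange), the following Python sketches a rekey schedule driven by traffic volume. Both tunnel ends hold a shared master secret (assumed to come from the initial negotiation) and derive key number n from it with an HMAC-based KDF, so stepping to key n+1 after a byte threshold needs no extra exchange on the wire; each record carries its epoch number so the receiver can follow the sender, and the receiver only commits to a new epoch after the record authenticates. The 256 KiB threshold, the record format, the HMAC-counter keystream standing in for the real cipher, and the constructed messages are all assumptions.

```python
# Added example (not Elron's code): rekey by traffic volume.  The KDF, threshold, record
# format and the HMAC-counter keystream (a stand-in for the real cipher) are assumptions.
import hashlib
import hmac
import struct

REKEY_AFTER_BYTES = 1 << 18            # assumed: rotate keys after 256 KiB of payload
HEADER = struct.Struct(">IQ")          # epoch number, record sequence number
TAG_LEN = 16


def derive_key(master, epoch):
    """Key for interval `epoch`.  Brute-forcing one epoch's key reveals nothing about the
    master secret or about any other epoch, because HMAC is one-way."""
    return hmac.new(master, b"vpn-epoch" + struct.pack(">I", epoch), hashlib.sha256).digest()


def keystream(key, seq, n):
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a, b):
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


class Sender:
    def __init__(self, master):
        self.master, self.epoch, self.seq, self.sent = master, 0, 0, 0
        self.key = derive_key(master, 0)

    def protect(self, payload):
        hdr = HEADER.pack(self.epoch, self.seq)
        ct = xor(payload, keystream(self.key, self.seq, len(payload)))
        tag = hmac.new(self.key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.seq += 1
        self.sent += len(payload)
        if self.sent >= REKEY_AFTER_BYTES:       # threshold crossed: next record uses key n+1
            self.epoch += 1
            self.key = derive_key(self.master, self.epoch)
            self.sent = 0
        return hdr + ct + tag


class Receiver:
    def __init__(self, master):
        self.master, self.epoch, self.last_seq = master, 0, -1
        self.key = derive_key(master, 0)

    def unprotect(self, record):
        epoch, seq = HEADER.unpack_from(record)
        if epoch < self.epoch or seq <= self.last_seq:
            raise ValueError("replayed, reordered, or retired-key record")
        key = self.key if epoch == self.epoch else derive_key(self.master, epoch)
        hdr, ct, tag = record[:HEADER.size], record[HEADER.size:-TAG_LEN], record[-TAG_LEN:]
        expect = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad tag")
        # Commit only after authentication, so a forged header cannot push us forward.
        self.epoch, self.key, self.last_seq = epoch, key, seq
        return xor(ct, keystream(key, seq, len(ct)))


def run_tunnel(records=300, size=2048):
    """Push 600 KiB of constructed traffic through; return (sender epoch, epochs the
    receiver saw) to show both ends stepped keys twice without any exchange."""
    master = hashlib.sha256(b"constructed shared secret").digest()
    tx, rx = Sender(master), Receiver(master)
    payload = b"X" * size
    seen = set()
    for _ in range(records):
        if rx.unprotect(tx.protect(payload)) != payload:
            raise AssertionError("decryption mismatch")
        seen.add(rx.epoch)
    return tx.epoch, sorted(seen)


def replay_rejected():
    master = hashlib.sha256(b"constructed shared secret").digest()
    tx, rx = Sender(master), Receiver(master)
    first = tx.protect(b"hello")
    rx.unprotect(first)
    try:
        rx.unprotect(first)
    except ValueError:
        return True
    return False
```

Deriving keys by counter rather than exchanging them keeps the two ends in step even if the rollover record itself is lost, and the monotonic sequence number is what stops an attacker from replaying records captured under an earlier key.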
Interface
Elron Firewall is configured remotely through a Windows-based policy manager. The firewall itself is initially configured using the firewall management software on a Windows computer, and the configuration is transmitted to the firewall, which must be located on the same Ethernet collision domain.
The user interface bespeaks an amateurish attempt at design, suffering from such problems as a non-sizeable main window that takes up the entire screen and the use of purely modal dialogs throughout the software, which prevents you from seeing two content windows at the same time. There seems to be an unwritten rule in the firewall industry that user interfaces aren't worthy of programming effort. Figure 19.3 shows the clunky management interface.
Figure 19.3: The Elron Firewall Management Interface
The interface is not particularly easy to use, since it doesn't conform to any specific interface methodology. In some cases you right-click to access features, while in others you double-click. There's also no indication of which interface elements can be activated and which can't.
Security
Elron Firewall's multilayer inspection filter is the heart of the firewall. The multilayer filter is interesting because it can filter content in the Application layer to reject unrecognized information. The level to which this functionality is actually used varies from protocol to protocol, but administrators can customize it on a per-protocol basis.
Customizing the firewall is not easy and requires a solid knowledge of TCP/IP and firewalling. If you've read through this book so far, you'll have no problems.
Elron Firewall running on 32OS should be considered hardened, since no OS-specific exploits are publicly known for the operating system (which, as noted above, is not the same as saying none exist). This makes it equivalent at least to a Windows NT installation with no extra services running, no extra user accounts, and in a state of complete lockdown where additional software (like Trojan horses) cannot be installed.
Hardened operating systems are operating systems in which no extraneous services or exploitable mechanisms exist, because the operating system simply doesn't support them or because all software functions not directly related to supporting the firewall have been disabled. Hardening an OS considerably reduces the number of vectors a hacker can attempt to exploit, and thereby dramatically improves the security posture of the firewall system.
Documentation, Cost, and Support
Documentation is provided in PDF format and is very strong. It is highly task-oriented, containing detailed procedures for performing most firewall administrative tasks, yet adequately covers the theory behind the features used. Most administrators will have no trouble getting the firewall up using the supplied documentation.
Elron has a small searchable knowledgebase online. Technical support is available via e-mail.
Elron Software is a wholly owned U.S. subsidiary of the Israel-based Elron Electronic Industries.
Elron Firewall comes in various user levels and prices:
GNAT Box
GNAT Box is an ICSA-certified stateful inspection packet filter and Network Address Translator that runs on its own operating system, which it boots from a single floppy disk. GNAT Box also includes an SMTP proxy and a split DNS server. GNAT Box protects against IP spoofing and common denial-of-service attacks. Although GNAT Box does not provide a Unix operating system environment, its kernel and TCP/IP stack are derived from BSD, which is an open-source Unix operating system. You can think of GNAT Box as a highly optimized firewall-specific distribution of the BSD operating system.
Pros:
• Runs on cheap hardware
• No standard OS security holes
• Fast
• Inexpensive: less than $1,000 for unlimited use
Cons:
• No user authentication
• Cannot integrate with third-party tools
• No content scanning or additional proxies
The complete system requirements are:
• 386 or higher Intel-compatible microprocessor
• 8MB RAM, 16MB recommended for e-mail proxy, more than 32MB is not useful
• Floppy disk drive
• Two network adapters
• Display adapter
• Printer port (to attach a copy-protection key circuit)
As you can see, the requirements are quite minimal: you won't even need a hard disk drive, and nearly any obsolete PC you have lying around will work fine. The big drawback to GNAT Box is its limited support for network adapters. Because the operating system is based on BSD, only network adapter drivers for that operating system are available. It appears that the vendor simply lifts the open-source adapter drivers for its firewall. So, many popular Ethernet models are available, but you can forget about using adapters that are even slightly esoteric. Support is provided for most:
• Intel (except ISA-bus adapters)
• Various others based on similar chipsets
A complete list is provided with the documentation. If you have a problem getting your adapters to work, you will need to purchase adapters from the supported list. This is usually not a problem, since most of the adapters are available for well under $100 each.
GNAT Box performs faster than most Internet connections. Performance is limited primarily by the speed of the network adapters, so the performance of GNAT Box is at least as good as the fastest PC-based firewalls. GNAT Box does not support VPN-encrypted tunnels or remote user authentication.
You'll find that GNAT Box devices have a hard time dealing with multiple inbound connection attempts at rates higher than 1.5MB. The software is optimized for protecting office networks with minimal interior services, not for protecting a bank of public servers.
Tip A downloadable evaluation edition of GNAT Box is available at http://www.gnatbox.com/
Major Feature Set
The following major features are included in GNAT Box:
• Stateful inspection packet filter
• Network Address Translator
• DMZ support
• Port redirection
• VPN (AES, DES, 3DES, IPSec/IKE)
• VPN client software (PPTP, IPSec, SSH)
• Firewall high availability (1000GB)
• Logging and e-mail notification
• E-mail and HTTP proxy
GNAT Box's stateful inspector is fairly sophisticated. By detecting "hard-to-firewall" protocols like FTP and real-time multimedia protocols on the way out of your network, the firewall creates virtual cracks, a term GNAT Box uses to describe temporary holes opened for the return channels of these protocols. This makes GNAT Box compatible with these protocols without compromising security by simply opening up permanent holes.
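Here is an added example (not GNAT Box's code) of how a stateful inspector can open such a crack for active-mode FTP, written in Python over constructed packets: it tracks outbound connections, watches the control channel for the client's PORT command, opens a one-shot, time-limited hole for the server's data connection back to exactly that client and port, and drops any other inbound SYN. The packet representation, the 30-second lifetime and the addresses are assumptions. Passive-mode FTP needs no crack, because the client opens the data connection outbound, and the check that the PORT address matches the sender is what keeps the crack from being abused as an FTP bounce.

```python
# Added example (not GNAT Box's code): a stateful inspector that opens a temporary return-channel
# "crack" for active-mode FTP.  Packet layout, 30 s lifetime and addresses are assumptions.
import ipaddress
import re
from dataclasses import dataclass, field

PINHOLE_TTL = 30.0                                   # assumed: seconds an unused crack lives
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class StatefulFilter:
    inside: ipaddress.IPv4Network
    now: float = 0.0                                  # clock, advanced by the caller
    conns: set = field(default_factory=set)           # initiator 4-tuples of allowed connections
    pinholes: dict = field(default_factory=dict)      # crack 4-tuple -> expiry time

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def handle(self, pkt):
        """Return 'ACCEPT' or 'DROP', updating connection state as the inspector would."""
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        outbound = self._is_inside(pkt.src_ip) and not self._is_inside(pkt.dst_ip)
        if fwd not in self.conns and rev not in self.conns:
            if outbound and pkt.syn:
                self.conns.add(fwd)                   # policy: interior hosts may open anything out
            elif pkt.syn and self._crack_open(fwd):
                self.conns.add(fwd)                   # inbound only through a live crack
            else:
                return "DROP"
        if outbound and pkt.dst_port == 21:
            self._watch_port_command(pkt)             # control channel: look for PORT
        return "ACCEPT"

    def _crack_open(self, key):
        for k in [k for k, t in self.pinholes.items() if t <= self.now]:
            del self.pinholes[k]                      # age out cracks nobody used
        if key in self.pinholes:
            del self.pinholes[key]                    # one SYN per crack; then it is a connection
            return True
        return False

    def _watch_port_command(self, pkt):
        m = PORT_CMD.match(pkt.payload)
        if not m:
            return
        a, b, c, d, hi, lo = map(int, m.groups())
        data_ip, data_port = "%d.%d.%d.%d" % (a, b, c, d), hi * 256 + lo
        # Only crack a hole back to the host that issued the command, and only on an
        # unprivileged port; anything else is the classic FTP bounce (PORT) attack.
        if data_ip != pkt.src_ip or data_port < 1024:
            return
        self.pinholes[(pkt.dst_ip, 20, data_ip, data_port)] = self.now + PINHOLE_TTL


def run_scenario():
    """Constructed exchange between interior client 10.0.0.5 and an FTP server outside."""
    fw = StatefulFilter(ipaddress.ip_network("10.0.0.0/24"))
    cli, srv = "10.0.0.5", "198.51.100.20"
    steps = [
        Packet(cli, 40000, srv, 21, syn=True),                             # ACCEPT: control out
        Packet(cli, 40000, srv, 21, payload=b"PORT 10,0,0,5,156,65\r\n"),  # ACCEPT: crack to :40001
        Packet(srv, 20, cli, 40002, syn=True),                             # DROP: no crack on 40002
        Packet(srv, 20, cli, 40001, syn=True),                             # ACCEPT: through the crack
        Packet(cli, 40000, srv, 21, payload=b"PORT 10,0,0,9,156,65\r\n"),  # ACCEPT, but no crack
        Packet(srv, 20, "10.0.0.9", 40001, syn=True),                      # DROP: bounce attempt
        Packet(cli, 40000, srv, 21, payload=b"PORT 10,0,0,5,156,66\r\n"),  # ACCEPT: crack to :40002
    ]
    verdicts = [fw.handle(p) for p in steps]
    fw.now += PINHOLE_TTL + 1                                              # let the last crack expire
    verdicts.append(fw.handle(Packet(srv, 20, cli, 40002, syn=True)))      # DROP: crack timed out
    return verdicts
```

The crack is keyed on all four addresses and ports, is consumed by the first SYN that uses it, and dies after 30 seconds if unused; those three properties are what separate a virtual crack from a permanent hole on port 20.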
The e-mail proxy receives and regenerates e-mail messages. It includes light anti-spamming features, but does not include content filtering or attachment blocking. The built-in web proxy filters URLs; for a more sophisticated HTTP filter it can redirect web requests to an external HTTP proxy.
Minor Feature Set
GNAT Box provides the following minor feature:
• Demand dialing of PPP connections
If configured to use a PPP connection as the external interface, GNAT Box will automatically dial the interface on demand whenever an internal client requests Internet data. The PPP interface can also be set to dedicated (dial-on-boot) or manual-enable mode (whenever the administrator enables the link).
Interface
The firewall itself has a text-based console interface, but you need never use that interface unless you want to administer the box directly without a management workstation. System administration is performed on an administration computer that connects to the GNAT Box via a TCP port you define. Figure 19.4 shows the GBAdmin utility's interface.
Figure 19.4: The GNAT Box administration interface
The GBAdmin utility requires Internet Explorer 3.0 or higher in order to operate correctly.
You can use the GBAdmin utility to configure an existing GNAT Box over your network, or to create a combined configuration and runtime floppy from which a fully configured GNAT Box will boot.
Security
Because GNAT Box is absolutely the only software running on the firewall platform, it should be considered more hardened than any firewall running on a standard operating system. There's no way to run an arbitrary program on a GNAT Box firewall, so a hacker who finds a flaw has no shell or tool set to land in; that removes the usual follow-on steps of an exploit, though a flaw in the filter or the TCP/IP stack itself could still be attacked. There are no extraneous services to exploit and no extra information-leaking services that a hacker might find useful. The same machine cannot be used to support mail, web, or any other services. GNAT