The following article is from the September 1999 issue of PC Magazine:
Firewalls: Guard Your Perimeter
By Robert P. Lipschutz
PC Magazine
August 6, 1999
The gates of the freewheeling Internet are firewalls. They are used primarily to protect your internal server and desktop resources from outside intruders; they can also be used to protect what runs your public Web site. For example, you'll want to limit visitors to accessing only Web pages at your company's site. This means putting the site behind the firewall and connecting it in a special area not directly joined to your network. Without a firewall, someone could use your Web site as a gateway into your company's internal files.
We discuss two primary techniques that a firewall can use to filter content: application proxies and stateful inspection. Both use rules to allow or deny traffic passing through the firewall. Application proxies serve as middlemen, accepting certain connections and then forwarding them; a stateful-inspection firewall checks the data packets as they pass through.
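To make the stateful-inspection idea concrete, here is a small Python model of it. This is an added example, not code from the article or from any of the products it reviews: the rule base, the internal network prefix (10.0.0.0/24 is assumed) and the packet sequence are all constructed. The point it shows is that once the rule base has accepted a connection, its reply packets pass on recorded state alone, while a packet that merely looks like a reply but matches no recorded connection is dropped even if a rule would have accepted a fresh connection to that port.

```python
"""Toy stateful-inspection filter (added example; not code from the article
or from any of the reviewed products). It keeps a table of connections that
were accepted by the rule base and lets their reply packets through without
re-evaluating the rules, while unsolicited packets that only look like
replies are dropped. All addresses, ports and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_PREFIX = "10.0.0."   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    syn: bool = False    # TCP SYN flag: marks a new connection attempt


# Rule base, evaluated top-down, first match wins, implicit deny at the end.
# Each rule: (action, protocol, source-is-internal?, destination port)
RULES = [
    ("allow", "tcp", True, 80),     # internal users may browse the Web
    ("allow", "tcp", True, 443),
    ("allow", "tcp", False, 25),    # outside hosts may deliver mail to our SMTP server
]

ConnKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # accepted connections
        self.log: List[str] = []

    @staticmethod
    def _is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def _match_rules(self, p: Packet) -> str:
        for action, proto, src_internal, dport in RULES:
            if (p.proto == proto and self._is_internal(p.src) == src_internal
                    and p.dport == dport):
                return action
        return "deny"

    def filter(self, p: Packet) -> str:
        # 1. A reply belonging to a connection we already accepted passes on
        #    state alone; the rule base is not consulted again.
        reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reply_of in self.table:
            self.log.append(f"ESTABLISHED {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "allow"
        # 2. A TCP packet without SYN and without state is unsolicited: drop it,
        #    even if a rule would have allowed a fresh connection to that port.
        if p.proto == "tcp" and not p.syn:
            self.log.append(f"DROP stateless {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny"
        # 3. New connection attempt: consult the rule base and record state.
        action = self._match_rules(p)
        if action == "allow":
            self.table[(p.src, p.sport, p.dst, p.dport, p.proto)] = "established"
        self.log.append(f"{action.upper()} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return action


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the filter's decision for each."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, "tcp", syn=True),   # outbound web request
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "tcp"),             # its reply
        Packet("198.51.100.7", 80, "10.0.0.5", 40001, "tcp"),             # reply-shaped, but no state
        Packet("198.51.100.7", 5555, "10.0.0.9", 25, "tcp", syn=True),    # inbound mail delivery
        Packet("198.51.100.7", 5556, "10.0.0.9", 23, "tcp", syn=True),    # inbound telnet: no rule
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The third packet is the one that separates stateful inspection from a plain packet filter: a stateless filter that allows "source port 80" traffic would pass it, whereas the state table knows no internal host ever opened that connection.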
FireWall-1, Version 4.0
The best combination of functionality and ease of use makes Check Point's FireWall-1 the choice for implementing the core element of your corporation's protection scheme. No other product offers as clean an interface for managing your firewall or even multiple firewalls across your network. You can observe almost all of your rules from a single window, something that most other products make you do in a collage of open screens.
FireWall-1 also offers a winning mix of stateful inspection and application proxy architectures to offer more complete screening on both sides of the firewall. By adopting this approach, FireWall-1 can take advantage of the speed of the former and the security of the latter.
Scorecard

| | FireWall-1 | Gauntlet | Raptor | Sidewinder Security Server |
| --- | --- | --- | --- | --- |
| Basic services | Excellent | Good | Good | Excellent |
| Advanced services* | Good | Excellent | Good | Good |
| Management | Excellent | Fair**/Good*** | Good | Fair |
| Reporting/logging | Good | Fair | Fair | Fair |

* Advanced services refers to how well the product handles special cases such as custom applications and sophisticated authentication, filtering options, scanning for Java and ActiveX, and options for third-party plug-ins that allow for URL filtering or virus scanning.
** For Microsoft Windows NT. *** For Solaris.
No matter how sophisticated or complete a firewall product is, it can be an effective tool only if users clearly understand how to configure and maintain a secure rule base. FireWall-1 is the strongest product in this area, gaining our confidence that administrators will know exactly what, when, and to whom they are granting access. It also has an underlying sophistication and network service support that matches or exceeds that of other products in this roundup. FireWall-1's maturity also shows in its clean and powerful management interface, rounding out its offering and making it an excellent choice for protecting your network.
The clarity of FireWall-1's management interface is an advantage whether you are administering a single firewall or multiple firewalls throughout your company. The security policy interface clearly displays all rules on all firewalls in table format. In fact, you can observe almost all of your rules from a single window, a notable and convenient feature.
FireWall-1's logging features are standouts as well. Tracking can be turned on or off for each rule, and the reporting interface is color-coded and includes a filtering utility to find just the entries you want.
No other firewall offers a true single point of management for multiple firewalls (although Gauntlet's next version promises to include this feature). Where the other products in the roundup require a separate log-on to each remote firewall, FireWall-1 uses a single set of rules with a field indicating which firewalls to install the rules on. This saves administrators time and ensures consistent security throughout the network.
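The two management features just described, per-rule tracking and a single rule base with a field naming the firewalls each rule is installed on, can be modelled in a few lines. The following is an added example, not Check Point's code or the article's: the gateway names, zones, services and sample connections are constructed. It compiles one shared rule base into a per-gateway rule set, evaluates connections top-down with first match winning, emits a log entry only for rules whose track flag is set, and includes the kind of simple filter the article's log viewer offers.

```python
"""Added example (not the article's or Check Point's code): a single rule
base whose rules carry an "install on" field naming the gateways that
enforce them and a per-rule "track" flag that controls logging. One
policy is compiled into a per-gateway rule set, so every firewall derives
its rules from the same source. Gateway names, zones and the sample
connections are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL_GATEWAYS = ["fw-hq", "fw-branch"]   # hypothetical firewall names


@dataclass
class Rule:
    name: str
    src: str            # zone: "internal", "dmz", "external" or "any"
    dst: str
    service: str        # "http", "smtp", "telnet" or "any"
    action: str         # "accept" or "drop"
    track: bool         # log matches of this rule?
    install_on: List[str] = field(default_factory=lambda: list(ALL_GATEWAYS))


# The shared rule base, in order; the last rule is the explicit clean-up rule.
RULE_BASE = [
    Rule("web-out", "internal", "any", "http", "accept", track=False),
    Rule("mail-in", "any", "dmz", "smtp", "accept", track=True),
    Rule("hq-admin", "internal", "dmz", "telnet", "accept", track=True,
         install_on=["fw-hq"]),                      # only the HQ gateway enforces this
    Rule("cleanup", "any", "any", "any", "drop", track=True),
]


def compile_for(gateway: str, rules: List[Rule] = RULE_BASE) -> List[Rule]:
    """Rules a given gateway must enforce, in their original order."""
    return [r for r in rules if gateway in r.install_on]


def _zone_matches(rule_zone: str, zone: str) -> bool:
    return rule_zone == "any" or rule_zone == zone


def evaluate(gateway: str, src_zone: str, dst_zone: str,
             service: str) -> Tuple[str, Optional[str]]:
    """First matching rule decides; returns (action, log line or None)."""
    for r in compile_for(gateway):
        if (_zone_matches(r.src, src_zone) and _zone_matches(r.dst, dst_zone)
                and r.service in ("any", service)):
            entry = (f"{gateway} rule={r.name} {src_zone}->{dst_zone} {service} {r.action}"
                     if r.track else None)
            return r.action, entry
    raise RuntimeError("rule base must end with a clean-up rule")


def filter_log(entries: List[str], needle: str) -> List[str]:
    """Keep only entries mentioning needle (a rule name, zone, service or action)."""
    return [e for e in entries if needle in e]


def run_demo() -> Tuple[List[str], List[str]]:
    """Same three connections against both gateways; returns (decisions, log)."""
    log: List[str] = []
    decisions: List[str] = []
    connections = [("internal", "external", "http"),
                   ("external", "dmz", "smtp"),
                   ("internal", "dmz", "telnet")]
    for gw in ALL_GATEWAYS:
        for src, dst, svc in connections:
            action, entry = evaluate(gw, src, dst, svc)
            decisions.append(f"{gw}:{svc}={action}")
            if entry:
                log.append(entry)
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    print("\n".join(decisions))
    print("\n".join(filter_log(log, "drop")))
```

Note that the telnet connection is accepted at fw-hq but falls through to the clean-up rule at fw-branch, because the hq-admin rule is installed only on the HQ gateway; the untracked web-out rule produces no log entries at all.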
FireWall-1 does have a couple of small glitches. Installation enables traceroute, which lets users gather network architecture information by default (we suggest that it be disabled by default). Also, we were able to ascertain the underlying operating system of the firewall using our vulnerability scanning software. Although these are not major problems, you don't want to give hackers any advantage, and this information could give a hacker a lead as to what type of attack to launch against your network.
Although FireWall-1 has long been the champion of stateful inspection, its architecture has begun to incorporate aspects of proxy-based products. In cases where scanning a packet's data field is necessary, FireWall-1 passes the packets to a Content Security Server, which basically acts as a proxy. By using stateful inspection and proxies in concert, FireWall-1 can take advantage of the former's speed and the latter's security. Of course, other vendors in this roundup are also blurring the line between proxies and packet filtering (Gauntlet's Adaptive FTP proxy, for example), but FireWall-1 is in the driver's seat to take advantage of both.
FireWall-1 provides strong security and the cleanest, most flexible administration and monitoring in this review group.
Gauntlet, Version 5.0
Gauntlet, Network Associates' firewall solution, is effective, but its clumsy, tab-based Windows NT management interface (soon to be revamped) and configuration quirks hold it back from being top-notch. The Solaris version was easier to navigate and, in fact, more Windows-like than the Win NT version.
Configuring Gauntlet is done slightly differently from other products in this roundup. Rather than setting up rules in a manner that parallels router access-control lists, as FireWall-1 and Sidewinder do, Gauntlet uses a set of policies and policy maps to create its firewall rules. Each policy includes a set of proxies that are permitted and denied by that policy and an option as to whether authentication is required for access.
We found this a little cumbersome in the Windows NT version. We would have preferred creating groups of source addresses and then mapping each group to a policy; this would have eased the process of handling a related set of people that might not have a contiguous set of IP addresses.
Like the Raptor and Sidewinder firewalls, Gauntlet primarily uses application proxies. It has a complete set, including H.323, LDAP, Point-to-Point Tunneling Protocol (PPTP), RealAudio, Windows Media, and Microsoft, Oracle, and Sybase SQL. The SQL proxies are useful for companies with dynamic database-driven Web sites, where the Web servers are in a demilitarized zone but the databases reside within the internal network.
In general, Gauntlet's management, reporting, and alert features are merely adequate. Remote management of your Windows NT-installed firewall is not done automatically over a secure link. The Solaris and HP-UX platforms support secure management, as will Version 6.0 of the Windows NT product. Gauntlet 6.0 will also include the ability to manage multiple firewalls on multiple OSs through one console; the manager for NT will be able to manage HP-UX, NT, and Solaris versions of Gauntlet.
The daily and weekly reports you can generate aren't much more than lists of log entries, and you can't sort or filter the information without a third-party product. And alerts aren't nearly as granular or flexible as those in Raptor. For example, you can't set alerts for a specific service proxy such as HTTP.
Raptor for Windows NT, Version 6.0
A vastly improved management interface and the inclusion of some additional proxies enhance the usability of the latest version of Raptor, whose fundamental strengths from its application proxy architecture remain. Check Point's FireWall-1, however, offers more powerful management options as well as elements that Raptor lacks, such as single log-on and logging features.
Raptor does more content scanning out of the box than any product in this roundup. Operating at the application layer, Raptor can delve into the data portion of e-mail messages, Web requests, and FTP to maintain granular control over what does and doesn't pass into and out of your network. For example, you can prevent an internal user from browsing to specific Web addresses or from using Java applets. You can allow FTP downloads (gets) while denying FTP uploads (puts), and you can check inbound e-mail messages to see whether they originate from known spammers.
One drawback of Raptor's proxy architecture is that each new application requires a new proxy. Raptor covers common services such as DNS, FTP, HTTP, and SMTP; the recent addition of Ping (unique in this roundup) and H.323 helps round out the offering. The advantage of having a wider range of proxies available is that you don't have to let any traffic from the Internet into your network if you have the corresponding proxy, thus making your network safer. But UDP-based applications, such as streaming audio and voice-over IP, are a problem for an application proxy firewall.
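The "allow FTP gets while denying FTP puts" control described above is something only an application-layer proxy can enforce, because a packet filter sees port 21 but not the commands inside the session. The following Python model is an added example, not Raptor's code or the article's: the allowed-command set, the 550 reply text and the sample client session are constructed. The proxy sits on the control channel, parses each command, forwards download-related commands to the real server and answers upload commands itself with a refusal, logging the decision.

```python
"""Added example (not from the article or from Raptor): an FTP control-channel
proxy that enforces "allow gets, deny puts". The proxy parses every client
command; downloads (RETR) and housekeeping commands are forwarded, upload and
modification commands are refused by the proxy itself. Command sets, the
refusal text and the client session are constructed."""
from typing import List, Tuple

# Commands the proxy forwards to the real server (constructed policy).
ALLOWED = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP", "PASV",
           "PORT", "LIST", "NLST", "SIZE", "RETR", "NOOP", "QUIT"}
# Upload/modify commands, listed explicitly so their denial is logged as such.
UPLOAD = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

REFUSAL = "550 Command not permitted by firewall policy.\r\n"   # constructed reply


def parse_command(line: str) -> Tuple[str, str]:
    """Split 'RETR file.txt\\r\\n' into ('RETR', 'file.txt'); verbs are case-insensitive."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()


class FtpProxy:
    def __init__(self, client: str) -> None:
        self.client = client
        self.forwarded: List[str] = []   # command lines passed on to the server
        self.log: List[str] = []

    def handle(self, line: str) -> str:
        """Decide one command line; returns 'forward' or 'deny'."""
        verb, arg = parse_command(line)
        if verb in ALLOWED:
            self.forwarded.append(f"{verb} {arg}".strip())
            return "forward"
        # Everything else is answered by the proxy, never sent to the server.
        if verb in UPLOAD:
            self.log.append(f"DENY upload {verb} {arg!r} from {self.client}")
        else:
            self.log.append(f"DENY unknown command {verb!r} from {self.client}")
        return "deny"

    def reply_for(self, decision: str) -> str:
        """What the client receives from the proxy itself ('' when forwarded,
        since the server's own reply is relayed in that case)."""
        return REFUSAL if decision == "deny" else ""


def run_demo() -> List[str]:
    """Constructed client session; returns the proxy's decision per command."""
    proxy = FtpProxy("10.0.0.5")
    session = [
        "USER anonymous\r\n",
        "PASS guest@example.com\r\n",
        "CWD /pub\r\n",
        "PASV\r\n",
        "RETR report.pdf\r\n",          # a get: forwarded
        "stor upload.bin\r\n",          # a put, lower-case: still refused
        "SITE HELP\r\n",                # not in the allowed set: refused
        "QUIT\r\n",
    ]
    return [proxy.handle(line) for line in session]


if __name__ == "__main__":
    for line, decision in zip(run_demo(), run_demo()):
        print(line, decision)
```

Because the verb is upper-cased before the lookup, a client cannot slip a `stor` past a policy written for `STOR`; and because unknown commands are refused rather than forwarded, a new server extension is blocked until the administrator chooses to allow it, which is the "each new application requires a new proxy" trade-off the text describes.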
Raptor's management console has been integrated into the Microsoft Management Console (MMC). Raptor is the only product in this roundup to have this, and the current version is a vast upgrade from previous ones. Security administrators can manage remote firewalls from a single management station but must log on to each firewall separately, unlike in FireWall-1, which lets you log on with a single password.
You can capture a wide variety of message types to Raptor's log files, including standard informational messages such as the number of packets sent and received by the firewall and alert messages describing potential attacks. A filtering screen helps separate out pertinent messages when diagnosing a problem. But the absence of a sorting feature made scanning through log files cumbersome.
Raptor has come a long way in its usability and provides a very solid application proxy-based firewall, but FireWall-1 shines brighter because of its superior management capabilities.
Raptor takes advantage of the familiar confines of Windows NT's management console.
Sidewinder Security Server, Version 4.1
Clearly aimed at the high-security market where experts are ready and able to configure a firewall, Sidewinder Security Server, Version 4.1 includes granular control over common services such as DNS, FTP, and SMTP mail, as well as advanced features like an X.500 proxy. The catch is that Sidewinder is more difficult to use than the other firewalls reviewed here, especially for those without Unix experience. The product is built on top of Secure Computing's own custom version of BSD Unix, which provides additional power, but at the cost of usability.
Sidewinder secures each and every service on the firewall so that no unknowns exist. Through what it calls type enforcement, Sidewinder separates the services from one another so that an attack on one will never give entry to another. For example, if a hacker tries to overrun the machine buffer with an attack on the SMTP mail proxy, he still won't be able to get telnet access.
You have fine-grain control over implementing your security policy because of Sidewinder's deep understanding of services. Sidewinder has proxies for standard services such as FTP, HTTP, and telnet but also includes Oracle SQL*Net and RealAudio proxies. The firewall includes two separate DNS servers for internal and external servers. Mail filters can be set up to look at subject name, recipient, sender, or any message text to identify potentially harmful messages, such as those containing the ExploreZip virus, or annoying ones from known spammers that clog network traffic.
You manage your Sidewinder firewall through a command line interface or through a visual editor called COBRA. We found the visual interface unsatisfying because of its disjointed nature, and Unix experts are going to use the command line anyway, especially for advanced configuration. You can configure your firewall remotely through a secured telnet session (which requires using the VPN client) or through an X Window session using the COBRA tools.
Sidewinder is an industrial-strength firewall that hasn't been prettied up for the masses. But if you've got the in-house Unix expertise to manage it, Sidewinder could be just the right product for a security-conscious company.