Firewalls buyers' guide - The burning question

The network security market is a complex and overcrowded one that features a dizzying variety of solutions. We present this guide in order to help you to cut through the confusion.

We are all aware by now that security is of the utmost importance if we wish to maintain a successful business in today's internet-driven world. We also know that the sheer number of products on the market makes it a bit of a headache to do so.

We at Network News have taken a delve into the firewall market in an attempt to create some order from the apparent chaos.

There are a number of decisions you need to make when deciding what firewall to buy, the first of which is your company-wide security policy. In short, this means what level of risk you are willing to adopt in order to take better advantage of the internet and its applications.

At one end of the scale you can remove internet access altogether. This would certainly reduce the risk of hackers, but the loss in productivity you experience as a result renders it unrealistic. At the other end of the scale you can leave your network wide open for anyone and everyone to access.

Once the security policy has been determined it is possible to decide on the level of monitoring and control that you require. What should and should not be allowed, who will be allowed to do it and to what level, should all be looked at.

There are, in general, two types of firewall: the filtering firewall and the proxy firewall, and both are well respected. However, some vendors favour one or the other, while others prefer a combination of the two.

The filtering firewall is considered the simpler of the two.

It looks at the header of each individual TCP/IP packet and determines whether it should be accepted or discarded. This decision is based upon the source, destination and port number of each packet; e-mail or SMTP uses port 23, and HTTP uses port 80, for example.

A comprehensive approach

The proxy firewall is more complex than the filtering approach. It tackles the problem by not allowing any direct connection between two networks.

All communications are instead routed through specific applications that run on the firewall, called proxy servers. Proxy firewalls are also far more comprehensive in the logging and auditing of traffic passing through them.

This is an important function of the firewall, for more than one reason.

The logging of attempted hack attacks is essential if you are to succeed in maintaining a security policy. Not only can the information be used to incriminate thieves, but it will also let you know where your strengths and weaknesses lie.
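The point made above, that firewall logs tell you where your weaknesses lie, is easiest to see with a small log analysis. The following Python script is an added example and is not code from the original article or from any product it mentions; the log line format and every address in it are constructed for the example (the ranges are documentation addresses), so a real product's syslog layout would need its own regular expression. It parses deny/accept lines, skips lines it cannot parse rather than crashing, counts denied connections per source, and flags any source that has been refused on several distinct ports, which is the pattern a defender most wants surfaced from a day's worth of denies.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample of firewall log lines. The format is an assumption made
# for this example and does not follow any particular product's syslog layout.
SAMPLE_LOG = """\
1999-03-02T09:14:01 fw1 DENY tcp 203.0.113.7:41022 -> 192.0.2.10:23
1999-03-02T09:14:02 fw1 DENY tcp 203.0.113.7:41023 -> 192.0.2.10:21
1999-03-02T09:14:02 fw1 DENY tcp 203.0.113.7:41024 -> 192.0.2.10:110
1999-03-02T09:14:03 fw1 DENY tcp 203.0.113.7:41025 -> 192.0.2.10:143
1999-03-02T09:14:03 fw1 DENY tcp 203.0.113.7:41026 -> 192.0.2.10:3306
1999-03-02T09:20:11 fw1 DENY tcp 198.51.100.4:5501 -> 192.0.2.10:25
1999-03-02T09:31:45 fw1 DENY udp 198.51.100.9:5000 -> 192.0.2.10:161
1999-03-02T09:40:00 fw1 ACCEPT tcp 198.51.100.4:5502 -> 192.0.2.10:80
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>DENY|ACCEPT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text: str) -> List[dict]:
    """Turn raw log text into event dicts, silently skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def denies_by_source(events: List[dict]) -> Counter:
    """How many connections each source address had refused."""
    return Counter(ev["src"] for ev in events if ev["action"] == "DENY")


def port_sweeps(events: List[dict], min_ports: int = 4) -> Dict[str, List[int]]:
    """Sources whose refused connections touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def report(text: str) -> str:
    """Human-readable summary of the denies, most active source first."""
    events = parse(text)
    lines = [f"parsed {len(events)} events"]
    for src, n in denies_by_source(events).most_common():
        lines.append(f"{src}: {n} denied")
    for src, ports in port_sweeps(events).items():
        lines.append(f"{src} was refused on {len(ports)} distinct ports: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run as a script it prints the summary for the constructed sample; in practice you would feed `report()` the text of the previous day's firewall log and tune `min_ports` to your own traffic.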

Choosing the right firewall is a daunting task, as making a mistake could cost your company dearly. However, thorough research of both the market and your needs will greatly reduce this risk.

A way to further improve the effectiveness of firewalls is to implement DMZs (demilitarised zones). As the name suggests, a DMZ is a section of the network that is part of neither the internal nor the external network, but sits between the two.

A router/firewall will determine what traffic from the external network is allowed into the DMZ, then another will do the same for traffic going to the internal network from the DMZ. The aim of the DMZ is to provide a further level of security. Data that should be made available to the public, such as web servers, will reside within the DMZ.
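The header-based filtering decision described earlier (source address, destination address and port number) and the two-tier DMZ layout just described, together as an added Python example that is not code from the original article and does not model any product listed in it. The addresses, host roles and rule set are all constructed for illustration (documentation and private ranges). One caveat on the port numbers: the well-known TCP port for SMTP is 25 (port 23 is Telnet), so the rules below use 25 for mail. Each firewall evaluates rules first-match and drops anything that matches no rule, which is the default-deny posture you want; a packet from the internet to an internal host is refused at the outer firewall even though nothing explicitly mentions it, and a DMZ web server that has been compromised still cannot reach the internal network because the inner firewall only admits the mail relay.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example addressing (RFC 1918 and RFC 5737 ranges, not real hosts).
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
WEB_SERVER = "192.0.2.10"     # public web server, lives in the DMZ
MAIL_RELAY = "192.0.2.25"     # public mail relay, lives in the DMZ
INTERNAL_MAIL = "10.0.0.5"    # internal mail store, never directly reachable from outside


@dataclass(frozen=True)
class Packet:
    """The header fields a filtering firewall looks at."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match packet filter; a packet matching no rule is dropped (default deny)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules
        self.log: List[str] = []   # every decision is logged, accepts included

    def decide(self, pkt: Packet) -> str:
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                action = rule.action
                break
        else:
            i, action = -1, "drop"
        why = f"rule {i}" if i >= 0 else "default deny"
        self.log.append(f"{self.name} {action.upper()} [{why}] "
                        f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return action


# Outer firewall: between the internet and the DMZ.
OUTER = Firewall("outer", [
    Rule("accept", "0.0.0.0/0", f"{WEB_SERVER}/32", "tcp", 80),   # public HTTP
    Rule("accept", "0.0.0.0/0", f"{MAIL_RELAY}/32", "tcp", 25),   # inbound SMTP to the relay
    Rule("accept", str(DMZ), "0.0.0.0/0", "tcp", 25),             # relay sends mail out
])

# Inner firewall: between the DMZ and the internal network.
INNER = Firewall("inner", [
    Rule("accept", f"{MAIL_RELAY}/32", f"{INTERNAL_MAIL}/32", "tcp", 25),  # relay hands mail inward
    Rule("accept", str(INTERNAL), str(DMZ)),                                 # staff may use DMZ services
])


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in INTERNAL:
        return "internal"
    if a in DMZ:
        return "dmz"
    return "external"


def path(pkt: Packet) -> List[Firewall]:
    """Firewalls the packet crosses, in order; external<->internal traffic crosses both."""
    order = [("external", OUTER), ("internal", INNER)]
    if zone(pkt.src) == "internal":
        order.reverse()
    ends = (zone(pkt.src), zone(pkt.dst))
    return [fw for z, fw in order if z in ends]


def allowed(pkt: Packet) -> bool:
    """A packet gets through only if every firewall on its path accepts it."""
    return all(fw.decide(pkt) == "accept" for fw in path(pkt))


if __name__ == "__main__":
    probes = [
        Packet("203.0.113.7", WEB_SERVER, "tcp", 80),     # public web: allowed
        Packet("203.0.113.7", WEB_SERVER, "tcp", 23),     # telnet to web server: dropped at outer
        Packet("203.0.113.7", INTERNAL_MAIL, "tcp", 25),  # straight to internal mail: dropped at outer
        Packet(WEB_SERVER, "10.0.0.9", "tcp", 3306),      # DMZ host reaching inward: dropped at inner
        Packet(MAIL_RELAY, INTERNAL_MAIL, "tcp", 25),     # relay delivering inward: allowed
    ]
    for p in probes:
        print(f"{p.src} -> {p.dst}:{p.dport}", "allowed" if allowed(p) else "blocked")
    print(*OUTER.log + INNER.log, sep="\n")
```

Because `allowed()` stops at the first firewall that drops the packet, the log entry for a refused packet always names the tier that refused it, which is exactly what you need when reviewing why something that should have worked did not.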

Strengthening the OS

The operating system that firewalls run on top of is very important and will determine, to a certain extent, how solid the product will turn out to be. A firewall running on NT may not be the most impenetrable product on the market, as it has to cover up the potential security holes in the OS before considering hackers.

NT-based firewalls do, however, tend to be less expensive and so more of an entry-level choice. The more expensive firewalls will be based upon proprietary OSs - mostly Unix; BSD-Unix is a popular choice. The firewall will use a hardened version of the original OS in order to limit the potential problems that can be encountered through weak operating systems.

Keeping track of the different attacks that hackers use is vital if you are to maintain a secure network. The unfortunate fact is that there are literally hundreds of them; some more dangerous than others. The good news is that most firewalls will, as default, protect against the vast majority of them.

The attacks fit into a number of different categories:

- ICMP redirects and redirect bombs - ICMP redirects are used legitimately to redirect packets that have been given a bad route to a particular destination. If these redirect packets can be forged, all sorts of damage can be done.

- Denial of Service (DoS) - DoS attacks are both well known and extremely easy to carry out. Not a lot of thought goes into a DoS attack; at the end of the day it is a brute-force, low-skill attack. In short, an overload of IP traffic is sent to a router, which becomes overrun with data and stops working, and downtime is experienced as a result. Unfortunately DoS attacks are very difficult to prevent, as there are simply too many links in the chain.

- SMTP Session Hijacking - This is where a spammer takes thousands of copies of a message and sends them on to a huge list of mail addresses. To make it easier, the spammer will use a third-party SMTP server, such as yours, to deliver it. You will then appear to be the cause of the problem.

- Exploiting bugs in applications - A lot of software out there contains bugs that hackers can use to their advantage. Working remotely they can use these bugs to do anything from crashing applications to gaining complete control of the machine via the root or administrator account.

- Bugs in Operating Systems - OSs that are new to IP networking will always have vulnerabilities and NT is a prime example of this. As a result many firewalls need to strengthen an already weak OS, while trying to deny hack attempts at the same time.

Certifiably secure

One of the most important aspects to internet security products is certification.

If you buy a certified product, you immediately know that it complies with certain standards and quality assurances.

ICSA is a provider of internet security assurance, and products without its certification are few and far between. The company claims that it uses a risk-reduction framework to develop criteria by which industry-wide categories of products are tested.

Another certification framework, based on the US TCSEC specification, was taken up by the UK, Germany, France and the Netherlands during the 1980s, the result being the ITSEC (IT Security) Evaluation Manual.

Most of the vendors mentioned in the table are in the process of applying for ITSEC approval. So far only two have completed the process because, though worthwhile, it takes an extraordinary amount of time.

The table lists a number of different features that firewalls deliver.

Unfortunately, the sheer complexity of the products makes it all but impossible to list all the different functions. However, one important aspect that should be looked into is authentication.

Although fairly standard in today's security-conscious internet-driven businesses, authentication is key to confirming the identity of users.

Many of the products rely solely on standard authentication methods, such as RADIUS and TACACS. Others, however, go one step further and employ third-party authentication products. This can include smart cards or other such devices.

This may well increase the amount you can expect to pay, but then depending on your security policy, it may well be a necessity.

Proxies and protocols

The list of protocols that firewalls need to support and recognise is huge, and it is well worth checking this out before you buy. If you use a lot of multimedia, and require your firewall to recognise and check them, there is no point investing in a product that does not support streaming media, for example.

Proxies are also important, and an extensive list of them should be supported by the firewall that you purchase. This includes things like Telnet, SMTP, Gopher, POP3 and FTP, among others.

Our table of products covers a range of available firewalls from an overcrowded market. Some are high-end, while others are not quite so high-end. A product such as the GTA GNATbox, although seemingly good on paper and with an extremely attractive price, is simply not powerful enough for large corporate use.

The table does, however, cover many that are. The Cisco PIX is extremely powerful, but not quite as feature-rich as some of the others. Watchguard has developed an extremely impressive piece of kit with its Firebox II.

Although both of these are hardware-based firewall solutions, that is not always the best approach.

The first line of defence

Checkpoint, Network Associates, Borderware, Secure Computing, and AltaVista, among others, have all developed products that can compete on a level playing field.

At the end of the day, it is up to you to decide which approach to security best suits your needs. In many large organisations security will not be based upon one single product, rather a combination of products, and this could be the best way to go to optimise your corporate network against external attacks.

However, it is important to remember that a firewall alone will not be enough to ensure the security of your network. You may also want to look at third-party security analysis software. Axent, ISS and Network Associates all offer this type of product, which will check your whole network infrastructure for possible weaknesses.

This is a very worthy addition, as it is easy to overlook things when configuring and maintaining a firewall. Unless the firewall is completely watertight, a hacker who wants to gain access will find a way in.

Firewalls are the first line of defence and with this in mind you have to get out there and take a look at what the market has to offer. It won't take long for you to rule out most of the products available, and before you know it your security policy will be up and running.

The ISS Internet Scanner is reviewed on page 23.