
November 01, 1997, Section: NT Enterprise Edition

Safe and Sound? -- The latest firewalls from Check Point Software, Digital Equipment, Network-1 and Raptor Systems prove that not all security gear is created equal.

By David Hafke

As a security-conscious network administrator, you know that you must protect your Internet connections from external threats. That typically means evaluating and deploying firewall technology, which serves as a crossing guard between the Internet and your private systems.

As we discussed last month (see NT Feature, October), there are three types of firewalls: packet filters, application-level proxy servers and stateful inspection servers. This month, we'll review two proxy servers (Digital Equipment's AltaVista Firewall 97 and Raptor Systems' EagleNT) and two stateful inspection servers (Check Point's FireWall-1 and Network-1's Firewall/Plus), which are generally more secure than basic packet filters. The firewalls reviewed here run on Windows NT Server, and are certified by the National Computer Security Association (NCSA), a Carlisle, Pa., company that tests security gear.

Application-level firewalls, such as AltaVista Firewall 97 and EagleNT, are essentially proxy servers with packet filtering capabilities. Such firewalls typically support local caching of Web content and address translation, which hides your internal IP addresses from curious eyes on the Internet.

AltaVista Firewall 97

While most firewall manufacturers expect you to be well-versed in NT security, Digital holds your hand as you set up AltaVista Firewall 97. Compared with the other firewalls in this review, it is by far the easiest to install and configure.

AltaVista Firewall 97 provides proxies for HTTP, FTP, Telnet, Finger, NNTP, SMTP and RealAudio. Should you require additional protocol support, you can create your own generic TCP proxies.

This firewall's user-friendly install program offers diagrams and detailed text to help novices understand the deployment process. It is the only firewall in this review that further secures NT before installing the firewall. For instance, it recommends changing the name of the default administrator account, thereby making it more difficult for an attacker to gain access.

In the event of an attack, AltaVista Firewall 97 alerts your firewall administrator's workstation. During normal security status, the workstation's background wallpaper is green; if suspicious activity is detected, the wallpaper turns yellow, orange or red, depending on the alert's urgency. AltaVista Firewall 97 can also e-mail alerts to administrators, disable specific proxies or shut down your entire Internet connection as means of protecting your network.

When we inspected AltaVista Firewall 97 for vulnerabilities using Internet Security Systems' Internet Scanner (see NT Feature, October), we found no weaknesses. In fact, the firewall even detected that it was being scanned and went into code yellow.

Of the firewalls we reviewed, AltaVista Firewall 97 wins top marks for its installation program and user interface.

You should have no trouble customizing its configuration or security policy.

We did find a few minor shortcomings, including the lack of stateful inspection technology and support for only two network connections. That means you can't build a demilitarized zone (DMZ), because a DMZ requires at least three network connections: one external link, one internal link for outbound Net access and a second internal link leading to the DMZ. This DMZ link typically contains Web servers (but no other corporate systems).

EagleNT

Raptor's EagleNT firewall includes all of the proxies supported by AltaVista Firewall 97, plus a variety of others, such as ICMP and NTP.

Due to Raptor's UNIX roots, EagleNT takes some getting used to. If you're accustomed to Windows, you'll find the firewall's graphical interface a bit atypical. For example, it has scroll bars, but clicking on them is fruitless. You must right-click and drag on the text inside the window to scroll.

EagleNT has two major components: Eagle and Hawk. Eagle is the firewall engine that sits on an NT server located between your network and the Internet; Hawk is a management utility that runs on a system of your choice, such as the firewall itself or a workstation.

On the plus side, EagleNT supports virtual private networks (VPNs), which are encrypted links between two or more firewalls that let you create secure Internet connections between branch offices and central offices. By contrast, AltaVista Firewall 97 supports VPNs via Digital's optional AltaVista Tunnel product (from $995 for 50 users). Moreover, EagleNT supports an unlimited number of internal and external network connections, making it an ideal choice for linking multiple LANs to the firewall and implementing a DMZ.

We found no vulnerabilities when scanning EagleNT, but we did find one cause for alarm. The firewall's configuration information is stored in several text files on the firewall's hard drive. While no outsiders should be able to access your firewall's hard drive or change the text files, an internal user (for instance, an irate network administrator) could make alterations that open extensive security holes.

Further complicating matters, EagleNT doesn't support some network interface cards (NICs), including selected adapter cards from Advanced Micro Devices (AMD) and Standard Microsystems Corp. (SMC).

Stateful inspection servers

For the latest and greatest in firewall technology, give stateful multilayer inspection servers a try. Stateful inspection firewalls are much more flexible than their application-level counterparts. While proxy servers require a proxy for every application you wish to use, stateful inspection servers don't suffer from this limitation. Their foundations are similar to packet filters in that you decide which packets will pass through your firewall based on the protocol, port, and source and destination IP addresses.

FireWall-1

Check Point Software Technologies developed and patented stateful inspection security, and offers it in FireWall-1, the company's flagship product.

Installing FireWall-1 on an NT server can be difficult. FireWall-1 doesn't work well with AMD, Compaq Computer and SMC NICs. Check Point claims improved support for these cards should arrive shortly. After learning this, we started fresh using two Intel EtherExpress PRO cards. This time we had no trouble installing the firewall.

During installation, you'll notice three components: an authentication agent, the FW-1 engine and the graphical management utility. You must install the engine and authentication agent on the server, but you can install the management utility on any system on the network. That will allow you to perform remote management tasks.

FireWall-1 has an impressive object-oriented interface that makes setting up rules simple. Rules are created in a top-down hierarchy. The firewall tries to match the state of the packet with the criteria of a rule, starting at the top of the list and working downward.
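To make the two ideas above concrete, the top-down, first-match rule base described here and the connection state that separates stateful inspection from a plain packet filter (the "Stateful inspection servers" section), here is a small Python model added for this page. It is illustration code written for the reprint, not Check Point's FireWall-1 engine or its rule syntax; the rule base, the addresses (documentation ranges) and the packet sequence are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the TCP SYN that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR prefix; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means "any port"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


Flow = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Top-down, first-match rule base plus a table of accepted flows."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.flows: Set[Flow] = set()

    @staticmethod
    def _flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # 1. State check: a packet belonging to an already-accepted flow
        #    (either direction) passes without consulting the rule base,
        #    so replies need no inbound rule of their own.
        if self._flow(pkt) in self.flows or self._reverse_flow(pkt) in self.flows:
            return "accept"
        # 2. A TCP packet that is not a SYN and has no tracked flow is
        #    mid-stream traffic nobody asked for; a stateless packet filter
        #    would still run it through the rules, a stateful one drops it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        # 3. Walk the rule base from the top; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.flows.add(self._flow(pkt))
                return rule.action
        # 4. Implicit cleanup rule: nothing matched, so drop.
        return "drop"


# Constructed rule base: internal 10.0.0.0/8 may open Web connections
# outward, the Internet may reach the mail relay 10.0.0.10 on port 25,
# and an explicit final rule drops everything else.
RULES = [
    Rule("accept", proto="tcp", src="10.0.0.0/8", dport=80),
    Rule("accept", proto="tcp", dst="10.0.0.10/32", dport=25),
    Rule("drop"),
]


def demo() -> List[str]:
    fw = StatefulFirewall(RULES)
    traffic = [  # constructed packet sequence
        Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 80, syn=True),  # outbound Web
        Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000),            # its reply
        Packet("tcp", "203.0.113.9", 1234, "10.0.0.5", 80, syn=True),    # unsolicited inbound
        Packet("tcp", "203.0.113.9", 1234, "10.0.0.10", 25, syn=True),   # inbound mail
        Packet("tcp", "203.0.113.9", 5555, "10.0.0.10", 25),             # mid-stream, no state
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second packet is the interesting one: no rule in the list accepts traffic from the Internet to port 40000, yet it passes because the outbound SYN already created a flow entry. The last packet shows the converse: rule 2 would accept it on a stateless filter, but without a SYN or a tracked flow the stateful engine never reaches the rule base.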

FireWall-1 has several other strong features. First, like proxy servers, it supports address translation, which hides your internal systems' IP addresses from probing eyes on the Internet. Second, its documentation is very thorough: It includes books on installing the firewall, how stateful multilayer inspection works and how to configure the firewall using its GUI. Nevertheless, installation remains difficult, and FireWall-1 doesn't warn you about unsupported NICs.

Firewall/Plus

The final firewall we tested, Network-1's Firewall/Plus, is completely invisible to other systems on the network. It can't even be pinged by the internal systems that it's protecting.

Firewall/Plus is designed to be inserted between your private network and your Internet router. Once installed on an NT server, it acts like a packet sniffer by examining packets and forwarding those that are destined for the Internet.

The program's user interface is far from perfect, but it is workable once you get the hang of it. In fact, portions of the interface have gained fame because they depict trusted nodes as angels and untrusted nodes as devils.

Though Firewall/Plus supports advanced stateful inspection technology, we found a few shortcomings. It does not run with Service Packs 1 or 2 installed on Windows NT because Microsoft made TCP.SYS changes in the operating system. Also, it only supports two network interfaces (one internal and one external), which means it won't support DMZs. Finally, Firewall/Plus has no address translation capabilities, although there are plans to add this in the future.

Decision day

Though Digital's AltaVista Firewall 97 wins kudos for its ease-of-use features, we generally don't recommend using a proxy server as your primary firewall because stateful inspection servers are typically more robust. With that in mind, Check Point Software's FireWall-1 should be at the top of your evaluation list. It offers the best of both worlds: stateful inspection and address translation. Once Firewall/Plus gets address translation (which should arrive shortly) and supports additional NICs and interfaces, give it a look. We certainly will.

HEAD TO HEAD: Firewalls

AltaVista Firewall 97

Bottom Line: Easy-to-configure application-level firewall with an intuitive interface

Price: 50 nodes, $3,995; 200 nodes, $7,995; unlimited nodes, $14,995

Pros: Further secures NT during setup; intuitive interface

Cons: Only supports two network connections; lacks stateful inspection technology

Strongest Rival: EagleNT

Digital Equipment Corp., 800-336-7890, 508-486-2308. Winfo #830

--

EagleNT

Bottom Line: Proxy-based firewall with many options and features

Price: 100 nodes, $6,500; 250 nodes, $11,000; unlimited nodes, $15,000

Pros: Supports virtual private network features

Cons: Poor user interface

Strongest Rival: AltaVista Firewall 97

Raptor Systems, 800-9-EAGLE6, 617-487-7700. Winfo #831

--

FireWall-1

Bottom Line: A high-end device from the inventors of stateful inspection technology

Price: 25 nodes, $2,995; 50 nodes, $4,995; 100 nodes, $7,995; 250 nodes, $9,995; unlimited nodes, $18,995

Pros: Supports address translation, which hides your internal IP addresses from external hackers

Cons: Doesn't support some network interface cards

Strongest Rival: Firewall/Plus

Check Point Software Technologies Ltd., 800-429-4391, 650-562-0400. Winfo #832

--

Firewall/Plus

Bottom Line: A stateful inspection firewall that acts like a packet sniffer

Price: Enterprise Edition, $4,500 to $12,000; Server Edition, $750 to $2,250

Pros: Makes your network completely invisible to the world

Cons: No address translation; doesn't work with NT 4.0 Service Packs 1 or 2; only supports two network interfaces

Strongest Rival: FireWall-1

Network-1 Software and Technology, 800-NETWRK1, 212-293-3068. Winfo #833

Copyright (c) 1997 CMP Media Inc.


