Originating publication
April 27, 1998, Issue: 786
Section: Test Center

Firewall Round-Up 1998
New York - Firewall deployment is like heart surgery: Both are considered somewhat routine these days, yet everyone wants a specialist no matter how simple the procedure. Security resellers are reaping windfall profits as experts in an arcane field and frightening environment.

Consider these headlines from just the past three months: "Teenage Hacker Disables Airport Tower" and "Pentagon Computer Systems Infiltrated."

The demand for qualified resellers is no surprise given the statistics of computer-related crime, roughly defined as a host of acts ranging from theft of proprietary information to system penetration by outsiders to viruses and spoofing.

According to a study of 520 United States corporations, government agencies, financial institutions and universities conducted by the Computer Security Institute and the FBI, 64 percent reported computer security breaches in 1997, a rise of 16 percent over the previous year.

Almost three-quarters of the respondents that were hacked admitted financial losses from the intrusions, for a collective cost of $136.8 million. Although the so-called 80/20 rule, that 80 percent of all break-ins are from insiders, is less the case, this is only because Internet attacks have increased. Roughly half of all points of attack come from the Internet. The report is available from CSI at www.gocsi.com/prelea11.htm.

The firewall, a device that controls the flow of communication between internal networks and external networks and provides a barrier of safe and secure communication, is becoming an integral part of the information infrastructure.

More than ever, firewalls are performing more duties like enterprisewide management and fail-safing critical systems. In revisiting Web firewalls, the Test Center called for firewalls that provide the proper fail-safes and management tools to support a global enterprise network.

The Test Center looked at nine firewall solutions that run on Microsoft's Windows NT 4.0 platform. These vendors include industry leaders, newcomers and established products. The Test Center looked at products from Check Point Software Technologies, Computer Software Manufaktur, Digital Equipment Corp., Internet Dynamics, Microsoft, NetGuard, Network-1 Software & Technology, Raptor Systems and Secure Computing.

The Wild, Wild West

Resellers must remember that no matter how robust a firewall may be, it is only a perimeter defense. Teenagers are not the only ones who compromise firewalls; an uneducated user can seriously breach the firewall.

Consider the case of the user who unwittingly opens the door to outsiders by simply opening a private modem account from an unprotected system. Even if the workstation is not logged on to the corporate network, a crafty hacker could have a field day by viewing the diagnostic portals of network and device information and trapping SNMP messages.

Traditionally, hackers (sometimes referred to as crackers) view breaking into a system in much the same way mountain climbers explain their motivation for scaling a cliff: because it is there. The ever-increasing number of corporations interconnecting their information technologies to the Internet creates gold-mine opportunities. It gets even scarier if a hacker is an insider and a member of the IT staff.

Resellers specializing in firewall deployment work in an environment where networks are dynamically changing, requiring routine restructuring of the network topology and the firewall configuration. Access control lists and policies on firewalls can be numerous and confusing. Constant checking is necessary to ensure a firewall has been set up correctly. Resellers must predict what user actions could weaken a firewall and prepare for them through system administration, user training and policy initiatives.

The Architecture Debate

Firewalls come in two basic flavors: packet filters and application filters. Packet filters look at message routing information such as source, destination and port number. Conversely, application filters use an intermediary to analyze and forward data between the private and public networks. In essence, packet filters work at the network level. Application filters usually require a proxy that the user logs on to, ensuring that there is no direct connection to the public network. A separate proxy usually is required for each type of application such as FTP, HTTP and DNS.

Stateful inspection is a hybrid packet filter that remembers the state of the connection. For example, it remembers the port number used by a connection and ensures that access to the port is disabled when the connection is terminated. This is handy for applications that open multiple ports, such as FTP. Hackers often scan the higher ports in hope of finding an open one left by a long-gone FTP user.
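
The stateful inspection behaviour described above, as an added Python sketch that is not taken from the article or from any of the reviewed products. The class name, method names and the addresses are constructed for illustration; the filter watches an FTP control session, opens one data port for that client only, and closes it when the session ends.

```python
import re

# FTP server reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class StatefulFilter:
    """Toy stateful filter: a static port policy plus a table of live sessions."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)  # static policy, e.g. {21}
        self.control = {}      # (client, server) -> pinholes that session opened
        self.pinholes = set()  # (client, server, port) data ports currently open

    def inbound_syn(self, client, server, port):
        """Decide whether a new connection from client to server:port passes."""
        if port in self.allowed_ports:
            if port == 21:  # remember the FTP control session
                self.control.setdefault((client, server), set())
            return True
        # Outside the static policy: only a pinhole tied to a live session passes.
        return (client, server, port) in self.pinholes

    def server_reply(self, client, server, line):
        """Inspect control-channel replies; a 227 opens one port for one client."""
        m = PASV_RE.match(line)
        if m and (client, server) in self.control:
            nums = [int(x) for x in m.groups()]
            hole = (client, server, nums[4] * 256 + nums[5])
            self.pinholes.add(hole)
            self.control[(client, server)].add(hole)

    def connection_closed(self, client, server):
        """Control session ended: remove every port it opened (simplified;
        a real filter would also close the port after each data transfer)."""
        for hole in self.control.pop((client, server), set()):
            self.pinholes.discard(hole)

def demo():
    # Constructed addresses from the documentation ranges.
    fw = StatefulFilter(allowed_ports={21})
    c, s, other = "198.51.100.7", "192.0.2.10", "203.0.113.99"
    out = [fw.inbound_syn(c, s, 21)]                  # control connection
    fw.server_reply(c, s, "227 Entering Passive Mode (192,0,2,10,195,80)")
    out.append(fw.inbound_syn(c, s, 50000))           # data port, same client
    out.append(fw.inbound_syn(other, s, 50000))       # same port, other host
    fw.connection_closed(c, s)
    out.append(fw.inbound_syn(c, s, 50000))           # after the session ended
    return out

if __name__ == "__main__":
    print(demo())
```

A plain packet filter would need the whole high-port range left open to support the same transfer, which is the exposure the paragraph above describes.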

Some Assembly Required

Resellers must balance strict security enforcement with convenience for the users and their collaborative nature. This can only be achieved by a strong firewall infrastructure with multiple checkpoints and constant monitoring, auditing and fixing. The diagram on this page outlines components and architecture for an industrial-strength firewall.

Firewall maintenance also is important. Resellers maintaining networks for large customers should convince clients to maintain firewalls with a full-time monitoring staff.

In addition to vulnerable points in the front of the firewall, resellers must remove vulnerabilities behind the firewall. This accomplishes two goals: It creates a second line of defense should the Internet firewall become compromised, and it creates a defense for the "blitzkrieg" attack around the firewall through a modem or other unprotected gateway, such as a mainframe-to-IP gateway.