Internet Security Professional Reference:How to Buy a Firewall


Evaluating Flexibility and Features

With a firewall, the term “flexibility” can also imply insecurity. With some firewalls, such as Digital’s AltaVista Firewall and LSLI’s PORTUS, you don’t have a lot of flexibility. On the other hand, this lack of flexibility makes it almost impossible to screw up and build an insecure configuration. Firewalls are as susceptible to feature creep as any Microsoft product. For example, Check Point’s Firewall-1 started out as a sophisticated packet filter. Today, it is a stateful inspection engine with additional part-time application proxies, NAT, and an encrypted virtual private network (VPN) gateway.

The king of the features is certainly TIS’s Gauntlet. As the oldest continually enhanced product, Gauntlet includes more application-level proxies than any other. It also has a wide range of authentication options for users, including four different kinds of one-time passwords. Add in encrypted VPN support, packet filtering, an integrity checker, and content filtering of HTTP queries to get a complex but flexible full-featured system. The feature list in Gauntlet will appeal to any network manager who has to satisfy a broad security policy and who wants to get into the bowels of the firewall.

Gauntlet has good competition in Raptor’s Eagle. Eagle has many of the features of Gauntlet, but with fewer proxies, no packet filtering, and no VPN in the NT version (VPN is available in the Unix version). Eagle provides a much better management and configuration interface, along with built-in real-time reporting of intrusion attempts. Eagle, however, suffers from a lack of maturity in some of its proxies. For example, its SMTP relay doesn’t support any well-accepted RFC extensions, including PIPELINING, SIZE or 8BIT, and its FTP proxy is unacceptably intolerant of FTP clients.

Other products vary in the effectiveness of the way they handle SMTP relays, VPN, and other features.

None of the SMTP relays in the firewalls are especially intelligent or useful. Handling e-mail in firewalls by running it through sendmail—which is what all SMTP relays except for AltaVista Firewall do—is a little like handling eggs by giving them to a small child. You would be better off using a secure mail server in the first place and piping your mail through the firewall via proxy rather than relay.

Virtual private networks (sometimes called “encrypted tunnels”) are also on the hot list. Using VPNs, an organization can build a secure communications path either internally or across a public network, such as the Internet. VPN support is built into Check Point’s Firewall-1, the Unix version of Raptor’s Eagle, Milkyway’s Black Hole, and TIS’s Gauntlet. Digital offers VPN support using a separate layered product, AltaVista Tunnel.

VPNs are most often used when two firewalls build a tunnel between them for encrypted communications. However, the new feature people are clamoring for is personal tunneling, which gives a single user on an insecure network (such as the Internet) the capability to connect securely through the firewall. Only Digital and Raptor offer personal tunneling at this time.

Firewalls also differentiate themselves in the breadth of their authentication capabilities. Most network managers are turning to one-time passwords to increase security when authenticating users for remote (and sometimes local) access. Popular choices include the free S/Key system, Security Dynamics Technologies, Inc.’s time-based SecurID, and DES-based systems from Digital Pathways, Inc. or CryptoCard Corp. The widest choices come in TIS’s Gauntlet, LSLI’s PORTUS, and Milkyway’s Black Hole, which offer all three.


Note: One-time passwords are just that—a password used only one time. A one-time password is good for one time, one username. It cannot be used ever again. If someone happens to capture it traveling over the Internet, or see you type it in, it doesn’t matter—it’s not useful anymore. With some one-time password systems, such as Security Dynamics’ SecurID, the password is simply generated by some software or hand-held token (which looks like a pocket calculator). In others, such as Digital Pathway’s SNK, the token (or software) calculates the right password given a challenge issued by the authentication system (which you may have to enter from your screen).

Most one-time passwords are also known as “two factor” authentication systems. The two factors, in this case, are two different things that you must bring together to authenticate yourself. Normally, this is divided into “something you know” and “something you have.” For example, you may have to send both a secret PIN and the generated one-time password to gain access. That way if someone steals your token, it’s useless without your PIN.
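The S/Key system named above is a hash chain: the token holds a secret seed, the server holds only the last accepted value, and each login presents the value one step back down the chain. The following is an added illustration, not code from the book or from any product it discusses; it substitutes SHA-256 for S/Key's original MD4 and uses a constructed random seed to show why a captured password is useless on a second attempt.

```python
import hashlib
import secrets


def chain(seed: bytes, count: int) -> bytes:
    """Apply the hash function `count` times to the seed (H^count(seed))."""
    value = seed
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class SKeyVerifier:
    """Server side: stores the chain head H^N(seed) and N, never the seed."""

    def __init__(self, seed: bytes, length: int):
        self.sequence = length
        self.last_accepted = chain(seed, length)

    def check(self, candidate: bytes) -> bool:
        """Accept only if H(candidate) equals the stored head, then advance."""
        if self.sequence == 0:
            return False  # chain exhausted; a new seed must be enrolled
        if hashlib.sha256(candidate).digest() != self.last_accepted:
            return False  # wrong value, or a replay of an already-used one
        self.last_accepted = candidate
        self.sequence -= 1
        return True


class SKeyToken:
    """Client side (the 'calculator'): knows the seed, emits H^(N-1), H^(N-2), ..."""

    def __init__(self, seed: bytes, length: int):
        self.seed = seed
        self.next_index = length - 1

    def next_password(self) -> bytes:
        password = chain(self.seed, self.next_index)
        self.next_index -= 1
        return password


def demo_replay_is_rejected() -> dict:
    """Login, then replay the same captured password, then log in again."""
    seed = secrets.token_bytes(16)  # constructed at enrollment; shared with the token only
    server = SKeyVerifier(seed, length=5)
    token = SKeyToken(seed, length=5)
    first = token.next_password()
    return {
        "first_login": server.check(first),
        "replay": server.check(first),  # same value seen on the wire: rejected
        "second_login": server.check(token.next_password()),
    }
```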


Certain newer features are just making it into the firewall product lines. For example, HTTP URL and content-based filtering is a hot topic in the security community; firewalls are just beginning to add this. Currently, content-based filters can be used to keep Java and ActiveX programs from entering the local network. Global Internet’s Centri, TIS’s Gauntlet, and Check Point’s Firewall-1 were the first to add this feature.

