Internet Security Professional Reference:How to Buy a Firewall


Performance Testing Results

The performance tests (summarized in table 7.2) were surprising and revealing. Opus One discovered that neither the Raptor Eagle nor the Global Internet Centri firewall could complete the 5-stream TTCP test. In Raptor's case, the testers spent a lot of time on the phone with Raptor's technical support and a lot of time with a protocol analyzer. Opus One discovered that Raptor's generic proxy, which was the appropriate tool for our TTCP test, accepts the client's connection without first confirming that the other end is ready. Many protocols wouldn't care, but the benchmark was simple-minded: it started dumping data into the Eagle as soon as the connection was established. The Eagle couldn't handle it and ended up breaking the connection. It's not a fatal flaw, but if you choose Raptor, you might have to re-engineer applications that send immediately on connect to work around this behavior in the product.

When Eagle gets going, however, it does a good job. In the multi-stream FTP test, Eagle beat out all of the other products, both packet filter and proxy firewall alike.

The testers didn’t diagnose Global Internet’s problem as carefully as Raptor’s, but found a curious disparity between its TTCP and FTP performance. TTCP was extremely fast, second only to the first place performer, Digital’s AltaVista Firewall. FTP, however, was miserably slow with single-stream performance at about 500 KB/second. If a Centri was standing between you and the Internet, traditionally a very slow network, the Centri could end up as the bottleneck. In packet filtering of TTCP, the Centri turned in a good set of numbers.

Another slow FTP performer was Check Point Software’s Firewall-1 in “proxy mode.” Proxies—Check Point calls them Security Servers—were added recently to Firewall-1, and it’s clear that whoever implemented them didn’t have the same dedication to performance that has given Firewall-1 a reputation as such a fast firewall. Packet-filtered FTPs were very speedy, beating everyone in single-stream performance and coming in a very close second in multi-stream. But when proxy FTP was tested, Firewall-1 turned into a dog with an embarrassingly slow 300 KB/second.

Although Firewall-1 didn't beat AltaVista or Centri at pure TCP throughput (a surprising result, since conventional wisdom holds that packet filters outperform proxies), it did provide good throughput all the way around, 4 to 6 MB/second, when packet filtering and not proxying.

Network-1’s Firewall/Plus was generally a mediocre performer, especially given the packet filtering orientation of the product. Not as fast as the other packet filters at FTP (2 to 3 MB/second) and not as fast as anyone during raw TCP (2 to 4 MB/second), the Firewall/Plus seemed overwhelmed by our test network.

The best proxying performer was Digital’s AltaVista Firewall. Although Raptor’s Eagle edged it out in FTP performance, AltaVista did an exceptionally good job with the TTCP benchmark, hitting the highest throughput of the entire test: 8.3 MB/second.
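The harness below is an added example of the kind of TTCP-style test driven through the firewalls above; it is not code from the book or from Opus One's test suite. It pushes fixed-size writes over one or more parallel TCP streams and reports aggregate MB/s, the shape of the single- and 5-stream TTCP runs. The READY handshake is an assumed application-level workaround for the Raptor failure: the sender waits for one byte from the receiver before streaming, so a proxy that accepts the client side before the server side is ready is not flooded. On plain loopback (no proxy in the path) both modes succeed; the handshake only matters when something in the path accepts early.

```python
"""TTCP-style throughput harness (added example; not the book's or Opus One's code).
BLOCK, READY and the loopback sink are assumptions made to keep it self-contained."""
import socket
import threading
import time

BLOCK = 64 * 1024   # bytes per send()/recv() call
READY = b"R"        # receiver -> sender "go ahead" byte (assumption, not a TTCP feature)


def start_sink(host="127.0.0.1", wait_for_ready=True):
    """Listen on an ephemeral port and drain every connection to EOF, recording the
    byte count of each finished stream in `totals`. Returns (server_socket, port, totals)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(64)
    totals = []

    def drain(conn):
        received = 0
        with conn:
            if wait_for_ready:
                conn.sendall(READY)        # tell the sender the receiver is ready
            while True:
                chunk = conn.recv(BLOCK)
                if not chunk:
                    break
                received += len(chunk)
        totals.append(received)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listening socket closed: shut down
                return
            threading.Thread(target=drain, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], totals


def send_stream(host, port, nbytes, wait_for_ready=True):
    """One sender: connect, optionally wait for READY, push nbytes, close. Returns bytes sent."""
    payload = b"\x55" * BLOCK
    with socket.create_connection((host, port)) as s:
        if wait_for_ready and s.recv(1) != READY:
            raise RuntimeError("receiver never signalled ready")
        sent = 0
        while sent < nbytes:
            n = min(BLOCK, nbytes - sent)
            s.sendall(payload[:n])
            sent += n
    return sent


def benchmark(host, port, streams=1, nbytes=4 * 1024 * 1024, wait_for_ready=True):
    """Run `streams` senders in parallel. Returns (total_bytes, seconds, MB_per_second)."""
    sent, lock = [], threading.Lock()

    def worker():
        n = send_stream(host, port, nbytes, wait_for_ready)
        with lock:
            sent.append(n)

    threads = [threading.Thread(target=worker) for _ in range(streams)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    elapsed = max(time.perf_counter() - start, 1e-9)
    total = sum(sent)
    return total, elapsed, total / elapsed / (1024 * 1024)


def wait_for_streams(totals, count, timeout=10.0):
    """Block until the sink has finished `count` streams. Returns False on timeout."""
    deadline = time.monotonic() + timeout
    while len(totals) < count:
        if time.monotonic() > deadline:
            return False
        time.sleep(0.01)
    return True


def loopback_run(streams, nbytes, wait_for_ready=True):
    """Self-contained run against a local sink. Returns (bytes_sent, bytes_received, MB_per_second)."""
    srv, port, totals = start_sink(wait_for_ready=wait_for_ready)
    try:
        total, _, rate = benchmark("127.0.0.1", port, streams, nbytes, wait_for_ready)
        if not wait_for_streams(totals, streams):
            raise RuntimeError("sink did not finish all streams")
        return total, sum(totals), rate
    finally:
        srv.close()


if __name__ == "__main__":
    for n in (1, 5):
        sent, got, rate = loopback_run(n, 8 * 1024 * 1024)
        print(f"{n}-stream: sent {sent} bytes, received {got} bytes, {rate:.1f} MB/s")
```

To test a real firewall, run start_sink() on a host behind it and point benchmark() at it from the other side, once with wait_for_ready=True and once with False; a product that fails only the second run has the early-accept behavior described for the Eagle's generic proxy.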

Evaluating the Security of Firewalls

The product evaluated in this section is ISS SAFEsuite.

An important part of a successful firewall implementation is verifying that the firewall is actually doing what it's supposed to: keeping the bad guys out, letting the good guys through, and not being vulnerable to any well-known attacks. Concentrating on the firewall itself is not sufficient; you must look at the entire network environment around the firewall to find the weakest link.

Evaluating firewall security is something you must do before you install the firewall, immediately after the installation, and periodically after that.

Testing and verifying an installation properly means taking multiple views of the same system. These perspectives range from the physical security of the machines, to the configuration of the firewalls, to the trustworthiness of workers. Industrial espionage has historically been conducted in the physical world, so numerous practices have been developed for that portion of security assessment. Network-based industrial espionage has a much briefer history, and its security assessment practices are correspondingly less developed.

The security profile of a network of machines can be assessed from three principal vantage points:

  From the outside of the Enterprise—the view of the computer infrastructure through the firewall.
  From the inside of the Enterprise—the view of computers from behind the firewall.
  From the computer keyboard—the view from the actual operating system of the individual machine itself.

Each of these perspectives will reveal unique security vulnerabilities. Removing the vulnerabilities as seen from outside the enterprise is the first step to halting the efforts of the casual hacker in the industrial espionage age. Removing the vulnerabilities as they appear from behind the firewall accomplishes two goals. It creates a second line of defense should the firewall become compromised. It also creates a defense for the “blitzkrieg” attack around the firewall through a modem or other non-protected entryway. Finally, evaluating security from the machines themselves will close vulnerabilities that could be exploited through a firewall or from other machines on the network. It also hardens the security of the machines, restricting the avenues of attack for the disgruntled worker or the co-opted contractor.
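The probe below is an added example of the outside-the-firewall and behind-the-firewall verification described above; it is not ISS SAFEsuite or any product's code. For one vantage point it takes the access policy the firewall is supposed to enforce, attempts a TCP connect to each host and port, and reports both kinds of discrepancy: a service reachable that the policy says must be blocked (the firewall is letting something through) and a service unreachable that the policy says must be allowed (the firewall is breaking legitimate traffic). The hosts, ports and policies are constructed placeholders, and loopback_selfcheck() stands in for a real target so the logic can be run offline.

```python
"""Firewall policy verification probe (added example; not ISS SAFEsuite's code).
Hosts, ports and policies below are constructed placeholders."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    expect_open: bool   # True: policy permits reaching this service from this vantage point


# Constructed policies for the two network vantage points. The third view, from the
# machine's own keyboard, is a local configuration audit rather than a network probe.
POLICIES = {
    "outside": [                                    # probes launched from beyond the firewall
        Rule("mail.example.test", 25, True),        # SMTP must be reachable
        Rule("www.example.test", 80, True),
        Rule("fileserver.example.test", 2049, False),   # NFS must not leak out
        Rule("fileserver.example.test", 23, False),     # telnet must not leak out
    ],
    "inside": [                                     # probes launched from behind the firewall
        Rule("fileserver.example.test", 2049, True),
        Rule("fileserver.example.test", 23, False),     # even internally, no telnet
    ],
}


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                                 # refused, timed out, or unresolvable
        return False


def verify_policy(rules, probe=tcp_reachable):
    """Probe every rule; return the rules whose observed state contradicts the policy."""
    findings = {"unexpected_open": [], "unexpected_closed": []}
    for rule in rules:
        reachable = probe(rule.host, rule.port)
        if reachable and not rule.expect_open:
            findings["unexpected_open"].append(rule)      # firewall lets it through
        elif not reachable and rule.expect_open:
            findings["unexpected_closed"].append(rule)    # firewall breaks legitimate use
    return findings


def loopback_selfcheck():
    """Offline stand-in for a real target: one listening port and one closed port on
    127.0.0.1, with a policy that is right about each once and wrong about each once."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                                     # port released: connects are now refused
    rules = [
        Rule("127.0.0.1", open_port, True),         # allowed and reachable: compliant
        Rule("127.0.0.1", closed_port, False),      # blocked and unreachable: compliant
        Rule("127.0.0.1", open_port, False),        # must be blocked, yet reachable
        Rule("127.0.0.1", closed_port, True),       # must be allowed, yet unreachable
    ]
    try:
        return verify_policy(rules)
    finally:
        listener.close()


if __name__ == "__main__":
    findings = loopback_selfcheck()
    print("unexpected open:  ", findings["unexpected_open"])
    print("unexpected closed:", findings["unexpected_closed"])
```

Run verify_policy(POLICIES["outside"]) from a host beyond the firewall and verify_policy(POLICIES["inside"]) from one behind it, with the placeholder hosts replaced by your own; an empty findings dict from both vantage points is the check that the firewall is doing what it is supposed to, and it should be repeated before installation, immediately after, and periodically thereafter.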

