Internet Security Professional Reference: How to Buy a Firewall


Assessment Strategies

To be successful, a security audit must be thorough: it cannot leave out classes of vulnerability. It must also be repeatable, so that successive audits give a consistent view of the firm's security practice rather than a snapshot that depends on who ran it. By its very nature, a security assessment will initially increase the workload of an MIS department. These seemingly conflicting goals can be met with security audit tools that make the process thorough and repeatable while providing an effective means of tracking corrective actions.

One of the most popular tools for security assessment is the SAFEsuite line of security scanners from ISS. These scanners automate security scanning across an enterprise and can look at security from all three vantage points: from outside the firewall, from inside it, and on the machines themselves.

SAFEsuite is the most comprehensive line of security scanners, including a web scanner, a firewall scanner (which checks a single system for known vulnerabilities), an intranet scanner that checks every system on a network, and an OS-specific scanner for Unix systems.

Although SAFEsuite is one of the best tools you can add to your toolbox for verifying a firewall installation and configuration, it can be relied upon too heavily. Almost by definition, every firewall vendor already knows about every attack a commercial scanner can throw at it, so a clean scan says little about the firewall itself. In the tests, Opus One learned nothing surprising about the firewalls from ISS's scanners. It did learn some very interesting things about the internal network behind the firewall, however, and that alone makes something like SAFEsuite a good investment.
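The "thorough and repeatable" requirement above, and the three vantage points a scanner can take, come down to one discipline: write down what the security policy says should be reachable from each vantage point, probe exactly that, and diff the result against the policy every time the audit is run. The following Python script is an added illustration of that discipline; it is not part of the original chapter and is not ISS or Opus One code. The hostnames under .test, the policy rules and the observed scan results are constructed sample data, and only TCP connect probing is implemented.

```python
"""Repeatable firewall policy audit (added example).

The policy is a list of Rule objects, one per (vantage point, host, port),
stating whether the port should be reachable from that vantage point.  A scan
is run once from each vantage point, and audit() diffs what was observed
against what the policy says, reporting four kinds of discrepancy.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One line of the security policy as seen from one vantage point."""
    vantage: str       # "outside", "inside" or "host"
    host: str
    port: int
    expect_open: bool  # True: policy permits this service; False: it must be blocked


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes.

    Refused, filtered (timed out) and unreachable ports all return False; a
    connect scan cannot tell a dropped packet from a closed port, which is one
    reason a scanner alone is not a complete audit.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(rules, probe=tcp_probe):
    """Probe every (vantage, host, port) the policy mentions.

    The caller runs this once from each vantage point; `vantage` is only a
    label that ties the observation back to the policy rule it tests.
    """
    return {(r.vantage, r.host, r.port): probe(r.host, r.port) for r in rules}


def audit(rules, observed):
    """Diff observed reachability against the policy.

    All four lists are sorted so that two audit runs can be compared line for
    line, which is what makes the audit repeatable rather than anecdotal.
    """
    expected = {(r.vantage, r.host, r.port): r.expect_open for r in rules}
    return {
        # reachable although the policy says blocked: an exposure to fix now
        "exposures": sorted(k for k, is_open in observed.items()
                            if is_open and expected.get(k) is False),
        # unreachable although the policy permits it: outage or over-tight rule
        "outages": sorted(k for k, is_open in observed.items()
                          if not is_open and expected.get(k) is True),
        # observed but the policy says nothing: a gap in the policy itself
        "unpolicied": sorted(k for k in observed if k not in expected),
        # in the policy but never probed: a gap in the scan's thoroughness
        "unscanned": sorted(k for k in expected if k not in observed),
    }


# Constructed sample policy (hosts under .test are placeholders).
POLICY = [
    Rule("outside", "mail.example.test", 25, True),
    Rule("outside", "mail.example.test", 23, False),
    Rule("outside", "www.example.test", 80, True),
    Rule("inside", "fileserver.example.test", 22, True),
    Rule("inside", "fileserver.example.test", 445, True),
]

# Constructed observations standing in for scan(POLICY) run from each
# vantage point; a real run would call scan() instead of using this dict.
OBSERVED = {
    ("outside", "mail.example.test", 25): True,
    ("outside", "mail.example.test", 23): True,        # telnet reachable: exposure
    ("outside", "www.example.test", 80): True,
    ("inside", "fileserver.example.test", 22): False,  # ssh blocked: outage
    ("inside", "fileserver.example.test", 445): True,
    ("inside", "fileserver.example.test", 2049): True, # NFS never policied: gap
}


def example_audit():
    """Audit the constructed observations against the constructed policy."""
    return audit(POLICY, OBSERVED)


if __name__ == "__main__":
    for kind, findings in example_audit().items():
        print(f"{kind:11s} {findings}")
```

The sample run flags telnet on the mail host as an exposure, the blocked ssh rule as an outage, and the NFS port the policy never mentioned as a policy gap; an empty observation set would instead list every rule under "unscanned". Keeping the policy in code and the findings sorted means the next audit can be diffed against this one instead of re-interpreted from scratch.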

Table 7.3 summarizes the firewalls discussed in this chapter along four evaluation criteria: Management interface and GUI (how hard is it to configure and manage?), Flexibility and Features (can it fit into different environments and implement different security policies?), Reporting and Accounting (does the firewall report on usage and raise alerts when a break-in is detected?), and Performance (how fast does the firewall pass packets?).

Table 7.3
Results of the Test in Summary

Columns: Mgmt I/F; GUI | Flexibility/Features | Reporting/Accounting | Performance

Livingston IRX
  Mgmt I/F; GUI: Command line; complicated. Config helpers for Windows and Unix.
  Flexibility/Features: Packet filter only.
  Reporting/Accounting: Via syslog.
  Performance: (not tested)

Cisco 2500
  Mgmt I/F; GUI: Command line; complicated. Built-in WWW-based configuration helper.
  Flexibility/Features: Packet filter only.
  Reporting/Accounting: Via syslog in newer versions.
  Performance: (not tested)

Digital AltaVista
  Mgmt I/F; GUI: Solid; easy to build secure configurations. Configuration is strictly limited to ease management.
  Flexibility/Features: Not tremendously flexible. Application firewall only.
  Reporting/Accounting: Powerful reporting and alerting facilities. Automatically raises and lowers alert level based on outside criteria.
  Performance: (not given)

TIS Gauntlet
  Mgmt I/F; GUI: Very difficult. Most parameters file-based. Requires a high level of expertise.
  Flexibility/Features: King of the feature set. Many application proxies; can do packet filtering. Most featureful firewall.
  Reporting/Accounting: Poor alerting capability but good reporting services.
  Performance: (not tested)

Raptor Eagle
  Mgmt I/F; GUI: Very simple interface.
  Flexibility/Features: Relative lack of power compared to some (such as Gauntlet). Simpler firewall than Gauntlet, but with similar heritage. No packet filtering!
  Reporting/Accounting: Good reporting and alerting.
  Performance: Among the lowest of all firewalls in speed.

Network-1 Firewall/Plus
  Mgmt I/F; GUI: Very difficult to use interface. Hard to configure correctly and safely.
  Flexibility/Features: Extremely flexible. Can filter on any protocol and any bit pattern. Hard to set up.
  Reporting/Accounting: Almost none.
  Performance: Average

Check Point Firewall-1
  Mgmt I/F; GUI: Simple and powerful interface for multiple firewalls. On-line documentation lacking in details.
  Flexibility/Features: Susceptible to feature creep, but still has a reasonable toolbox for the security designer.
  Reporting/Accounting: Poor alerting and reporting capabilities.
  Performance: Varies, but generally high.

Global Internet Centri
  Mgmt I/F; GUI: Nice interface. Simple configuration options. Well explained.
  Flexibility/Features: Designed for simpler environments. Does both packet filtering and application proxying. Moderate power.
  Reporting/Accounting: Reporting needs tuning. Alarming almost non-existent.
  Performance: Good with a single stream; multiple streams susceptible to failure.

Livermore Software Laboratories PORTUS
  Mgmt I/F; GUI: File-based interface. Difficult to learn and understand.
  Flexibility/Features: Moderate feature level. Easily customized for unusual environments.
  Reporting/Accounting: Average reporting capabilities.
  Performance: High

Milkyway Networks Black Hole
  Mgmt I/F; GUI: Object-oriented and database-driven interface.
  Flexibility/Features: Many different configuration options. Broad spectrum of flexible policy implementations.
  Reporting/Accounting: Average reporting capabilities.
  Performance: (not tested)

Summary

In this chapter, you’ve learned the most important steps in picking a firewall. By starting with your security policy, you can quickly narrow the marketplace to a manageable size. You’ve seen the different common architectures and the significant factors that distinguish one firewall from another.

You can use the criteria in this chapter (including the summary data in Table 7.3) to evaluate any new firewall, or a new version of any firewall described here.

You've also seen some of the tools and methodologies you can use to test firewalls. In Chapter 8, "SATAN and the Internet Inferno," you'll learn about SATAN, a simple freeware firewall testing tool, and about how people on the Internet will be testing your firewall for you, whether you like it or not.
