wall does not require the use of a router, but routers may be employed to enable certain configurations and architectural options. While most customers employ routers when connecting to a WAN, filtering rules installed in the router are only used as a way to reduce network "noise," rather than protect the Gauntlet Firewall. The Gauntlet Internet Firewall is designed to be a self-contained security system, not relying on other network components for its own or the internal network's security. TIS will assist Gauntlet Internet Firewall clients in determining the need for routers.
On what operating systems do Gauntlet products run?
The Gauntlet Firewall Software is available for the following operating system platforms:
BSD/OS operating system from Berkeley Software Design, Inc.
HP-UX from Hewlett-Packard
Solaris from Sun Microsystems
Windows NT from Microsoft
TIS has hardened these operating systems for use with the Gauntlet firewall.
Additionally, Gauntlet Firewall Software for IRIX is available from Silicon Graphics.
Why is it important to "harden" an operating system for a firewall?
The operating system is the base platform for firewall software. Most commercial operating systems are created to allow general use and access and provide many services useful for multiuser, server systems (services such as NFS), but too insecure to allow on a firewall. The base operating system must be "tightened" to disallow insecure services and to apply security patches. Unfortunately, most firewall vendors do not bother to do this. Consequently, their firewalls may be installed on insecure systems, devaluing the firewall's security.
Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?
Gauntlet Firewall Software supports all network interfaces supported by the operating systems. The turnkey version of the Gauntlet Internet Firewall supports only Ethernet connections at this time.
Should user accounts be permitted on a firewall?
No! The only account on the firewall is that of the Firewall Administrator, and he should either be required to use strong authentication, or be restricted to logging in from the firewall console.
Should general servers, such as WWW servers, be permitted on a firewall?
Only if you are using the secure servers available with the Gauntlet Internet Firewall, version 3.1 and later. Every application that is in any way directly accessible to attack from untrusted networks runs the risk of opening holes into the protected network. Only software specifically written to be secure, and rigorously reviewed for security relevant flaws (such as the proxies), should be placed on the firewall.
Does the Gauntlet Internet Firewall allow UDP or ICMP through?
The Gauntlet Internet Firewall does not standardly permit any connectionless protocols such as UDP or ICMP across the firewall. Because their connectionless nature makes it impossible to determine their actual source, all such applications must be considered inherently insecure and inconsistent with conservative firewall security. These services may be run through a VNP. Select services - SNMP, RealAudio, and Finger, for example - are supported securely through Gauntlet firewalls.
If anyone tries to sell you a firewall that allows generic UDP services through, ask to see their security assessment paper on the service, so you can understand why they think they can secure such services.
Does the Gauntlet Internet Firewall check for viruses?
Virus scanning software is supported by the Gauntlet Internet Firewall. Check with your sales representative for products and support options.
Is the Gauntlet Internet Firewall available in my country?
Yes. The Gauntlet Internet Firewall may be purchased from a growing list of resellers throughout the world, including Africa, Asia, Australia, Europe, and North and South America. Please contact TIS for a list of resellers.
Isn't the Gauntlet Internet Firewall based on freeware?
The Gauntlet Internet Firewall was originally based on the TIS Internet Firewall Toolkit, but is no longer. The TIS Internet Firewall Toolkit is licensed and freely available, but it is not "freeware," "public domain," nor "shareware." The FWTK has been downloaded by more than 50,000 individuals.
The FWTK is a licensed, freely available set of tools for building internetwork firewalls. It is made to be used by experts. The Gauntlet Internet Firewall is a complete, fully functional, fully supported product. This table provides a comparison:
Gauntlet Internet Firewall | TIS Internet Firewall Toolkit |
Source Code | Source Code |
TELNET Proxy | TELNET Proxy |
Rlogin Proxy | Rlogin Proxy |
FTP Proxy | FTP Proxy |
HTTP Proxy (WWW) | HTTP Proxy (WWW) |
Gopher Proxy | Gopher Proxy |
SMTP Proxy | SMTP Proxy |
NNTP Proxy | NNTP Proxy |
X11 Gateway | X11 Gateway |
Authentication Server | Authentication Server |
Java and ActiveX blocking | Java blocking (contributed) |
RSH Proxy | |
URL Screening (to control WWW access) | |
SSL | |
SHTTP | |
POP3 | |
Authenticated Circuit | |
Printer | |
Secure Server (FTP and HTTP) | |
E-mail Gateway | |
DNS Server | |
RealAudio | |
RealVideo | |
NetShow | |
VDOLive | |
Netmeeting | |
Sybase SQL | |
Oracle SQL*Net | |
Graphical Management Interface | |
Management Tools | |
Configuration Tester | |
Hardened Operating System | |
Smoke Alarms (intrusion probing alarms) | |
IP Spoof Protection | |
Routing Attack Protection | |
Transparent Access | |
Firewall-to-Firewall Encryption | |
Firewall-to-Desktop Encryption | |
Integrated Hardware Platform | |
Fully Integrated Software Components | |
Installation Support | |
Training | |
Telephone Support | |
Updates | |
TIS engineers will monitor the FWTK mailing lists, but no direct support is available. The fwtk-support list is used for support questions and answers; the user community provides its own support for the FWTK.
TIS distributes the FWTK, provides an FTP area for contributed software, and will package a new version, containing contributed code and bug fixes, at least every 12 months.
Doesn't the availability of source code make a firewall more vulnerable to attacks?
All firewalls are under the threat of attack. Vulnerability is a measure of whether a weakness exists that someone can exploit. We do not believe in security through obscurity. Our software has been developed using strong testing methods with the knowledge that it would be available in source code. We are depending on our design criteria and strong methods of development and testing rather than depending on the secrecy of our code. When ("when," not "if") someone's secret algorithm is reverse engineered, if they do not know it, they end up being vulnerable to attack, while still believing that they are safe.
Isn't making source code available contrary to good security practices?
On the contrary, formal security mechanisms are often based on open (well known) mechanisms. One example, is the Data Encryption Standard (DES). A characteristic of good security is that knowing the algorithm does not get you any closer to breaking the security, as with DES, knowing the input, the output, and the algorithm, does not get you the secret key.
According to the "Internet Marketing and Technology Report," Volume 2, Number 3, dated March 1996, "the term Intranet refers to an internal network that uses Internet technology and protocols (TCP/IP) to distribute informational resources to individuals within an organization." Think of it as internetworking within a trusted network. Even within a trusted network's security perimeter, an organization might want to compartmentalize systems and networks within networks. Firewalls within an organization's security perimeter can accomplish this.
What is the Gauntlet Intranet Firewall?
It is a firewall meant to be deployed within an organization's network security perimeter. It's used on the enterprise intranet. It is an add-on to an existing Gauntlet Internet Firewall, that allows you to place additional network strongholds within your network security perimeter.
Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?
It has most all the features of the Gauntlet Internet Firewall, at a lower price, but the main difference is that it is configured in conjunction with, and managed through an existing Gauntlet Internet Firewall. Operating within an organization's network security perimeter, the Gauntlet Intranet Firewall protects an enclave within an enclave. It's general access rules come from the controlling Gauntlet Internet Firewall. Additional access rules may be added. All logging is done via the logging rules defined by the master Gauntlet Internet Firewall. Encryption may be added. Additional services, normally considered insecure through an outer firewall, may be permitted through a Gauntlet Intranet Firewall. Also, because it is deployed within an organization's "trusted" network, firewall-to-firewall encryption is an option.
What's the Gauntlet Net Extender?
The Gauntlet Net Extender is a firewall for a remote office. It is an add-on to an existing Gauntlet Internet Firewall and has all the functionality of the Gauntlet Internet Firewall. Like the Gauntlet Intranet Firewall, it is managed through a master Gauntlet Internet Firewall and logging is done through the master firewall. The Gauntlet Net Extender must have an encrypted link to the master Gauntlet Internet Firewall. This can be used to set up a VPN or a VNP (see above). The Gauntlet net Extender "extends" the network security perimeter (see above discussion) to include other, remote offices.
What is the Gauntlet PC Extender?
The Gauntlet PC Extender is an add on to an existing Gauntlet Internet Firewall, extending the network security perimeter to include remote or mobile users. It allows for private and secure connections from home, hotel room, or remote Internet site, through your firewall into your private network. This means that a traveling user can use his or her PC in the same way and for the same services available when in the office, even services normally considered insecure (such as PC-NFS). Strong authentication and encryption provide the security needed.
The Gauntlet PC Extender runs on Windows 3.1.
Does Gauntlet PC Extender run on Windows 95 or Windows NT?
Yes
With what PC network products does the PC Extender work?
Contact your Gauntlet sales representative for the latest list of tested products, which includes Chameleon, Beame & Whiteside TCP, and Trumpet Winsock.
What do we have to do before we install our Gauntlet firewall?
TIS will send you a document explaining the questions that need answering and all preparations you need to make. This is a summary or key preparations:
If the installation is intended to connect the site to the Internet, an Internet connection available configured to the address of the Internet side of the firewall. This is to permit testing of the installed firewall.
A properly implemented firewall should be consistent with the goals of the site's Network Security Plan. The Network Security Plan should be made available to the firewall installer prior to installation.
The site should have a UNIX system administrator who is familiar with the site's various system files and network configuration available to work with the TIS installation personnel.
Prior to installation, a questionnaire is sent to the client's system administrator eliciting information concerning internal address schemes, DNS requirements, E-mail configuration requirements, etc. This questionnaire should be returned at least one week prior to installation.
What is the price of the Gauntlet Internet Firewall?
Contact TIS or your Authorized Gauntlet Reseller for current pricing and configurations.
How can TIS claim that it has "The Most Secure Firewalls"?
TIS bases its claim on the years of experience we have in formal computer, communications, and network security, and on building our firewall products using the most secure design approach in the industry.
Since an application gateway is the most secure type of internetwork firewall, TIS has designed the Gauntlet Internet Firewall to rely on proxies to provide services. Firewalls that combine application, circuit, and filtering gateway technology are only as secure as the weakest link of the three. In the Gauntlet Internet Firewall, all communication between one network and another is turned off. Network services are individually enabled through the application data bridges, called proxy software or proxies. Network packets are never passed between the networks, only application data. No direct connection is ever made between machines on opposite sides of the firewall.
The design approach, expanded in our functional summary document, combines the following seven tenets:
Simplicity in services provided and mechanisms
Simplicity in software design, development, and implementation
A "Crystal Box" approach, in which source code is distributed to allow for assurance reviews by our customers, our resellers, and other experts
No users are allowed on the firewall system itself
Anything that can be logged, should be logged, for a complete security audit trail
Strong user authentication methods and mechanisms must be supported and encouraged
A firewall should enforce an organization's network security policy, not impose one of its own
What can you recommend for further reading?
How is TIS different from other firewall vendors?
TIS is not a new, one-product company. Since its founding in 1983, TIS's business has been computer, communications, and network security associated with today's local and wide area networking environment. The TIS staff has experience in computer and communication security evaluation; development of computer security systems; development and use of formal security methodologies and tools; and security evaluation, certification, and accreditation of systems and networks. The focus of TIS's corporate organization is in providing systems security engineering support.
Trusted Information Systems, Inc. (TIS) specializes in advancing the state of information security technology and in reconciling system security requirements with the functional and mission requirements of operational systems. TIS is internationally known and respected for its research and applications solutions. TIS provides security products, such as the Gauntlet Firewall Family of products. TIS's consulting services are well known for excellence, completeness, and integrity.
TIS is publicly traded on the NASDAQ, symbol TISX.
TIS has offices located in the Washington, DC area, with its headquarters in Glenwood, Maryland, and the headquarters of its Commercial Division in Rockville, MD. TIS also has offices in McLean, Virginia, Los Angeles, San Francisco, London, and Munich.
How do I contact TIS for more information?
For further information please send electronic mail
to:
gauntlet-sales@tis.com, call us toll-free at 888-FIREWALL,
or (301) 527-9500, send a fax to (301) 527-0482, or write to us
at:
Trusted Information Systems, Inc.
Gauntlet Sales Department
15204 Omega Drive
Rockille, MD 20850