Gauntlet Internet Firewall FAQ
Original is at http://www.tis.com/docs/products/gauntlet/gauntletfaq.html
The purpose of this document is to answer questions about the Gauntlet Internet Firewall and internetwork firewalls.
A firewall is "a system or combination of systems that enforces a boundary between two or more networks." (All definitions in quotes are from the National Computer Security Association's standard Firewall Functional Summary template.) It is a controlled gateway between one network and another. Typically, people discuss putting a firewall between a private, trusted network and the public Internet. It is analogous to a guard post in the lobby of a building, or at the gatehouse of an enclosed installation. For more detail, see what we recommend for further reading near the end of this document.
What will a firewall do for me?
Connecting your private, internal network to an outside, untrusted network can be both a blessing and a curse. A blessing in that the exchange of computerized information (the lifeblood of modern commerce) is greatly facilitated. A curse in that you may be exposing your valuable network resources and the reputation of your organization to the whims of Internet hackers or industrial spies. These problems have been extensively documented in the technical media (see TIS's web page at www.tis.com). To minimize the risk while maximizing the benefit requires that an organization develop a comprehensive Network Security Plan. This should include user security awareness training, qualified network security system administrators, and a network architecture that promotes structured security and the use of appropriate network security components. The Gauntlet Internet Firewall is one of the important components of a well-designed network security architecture.
The Gauntlet Internet Firewall is designed to be the single point in your network through which all communications between your internal network and all outside, untrusted networks must pass. This is also the point at which the Network Security Administrator may monitor and control the flow of information between the networks. The Gauntlet Internet Firewall supports strong authentication mechanisms to ensure that only authorized users can enter your protected network. The Gauntlet Internet Firewall is capable of preventing unauthorized communications in either direction, and provides a log of all connections across the firewall in either direction. Properly configured, the Gauntlet firewall presents an impenetrable barrier to even the most persistent hackers seeking to access your network.
See our further reading list for more detailed information.
What will a firewall not do for me?
An Internet firewall is a controlled gateway. It cannot stop attacks from malicious insiders, nor can it take the place of education and security policies and procedures. It is part of an overall security plan.
What is a "network security perimeter?"
A network security perimeter is established by the methods and mechanisms used to secure the network against outside intrusion.
Defense in depth, also called host-based security, is "the security approach whereby each system on the network is secured to the greatest possible degree. [It] may be used in conjunction with firewalls."
What is a "perimeter defense?"
Also known as perimeter-based security, it is "the technique of securing a network by controlling access to all entry and exit points of the network."
Before launching into a description of different types of firewalls, the concept of a perimeter defense should be understood because of its importance to the proper function of a firewall. To a site administrator, establishing a perimeter defense means that all communications between the internal network and external, untrusted networks must pass through the firewall(s) in order to monitor and control the traffic. The organization's Network Security Plan should specify that any form of connection to or from machines outside the internal network is strictly forbidden without review and authorization from the security administrator. This should include modems, leased lines to other networks, etc. Users should be aware that connections between their secure internal network and any outside network, including that of a trading partner or client, may expose the internal network to attackers that have broken into the other network. It makes little sense to have a strong, well-protected front door (the firewall) if the back door and all the windows are left open.
What are the different types of firewalls?
There are four types of firewalls: filtering gateways, circuit gateways, application gateways, and hybrid or complex gateways.
Filtering Gateway
Filtering firewalls use routers and packet filtering rules to grant or deny access from one source address (host) and port (service) to a second destination address and port. Also called a screening router, it is "a router configured to permit or deny traffic based on a set of permission rules installed by the administrator."
For example, the administrator can use the router rules to permit a particular machine on the external network to FTP to a specific machine on the internal network, but deny that same machine the ability to TELNET to the internal machine. Similarly, one specific address on the external network can be permitted to FTP to a specific address on the internal network while all other addresses are denied permission to FTP to that address on the internal network.
The advantages of packet filtering firewalls are that they are fast, generally inexpensive, very flexible, and transparent. Also, they can be implemented on routers, and most organizations already have routers. Routers support static (unchanging) filtering.
Another type of filtering, dynamic filtering, tries to make sense out of higher-level protocols and adapt filtering rules to accommodate protocol-specific needs (e.g., simulated connections for connectionless protocols such as NFS and RPC services).
A disadvantage of a filtering gateway is that once access has been granted by the router to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host.
Another disadvantage of a packet filter is that the source and destination addresses and ports contained in the IP packet header are the only information available to the router for making the decision to grant or deny access to the internal network. Unfortunately, source addresses and ports can be spoofed, so that you cannot be sure who is really making the request for access. This is a critically important concept to understand. In reality it means that if you permit anyone to come through your router and access software on one of your internal host machines, everyone can access that software on that host. And if the software being accessed cannot do strong authentication, or has a hole in it, the intruder has gained access to your network.
Also, routers do not generally provide robust (if any) logging facilities, making it difficult to know when your network is under attack, or how to recover from a successful attack.
Further, packet filtering firewalls do not support the concept of strong user authentication, and access from untrusted networks should not be granted without strong authentication (see the question on strong user authentication).
Another problem is that both the hardware and software of routers may contain exploitable weaknesses. Routers are generally designed for performance, not security.
Finally, router rules are complex and are very difficult to "get right." Even highly qualified network professionals will occasionally add or modify a rule in the router's rule-base, and in so doing, accidentally open a hole through the router.
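To make the points above concrete, here is an added example (not Gauntlet code, and not any particular router's rule syntax) that evaluates static screening-router rules first-match, encodes the FTP/TELNET policy described earlier, and then shows the two weaknesses just discussed: a forged source address presents identical header fields, and a carelessly placed broad rule shadows the specific denies below it. All addresses, ports and rules are constructed.

```python
# Added example (not Gauntlet code): first-match evaluation of static
# screening-router rules. Addresses, hosts and rules are constructed.
from dataclasses import dataclass
from typing import List, Optional

FTP, TELNET = 21, 23


@dataclass(frozen=True)
class Packet:
    """Only the header fields a screening router can see."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: Optional[str] = None       # None matches any value
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.dport, p.dport), (self.proto, p.proto)))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule decides; anything unmatched gets the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Policy from the FAQ text: external host 192.0.2.10 may FTP to the
# internal host 10.0.0.5 but may not TELNET to it; no other external
# address may FTP to 10.0.0.5.
POLICY = [
    Rule("permit", src="192.0.2.10", dst="10.0.0.5", dport=FTP, proto="tcp"),
    Rule("deny", dst="10.0.0.5", dport=TELNET),
    Rule("deny", dst="10.0.0.5", dport=FTP),
]

ALLOWED_FTP = Packet("192.0.2.10", 40001, "10.0.0.5", FTP)
ALLOWED_HOST_TELNET = Packet("192.0.2.10", 40002, "10.0.0.5", TELNET)
OTHER_HOST_FTP = Packet("198.51.100.7", 40003, "10.0.0.5", FTP)


def spoofing_is_invisible(rules: List[Rule]) -> bool:
    """The limitation in the text: a forged packet carrying the permitted
    source address presents identical header fields, so the router cannot
    tell it from the genuine one and grants it the same access."""
    forged = Packet("192.0.2.10", 40004, "10.0.0.5", FTP)   # actually sent by 198.51.100.7
    return evaluate(rules, forged) == evaluate(rules, ALLOWED_FTP)


def ordering_mistake(rules: List[Rule]) -> str:
    """A plausible maintenance slip: a broad permit for the host inserted
    at the top shadows the specific denies below it and opens TELNET."""
    careless = [Rule("permit", dst="10.0.0.5", proto="tcp")] + list(rules)
    return evaluate(careless, ALLOWED_HOST_TELNET)


if __name__ == "__main__":
    for pkt in (ALLOWED_FTP, ALLOWED_HOST_TELNET, OTHER_HOST_FTP):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {evaluate(POLICY, pkt)}")
    print("spoofed packet indistinguishable:", spoofing_is_invisible(POLICY))
    print("TELNET after careless permit:", ordering_mistake(POLICY))
```

The filter never has more to go on than the five header fields in `Packet`, which is why the forged packet passes; and because evaluation stops at the first match, a rule added "just for now" at the top silently overrides everything beneath it.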
Circuit Gateway
A circuit level firewall is a means of handing an outgoing connection request from a client on the internal network to a single machine acting as a firewall, such that it will appear to the remote site that the connection request actually came from the firewall.
The principal advantage of a circuit level firewall is that it prevents direct connection between internal and external machines. All incoming requests are blocked. If a user on an internal machine writes code that listens on some non-standard port, users on external hosts have no way to reach that port. This gives the Security Administrator a single point at which to control incoming connection requests.
A disadvantage, or limitation, of a circuit level gateway is that client software on the internal network may have to be modified to do the necessary "handshake" with the circuit level gateway software (for example SOCKS), and source code for the client software may be unavailable.
Application Level Gateway
An application gateway is "a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host."
An application level firewall is generally considered to be the most secure type of firewall. The Gauntlet Internet Firewall is an application level firewall. Like the circuit level firewall, the Gauntlet firewall is configured to be the only host address visible to the outside network, requiring all connections to the internal network to go through the firewall. An application level firewall is distinguished by the use of proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.
One advantage of this type of firewall is that proxies prevent direct connection between internal hosts and external, untrusted hosts. All incoming requests for services such as HTTP, FTP, TELNET, RLOGIN, etc., regardless of which host on the internal network will be the final destination, must first go through the appropriate proxy software on the firewall.
For example, consider a host on the external network requesting a connection to port 25 on any one of the many hosts on a network not protected by the Gauntlet Internet Firewall. Every host on the internal network could be running a different implementation of Sendmail, or different versions of the same implementation, each with known security problems. Because an attacker has direct access to every host on your internal network, he can try port 25 on every host on the internal network until he finds one running an implementation of Sendmail with an exploitable hole. From there he can gain access to the machine, and then to your entire internal network.
To protect against this type of attack, you can either secure every computer in your organization (usually impossible to enforce), or require that all connections go through a control point on which you have already made the security adjustments.
Strong user authentication (see below) should be required for all incoming connection requests before granting access to the requested service on the internal host when the protocol supports it. Application gateways, or proxies, allow enforcement of user authentication.
Comprehensive logging at the application level can be performed by proxies.
Since all communications between the internal and external networks are required to go through one of the application proxies, the proxies can restrict those communications to transactions appropriate to the specific service being used. They are also in position to do content-type filtering, such as blocking Java code from coming in from the outside.
The principal limitation of application gateway firewalls is that in some environments, there may be a requirement for data transfer rates in excess of the capacity of the firewall. The capacity of the Gauntlet Internet Firewall has not been determined, but it has demonstrated throughput of 10 Megabits/second (Ethernet speed), exceeding the capacity of a T1 link (about 1.5 Megabits/second).
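The following is an added example, not Gauntlet code, of the policy core of an FTP command proxy of the kind described above: every command the client sends is seen by the proxy, only commands on a policy allowlist are relayed to the internal server, and the proxy keeps the per-session audit record (connect time, commands, byte counts, disconnect) that a router cannot. The command allowlist, the addresses and the session transcript are all constructed; a real proxy would additionally own the two TCP connections and relay the data channel.

```python
# Added example (not Gauntlet code): the policy core of an FTP command
# proxy. It sees every command the client sends, lets only policy-approved
# commands reach the internal server, and keeps an audit record. The
# command allowlist and the session transcript are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Commands the proxy will relay to the internal server.  Uploads (STOR,
# APPE) and server-specific extensions (SITE) are deliberately absent.
RELAYED_COMMANDS = {"USER", "PASS", "SYST", "PWD", "CWD", "TYPE",
                    "PASV", "PORT", "LIST", "NLST", "RETR", "QUIT"}


@dataclass
class FtpProxySession:
    client: str
    server: str
    clock: Callable[[], float]           # injected so the audit log is reproducible
    log: List[Dict] = field(default_factory=list)
    bytes_from_client: int = 0
    bytes_from_server: int = 0

    def _record(self, event: str, **detail) -> None:
        self.log.append({"time": self.clock(), "client": self.client,
                         "server": self.server, "event": event, **detail})

    def open(self) -> None:
        self._record("connect")

    def from_client(self, line: bytes) -> Tuple[str, bytes]:
        """Return ('forward', line) to pass it to the server, or ('reject',
        reply) with the response the proxy itself sends back to the client."""
        self.bytes_from_client += len(line)
        words = line.strip().split()
        cmd = words[0].upper().decode("ascii", "replace") if words else ""
        if cmd not in RELAYED_COMMANDS:
            self._record("rejected", command=cmd)
            return "reject", b"502 Command not permitted by firewall policy\r\n"
        # Log the command, but never the password argument.
        argument = "" if cmd == "PASS" else b" ".join(words[1:]).decode("ascii", "replace")
        self._record("command", command=cmd, argument=argument)
        return "forward", line

    def from_server(self, data: bytes) -> bytes:
        self.bytes_from_server += len(data)
        return data

    def close(self) -> None:
        self._record("disconnect", bytes_from_client=self.bytes_from_client,
                     bytes_from_server=self.bytes_from_server)


def replay_transcript(transcript, clock=None) -> FtpProxySession:
    """Drive one session from a constructed list of ('client'|'server', bytes)."""
    ticks = iter(range(10_000))
    session = FtpProxySession("192.0.2.10", "10.0.0.5", clock or (lambda: next(ticks)))
    session.open()
    for side, data in transcript:
        if side == "client":
            session.from_client(data)
        else:
            session.from_server(data)
    session.close()
    return session


TRANSCRIPT = [  # constructed exchange between an external client and an internal server
    ("server", b"220 ftp.internal ready\r\n"),
    ("client", b"USER alice\r\n"),
    ("server", b"331 Password required\r\n"),
    ("client", b"PASS hunter2\r\n"),
    ("server", b"230 Logged in\r\n"),
    ("client", b"SITE IDLE 600\r\n"),       # not on the allowlist: answered by the proxy, never reaches the server
    ("client", b"STOR upload.bin\r\n"),     # uploads are not permitted by this policy
    ("client", b"RETR report.txt\r\n"),
    ("server", b"150 Opening data connection\r\n"),
    ("client", b"QUIT\r\n"),
]

if __name__ == "__main__":
    for entry in replay_transcript(TRANSCRIPT).log:
        print(entry)
```

Because the proxy parses the protocol rather than just the packet header, the policy can be expressed in the service's own vocabulary ("no uploads", "no SITE commands"), and the audit record carries the fields the FAQ later lists for the security log: source and destination, service commands, byte counts and connect/disconnect times.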
Hybrid or Complex Gateways
Hybrid gateways combine two or more of the above methods. If these methods are added in parallel, the network security perimeter will be only as secure as the least secure of all methods used. If they are added in series, the overall security is enhanced. All commercial firewalls that are hybrid systems have the mechanisms in parallel.
A vendor who claims that a hybrid firewall is more secure by virtue of being more complex does not understand security. A useful truism of security to keep in mind is "complexity and security are often inversely proportional."
What are stateful multilevel inspection firewalls?
Stateful inspection can also be called stateful filtering, as it is basically a filtering type of firewall (see above) with additional granularity. Stateful filters parse IP packets and keep state about connections in the operating system kernel. They may be faster than proxies, since the mechanism operates at a lower level, but they are also more complex.
If an interface for a particular service has protocol-specific knowledge, an SMLI firewall will have more security for that particular service than a simpler packet filter would. (And so, adding new services requires additional code, just as for a proxy-based firewall.) If it does not have protocol-specific knowledge, then there is no added security: it has the same level of security as a filtering gateway.
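As an added example (not Gauntlet code and not any vendor's inspection engine), here is a stateful filter in the sense just described: it records each connection an inside host opens in a table and admits inbound packets only when they answer a tracked connection, and it consults a per-service inspector where one exists. Ports without an inspector get exactly the treatment a plain filtering gateway gives them, which is the point made above. The address range, the HTTP check and the packet sequence are constructed.

```python
# Added example (not Gauntlet code): a stateful filter that records
# connections an inside host opens and admits only their return traffic,
# plus optional per-service inspectors. All addresses are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


Inspector = Callable[[bytes], bool]   # True when the client payload is acceptable


def http_request_only(payload: bytes) -> bool:
    """Protocol-specific knowledge for port 80 (deliberately minimal):
    accept an empty segment or one that begins like an HTTP request."""
    return payload == b"" or payload.startswith((b"GET ", b"HEAD ", b"POST "))


class StatefulFilter:
    def __init__(self, inside_prefix: str = "10.",
                 inspectors: Optional[Dict[int, Inspector]] = None):
        self.inside_prefix = inside_prefix
        self.inspectors = inspectors or {}
        # connection table: (inside addr, inside port, outside addr, outside port)
        self.table: Set[Tuple[str, int, str, int]] = set()

    def inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def decide(self, p: Packet) -> str:
        if self.inside(p.src) and not self.inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.table.add(key)              # inside host is opening a connection
            elif key not in self.table:
                return "deny"                    # stray outbound segment
            return self._inspect(p.dport, p.payload)
        if not self.inside(p.src) and self.inside(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)
            if key not in self.table or (p.syn and not p.ack):
                return "deny"                    # unsolicited inbound connection
            return "permit"                      # reply to a tracked connection
        return "deny"                            # neither direction crosses the perimeter

    def _inspect(self, service_port: int, payload: bytes) -> str:
        inspector = self.inspectors.get(service_port)
        if inspector is None:
            return "permit"    # no protocol knowledge: the payload is not examined at all
        return "permit" if inspector(payload) else "deny"


def run_session() -> List[str]:
    """Constructed packet sequence; returns the filter's decision for each."""
    fw = StatefulFilter(inspectors={80: http_request_only})
    steps = [
        Packet("10.0.0.5", 50000, "203.0.113.5", 80, syn=True),                       # new outbound: tracked
        Packet("203.0.113.5", 80, "10.0.0.5", 50000, syn=True, ack=True),             # server's reply: permitted
        Packet("10.0.0.5", 50000, "203.0.113.5", 80, ack=True, payload=b"GET / HTTP/1.0\r\n"),
        Packet("10.0.0.5", 50000, "203.0.113.5", 80, ack=True, payload=b"\x00\x01not-http"),  # inspector says no
        Packet("203.0.113.5", 80, "10.0.0.5", 50000, ack=True, payload=b"HTTP/1.0 200 OK\r\n"),
        Packet("198.51.100.7", 80, "10.0.0.5", 50001, syn=True),                      # unsolicited inbound SYN
        Packet("198.51.100.7", 80, "10.0.0.5", 50000, ack=True),                      # forged "reply", wrong peer
        Packet("10.0.0.5", 50002, "203.0.113.5", 25, syn=True, payload=b"\x00junk"),  # port 25: no inspector
    ]
    return [fw.decide(p) for p in steps]


if __name__ == "__main__":
    print(run_session())
```

The last packet shows the caveat from the text: with no inspector for port 25 the payload is never looked at, so for that service the stateful filter is no stronger than a screening router.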
Which is the most secure type of firewall?
Experts agree that the most permissive, and least secure, type of firewall is the filtering gateway, and the most secure is the application gateway. Among those experts are Cheswick and Bellovin (see the reference in the "further reading" area of this document), Ted Julian in IDC's Firewall Marketing report dated February 1996, and Rik Farrow, for example in the May 1996 issue of UniForum's "IT Solutions" magazine.
Bill Cheswick, well known firewall and Internet security expert, pointed out (in the June 17, 1996 issue of LAN TIMES), "Packet filters can protect your [network] quite adequately if they are properly designed. The hard part is getting the rules right and testing the filter to see if it is truly secure."
Winn Schwartau, president of InterPact, Inc., a security consulting company added, in the same article, "Don't bother [with packet filters]. They are a waste of money. ... if you are going to have no control over user activities, why bother?"
What are application gateways (proxies)?
The terms "application gateways" and "proxies" mean the same thing. A proxy in a firewall is a software mechanism that acts on behalf of another. It will sit between a client on one side of the firewall and a server on the other. To the client it looks and acts like a server; to the server it looks like client software. It acts as a proxy for both sides.
All application data flows through the proxy. Because of this the proxy is in a unique position to log information (time of connection, number of bytes transferred, etc.) and enforce access rules (who can connect to what for which service at what time).
Aren't application gateways and proxies different things?
No, they are different technical terms for the same mechanism. It is possible that some people use them to mean different things in their marketing literature, but they are synonymous terms.
Aren't application gateways, or proxies, outmoded, old technology?
Of course not. Application gateways have been around only a few years. As discussed above, they are the most secure kind of firewall mechanisms. Anyone who says otherwise disagrees with the experts, and is probably blowing marketing smoke.
Application gateways are much more secure than any other kind of firewall mechanism, certainly more so than any filter-based solution. At a CSI conference during the Meet the Enemy session, hackers fingered a stateful inspection firewall as their "favorite firewalls" to come up against. Hackers would rather not find an application gateway firewall such as the Gauntlet Internet Firewall.
What is the Gauntlet Internet Firewall?
The Gauntlet Internet Firewall is an application-based firewall featuring the most secure firewall design in the industry. The Gauntlet product features:
What services are supported by the Gauntlet Firewall?
The Gauntlet Internet Firewall includes proxies for the following services:
There is also a proxy that acts as a "patch panel" for simple services in a one-to-one or one-to-many configuration, called the "plug gateway." Through this gateway, the Gauntlet Internet Firewall supports
An authenticated circuit gateway allows the firewall manager to configure certain "plug gateway" services to be available on a per user basis after users authenticate themselves to the firewall.
An authentication server supports the use of strong user authentication (identification) via security tokens or one-time password mechanisms.
Additionally, the Gauntlet Internet Firewall provides optional support for extended content security;
Are Gauntlet proxies easy to use?
All proxies supplied with the Gauntlet Internet Firewall can be installed for "transparent mode" operation. In transparent mode, the user just issues the command to connect to a machine on the other side of the firewall, and the connection is made. All communication goes through the appropriate application gateway. It just seems like a direct connection to the user.
If I use the Gauntlet Firewall, do I have to modify software on inside machines?
None of the Gauntlet Internet Firewall proxies require modification of the software on the internal network.
What are the customer needs addressed in version 4.0 of the Gauntlet firewall?
The Gauntlet Internet Firewall Version 4.0 addresses the following customer needs:
Secure Multimedia Communications
Extended Content Security
Support for Enterprise Network Management
Extended DBMS Security
Enhanced Native Management
What new features will I find in version 4.0 of the Gauntlet firewall?
Streaming Multimedia Support For Most Popular Real-Time Information Services
Support For Virus Scanning of Mail, FTP, and HTTP Traffic
HP Network Management Support (OpenView)
New JAVA-Based GUI for Local and Remote Management
Extended DBMS Security with Oracle SQL*NET proxy
What are some of the services supported for secure multimedia communications?
RealAudio/RealVideo, Xing, NetShow and VDOLive are all supported through specialized proxies.
Can I use multiple Gauntlet Firewalls at an Internet gateway?
Many of our customers install multiple Gauntlet units in parallel at gateways for load balancing and redundancy. This configuration works very well.
Do I need special software or a certain operating system to use the Gauntlet Management GUI?
The management system can be accessed using any "Web browser" program (e.g., Microsoft Internet Explorer, Netscape Navigator) from any platform that supports them. No special software is needed.
What is a Virtual Private Network?
A virtual private network, or VPN, through encryption, provides privacy for all allowed network traffic between two gateways. In a VPN, no level of trust between the networks need be assumed. A VPN provides privacy only. A VPN is not necessarily a Virtual Network Perimeter.
What's a Virtual Network Perimeter?
This term was coined by TIS in a technical paper (#1 in the reading list later in this document). A VNP is a Virtual Network security Perimeter: a network that appears to be a single protected network behind firewalls, but which actually encompasses encrypted virtual links over untrusted networks. It combines firewalls, encryption, and standard administration, control, and policies to allow an organization to extend a network to include multiple locations that may be connected over an untrusted network, such as the Internet. In a VNP, all network services may be opened up between the trusted networks, allowing even "insecure" network services, by virtue of the protection afforded by the network security perimeter. A VNP is also a Virtual Private Network.
What are the benefits of VPNs and VNPs?
For sake of example, envision a corporate headquarters in Maryland with a branch office in California. Each site has a private local area network protected by a Gauntlet Internet Firewall. Without encryption, all of the traffic passing between the two sites would go across the Internet "in the clear," meaning that anyone with a "sniffer" attached to one of the many network links between Maryland and California could read and understand the traffic. If I were sending e-mail, they could read my e-mail. If I were sending a proposal via FTP, they could read the proposal.
Now let's assume that we turn on encryption between the two firewalls. As traffic leaves the site in Maryland, the firewall uses a secret key known only to the firewall in California to scramble the traffic in such a way that it cannot be read or understood by anyone as it passes across the Internet. Your e-mail, or proposal, would look like unintelligible garbage to anyone using a sniffer.
There are two main benefits to using firewall-to-firewall encryption. The obvious benefit is that traffic cannot be "seen" by others (including intruders) as it passes across the Internet between the two firewalls. This prevents sensitive information from falling into the wrong hands, and denies intruders access to information they might use to attack your network. The less obvious benefit of such encryption is that traffic between the two firewalls is no longer restricted to the services provided by the firewall proxies. Now any application can safely be used. Client/server database or financial applications can be used. TELNET logins can be permitted without the need for strong authentication. The encrypted link between the firewalls turns the two protected networks into a single trusted environment.
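To show what the Maryland/California scenario changes for someone with a sniffer on the path, here is an added example. It is not Gauntlet code, and it does not use DES, Triple DES or IPsec: it builds an authenticated tunnel from the Python standard library, using HMAC-SHA256 as a counter-mode keystream generator with an encrypt-then-MAC tag, so that it runs anywhere. The shared secret, the packet contents and the gateway names are constructed. Both firewalls derive the same two keys from the one configured secret; the sending side wraps each packet in a fresh nonce, ciphertext and tag, and the receiving side refuses anything whose tag does not verify, whether modified in transit or sent by a gateway that does not hold the secret.

```python
# Added example (not Gauntlet code and not IPsec): what firewall-to-
# firewall encryption changes for an observer on the path. The tunnel
# uses HMAC-SHA256 as a keystream generator (counter mode) with an
# encrypt-then-MAC tag; the shared secret and the packet are constructed.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def derive_keys(shared_secret: bytes):
    """Two independent keys from the one secret both firewalls hold."""
    enc = hmac.new(shared_secret, b"tunnel-encryption", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"tunnel-integrity", hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: never reuse a (key, nonce) pair."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class FirewallTunnel:
    def __init__(self, shared_secret: bytes, name: str):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.name = name

    def encapsulate(self, packet: bytes) -> bytes:
        """Wrap an inside packet for transit: nonce || ciphertext || tag."""
        nonce = os.urandom(NONCE_LEN)
        body = xor(packet, keystream(self.enc_key, nonce, len(packet)))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decapsulate(self, frame: bytes) -> bytes:
        """Verify the tag first; only then decrypt and hand the packet inside."""
        if len(frame) < NONCE_LEN + TAG_LEN:
            raise ValueError("frame too short")
        nonce, body, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("frame rejected: tag mismatch (modified, or not from a peer gateway)")
        return xor(body, keystream(self.enc_key, nonce, len(body)))


SHARED_SECRET = b"secret-configured-on-both-firewalls-only"   # constructed
PROPOSAL = b"From: alice@md.example\r\nSubject: Q3 proposal\r\n\r\nOur bid is 1.2M, details attached.\r\n"


def sniffer_can_read(frame: bytes, plaintext: bytes) -> bool:
    """Whether an observer between the firewalls sees any plaintext word (5+ chars)."""
    return any(word in frame for word in plaintext.split() if len(word) >= 5)


def tampering_is_detected(frame: bytes, receiver: FirewallTunnel) -> bool:
    flipped = bytearray(frame)
    flipped[NONCE_LEN] ^= 0x01          # flip one bit of the ciphertext body
    try:
        receiver.decapsulate(bytes(flipped))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    maryland = FirewallTunnel(SHARED_SECRET, "maryland")
    california = FirewallTunnel(SHARED_SECRET, "california")
    frame = maryland.encapsulate(PROPOSAL)
    print("on the wire:", frame.hex()[:48], "...")
    print("sniffer sees plaintext:", sniffer_can_read(frame, PROPOSAL))
    print("california recovers it:", california.decapsulate(frame) == PROPOSAL)
    print("tampering detected:", tampering_is_detected(frame, california))
```

The integrity tag is what justifies the second benefit in the text: a packet that decapsulates successfully is known to have come from the peer firewall, so it can be treated as internal traffic and handed past the proxies. Without the tag, an encrypted-only link would still hide the contents but could not tell a peer's packet from anyone else's. For deployment the FAQ's own answer applies: use the standard IPSEC/ISAKMP mechanisms rather than a hand-built construction.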
Are Gauntlet Firewalls with encryption available outside the USA?
Yes, Gauntlet Global Virtual Private Networks (GVPNs) are available worldwide. Strong cryptography (56 bit DES and Triple DES) is available. Gauntlet firewalls are the only firewalls available worldwide with strong, standard cryptography.
Doesn't the strong encryption require government escrowing of keys?
No, not at all. TIS can export 56 bit DES free and clear. Triple DES can be exported in conjunction with TIS's RecoverKey technology. This patented technology requires no escrowing of keys, and has been available on the Gauntlet firewall since January of 1996.
We say it because it is true. If you look closely, vendor XYZ supports DES only in the US. They cannot export DES from their home (non-US) country. They use a proprietary encryption algorithm that has been approved by their government for export. They are not exporting DES worldwide. They may not export DES from the US nor from their home country. Also, they do not support Triple DES at all.
Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
While we cannot understand why anyone would use any other firewall, the answer is "yes." Gauntlet firewalls can communicate over a VPN with any product supporting IPSEC and ISAKMP.
What is network address translation (NAT)?
Devices that support NAT allow networks to use unregistered or "illegal" (unsupported or unassigned) IP addresses on the network on one side of the NAT device, while being connected on the other side to the Internet. The NAT device translates the illegal address into a legal address for outside use.
Does the Gauntlet Internet Firewall support NAT?
Yes, because the firewall is your only connection to the outside world, the outside network has no knowledge of IP addresses on the inside network. The Gauntlet Internet Firewall, by nature of its design as an application gateway-based firewall, translates all internal addresses to the firewall's address, and is designed to hide internal addresses from the "untrusted" network.
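The translation described above, as an added example that is not Gauntlet code: a port-translating NAT table that rewrites outbound packets so they carry the firewall's own address, reverse-translates replies to the inside host that started the exchange, and drops inbound packets that answer no mapping. An application gateway gets the same effect by opening its own outbound connection for each proxied session, which is why the FAQ says the design hides internal addresses by nature. The address ranges and port numbers are constructed.

```python
# Added example (not Gauntlet code): a port-translating NAT table. Inside
# hosts use a private address range; the outside only ever sees the
# firewall's own address. All addresses and ports are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, external_addr: str, first_port: int = 40000):
        self.external_addr = external_addr
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (inside addr, port) -> external port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # external port -> (inside addr, port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source so the outside sees only the firewall's address.
        Distinct inside (addr, port) pairs get distinct external ports even
        when the inside ports collide."""
        key = (p.src, p.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(p, src=self.external_addr, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; anything answering no mapping is dropped."""
        if p.dst != self.external_addr:
            return None
        inside = self.in_map.get(p.dport)
        if inside is None:
            return None
        return replace(p, dst=inside[0], dport=inside[1])


def run_demo() -> List[Optional[Packet]]:
    """Constructed traffic: two inside hosts talk out, one reply comes back,
    one unsolicited packet arrives."""
    nat = Nat("203.0.113.1")
    a = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.2", 80))
    b = nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.2", 80))   # same inside port as a
    a_again = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.2", 80))  # reuses a's mapping
    reply = nat.inbound(Packet("198.51.100.2", 80, "203.0.113.1", a.sport))
    stray = nat.inbound(Packet("192.0.2.10", 80, "203.0.113.1", 40005))   # no mapping: dropped
    return [a, b, a_again, reply, stray]


if __name__ == "__main__":
    for p in run_demo():
        print(p)
```

The inside addresses never appear on the wire, and because a mapping exists only for flows the inside started, the table doubles as a crude record of which conversations are legitimate; a connection attempt from outside to a port with no mapping has nowhere to go.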
Does the Gauntlet Internet Firewall support E-mail and DNS?
Yes, since a firewall often acts as an internetwork gateway to an organization, the Gauntlet Internet Firewall includes an e-mail gateway and DNS set-up. Both the e-mail gateway and the name server hide internal addresses from the outside.
What is meant by the term "strong user authentication?"
This discussion of strong user authentication is from our paper "A Network Perimeter With Secure External Access":
"We use 'authentication' as defined by the National Computer Security Center's 'Red Book' [2] as '(1) to establish the validity of a claimed identity or (2) to provide protection against fraudulent transactions by establishing the validity of ... the individual ....' Identification of a user is often accomplished on computers through the use of a user name and password pair. The password is kept secret and must be difficult to guess; only the user knows the proper name and password pair to use. In reality, passwords are often weak (guessable). Further, in the case of identifying users over outside communication links, there exist opportunities for capture of the user name and password information (although the password is usually not echoed, it is transmitted over the communications link 'in the clear'). Consequently, while it would seem that a user name and password pair constitute good identification criteria, the password is too easily guessed or captured. [With strong user authentication], authentication of a user is done in such a fashion that we can apply a high degree of trust to the identification. This can be accomplished with one-time passwords, or authentication devices ..."
Do Gauntlet products support strong user authentication?
The network authentication server provides a generic authentication service for firewall proxies. Its use is optional, required only if the firewall interactive proxies are configured to require authentication. It acts as a piece of "middleware" that integrates multiple forms of authentication, permitting an administrator to associate a preferred form of authentication with an individual user. This permits organizations that already provide users with authentication tokens to enable the same token for authenticating users to the firewall. Several forms of challenge/response cards are supported, along with software-based one-time password systems, and plaintext passwords. Use of plaintext passwords over the Internet is strongly discouraged, due to the threat of password sniffing attackers.
The Gauntlet Internet Firewall supports many third party authentication devices. Please contact TIS for an up-to-date list.
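An added example, not Gauntlet's authentication server, of the challenge/response form of strong authentication the two sections above describe, placed next to a reusable-password check so the difference a captured credential makes is visible. The server issues a fresh random challenge per attempt and consumes it on use; the user's token computes an HMAC of the challenge under a secret only the token and the server hold. The token secret, user name and password are constructed, and the 8-hex-digit response length is an assumption chosen to keep the value typeable.

```python
# Added example (not Gauntlet code): a challenge/response one-time
# authentication exchange next to a reusable password check. Secrets,
# user names and the response length are constructed assumptions.
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def token_response(token_secret: bytes, challenge: str) -> str:
    """What the user's card (or one-time-password software) computes when
    shown the challenge. 8 hex digits is an assumed, typeable length."""
    return hmac.new(token_secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class ChallengeResponseServer:
    def __init__(self) -> None:
        self.token_secrets: Dict[str, bytes] = {}
        self.pending: Dict[str, str] = {}       # one outstanding challenge per user

    def enroll(self, user: str, token_secret: bytes) -> None:
        self.token_secrets[user] = token_secret

    def challenge(self, user: str) -> str:
        c = secrets.token_hex(6)                # fresh and unpredictable for every attempt
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)        # a challenge is usable exactly once
        secret = self.token_secrets.get(user)
        if c is None or secret is None:
            return False
        return hmac.compare_digest(response, token_response(secret, c))


class ReusablePasswordServer:
    def __init__(self) -> None:
        self.hashes: Dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        self.hashes[user] = hashlib.sha256(password.encode()).digest()

    def verify(self, user: str, password: str) -> bool:
        stored = self.hashes.get(user)
        given = hashlib.sha256(password.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, given)


def run_demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (token login ok, token replay ok, password login ok, password replay ok)."""
    card_secret = b"secret-shared-by-card-and-server-only"   # constructed
    cr = ChallengeResponseServer()
    cr.enroll("alice", card_secret)

    # Legitimate login: the proxy shows the challenge; alice types her card's answer.
    c1 = cr.challenge("alice")
    r1 = token_response(card_secret, c1)
    token_ok = cr.verify("alice", r1)

    # A sniffer on the link recorded r1.  Presented again, against the next
    # challenge, it does not match; presented against c1 it finds c1 consumed.
    cr.challenge("alice")
    token_replay = cr.verify("alice", r1)

    # The same story with a reusable password: the captured value works forever.
    pw = ReusablePasswordServer()
    pw.enroll("alice", "hunter2")
    password_ok = pw.verify("alice", "hunter2")
    password_replay = pw.verify("alice", "hunter2")   # the sniffer's copy, later
    return token_ok, token_replay, password_ok, password_replay


if __name__ == "__main__":
    print(run_demo())
```

This is the distinction the quoted paper draws: a name and password pair can be guessed or captured and then reused, whereas a response bound to a single fresh challenge is worthless to whoever recorded it, so the firewall can place a high degree of trust in the identification even over an outside link.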
Can I use reusable passwords for outbound connections?
Many sites would like to be able (usually for accounting purposes) to have users on the internal network use a password for outbound TELNET or FTP connections. However, since they do not want to go to the expense of providing all of their internal users strong authentication tokens, the question becomes "Can I require them to use the normal username and reusable passwords like the ones they use for logging into the internal network in the first place?" In general, the answer is a guarded "yes."
What are the qualifications of a firewall administrator?
The firewall administrator should be a qualified TCP/IP network administrator. This is not because others cannot easily learn to make necessary changes to the firewall using the firewall maintenance interface, but rather because the peripheral TCP/IP issues (such as DNS configuration, etc.) are important to understanding how the firewall will function in a network environment. The firewall is only one component in a complex architecture of interdependent components, and the firewall administrator should understand how changes to the firewall will affect the rest of the network.
Can you guarantee that my Gauntlet Firewall will never crash?
No, firewalls run on computers, and computers occasionally fail. Since the firewall is the only link to networks outside the private network, if the firewall fails you lose your connection to those outside networks until the firewall machine can be repaired. Because some sites have a critical need for continuous access to and from the Internet or other private networks, TIS permits clients of the Gauntlet Internet Firewall to maintain a cold backup capability. A cold backup refers to a machine identical to the firewall, with all of the Gauntlet Internet Firewall software, the operating system, system files, etc., sitting on a shelf ready to replace a failed machine. The only restriction is that the primary firewall machine and the backup machine cannot be actively operating as a firewall at the same time. If your organization feels a backup unit is necessary, ask your TIS sales representative about the current cost of a backup unit.
What kind of logging does the Gauntlet firewall do?
The Gauntlet Internet Firewall provides detailed audit logs of sessions. All services accessed through the firewall are logged to the security log system. This is turned "on" by default at the highest level of logging. The following events are logged by default:
All operating system kernel warnings and errors
All file system warnings and errors
All attempted accesses to network services, whether successful, whether a supported service, including rejected source routed addresses and ICMP redirects.
All successful network accesses, logging source and destination addresses, service, time of day, disconnection time of day, number of bytes transferred (if applicable), commands accessed (FTP), and URLs accessed (HTTP)
All interactions with the user authentication server subsystem
What firewall activity reports come with Gauntlet firewalls?
The Gauntlet Internet Firewall is supplied with two log reduction reports. The first is a Summary Report in which the use of each service (such as FTP) is summarized by user and usage. For example, the firewall administrator might choose to have the report show him who the top 20 users of TELNET were (how many times they connected to that service, what address they connected to, and how many bytes of data they transferred, etc.)
The second report is the Exception Report. To produce this report, the firewall administrator specifies the information he is not interested in seeing, and everything else is included in the report. As a rule, administrators will quickly develop a feel for the normal activity of the firewall usage at their site. The exception report can then be used to examine closely any "unusual" activity.
In addition, because the firewall logs are human-readable UNIX syslogs, each site can have simple UNIX scripts written that look for specific events that are of special interest, and have the script perform such actions as send a message to the administrator's console if the event should occur.
More extensive logging, intrusion detection, etc. will be available through third party products in mid-1997.
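The two log reduction reports and the "simple UNIX script" idea above, as an added example that is not Gauntlet's own tooling: a parser for syslog-shaped lines, a summary report that ranks users of one service by connection count and bytes, an exception report that drops whatever the administrator declares uninteresting, and a watcher that raises an alert when repeated authentication failures come from one source. The log line layout and every line in the sample are constructed for the example and are not Gauntlet's log format.

```python
# Added example (not Gauntlet code): log reduction over syslog-shaped
# lines. The line layout and all sample lines are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
KEYVAL = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
Mar 14 09:12:01 fw proxy[201]: service=telnet user=alice src=10.0.0.7 dst=203.0.113.5 bytes=4412 result=ok
Mar 14 09:13:44 fw proxy[202]: service=telnet user=bob src=10.0.0.8 dst=203.0.113.5 bytes=120 result=ok
Mar 14 09:15:09 fw proxy[203]: service=ftp user=alice src=10.0.0.7 dst=198.51.100.2 bytes=1048576 result=ok
Mar 14 09:16:30 fw proxy[204]: service=telnet user=alice src=10.0.0.7 dst=203.0.113.9 bytes=77 result=ok
Mar 14 09:20:02 fw proxy[205]: service=telnet user=unknown src=192.0.2.10 dst=10.0.0.5 bytes=0 result=auth-failed
Mar 14 09:20:05 fw proxy[206]: service=telnet user=unknown src=192.0.2.10 dst=10.0.0.5 bytes=0 result=auth-failed
Mar 14 09:21:11 fw kernel: rejected source-routed packet from 192.0.2.10
"""


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per line: syslog header fields plus any key=value pairs in the message."""
    entries = []
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m:
            continue                      # keep going: one odd line must not stop the report
        entry = m.groupdict()
        entry.update(KEYVAL.findall(entry["msg"]))
        entries.append(entry)
    return entries


def summary_report(entries: List[Dict[str, str]], service: str, top: int = 20) -> List[Tuple[str, int, int]]:
    """Top users of one service: (user, connections, bytes), busiest first."""
    conns: Dict[str, int] = defaultdict(int)
    octets: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.get("service") == service:
            conns[e["user"]] += 1
            octets[e["user"]] += int(e.get("bytes", 0))
    ranked = sorted(conns, key=lambda u: (-conns[u], -octets[u], u))
    return [(u, conns[u], octets[u]) for u in ranked[:top]]


def exception_report(lines: Iterable[str], ignore: Iterable[str]) -> List[str]:
    """Everything the administrator did NOT say is uninteresting."""
    patterns = [re.compile(p) for p in ignore]
    return [ln for ln in lines if not any(p.search(ln) for p in patterns)]


def auth_failure_alerts(entries: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """The 'script that looks for specific events': repeated auth failures per source."""
    failures: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.get("result") == "auth-failed":
            failures[e["src"]] += 1
    return [f"{src}: {n} failed authentications" for src, n in sorted(failures.items()) if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    entries = parse(lines)
    print("telnet summary:", summary_report(entries, "telnet"))
    print("exceptions:", *exception_report(lines, [r"result=ok"]), sep="\n  ")
    print("alerts:", auth_failure_alerts(entries))
```

The exception report is deliberately defined by subtraction: the administrator lists what normal looks like, and the firewall's remaining lines are what deserves a look. Because the input is plain text, the same functions can be pointed at a live syslog file or fed from a pipe.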
If I have a Gauntlet box, do I still need a router?
The Gauntlet Internet Fire