http://www.tis.com/docs/products/gauntlet/gauntletfaq.html
Copyright 1997 Trusted Information Systems
Table of Contents
- Purpose of this document
- What is an Internet firewall?
- What will a firewall do for me?
- What will a firewall not do for me?
- What is a "network security perimeter?"
- What is "defense in depth?"
- What is a "perimeter defense?"
- What are the different types of firewalls?
- What are stateful multilevel inspection firewalls?
- Which is the most secure type of firewall?
- What are application gateways (proxies)?
- Aren't application gateways and proxies different things?
- Aren't application gateways, or proxies, outmoded, old technology?
- What is the Gauntlet Internet Firewall?
- What services are supported by the Gauntlet Firewall?
- Are Gauntlet proxies easy to use?
- If I use the Gauntlet Firewall, do I have to modify software on inside machines?
- What are the customer needs addressed in version 4.0 of the Gauntlet firewall?
- What new features will I find in version 4.0 of the Gauntlet firewall?
- What are some of the services supported for secure multimedia communications?
- Can I use multiple Gauntlet Firewalls at an Internet gateway?
- Do I need special software or a certain operating system to use the Gauntlet Management GUI?
- What is a Virtual Private Network?
- What's a Virtual Network Perimeter?
- What are the benefits of VPNs and VNPs?
- Are Gauntlet Firewalls with encryption available outside the USA?
- Doesn't the strong encryption require government escrowing of keys?
- Why do you say you are the only firewall vendor to export strong cryptography? Vendor XYZ is doing it.
- Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
- What is network address translation (NAT)?
- Does the Gauntlet Internet Firewall support NAT?
- Does the Gauntlet Internet Firewall support E-mail and DNS?
- What is meant by the term "strong user authentication?"
- Do Gauntlet products support strong user authentication?
- Can I use reusable passwords for outbound connections?
- What are the qualifications of a firewall administrator?
- Can you guarantee that my Gauntlet Firewall will never crash?
- What kind of logging does the Gauntlet firewall do?
- What firewall activity reports come with Gauntlet firewalls?
- If I have a Gauntlet box, do I still need a router?
- On what operating systems do Gauntlet products run?
- Why is it important to "harden" an operating system for a firewall?
- Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?
- Should user accounts be permitted on a firewall?
- Should general servers, such as WWW servers, be permitted on a firewall?
- Does the Gauntlet Internet Firewall allow UDP or ICMP through?
- Does the Gauntlet Internet Firewall check for viruses?
- Is the Gauntlet Internet Firewall available in my country?
- Isn't the Gauntlet Internet Firewall based on freeware?
- What are the differences between the Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit (FWTK)?
- Does TIS support the FWTK?
- Doesn't the availability of source code make a firewall more vulnerable to attacks?
- Isn't making source code available contrary to good security practices?
- What is an "intranet?"
- What is the Gauntlet Intranet Firewall?
- Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?
- What's the Gauntlet Net Extender?
- What is the Gauntlet PC Extender?
- Does Gauntlet PC Extender run on Windows 95 or Windows NT?
- With what PC network products does the PC Extender work?
- What do we have to do before we install our Gauntlet firewall?
- What is the price of the Gauntlet Internet Firewall?
- How can TIS claim that it has "The Most Secure FirewallsSM"?
- What is your design approach?
- What can you recommend for further reading?
- How is TIS different from other firewall vendors?
- How do I contact TIS for more information?
Purpose of this document
The purpose of this document is to answer questions
about the Gauntlet Internet Firewall and internetwork firewalls.
What is an Internet firewall?
A firewall is "a system or combination of systems
that enforces a boundary between two or more networks." (All
definitions in quotes are from the National Computer Security
Association's standard Firewall Functional Summary template.)
It is a controlled gateway between one network and another. Typically,
people discuss putting a firewall between a private, trusted network
and the public Internet. It is analogous to a guard post in the
lobby of a building, or at the gatehouse of an enclosed installation.
For more detail, see what we recommend for further reading near
the end of this document.
What will a firewall do for me?
Connecting your private, internal network to an outside,
untrusted network can be both a blessing and a curse. A blessing
in that the exchange of computerized information (the lifeblood
of modern commerce) is greatly facilitated. A curse in that you
may be exposing your valuable network resources and the reputation
of your organization to the whims of Internet hackers or industrial
spies. These problems have been extensively documented in the
technical media (see TIS's web page at www.tis.com). To minimize
the risk while maximizing the benefit requires that an organization
develop a comprehensive Network Security Plan. This should include
user security awareness training, qualified network security system
administrators, and a network architecture that promotes structured
security and the use of appropriate network security components.
The Gauntlet Internet Firewall is one of the important components
of a well-designed network security architecture.
The Gauntlet Internet Firewall is designed to be
the single point in your network through which all communications
between your internal network and all outside, untrusted networks
must pass. This is also the point at which the Network Security
Administrator may monitor and control the flow of information
between the networks. The Gauntlet Internet Firewall supports
strong authentication mechanisms to ensure that only authorized
users can enter your protected network. The Gauntlet Internet
Firewall is capable of preventing unauthorized communications
in either direction, and provides a log of all connections across
the firewall in either direction. Properly configured, the Gauntlet
firewall presents an impenetrable barrier to even the most persistent
hackers seeking to access your network.
See our further reading list for more detailed information.
What will a firewall not do for me?
An Internet firewall is a controlled gateway. It
cannot stop attacks from malicious insiders, nor can it take the
place of education and security policies and procedures. It is
part of an overall security plan.
What is a "network security perimeter?"
A network security perimeter is established by the
methods and mechanisms used to secure the network against outside
intrusion.
What is "defense in depth?"
Defense in depth, also called host-based security,
is "the security approach whereby each system on the network
is secured to the greatest possible degree. [It] may be used in
conjunction with firewalls."
What is a "perimeter defense?"
Also known as perimeter-based security, it is "the
technique of securing a network by controlling access to all entry
and exit points of the network."
Before launching into a description of different
types of firewalls, the concept of a perimeter defense should
be understood because of its importance to the proper function
of a firewall. To a site administrator, establishing a perimeter
defense means that all communications between the internal network
and external, untrusted networks must pass through the firewall(s)
in order to monitor and control the traffic. The organization's
Network Security Plan should specify that any form of connection
to or from machines outside the internal network is strictly forbidden
without review and authorization from the security administrator.
This should include modems, leased lines to other networks, etc.
Users should be aware that connections between their secure internal
network and any outside network, including that of a trading partner
or client, may expose the internal network to attackers that have
broken into the other network. It makes little sense to have a
strong, well-protected front door (the firewall) if the back door
and all the windows are left open.
What are the different types of firewalls?
There are four types of firewalls: filtering gateways,
circuit gateways, application gateways, and hybrid or complex
gateways.
Filtering Gateway
Filtering firewalls use routers and packet filtering rules to
grant or deny access from one source address (host) and port (service)
to a second destination address and port. Also called a screening
router, it is "a router configured to permit or deny traffic
based on a set of permission rules installed by the administrator."
For example, the administrator can use the router rules to permit
a particular machine on the external network to FTP to a specific
machine on the internal network, but deny that same machine the
ability to TELNET to the internal machine. Similarly, one specific
address on the external network can be permitted to FTP to a specific
address on the internal network while all other addresses
are denied permission to FTP to that address on the internal network.
The advantages of a packet filtering firewall are that it is
fast, generally inexpensive, very flexible, and transparent. Also,
they can be implemented on routers, and most organizations already
have routers. Routers support static (unchanging) filtering.
Another type of filtering, dynamic filtering, tries to make sense
out of higher-level protocols and adapt filtering rules to accommodate
protocol-specific needs (e.g., simulated connections for connectionless
protocols such as NFS and RPC services).
A disadvantage of a filtering gateway is that once access has been
granted by the router to a host on the internal network, the attacker
has direct access to any exploitable weaknesses in either the
software or the configuration of that host.
Another disadvantage of a packet filter is that the source and destination
addresses and ports contained in the IP packet header are the
only information available to the router for making the decision
to grant or deny access to the internal network. Unfortunately,
source addresses and ports can be spoofed, so you cannot
be sure who is really making the request for access. This
is a critically important concept to understand. In reality
it means that if you permit anyone to come through your
router and access software on one of your internal host machines,
everyone can access that software on that host. And if
the software being accessed cannot do strong authentication, or
has a hole in it, the intruder has gained access to your network.
Also, routers do not generally provide robust (if any) logging
facilities, making it difficult to know when your network is under
attack, or how to recover from a successful attack.
Further, packet filtering firewalls do not support the concept
of strong user authentication, and access from untrusted networks
should not be granted without strong authentication (see the question
on strong user authentication).
Another problem is that both the hardware and software of routers
may contain exploitable weaknesses. Routers are generally designed
for performance, not security.
Finally, router rules are complex and are very difficult to "get
right." Even highly qualified network professionals will
occasionally add or modify a rule in the router's rule-base, and
in so doing, accidentally open a hole through the router.
Circuit Gateway
A circuit level firewall is a means of handing an outgoing connection
request from a client on the internal network to a single machine
acting as a firewall, such that it will appear to the remote site
that the connection request actually came from the firewall.
The principal advantage of a circuit level firewall is that it
prevents direct connection between internal and external machines.
All incoming requests are blocked. If a user on an internal machine
writes code that listens on some non-standard port, users on external
hosts have no way to reach that port. This gives the Security
Administrator a single point at which to control incoming connection
requests.
A disadvantage, or limitation of a circuit level gateway, is client
software on the internal network may have to be modified to do
the necessary "handshake" with the circuit level gateway
software (for example SOCKS), and source code for the client software
may be unavailable.
Application Level Gateway
An application gateway is "a firewall system in which service
is provided by processes that maintain complete TCP connection
state and sequencing. Application level firewalls often re-address
traffic so that outgoing traffic appears to have originated from
the firewall, rather than the internal host."
An application level firewall is generally considered to be the
most secure type firewall. The Gauntlet Internet Firewall is an
application level firewall. Like the circuit level firewall, the
Gauntlet firewall is configured to be the only host address visible
to the outside network, requiring all connections to the internal
network to go through the firewall. An application level firewall
is distinguished by the use of proxies (application gateways)
for services such as FTP, TELNET, etc., which prevent direct access
to services on the internal network.
One advantage of this type of firewall, is that proxies prevent
direct connection between internal hosts and external, untrusted
hosts. All incoming requests for services such as HTTP, FTP, TELNET,
RLOGIN, etc., regardless of which host on the internal network
will be the final destination, must first go through the appropriate
proxy software on the firewall.
For example, consider a host on the external network requesting
a connection to port 25 on any one of the many hosts on a network
not protected by the Gauntlet Internet Firewall. Every
host on the internal network could be running a different implementation
of Sendmail, or different versions of the same implementation,
each with known security problems. Because an attacker has direct
access to every host on your internal network, he can try port
25 on every host on the internal network until he finds one running
an implementation of Sendmail with an exploitable hole. From there
he can gain access to the machine, and then to your entire internal
network.
To protect against this type of attack, you can either secure
every computer in your organization (usually impossible to enforce),
or require that all connections go through a control point on
which you have already made the security adjustments.
Strong user authentication (see below) should be required for
all incoming connection requests before granting access to the
requested service on the internal host when the protocol supports
it. Application gateways, or proxies, allow enforcement of user
authentication.
Comprehensive logging at the application level can be performed
by proxies.
Since all communications between the internal and external networks
are required to go through one of the application proxies, the
proxies can restrict those communications to transactions appropriate
to the specific service being used. They are also in position
to do content-type filtering, such as blocking Java code from
coming in from the outside.
The principal limitation of application gateway firewalls is that
in some environments, there may be a requirement for data transfer
rates in excess of the capacity of the firewall. The capacity
of the Gauntlet Internet Firewall has not been determined, but
it has demonstrated throughput of 10 Megabits/second (Ethernet
speed), exceeding the capacity of a T1 link (about 1.5 Megabits/second).
Hybrid or Complex Gateways
Hybrid gateways combine two or more of the above methods. If
these methods are added in parallel, the network security perimeter
will be only as secure as the least secure of all methods used.
If they are added in series, the overall security is enhanced.
All commercial firewalls that are hybrid systems have the mechanisms
in parallel.
A vendor who claims that a hybrid firewall is more secure by virtue
of being more complex does not understand security. A useful truism
of security to keep in mind is "complexity and security are
often inversely proportional."
What are stateful multilevel inspection firewalls?
Stateful inspection can also be called stateful filtering,
as it is basically a filtering type of firewall (see above) with
additional granularity. Stateful filters parse IP packets and
keep state about connections in the operating system kernel.
They may be faster than proxies, since the filtering is done at a
lower level than the proxy mechanism, but they are also more complex.
If an interface for a particular service has protocol-specific
knowledge, an SMLI firewall will have more security for
that particular service than a simpler packet filter would.
(And so, adding new services requires additional code, just as
for a proxy-based firewall.) If it does not have protocol-specific
knowledge, then there is no added security: it has the same level
of security as a filtering gateway.
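As an added illustration (not part of the original TIS FAQ), the following Python model contrasts a screening-router style filter, which judges every packet on its header alone, with a stateful filter that keeps a connection table, for the web-access case described above. The addresses, packets and rule format are constructed for the example.

```python
from dataclasses import dataclass

# Constructed for this example: the private network behind the firewall.
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    """The only fields a screening router gets to see: header addresses,
    ports and (for the stateful variant) the TCP SYN/ACK flags."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def direction(p: Packet) -> str:
    """'out' for inside->outside, 'in' for outside->inside, else 'other'."""
    if is_inside(p.src) and not is_inside(p.dst):
        return "out"
    if not is_inside(p.src) and is_inside(p.dst):
        return "in"
    return "other"


# Static rule: (direction, source port range, destination port range, action).
# To let inside users reach outside web servers the administrator needs an
# outbound rule AND an inbound rule for the replies. The inbound rule is the
# weak spot: it admits anything that merely looks like a reply (source port
# 80, high destination port), whether or not an inside host asked for it.
STATIC_RULES = [
    ("out", (1024, 65535), (80, 80), "allow"),
    ("in", (80, 80), (1024, 65535), "allow"),
]


class StaticFilter:
    """Screening-router model: every packet is judged on its own header."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        d = direction(p)
        for rdir, (slo, shi), (dlo, dhi), action in self.rules:
            if rdir == d and slo <= p.sport <= shi and dlo <= p.dport <= dhi:
                return action
        return "deny"  # default deny


class StatefulFilter:
    """Stateful-inspection model: an outbound SYN to a permitted service
    creates a connection entry; inbound packets are admitted only if they
    match an existing entry."""

    def __init__(self, allowed_outbound_ports=(80,)):
        self.allowed = set(allowed_outbound_ports)
        self.table = set()  # (inside_addr, inside_port, outside_addr, outside_port)

    def decide(self, p: Packet) -> str:
        d = direction(p)
        if d == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                if p.dport not in self.allowed:
                    return "deny"
                self.table.add(key)  # remember the connection
                return "allow"
            return "allow" if key in self.table else "deny"
        if d == "in":
            key = (p.dst, p.dport, p.src, p.sport)
            return "allow" if key in self.table else "deny"
        return "deny"


def compare(packets):
    """Run one packet sequence through both filters; return the
    (static, stateful) decision for each packet, in order."""
    static, stateful = StaticFilter(STATIC_RULES), StatefulFilter()
    return [(static.decide(p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a legitimate web fetch, then an unsolicited
    # inbound packet dressed up to look like a web reply.
    sample = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, syn=True),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
        Packet("192.0.2.99", 80, "10.0.0.7", 6000, ack=True),
    ]
    for p, (s, t) in zip(sample, compare(sample)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s}  stateful={t}")
```

The third packet is the point: the static filter must accept it because its rule can only describe what a reply looks like, while the stateful filter rejects it because no inside host opened that connection.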
Which is the most secure type of firewall?
Experts agree that the most permissive, and least
secure, type of firewall is the filtering gateway, and the most
secure is the application gateway. Among those experts are Cheswick
and Bellovin (see the reference in the "further reading" area
of this document), Ted Julian in IDC's Firewall Marketing report
dated February 1996, and Rik Farrow, for example in the May 1996
issue of UniForum's "IT Solutions" magazine.
Bill Cheswick, well known firewall and Internet security
expert, pointed out (in the June 17, 1996 issue of LAN TIMES),
"Packet filters can protect your [network] quite adequately
if they are properly designed. The hard part is getting the rules
right and testing the filter to see if it is truly secure."
Winn Schwartau, president of InterPact, Inc., a security
consulting company added, in the same article, "Don't bother
[with packet filters]. They are a waste of money. ... if you are
going to have no control over user activities, why bother?"
What are application gateways (proxies)?
The terms "application gateways" and "proxies"
mean the same thing. A proxy in a firewall is a software mechanism
that acts on behalf of another. It will sit between a client on
one side of the firewall and a server on the other. To the client
it looks and acts like a server; to the server it looks like client
software. It acts as a proxy for both sides.
All application data flows through the proxy. Because
of this the proxy is in a unique position to log information (time
of connection, number of bytes transferred, etc.) and enforce
access rules (who can connect to what for which service at what
time).
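The command-level control and per-session logging that the application gateway section and this answer describe, as an added example (not Gauntlet's own proxy code and not from TIS): a toy FTP control-channel proxy session in Python that relays only commands appropriate to the service, refuses uploads on sessions arriving from outside, and keeps an audit record of time and bytes. The addresses, command lists and site policy are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed policy: the FTP commands this proxy is willing to relay.
# Anything else is refused, so only transactions appropriate to the
# service ever reach the server on the other side.
READ_CMDS = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP", "LIST",
             "NLST", "RETR", "SIZE", "PASV", "PORT", "NOOP", "QUIT"}
WRITE_CMDS = {"STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

INSIDE_PREFIX = "10.0.0."  # constructed: the protected network


def policy_allows_write(client_addr: str) -> bool:
    """Site rule assumed for the example: inside users may upload to outside
    servers; sessions arriving from the outside are read-only."""
    return client_addr.startswith(INSIDE_PREFIX)


class FtpProxySession:
    """Sits between one client and one server, sees every control line,
    enforces the command policy and keeps an audit record."""

    def __init__(self, user, client_addr, server_addr, clock=None):
        self.user, self.client, self.server = user, client_addr, server_addr
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.started = self.clock()
        self.allow_write = policy_allows_write(client_addr)
        self.bytes_from_client = 0
        self.bytes_from_server = 0
        self.denied = []
        self.events = []

    def _log(self, msg: str) -> None:
        stamp = self.clock().strftime("%b %d %H:%M:%S")
        self.events.append(
            f"{stamp} ftp-proxy {self.user}@{self.client}->{self.server}: {msg}")

    def from_client(self, line: str):
        """Return the command to relay, or None when the proxy refuses it
        (the caller then answers the client with a 5xx reply itself)."""
        self.bytes_from_client += len(line)
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in WRITE_CMDS and not self.allow_write:
            self.denied.append(verb)
            self._log(f"denied {verb} (read-only policy)")
            return None
        if verb not in READ_CMDS | WRITE_CMDS:
            self.denied.append(verb or "<empty>")
            self._log(f"denied unknown command {verb!r}")
            return None
        if verb in ("RETR", "STOR"):  # file names are logged; PASS arguments never are
            self._log(f"{verb} {parts[1] if len(parts) > 1 else ''}")
        return line

    def from_server(self, line: str) -> str:
        """Replies are relayed unchanged; only their size is accounted for."""
        self.bytes_from_server += len(line)
        return line

    def close(self) -> dict:
        """Session summary of the kind a proxy writes at exit."""
        elapsed = (self.clock() - self.started).total_seconds()
        self._log(f"exit: {self.bytes_from_client} bytes in, "
                  f"{self.bytes_from_server} bytes out, {len(self.denied)} denied")
        return {"user": self.user, "client": self.client, "server": self.server,
                "bytes_in": self.bytes_from_client, "bytes_out": self.bytes_from_server,
                "denied": list(self.denied), "seconds": elapsed}


def run_session(user, client_addr, server_addr, script, clock=None):
    """Drive a scripted exchange of ('C', line) / ('S', line) tuples.
    Returns (summary, commands actually relayed, audit events)."""
    s = FtpProxySession(user, client_addr, server_addr, clock)
    relayed = []
    for side, line in script:
        if side == "C":
            out = s.from_client(line)
            if out is not None:
                relayed.append(out.strip())
        else:
            s.from_server(line)
    return s.close(), relayed, s.events


if __name__ == "__main__":
    # Constructed exchange: an outside client reads a file, then tries to upload.
    script = [("C", "USER anonymous\r\n"), ("S", "331 Password required\r\n"),
              ("C", "PASS guest@example.org\r\n"), ("S", "230 Logged in\r\n"),
              ("C", "RETR README\r\n"), ("S", "150 Opening data connection\r\n"),
              ("C", "STOR upload.bin\r\n"), ("C", "SITE HELP\r\n"), ("C", "QUIT\r\n")]
    summary, relayed, events = run_session("anonymous", "192.0.2.40", "10.0.0.9", script)
    print("\n".join(events))
    print(summary, relayed)
```

A packet filter passing port 21 could not make any of these distinctions, because it never sees the commands.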
Aren't application gateways and proxies different things?
No, they are different technical terms for the same
mechanism. It is possible that some people use them to mean different
things in their marketing literature, but they are synonymous
terms.
Aren't application gateways, or proxies, outmoded, old technology?
Of course not. Application gateways have been around
only a few years. As discussed above, they are the most secure
kind of firewall mechanisms. Anyone who says otherwise disagrees
with the experts, and is probably blowing marketing smoke.
Application gateways are much more secure than any
other kind of firewall mechanism, certainly more so than any filter-based
solution. At a CSI conference during the Meet the Enemy session,
hackers fingered a stateful inspection firewall as their "favorite
firewalls" to come up against. Hackers would rather not find
an application gateway firewall such as the Gauntlet Internet
Firewall.
What is the Gauntlet Internet Firewall?
The Gauntlet Internet Firewall is an application-based
firewall featuring the most secure firewall design in the industry.
The Gauntlet product features:
- Complete firewall transparency through the proxies
(so, without sacrificing security)
- Industry standard firewall-to-firewall encryption
(strong encryption that is exportable)
- The only "Crystal Box" firewall --
source code can be inspected
- Support for more strong user authentication devices
than any other firewall
- Secure, integrated graphical user interface (GUI)
management tools (via any web browser)
- A cryptographic system integrity checker
- Built in "smoke alarms" -- allowing
real-time notification of unauthorized activities
- Secure information gateway allowing safe deployment
of web or FTP server on firewall system
- And a set of application gateways (proxies)
What services are supported by the Gauntlet Firewall?
The Gauntlet Internet Firewall
includes proxies for the following services:
- Terminal Services (TELNET, Rlogin)
- File Transfer (FTP)
- Electronic Mail (SMTP, POP3)
- World Wide Web (HTTP, SHTTP, AHTTP, SSL)
- Gopher
- X Window System (X11)
- Printer
- Remote Execution (Rsh)
- Sybase SQL
- Oracle SQL*Net
- RealAudio and RealVideo
- Xing
- Netshow
- VDOLive
- SNMP
There is also a proxy that acts as a "patch
panel" for simple services in a one-to-one or one-to-many
configuration, called the "plug gateway." Through this
gateway, the Gauntlet Internet Firewall supports
- Finger
- USENET News (NNTP)
- Whois
- Lotus Notes
- AOL
An authenticated circuit gateway allows the firewall
manager to configure certain "plug gateway" services
to be available on a per user basis after users authenticate themselves
to the firewall.
An authentication server supports the use of strong
user authentication (identification) via security tokens or one-time
password mechanisms.
Additionally, the Gauntlet Internet Firewall provides
optional support for extended content security:
- Virus scanning of file transfers, web access,
and electronic mail
- URL Screening
Are Gauntlet proxies easy to use?
All proxies supplied with the Gauntlet Internet Firewall
can be installed for "transparent mode" operation. In
transparent mode, the user just issues the command to connect
to a machine on the other side of the firewall, and the connection
is made. All communication goes through the appropriate application
gateway. It just seems like a direct connection to the user.
If I use the Gauntlet Firewall, do I have to modify software on inside machines?
None of the Gauntlet Internet Firewall proxies require
modification of the software on the internal network.
What are the customer needs addressed in version 4.0 of the Gauntlet firewall?
The Gauntlet Internet Firewall Version 4.0 addresses
the following customer needs:
- Secure Multimedia Communications
- Extended Content Security
- Support for Enterprise Network Management
- Extended DBMS Security
- Enhanced Native Management
What new features will I find in version 4.0 of the Gauntlet firewall?
- Streaming Multimedia Support For Most Popular Real-Time Information Services
- Support For Virus Scanning of Mail, FTP, and HTTP Traffic
- HP Network Management Support (OpenView)
- New JAVA-Based GUI for Local and Remote Management
- Extended DBMS Security with Oracle SQL*NET proxy
What are some of the services supported for secure multimedia communications?
RealAudio/RealVideo, Xing, NetShow, and VDOLive are
all supported through specialized proxies.
Can I use multiple Gauntlet Firewalls at an Internet gateway?
Many of our customers install multiple Gauntlet units
in parallel at gateways for load balancing and redundancy. This
configuration works very well.
Do I need special software or a certain operating system to use the Gauntlet Management GUI?
The management system can be accessed using any "Web
browser" program (e.g., Microsoft Internet Explorer, Netscape
Navigator) from any platform that supports them. No special software
is needed.
What is a Virtual Private Network?
A virtual private network, or VPN, through encryption,
provides privacy for all allowed network traffic between two gateways.
In a VPN, no level of trust between the networks need be assumed.
A VPN provides privacy only. A VPN is not necessarily a Virtual
Network Perimeter.
What's a Virtual Network Perimeter?
This term was coined by TIS in a technical paper
(#1 in the reading list later in this document). A VNP is a Virtual
Network security Perimeter: a network that appears to be a single
protected network behind firewalls, but which actually encompasses
encrypted virtual links over untrusted networks. It is the use of firewalls,
encryption, and standard administration, control, and policies
that allows an organization to extend a network to include multiple
locations that may be connected over an untrusted network, such
as the Internet. In a VNP, all network services may be opened
up between the trusted networks, allowing even "insecure"
network services, by virtue of the protection afforded by the
network security perimeter. A VNP is also a Virtual Private Network.
What are the benefits of VPNs and VNPs?
For sake of example, envision a corporate headquarters
in Maryland with a branch office in California. Each site has
a private local area network protected by a Gauntlet Internet
Firewall. Without encryption, all of the traffic passing between
the two sites would go across the Internet "in the clear,"
meaning that anyone with a "sniffer" attached to one
of the many network links between Maryland and California could
read and understand the traffic. If I were sending e-mail, they
could read my e-mail. If I were sending a proposal via FTP, they
could read the proposal.
Now let's assume that we turn on encryption between
the two firewalls. As traffic leaves the site in Maryland, the
firewall uses a secret key shared only with the firewall in California
to scramble the traffic in such a way that it cannot be read or
understood by anyone as it passes across the Internet. Your e-mail,
or proposal, would look like unintelligible garbage to anyone
using a sniffer.
There are two main benefits to using firewall-to-firewall
encryption. The obvious benefit is that traffic cannot be "seen"
by others (including intruders) as it passes across the Internet
between the two firewalls. This prevents sensitive information
from falling into the wrong hands, and denies intruders access
to information they might use to attack your network. The less
obvious benefit of such encryption is that traffic between the
two firewalls is no longer restricted to the services provided
by the firewall proxies. Now any application can safely be used.
Client/server database or financial applications can be used.
TELNET logins can be permitted without the need for strong authentication.
The encrypted link between the firewalls turns the two protected
networks into a single trusted environment.
Are Gauntlet Firewalls with encryption available outside the USA?
Yes, Gauntlet Global Virtual Private Networks (GVPNs)
are available worldwide. Strong cryptography (56 bit DES and Triple
DES) is available. Gauntlet firewalls are the only firewalls
available worldwide with strong, standard cryptography.
Doesn't the strong encryption require government escrowing of keys?
No, not at all. TIS can export 56 bit DES free and
clear. Triple DES can be exported in conjunction with TIS's RecoverKey
technology. This patented technology requires no escrowing of
keys, and has been available on the Gauntlet firewall since January
of 1996.
Why do you say you are the only firewall vendor to export strong cryptography? Vendor XYZ is doing it.
We say it because it is true. If you look closely,
vendor XYZ supports DES only in the US. They cannot export
DES from their home (non-US) country. They use a proprietary encryption
algorithm that has been approved by their government for export.
They are not exporting DES worldwide. They may not export DES
from the US nor from their home country. Also, they do not support
Triple DES at all.
Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
While we cannot understand why anyone would use any
other firewall, the answer is "yes." Gauntlet firewalls
can communicate over a VPN with any product supporting IPSEC and
ISAKMP.
What is network address translation (NAT)?
Devices that support NAT allow networks to use unregistered
or "illegal" (unsupported or unassigned) IP addresses
on a network on one side of the NAT device, while being connected
on the other side to the Internet. The NAT device translates the
illegal address into a legal address for outside use.
Does the Gauntlet Internet Firewall support NAT?
Yes, because the firewall is your only connection
to the outside world, the outside network has no knowledge of
IP addresses on the inside network. The Gauntlet Internet Firewall,
by nature of its design as an application gateway-based firewall,
translates all internal addresses to the firewall's address, and
is designed to hide internal addresses from the "untrusted"
network.
Does the Gauntlet Internet Firewall support E-mail and DNS?
Yes, since a firewall often acts as an internetwork
gateway to an organization, the Gauntlet Internet Firewall includes
an e-mail gateway and DNS set-up. Both the e-mail gateway and
the name server hide internal addresses from the outside.
What is meant by the term "strong user authentication?"
This discussion of strong user authentication is
from our paper "A Network Perimeter With Secure External
Access":
"We use 'authentication' as defined by the National
Computer Security Center's 'Red Book' [2] as '(1) to establish
the validity of a claimed identity or (2) to provide protection
against fraudulent transactions by establishing the validity of
... the individual ....' Identification of a user is often accomplished
on computers through the use of a user name and password pair.
The password is kept secret and must be difficult to guess; only
the user knows the proper name and password pair to use. In reality,
passwords are often weak (guessable). Further, in the case of
identifying users over outside communication links, there exist
opportunities for capture of the user name and password information
(although the password is usually not echoed, it is transmitted
over the communications link 'in the clear'). Consequently, while
it would seem that a user name and password pair constitute good
identification criteria, the password is too easily guessed or
captured. [With strong user authentication], authentication of
a user is done in such a fashion that we can apply a high degree
of trust to the identification. This can be accomplished with
one-time passwords, or authentication devices ..."
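An added example (not from the paper quoted above and not Gauntlet's own implementation) of the "one-time passwords" the quotation mentions: an S/KEY-style hash chain in Python. The server stores only the current chain head, each login consumes one step, and a password captured "in the clear" on the link is useless for a second login. The hash function, chain length and secret are constructed for the example.

```python
import hashlib
import secrets

CHAIN_LENGTH = 100  # logins available before the user must re-enrol


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def iterate(secret: bytes, times: int) -> bytes:
    """h applied `times` times to the secret, i.e. h^times(secret)."""
    value = secret
    for _ in range(times):
        value = h(value)
    return value


def enroll(secret: bytes, n: int = CHAIN_LENGTH) -> dict:
    """Server-side record. Only h^n(secret) and the counter are stored;
    the secret itself never leaves the user's side."""
    return {"last": iterate(secret, n), "n": n}


def client_otp(secret: bytes, record_n: int) -> bytes:
    """What the user's side computes for the login the server is expecting:
    one hash fewer than the value the server currently holds."""
    return iterate(secret, record_n - 1)


def verify(record: dict, candidate: bytes) -> bool:
    """Accept iff h(candidate) equals the stored value, then move the stored
    value back one step so the same candidate can never be accepted again.
    Anyone who captured `candidate` on the wire cannot compute the next one,
    because that would require inverting h."""
    if record["n"] <= 0:
        return False  # chain exhausted: the user must re-enrol
    if secrets.compare_digest(h(candidate), record["last"]):
        record["last"] = candidate
        record["n"] -= 1
        return True
    return False


def demo() -> dict:
    """Constructed walk-through: one good login, a replay of the same value
    (as a sniffer on the link would have captured it), then the next login."""
    secret = b"constructed-example-secret"  # in practice: random and user-held
    rec = enroll(secret)
    first = client_otp(secret, rec["n"])
    ok1 = verify(rec, first)
    replay = verify(rec, first)
    ok2 = verify(rec, client_otp(secret, rec["n"]))
    return {"first": ok1, "replay": replay, "next": ok2, "remaining": rec["n"]}


if __name__ == "__main__":
    print(demo())
```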
Do Gauntlet products support strong user authentication?
The network authentication server provides a generic
authentication service for firewall proxies. Its use is optional,
required only if the firewall interactive proxies are configured
to require authentication. It acts as a piece of "middleware"
that integrates multiple forms of authentication, permitting an
administrator to associate a preferred form of authentication
with an individual user. This permits organizations that already
provide users with authentication tokens to enable the same token
for authenticating users to the firewall. Several forms of challenge/response
cards are supported, along with software-based one-time password
systems, and plaintext passwords. Use of plaintext passwords over
the Internet is strongly discouraged, due to the threat of password
sniffing attackers.
The Gauntlet Internet Firewall supports many third
party authentication devices. Please contact TIS for an up-to-date
list.
Can I use reusable passwords for outbound connections?
Many sites would like to be able (usually for accounting
purposes) to have users on the internal network use a password
for outbound TELNET or FTP connections. However, since they do
not want to go to the expense of providing all of their internal
users strong authentication tokens, the question becomes "Can
I require them to use the normal username and reusable passwords
like the ones they use for logging into the internal network in
the first place?" In general, the answer is a guarded "yes."
What are the qualifications of a firewall
administrator?
The firewall administrator should be a qualified
TCP/IP network administrator. This is not because others cannot
easily learn to make necessary changes to the firewall using the
firewall maintenance interface, but rather because the peripheral
TCP/IP issues (such as DNS configuration, etc.) are important
to understanding how the firewall will function in a network environment.
The firewall is only one component in a complex architecture of
interdependent components, and the firewall administrator should
understand how changes to the firewall will affect the rest of
the network.
Can you guarantee that my Gauntlet
Firewall will never crash?
No, firewalls run on computers, and computers occasionally
fail. Since the firewall is the only link to networks outside
the private network, if the firewall fails you lose your connection
to those outside networks until the firewall machine can be repaired.
Because some sites have a critical need for continuous access
to and from the Internet or other private networks, TIS permits
clients of the Gauntlet Internet Firewall to maintain a cold backup
capability. A cold backup refers to a machine identical to the
firewall, with all of the Gauntlet Internet Firewall software,
the operating system, system files, etc., sitting on a shelf ready
to replace a failed machine. The only restriction is that the
primary firewall machine and the backup machine cannot be actively
operating as a firewall at the same time. If your organization
feels a backup unit is necessary, ask your TIS sales representative
about the current cost of a backup unit.
What kind of logging does the Gauntlet
firewall do?
The Gauntlet Internet Firewall provides detailed
audit logs of sessions. All services accessed through the firewall
are logged to the security log system. This is turned "on"
by default at the highest level of logging. The following events
are logged by default:
- All operating system kernel warnings and errors
- All file system warnings and errors
- All attempted accesses to network services, whether or not
successful and whether or not the service is supported, including
rejected source-routed addresses and ICMP redirects
- All successful network accesses, logging source and
destination addresses, service, time of day, disconnection time
of day, number of bytes transferred (if applicable), commands
accessed (FTP), and URLs accessed (HTTP)
- All interactions with the user authentication server
subsystem
What firewall activity reports come
with Gauntlet firewalls?
The Gauntlet Internet Firewall is supplied with two
log reduction reports. The first is a Summary Report in which
the use of each service (such as FTP) is summarized by user and
usage. For example, the firewall administrator might choose to
have the report show him who the top 20 users of TELNET were (how
many times they connected to that service, what address they connected
to, and how many bytes of data they transferred, etc.).
The second report is the Exception Report. To produce
this report, the firewall administrator specifies the information
he is not interested in seeing, and everything else is
included in the report. As a rule, administrators will quickly
develop a feel for the normal activity of the firewall usage at
their site. The exception report can then be used to examine closely
any "unusual" activity.
In addition, because the firewall logs are human-readable
UNIX syslogs, each site can have simple UNIX scripts written that
look for specific events that are of special interest, and have
the script perform such actions as send a message to the administrator's
console if the event should occur.
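The two ideas above, an exception report built by filtering out what the administrator has declared normal and a script that watches the syslogs for events of special interest, as an added example; this is not TIS or Gauntlet code, and the log line layout and the BADAUTH/deny wording are assumptions loosely modelled on FWTK-style proxy logging, so the patterns must be adjusted to what your own firewall emits:

```shell
#!/bin/sh
# Added example, not TIS/Gauntlet code. Demonstrates the two ideas in the
# text: an "exception report" that drops traffic the administrator has
# declared normal, and a watcher that flags events of special interest.
# The log line layout is an ASSUMPTION loosely modelled on FWTK-style
# proxy syslog output; adjust the patterns to what your firewall emits.

LOGFILE=$(mktemp)
# Constructed sample syslog excerpt (not captured from a real firewall).
cat > "$LOGFILE" <<'EOF'
Mar  3 09:12:01 fw tn-gw[412]: permit host=ws1.example.com/10.1.1.5 use of gateway
Mar  3 09:12:40 fw tn-gw[413]: deny host=unknown/192.0.2.7 use of gateway
Mar  3 09:13:02 fw authsrv[220]: BADAUTH jdoe (telnet gateway)
Mar  3 09:13:05 fw authsrv[220]: BADAUTH jdoe (telnet gateway)
Mar  3 09:13:09 fw authsrv[220]: BADAUTH jdoe (telnet gateway)
Mar  3 09:14:11 fw ftp-gw[430]: deny host=unknown/192.0.2.7 use of gateway
Mar  3 09:15:00 fw kernel: rejected source-routed packet from 192.0.2.9
EOF

# Patterns the administrator is NOT interested in seeing (site-specific).
NORMAL=$(mktemp)
cat > "$NORMAL" <<'EOF'
: permit host=
EOF

# Exception report: every line that does not match a "normal" pattern.
exception_report() {        # $1 = log file
    grep -v -f "$NORMAL" "$1"
}

# Prints "count address" for every source address a proxy denied.
denied_hosts() {            # $1 = log file
    grep ' deny host=' "$1" | sed 's/.*host=[^/]*\/\([^ ]*\).*/\1/' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# Number of failed authentications recorded for one user name.
failed_auths() {            # $1 = log file, $2 = user
    grep -c "BADAUTH $2 " "$1"
}

# One ALERT line per user whose failed authentications reach a threshold;
# pipe the output to mail(1) or write(1) to reach the administrator's console.
check_auth_failures() {     # $1 = log file, $2 = threshold
    grep 'BADAUTH' "$1" | awk '{print $7}' | sort | uniq -c \
        | awk -v t="$2" '$1 >= t {print "ALERT: " $1 " failed logins for " $2}'
}

exception_report "$LOGFILE"
check_auth_failures "$LOGFILE" 3
```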
More extensive logging, intrusion detection, etc.
will be available through third party products in mid-1997.
If I have a Gauntlet box, do I still
need a router?
The Gauntlet Internet Firewall does not require
the use of a router, but routers may be employed to enable certain
configurations and architectural options. While most customers
employ routers when connecting to a WAN, filtering rules installed
in the router are only used as a way to reduce network "noise,"
rather than protect the Gauntlet Firewall. The Gauntlet Internet
Firewall is designed to be a self-contained security system,
not relying on other network components for its own or the internal
network's security. TIS will assist Gauntlet Internet Firewall
clients in determining the need for routers.
On what operating systems do Gauntlet
products run?
The Gauntlet Firewall Software is available for the
following operating system platforms:
- BSD/OS operating system from Berkeley Software Design, Inc.
- HP-UX from Hewlett-Packard
- Solaris from Sun Microsystems
- Windows NT from Microsoft
TIS has hardened these operating systems for use
with the Gauntlet firewall.
Additionally, Gauntlet Firewall Software for IRIX
is available from Silicon Graphics.
Why is it important to "harden"
an operating system for a firewall?
The operating system is the base platform for firewall
software. Most commercial operating systems are created to allow
general use and access and provide many services useful for multiuser,
server systems (services such as NFS), but too insecure to allow
on a firewall. The base operating system must be "tightened"
to disallow insecure services and to apply security patches. Unfortunately,
most firewall vendors do not bother to do this. Consequently,
their firewalls may be installed on insecure systems, devaluing
the firewall's security.
Does the Gauntlet Internet Firewall
support FDDI, Token Ring, or ATM?
Gauntlet Firewall Software supports all network interfaces
supported by the operating systems. The turnkey version of the
Gauntlet Internet Firewall supports only Ethernet connections
at this time.
Should user accounts be permitted
on a firewall?
No! The only account on the firewall is that of the
Firewall Administrator, and he should either be required to use
strong authentication, or be restricted to logging in from the
firewall console.
Should general servers, such as WWW
servers, be permitted on a firewall?
Only if you are using the secure servers available
with the Gauntlet Internet Firewall, version 3.1 and later. Every
application that is in any way directly accessible to attack from
untrusted networks runs the risk of opening holes into the protected
network. Only software specifically written to be secure, and
rigorously reviewed for security relevant flaws (such as the proxies),
should be placed on the firewall.
Does the Gauntlet Internet Firewall
allow UDP or ICMP through?
The Gauntlet Internet Firewall does not, by default,
permit any connectionless protocols such as UDP or ICMP across
the firewall. Because their connectionless nature makes it impossible
to determine their actual source, all such applications must be
considered inherently insecure and inconsistent with conservative
firewall security. These services may be run through a VNP. Select
services - SNMP, RealAudio, and Finger, for example - are supported
securely through Gauntlet firewalls.
If anyone tries to sell you a firewall that allows
generic UDP services through, ask to see their security assessment
paper on the service, so you can understand why they think they
can secure such services.
Does the Gauntlet Internet Firewall
check for viruses?
Virus scanning software is supported by the Gauntlet
Internet Firewall. Check with your sales representative for products
and support options.
Is the Gauntlet Internet Firewall
available in my country?
Yes. The Gauntlet Internet Firewall may be purchased
from a growing list of resellers throughout the world, including
Africa, Asia, Australia, Europe, and North and South America.
Please contact TIS for a list of resellers.
Isn't the Gauntlet Internet Firewall
based on freeware?
The Gauntlet Internet Firewall was originally based
on the TIS Internet Firewall Toolkit, but is no longer. The TIS
Internet Firewall Toolkit is licensed and freely available, but
it is not "freeware," "public domain," or
"shareware." The FWTK has been downloaded by more than
50,000 individuals.
The FWTK is a licensed, freely available set of tools
for building internetwork firewalls. It is made to be used by
experts. The Gauntlet Internet Firewall is a complete, fully functional,