RIK FARROW'S 1997 FIREWALL PRODUCT ANALYSIS


CSI 1997 Firewalls Matrix
[An Analysis of Current Firewall Technologies]
by Rik Farrow

I have often used the analogy of an entrance guard for an office building to talk about firewalls. Like a firewall, an entrance guard's duty is to control traffic into, and sometimes out of, a building. For this control to be effective, there must be only a single entrance through which all traffic passes.

The guard may function at different levels. Perhaps a name badge attached to a person's pocket is sufficient authentication. More rigorous authentication might require a combination of the name badge and a PIN, and include a computerized recording of the badge number and time. The most rigorous authentication would involve a gateway with two doors, and each person subjected to a retinal scan before being allowed to enter the inner door. Armed guards stand by, just in case.

The entry guard might also be directed to examine the contents of large purses, briefcases or packages, looking for interesting items--recording devices, explosives, revolvers--even though we all know that surprises can come in many forms.

The firewall your organization uses provides the security at the entranceway to your network. If you permit individuals to use modems, your organization does not have a single entryway, but many ports of exposure. The firewall should function at the level required by your policy for authenticating traffic, collecting sufficiently detailed logging, and perhaps inspection of data which passes (for viruses or applets).

Most of all, your firewall is an implementation of your security policy. The policy itself should be based on examining your organization's assets, and determining which level of access is appropriate when compared to the risk to those assets.

Firewall technologies vary as to each one's strengths and weaknesses, and it is up to you to choose the right technology and vendor. Who knows? You might have just hired a sleepy, bored, and near-sighted person to guard your front door.

Crucial Differences

This year's firewall products center around two competing technologies, application gateways and stateful inspection. Most products weigh in with application gateway-based firewalls, but the market leader, Checkpoint Software's FireWall-1, relies on stateful inspection. Each technology has its advantages and disadvantages.

Let's examine each of the dominant technologies, along with the two other common methods for controlling traffic through firewalls: packet filtering and circuit relays.

You might recognise packet filtering as the oldest of the technologies, which first appeared as a capability in routers. Packet filtering operates at the internetworking level of TCP/IP (OSI layer 3, the Network layer), which means that all the code resides within the operating system. Packet filters examine both the IP and protocol headers, checking the IP addresses and port numbers against a set of rules. Flags within the protocol header can also be checked, for example, to determine if a packet is part of an established TCP session.

Packet filters are stateless--each packet is examined isolated from what has happened in the past, forcing the packet filter to make a decision to permit or deny each packet based upon the access control list rules. For routers, this is a slow operation which reduces routing throughput by 30% or more. Logging of packets also occurs without regard to past history, and enabling logging results in another hit on routing performance. There are packet filters not based on routers, but they face similar limitations with regards to logging and control.

Stateful inspection handles packet filtering in a different manner. Working at OSI layer 3, stateful inspection technologies look at the same headers as packet filters, but can also peek into the packet's data where the application protocol appears. More importantly, stateful inspection technologies maintain 'state' data, information about past packets. Stateful inspection only needs to compare the first packet in a connection to the rule set, and if the packet is permitted, adds information, the state, to an internal database. This state information permits subsequent packets in that connection to pass quickly through the firewall.

If the rule set for a type of service requires examining application data, then part of each packet must still be examined. As an example, FireWall-1 can react to seeing an FTP PORT command by creating a dynamic rule permitting a connection back from the FTP server.
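As an added illustration (not code from the article or from any vendor's product), the following toy Python model contrasts a stateless packet filter, which judges every packet in isolation, with a stateful engine that consults the rules only for a connection's first packet and, on seeing a client's FTP PORT command, adds a one-shot rule for the server's data connection back. The rule set, addresses and packet trace are constructed for the example.

```python
import ipaddress, re
# Toy stateful-inspection model on constructed packets (illustration, not vendor code).
RULES = [{"src": "10.0.0.0/8", "dst": "any", "dport": 21, "action": "accept"},   # inside -> FTP control
         {"src": "any", "dst": "any", "dport": "any", "action": "drop"}]          # first match wins
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def rule_matches(rule, pkt):
    def ok(ip, net):  # "any" is a wildcard; a bare host address is treated as a /32
        return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return ok(pkt["src"], rule["src"]) and ok(pkt["dst"], rule["dst"]) and rule["dport"] in ("any", pkt["dport"])

def stateless_filter(pkt):  # plain packet filter: each packet judged in isolation against RULES
    return next(r["action"] for r in RULES if rule_matches(r, pkt))

class StatefulFirewall:
    def __init__(self):
        self.state = set()   # permitted connections as (src, sport, dst, dport) tuples
        self.dynamic = []    # one-shot rules created from observed FTP PORT commands

    def filter(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.state or key[2:] + key[:2] in self.state:
            verdict = "accept"               # fast path: known connection, no rule scan
        else:
            verdict = self._first_packet(pkt)
            if verdict == "accept":
                self.state.add(key)
        if verdict == "accept" and pkt["dport"] == 21:
            self._track_ftp_port(pkt)
        return verdict

    def _first_packet(self, pkt):
        for rule in self.dynamic:
            if rule_matches(rule, pkt):
                self.dynamic.remove(rule)    # a data connection is used once
                return "accept"
        return stateless_filter(pkt)

    def _track_ftp_port(self, pkt):
        # PORT h1,h2,h3,h4,p1,p2 names where the server connects back; permit only that, and only to the client itself
        m = PORT_RE.search(pkt.get("data", b""))
        if m and ".".join(m.group(i).decode() for i in range(1, 5)) == pkt["src"]:
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.dynamic.append({"src": pkt["dst"], "dst": pkt["src"], "dport": port})

def demo():  # constructed trace; returns (stateless verdicts, stateful verdicts)
    c, s = "10.1.1.5", "192.0.2.10"
    trace = [{"src": c, "sport": 4000, "dst": s, "dport": 21},             # control connection SYN
             {"src": s, "sport": 21, "dst": c, "dport": 4000},             # server's reply
             {"src": c, "sport": 4000, "dst": s, "dport": 21, "data": b"PORT 10,1,1,5,15,161\r\n"},
             {"src": s, "sport": 20, "dst": c, "dport": 4001},             # data connection back
             {"src": "203.0.113.7", "sport": 5555, "dst": c, "dport": 4001}]  # unrelated outsider
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in trace], [fw.filter(p) for p in trace]
```

The stateless filter drops the server's reply because the same rules are applied with no memory of the outbound request, which is why router access lists need an extra "established" rule; the stateful engine admits the reply and the data connection, yet still drops the outsider aimed at the same client port.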

Logging, or authentication as required by the rule set, occurs at the application layer (OSI layer 7). Although the opportunity for better logging is present, stateful inspection firewalls typically only log the source and destination IP addresses and ports, similar to logging with a router.

Router vendors are exploring adding state to their router products. Bay Networks is working with Checkpoint to embed FireWall-1's stateful inspection into their products. Cisco sells a stateful inspection-based firewall translator, PIX, and is designing routing technology which will work with TCP/IP and create state in the form of flows for higher performance.

Circuit relays operate at OSI layer 7, in user space. Circuit relays perform access control based on source and destination IP address and port, similar to the other technologies. The most popular implementation is SOCKS, but this technology is also found in several firewalls, often teamed up with packet filtering. Logging is similar to packet filtering or stateful inspection.

Proxies

Application gateways also operate at OSI layer 7, in user space. Access control starts with the typical source and destination IP address and port, but can include finer-grained control. For example, network access can be based not only on service, but also on time-of-day controls. Logging includes not only source and destination IP and port addresses, but also commands executed, names of files transferred, number of bytes transferred, and the amount of time spent sending or receiving.

The increased detail in the logs makes it possible to create detailed reports of network activity. TIS' Gauntlet, for example, creates reports with the top one hundred users of each service, making it simpler to spot unusual patterns of activity (like the executive who is emailing company data before jumping ship). ANS' Interlock includes individual usage reports, suitable for charging departments for Internet services.

The big difference between application gateways and all other technologies is that they actually implement the application protocol. The application gateway functions as a server for client applications (such as Web browsers), and as a client to the remote server. If a new TCP/IP service appears, the application gateway vendors must build new programs to support this service. This is the reason that the CSI Firewall Matrix always provides a place for application gateway vendors to list the services supported. Each application gateway represents a big investment in research and development.

Also, tunneling, that is, using rules which permit one application protocol to carry other protocols, becomes difficult. For example, the other three technologies typically permit all DNS traffic to pass unrestricted through a firewall. An insider could use this to copy data to a remote server as long as the server listened at the standard DNS port. If an outsider can coax a user to start a service at the DNS port, say, through a trojan horse, the outsider can have unrestricted access to this server through the firewall.

Although all four technologies can support user authentication, which identifies users rather than just the host involved in a transaction, circuit relays typically do not perform authentication. Authentication with packet filters can be very kludgy, for example, telnetting to a Cisco router or terminal server and using Cisco's TACACS+ to dynamically enable access control lists for a particular user. The stateful inspection and application gateway technologies deal much more gracefully with authenticating users.

Pro and Con

Vendors with packet filtering or stateful inspection technologies focus on the flexibility and performance of their products. FireWall-1, for example, comes with preconfigured support for over 120 different services, including a wildcard ("any"). You can also add new services by using the INSPECT language. A few difficult-to-implement services, such as talk, are not supported.

By comparison, application gateway firewalls provide support only for those services for which the application gateways have been written. Some offer limited support for other services through combinations of packet filters and circuit relays. But it is generally difficult to support new or in-house developed services. The other technologies are more flexible.

This flexibility comes with a price. It is quite possible, in fact trivial, to configure packet filters or stateful inspection firewalls to permit dangerous services through the firewall. If anything, easy-to-use administration interfaces lend themselves to setup errors. During last winter's CSI conference in Chicago, during the Meet the Enemy session, hackers singled out a stateful inspection product as their "favorite firewalls" to encounter. Firewalls which offer dangerous services could include documentation at a minimum, or built-in 'expert' advice, which warns administrators of dangerous configurations.

Application gateway firewalls make it more difficult to make mistakes during configuration by design. Most of these firewall vendors will not spend the time to write programs which support dangerous services, so there is no way to open your "firewall protected" network to attacks by merely pointing-and-clicking. Flexibility requires a great amount of expertise in networking and TCP/IP security, which most sites don't have. It is the task of the firewall vendor to supply this expertise, and some products supply flexibility instead.

Performance

The other big advantage that stateful inspection technologies can have over application gateway firewalls is performance. Stateful inspection modules get installed as part of the operating system. The performance gain comes about because packets are filtered before the operating system begins processing them in the higher layers of the TCP/IP stack. Data in the packets does not need to be copied from the operating system into user space. Finally, a single, monolithic module does all the work (with the exception of authenticating and logging, which is done by separate programs).

Application gateway firewalls run programs to support each different service. In many products, each individual connection is controlled through its own copy of a program. Just starting and managing all these programs requires processing time. Because these programs operate in user space, the programs must make system calls to exchange data and information with the operating system. All this adds overhead to application gateway designs.

Some firewall vendors have improved the performance of their application gateway programs by implementing a design used in Web servers. A single program for each service passes off connection requests to child processes, avoiding the overhead of starting new application gateways for each connection. And good operating system designs minimize the overhead of system calls and copying data from within the operating system to user space.

Data Communications magazine published a review of firewall performance back in November of 1995, and another review has been published this year. Their results showed that FireWall-1 outperformed application gateway firewalls at intermediate levels of network traffic, but that two application gateway-based firewalls (Gauntlet and Cyberguard) could support equivalent numbers of connections in a heavily loaded network. And for many people, these questions are only relevant for Intranet firewalls, where two or more Ethernet networks are connected. Most of the firewalls in the review could handle traffic at the T1 level of speeds found in most connections to the Internet.

Trade-Offs

A firewall is an implementation of your security policy, first and foremost. You must use your policy to create a requirements statement, then choose a product based on that list of requirements. If flexibility is your goal, with moderate logging, stateful inspection is the choice today. For better logging and tighter control, application gateways appear to be the appropriate technology.


Copyright © 1998, Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107. Telephone: (415) 905-2626 Fax: (415) 905-2218.