Cyberguard Firewall by iik16908


firewalling: Raise your perimeter IQ

Joel Snyder
Opus One

• Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing
• Support from Andy Briney, Neil Roiter at Information Security
Firewalls have been around for a very long time

“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)

[Timeline figure, axis 1989 to 2005. Event labels on the slide:]
• First firewalls deployed in Internet-connected
• TIS toolkit commonly
• “Firewalls and Internet Security” published
• Cisco buys PIX (Network
• CheckPoint revenues cross $100m
• WatchGuard introduces 1st FW appliance
Surely firewall makers have been busy since 1999?

Clear market trends
• Faster
• Cheaper
• Smaller
   New Guard: NetScreen (Juniper), SonicWALL
   Old Guard: Cisco, Check Point

Clear product trends
• Add VPN features
   Site-to-site
   Remote Access (?)
• Add policy-based URL control
   Websense-type
• Add interfaces
   No longer just inside, outside, DMZ
Incremental improvements are not very exciting

• Smaller, cheaper, faster: that’s great
• VPNs, more interfaces: that’s great

• But what have you done for me lately?

• To answer that, we need to digress to the
  oldest battle in all of firewall-dom: proxy
  versus packet filter!
Arguments between Proxy and Stateful PF continued

Proxy
• More secure because you can look at application data
• More secure because you have independent TCP stacks

Stateful PF
• Faster to write
• Faster to adapt
• Faster to run
• Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!

[Diagram: a Proxy sitting above TCP/IP and Packet Filtering, between the inside network and the outside net, with Src=/Dst= labels on each side]
Firewall Landscape: five years ago
•   IBM eNetwork         •   NetGuard
•   Secure Computing     •   WatchGuard
•   Altavista Firewall   •   SonicWALL
•   TIS Gauntlet         •   Check Point
•   Raptor Eagle         •   Livermore Software
•   Elron                •   Milkyway
•   Cyberguard           •   Borderware
•   Ukiah Software       •   Global Internet
Stateful Packet Filtering dominates the market

• Check Point, Cisco, NetScreen, SonicWALL
• Freeware-based products: Ipchains, IPF, Iptables, IPFW
• FW Newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others
But… the core argument was never disputed

• Proxy-based firewalls do have the
  possibility to give you more control
  because they maintain application-layer
  state information

• The reality is that proxy-based firewalls
  rarely went very far down that path
   Why? Market demand, obviously…
Firewall Evolution: What we hoped for…

• Additional granular controls on a wide variety of applications
• Intrusion detection and prevention
• Vastly improved centralized management systems
• More flexible deployment options
Firewall Evolution: What we found…

• Additional granular controls on some a wide variety of
• Limited intrusion detection and
• Vastly improved centralized management systems
• More flexible deployment options

Why? Market demand,
Additional Granular Controls focused on a few applications

• Everybody loves HTTP management
   Header filtering
   File type & MIME type
   Embedded Data blocking (Javascript)
   Virus scanning, URL
• Other applications are piecemeal
   FTP
   SMTP
   VoIP
   File Sharing
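HTTP-oriented features served “pressure points”

• CyberGuard
   HTTP Action Controls: Post/Put/Delete
   Filename & MIME type blocking: Filename; no MIME blocking
   Header Filtering: Full
   SOAP controls: Basic
   URL Translation: Yes
   Can Block within HTTP…: ActiveX, Java, Javascript, VBScript, XML
   Virus detection: Yes, external server
   URL filtering/blocking: WebSense

• Netscreen
   HTTP Action Controls: None
   Filename & MIME type blocking: Filename .EXE & .ZIP; no MIME blocking
   Header Filtering: No
   SOAP controls: No
   URL Translation: No
   Can Block within HTTP…: ActiveX, Java
   Virus detection: Yes, internal or external server
   URL filtering/blocking: WebSense plus local URL list

• WatchGuard
   HTTP Action Controls: Post
   Filename & MIME type blocking: MIME blocking
   Header Filtering: Limited Set
   SOAP controls: No
   URL Translation: No
   Can Block within HTTP…: ActiveX, Java, Cookies
   Virus detection: None
   URL filtering/blocking: WebBlocker

• Secure Computing
   HTTP Action Controls: [blank]
   Filename & MIME type blocking: Filename & MIME type blocking
   Header Filtering: Full
   SOAP controls: Block/Allow
   URL Translation: No
   Can Block within HTTP…: ActiveX, Java, Javascript, VBScript
   Virus detection: scanning, 2 types (signature/heuristic)
   URL filtering/blocking: Smartfilter and local URL list

• Symantec
   HTTP Action Controls: Can block 'upload' only
   Filename & MIME type blocking: Filename blocking by extension
   Header Filtering: No
   SOAP controls: No
   URL Translation: No
   Can Block within HTTP…: WebDAV, DCOM
   Virus detection: Local scanning
   URL filtering/blocking: Rating system and local URL list

• Check Point
   HTTP Action Controls: Get/Post/Put/Head
   Filename & MIME type blocking: Filename by wildcard; no MIME blocking
   Header Filtering: Full
   SOAP controls: Basic
   URL Translation: Yes
   Can Block within HTTP…: ActiveX, Java, Javascript, VBScript
   Virus detection: Yes, external server
   URL filtering/blocking: OPSEC and local URL list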
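The proxy versus packet filter argument and the HTTP control columns above, as an added example that is not from the presentation or from any vendor: three constructed requests look identical to a packet filter on TCP/80, while an application-layer check separates them by method, filename, MIME type and headers. The policy keys, function names and sample requests are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical policy modelled on the table's columns (not any vendor's syntax).
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},      # HTTP action controls
    "blocked_extensions": {".exe", ".zip"},          # filename blocking
    "blocked_mime": {"application/x-msdownload"},    # MIME type blocking
    "stripped_headers": {"via", "x-forwarded-for"},  # header filtering
}

def packet_filter_allows(dst_port, proto="tcp"):
    # A stateful packet filter decides on addresses, ports and state only.
    return proto == "tcp" and dst_port == 80

def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, path and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), urlsplit(target).path, headers

def proxy_verdict(raw, policy=POLICY):
    """Application-layer decision: (allowed, reason, headers to forward)."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return False, "malformed request", {}
    if method not in policy["allowed_methods"]:
        return False, f"method {method} blocked", {}
    if any(path.lower().endswith(ext) for ext in policy["blocked_extensions"]):
        return False, "filename blocked", {}
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime in policy["blocked_mime"]:
        return False, "MIME type blocked", {}
    kept = {k: v for k, v in headers.items() if k not in policy["stripped_headers"]}
    return True, "ok", kept

# Constructed sample requests; all three are plain TCP/80 to the packet filter.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nVia: 1.1 cache\r\n\r\n",
    b"DELETE /reports/q3.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-msdownload\r\n\r\nMZ",
]
VERDICTS = [(packet_filter_allows(80), *proxy_verdict(r)[:2]) for r in SAMPLES]
```

With `blocked_mime` emptied, the third request is allowed, which is the gap a "Filename; no MIME blocking" entry in the comparison describes.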
Advanced Controls are diverse across products

[Matrix of advanced controls supported by CyberGuard, Netscreen, WatchGuard, Secure Computing, Symantec and Check Point; the column labels did not survive extraction]

• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost undistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
         •Vendors appear to be reactive, not proactive.
Virus Scans and Policy Controls are simple, right?

• No! Some firewalls insisted on having virus and/or URL scanning happen “off box”
• No! Some firewalls can’t configure where you scan for viruses
• No! Some devices don’t have virus scanning
• No! Some firewalls don’t support a local list of blocked URLs

Conclusion: it’s not
We’ve learned how to write good GUIs, haven’t we?

• Not in the firewall business, we haven’t
• Additional granularity means additional thinking about
• Products are … disappointing

The firewall people have a lot to learn from the SSL VPN
Centralized management has improved a bit

• Folks who had it are doing slightly better than they were
• Folks who didn’t have it now generally have something

We’re still missing a general policy management system for firewalls
Many of the centralized management tools have very rough edges
“Intrusion” is the new buzzword in security

Rate-based IPS technology
• In firewalls, means “SYN flood protection”
• May be smart (NS)
• May include shunning (SecComp, WG, CP)

Content-based IPS technology
• Based on IDS-style thinking
• May have small signature base (NS, CP)
• May be an “IDS with the IPS bit on”
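A rate-based control of the kind the slide describes, as an added example that is not from the presentation or any product: bare SYNs are counted per source in a sliding window, and a source over the threshold is shunned for a fixed time. The class name, thresholds and packet records are constructed for illustration.

```python
from collections import defaultdict, deque

class SynRateLimiter:
    """Count bare SYNs per source in a sliding window; shun (temporarily drop
    everything from) any source that exceeds the threshold."""

    def __init__(self, max_syns=5, window=1.0, shun_seconds=60.0):
        self.max_syns, self.window, self.shun_seconds = max_syns, window, shun_seconds
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shunned = {}                  # src -> time the shun expires

    def handle(self, ts, src, flags):
        """Return 'drop' or 'pass' for one packet (ts in seconds)."""
        expiry = self.shunned.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.shunned[src]          # shun has expired
        if flags != "S":                   # only bare SYNs are counted
            return "pass"
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget SYNs outside the window
        if len(q) > self.max_syns:
            self.shunned[src] = ts + self.shun_seconds
            q.clear()
            return "drop"
        return "pass"

def run(packets, **kw):
    """Feed (time, source, flags) records through a fresh limiter."""
    fw = SynRateLimiter(**kw)
    return [fw.handle(*p) for p in packets]

# Constructed records: (time, source, TCP flags), documentation address ranges.
PACKETS = (
    [(0.0, "198.51.100.7", "S"), (0.1, "198.51.100.7", "A")]      # normal client
    + [(0.2 + i * 0.01, "192.0.2.66", "S") for i in range(8)]      # SYN burst
    + [(5.0, "192.0.2.66", "A"), (5.1, "198.51.100.7", "S"),
       (70.0, "192.0.2.66", "S")]                                  # after shun expiry
)

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run(PACKETS)):
        print(pkt, verdict)
```

Because the decision keys on source address alone, a shun also drops legitimate traffic from that address until it expires, so the threshold and shun time need tuning against normal connection rates.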
So what’s going on in the firewall business?

• Products are diverging, not converging
• Personalities of products are distinct
• IPS is a step forward, but not challenging
  the world of standalone products
• Rate of change of established products is
  slow compared to new entries
What does this mean for me and my firewall?

• Products are diverging
• Personalities are distinct
   Matching firewall to policy is hard; change in application or policy may mean changing product!

• IPS weaker than standalone
• Change rate slow
   Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia
Application-layer firewalling

Joel Snyder
Opus One
Member, Information Security Magazine test alliance
Thank you

Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit our Featured Topic. A copy of this presentation will be posted within the next 24 hours.
