Directory Copyright Info webmaster@tis.com
Gauntlet Internet Firewall-Frequently Asked Questions
Table of Contents
1. Purpose of this document
The purpose of this document is to answer questions about the Gauntlet Internet Firewall and internetwork firewalls.
2. What is an Internet firewall?
A firewall is "a system or combination of systems that enforces a boundary between two or more networks." (All definitions in quotes are from the National Computer Security Association's standard Firewall Functional Summary template.) It is a controlled gateway between one network and another. Typically, people discuss putting a firewall between a private, trusted network and the public Internet. It is analogous to a guard post in the lobby of a building, or at the gatehouse of an enclosed installation. For more detail, see what we recommend for further reading near the end of this document.
3. What will a firewall do for me?
Connecting your private, internal network to an outside, untrusted network can be both a blessing and a curse. A blessing in that the exchange of computerized information (the lifeblood of modern commerce) is greatly facilitated. A curse in that you may be exposing your valuable network resources and the reputation of your organization to the whims of Internet hackers or industrial spies. These problems have been extensively documented in the technical media (see TIS' web page at www.tis.com). To minimize the risk while maximizing the benefit requires that an organization develop a comprehensive Network Security Plan. This should include user security awareness training, qualified network security system administrators, and a network architecture that promotes structured security and the use of appropriate network security components. The Gauntlet Internet Firewall is one of the important components of a well-designed network security architecture.
The Gauntlet Internet Firewall is designed to be the single point in your network through which all communications between your internal network and all outside, untrusted networks must pass. This is also the point at which the Network Security Administrator may monitor and control the flow of information between the networks. The Gauntlet Internet Firewall supports strong authentication mechanisms to insure that only authorized users can enter your protected network. The Gauntlet Internet Firewall is capable of preventing unauthorized communications in either direction, and provides a log of all connections across the firewall in either direction. Properly configured, the Gauntlet firewall presents an impenetrable barrier to even the most persistent hackers seeking to access your network.
See our further reading list for more detailed information.
4. What will a firewall not do for me?
An Internet firewall is a controlled gateway. It cannot stop attacks from malicious insiders, nor can it take the place of education and security policies and procedures. It is part of an overall security plan.
5.What is a "network security perimeter?"
A network security perimeter is established by the methods and mechanisms used to secure the network against outside intrusion.
6. What is "defense in depth?"
Defense in depth, also called host-based security, is "the security approach whereby each system on the network is secured to the greatest possible degree. [It] may be used in conjunction with firewalls."
7. What is a "perimeter defense?"
Also known as perimeter-based security, it is " a network by controlling access to all entry and exit points of the network."
Before launching into a description of different types of firewalls, the concept of a perimeter defense should be understood because of its importance to the proper function of a firewall. To a site administrator, establishing a perimeter defense means that all communications between the internal network and external, untrusted networks must pass through the firewall(s) in order to monitor and control the traffic. The organization's Network Security Plan should specify that any form of connection to or from machines outside the internal network is strictly forbidden without review and authorization from the security administrator. This should include modems, leased lines to other networks, etc. Users should be aware that connections between their secure internal network and any outside network, including that of a trading partner or client, may expose the internal network to attackers that have broken into the other network. It makes little sense to have a strong, well-protected front door (the firewall) if the back door and all the windows are left open.
8. What are the different types of firewalls?
There are four types of firewalls: filtering gateways, circuit gateways, application gateways, and hybrid or complex gateways.
Filtering Gateway
Filtering firewalls use routers and packet filtering rules to grant or deny access from one source address (host) and port (service) to a second destination address and port. Also called a screening router, it is "a router configured to permit or deny traffic based on a set of permission rules installed by the administrator."
For example, the administrator can use the router rules to permit a particular machine on the external network to FTP to a specific machine on the internal network, but deny that same machine the ability to TELNET to the internal machine. Similarly, one specific address on the external network can be permitted to FTP to a specific address on the internal network while all other addresses are denied permission to FTP to that address on the internal network.
The advantages of a packet filtering firewall are that they are fast, generally inexpensive, very flexible, and transparent. Also, they can be implemented on routers, and most organizations already have routers. Routers support static (unchanging) filtering.
Another type of filtering, dynamic filtering, tries to make sense out of higher-level protocols and adapt filtering rules to accommodate protocol-specific needs (e.g., simulated connections for connectionless protocols such as NFS and RPC services).
A disadvantage of a filtering gateway is once access has been granted by the router to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host.
Another disadvantage of a packet filter is the source and destination addresses and ports contained in the IP packet header are the only information available to the router for making the decision to grant or deny access to the internal network. Unfortunately, source destinations and ports can be spoofed so that you cannot be sure who is really making the request for access. This is a critically important concept to understand. In reality it means that if you permit anyone to come through your router and access software on one of your internal host machines, everyone can access that software on that host. And if the software being accessed cannot do strong authentication, or has a hole in it, the intruder has gained access to your network.
Also, routers do not generally provide robust (if any) logging facilities, making it difficult to know when your network is under attack, or how to recover from a successful attack.
Further, packet filtering firewalls do not support the concept of strong user authentication, and access from untrusted networks should not be granted without strong authentication (see the question on strong user authentication).
Another problem is that both the hardware and software of routers may contain exploitable weaknesses. Routers are generally designed for performance, not security.
Finally, router rules are complex and are very difficult to "get right." Even highly qualified network professionals will occasionally add or modify a rule in the router's rule-base, and in so doing, accidentally open a hole through the router.
Circuit Gateway
A circuit level firewall is a means of handing an outgoing connection request from a client on the internal network to a single machine acting as a firewall, such that it will appear to the remote site that the connection request actually came from the firewall.
The principal advantage of a circuit level firewall is that it prevents direct connection between internal and external machines. All incoming requests are blocked. If a user on an internal machine writes code that listens on some non-standard port, users on external hosts have no way to reach that port. This gives the Security Administrator a single point at which to control incoming connection requests.
A disadvantage, or limitation of a circuit level gateway, is client software on the internal network may have to be modified to do the necessary "handshake" with the circuit level gateway software (for example SOCKS), and source code for the client software may be unavailable.
Application Level Gateway
An application gateway is "a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host."
An application level firewall is generally considered to be the most secure type firewall. The Gauntlet Internet Firewall is an application level firewall. Like the circuit level firewall, the Gauntlet firewall is configured to be the only host address visible to the outside network, requiring all connections to the internal network to go through the firewall. An application level firewall is distinguished by the use of proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.
One advantage of this type of firewall, is that proxies prevent direct connection between internal hosts and external, untrusted hosts. All incoming requests for services such as HTTP, FTP, TELNET, RLOGIN, etc., regardless of which host on the internal network will be the final destination, must first go through the appropriate proxy software on the firewall.
For example, consider a host on the external network requesting a connection to port 25 on any one of the many hosts on a network not protected by the Gauntlet Internet Firewall. Every host on the internal network could be running a different implementation of Sendmail, or different versions of the same implementation, each with known security problems. Because an attacker has direct access to every host on your internal network, he can try port 25 on every host on the internal network until he finds one running an implementation of Sendmail with an exploitable hole. From there he can gain access to the machine, and then to your entire internal network.
To protect against this type of attack, you can either secure every computer in your organization (usually impossible to enforce), or require that all connections go through a control point on which you have already made the security adjustments.
Strong user authentication (see below) should be required for all incoming connection requests before granting access to the requested service on the internal host when the protocol supports it. Application gateways, or proxies, allow enforcement of user authentication.
Comprehensive logging at the application level can be performed by proxies.
Since all communications between the internal and external networks are required to go through one of the application proxies, the proxies can restrict those communications to transactions appropriate to the specific service being used. They are also in position to do content-type filtering, such as blocking Java code from coming in from the outside.
The principal limitation of application gateway firewalls is that in some environments, there may be a requirement for data transfer rates in excess of the capacity of the firewall. The capacity of the Gauntlet Internet Firewall has not been determined, but it has demonstrated throughput of 10 Megabits/second (Ethernet speed), exceeding the capacity of a T1 link (about 1.5 Megabits/second).
Hybrid or Complex Gateways
Hybrid gateways, combine two or more of the above methods. If these methods are added in parallel, the network security perimeter will be only as secure as the least secure of all methods used. If they are added in series, the overall security is enhanced. All commercial firewalls that are hybrid systems, have the mechanisms in parallel.
A vendor who claims that a hybrid firewall is more secure by virtue of being more complex does not understand security. A useful truism of security to keep in mind is "complexity and security are often inversely proportional."
9. Which is the most secure type of firewall?
Experts agree that the most permissive, and least secure, type of firewall is the filtering gateway, and the most secure is the application gateway. Experts, such as Cheswick and Bellovin -- see reference in the "further reading" area of this document, Ted Julian in IDC's Firewall Marketing report dated February 1996, and Rik Farrow, for example in the May 1996 issue of UniForum's "IT Solutions" magazine.
Bill Cheswick, well known firewall and Internet security expert, pointed out (in the June 17, 1996 issue of LAN TIMES), "Packet filters can protect your [network] quite adequately if they are properly designed. The hard part is getting the rules right and testing the filter to see if it is truly secure."
Winn Schwartau, president of InterPact, Inc., a security consulting company added, in the same article, "Don't bother [with packet filters]. They are a waste of money. ... if you are going to have no control over user activities, why bother?"
10. What are application gateways (proxies)
The terms "application gateways" and "proxies" mean the same thing. A proxy in a firewall is a software mechanism that acts on behalf of another. It will sit between a client on one side of the firewall and a server on the other. To the client it looks and acts like a server; to the server it looks like client software. It acts as a proxy for both sides.
All application data flows through the proxy. Because of this the proxy is in a unique position to log information (time of connection, number of bytes transferred, etc.) and enforce access rules (who can connect to what for which service at what time).
11. Aren't application gateways and proxies different things?
No, they are different technical terms for the same mechanism. Anyone who tells you otherwise, doesn't know what they are talking about or is blowing smoke. It is possible that some people use them to mean different things in their marketing literature, but they are synonymous terms.
12. Aren't application gateways, or proxies, outmoded, old technology?
Of course not. Application gateways have been around only a few years. As discussed above, they are the most secure kind of firewall mechanisms. Anyone who says otherwise disagrees with the experts, and is probably blowing marketing smoke.
We have very sophisticated electronic surveillance mechanisms available in the latter part of the 1990s, but they haven't replaced human guards. Applications gateways are much more secure than any other kind of firewall mechanism, certainly more so that any filter-based solution.
13. What is the Gauntlet Internet Firewall
The Gauntlet Internet Firewall is an application-based firewall, featuring the most secure firewall design in the industry. The Gauntlet product features:
complete firewall transparency through the proxies (and so, without sacrificing security),
industry standard firewall-to-firewall encryption (strong encryption that is exportable),
the only "Crystal Box" firewall -- source code standard,
support for more strong user authentication devices than any other firewall,
a secure, integrated graphical user interface (GUI) management tools (via any web browser),
a cryptographic system integrity checker,
built in "smoke alarms" -- allowing real-time notification of unauthorized activities,
secure information gateway allowing safe deployment of web or FTP server on firewall system,
and a set of application gateways (proxies).
14. What services are supported by the Gauntlet Firewall?
The Gauntlet Internet Firewall includes proxies for the following services:
Terminal Services (TELNET, Rlogin, TN3270)
File Transfer (FTP)
Electronic Mail (SMTP, POP3)
World Wide Web (HTTP, SSL, and SHTTP)
Gopher
X Window System (X11)
Printer
Remote Execution (Rsh)
RealAudio
Sybase SQL
There is also a proxy that acts as a "patch panel" for simple services in a one-to-one or one-to-many configuration, called the "plug gateway." Through this gateway, the Gauntlet Internet Firewall supports
Finger
Usenet News (NNTP)
Whois
The HTTP proxy supports Java Guard.
15. Are Gauntlet proxies easy to use?
All proxies supplied with the Gauntlet Internet Firewall can be installed for "transparent mode" operation. In transparent mode, the user just issues the command to connect to a machine on the other side of the firewall, and the connection is made. All communication goes through the appropriate application gateway. It just seems like a direct connection to the user.
16. If I use the Gauntlet Firewall, do I have to modify software on inside machines?
None of the Gauntlet Internet Firewall proxies require modification of the software on the internal network.
17. What are the new features in version 3.2 of the Gauntlet firewall?
The Gauntlet Internet Firewall Version 3.2 has the following new features:
Java Guard
Remote Firewall Management
Remote Private Connection through the Gauntlet PC Extender
Web Access Control
Sybase SQL Proxy
18. What is "Java Guard?"
Java Guard is a mechanism for blocking Java scripts at the firewall. Because the Gauntlet Internet firewall is a proxy-based firewall, we can provide this specific level of protection unavailable in filter- based firewalls.
19. Why would I want to block Java scripts?
Java is an incredibly exciting and powerful tool. It also has been shown to contain software bugs in its security model and implementation allowing potential hackers to gain access to data on the client computer, or worse.
When a Java script is access via a web browser an executable program is copied to the client system and executed on the user's behalf. Usually, the user has no idea that by clicking on something on a web page, a program has been copied to the local machine.
According to an article in LAN TIMES (June 17, 1996), "no commercial tools are available to check Java code [for viruses] ëon the fly' before it executes on a client workstation. In fact, it will likely be difficult to check Java in a way that won't slow it down dramatically. Until the security problems are ironed out, experts say the safest strategy is to disable Java in the browser."
20. Why do I need Java Guard, then, if all my users need to do is turn Java off in their browser?
That is a solution some of our competitors have recommended. With that solution, you are trusting that all employees will remember to do this and will not turn Java back on in their browser software. With our solution, Java scripts are stopped at the perimeter of the network.
21. What if we need access to Java applets?
In keeping with our design philosophy, the Gauntlet Internet Firewall does not impose a security policy, but rather is configurable to match your security policy. If your security policy allows Java scripts, you may allow Java through the firewall.
22. What is "remote firewall management?"
Multiple Gauntlet firewalls can be managed from a central, master, Gauntlet Internet Firewall. This allows cloning of firewall configurations and the rapid deployment of new firewalls or new firewall configurations. This is used to support the other members of the Gauntlet Firewall Family, the Gauntlet Intranet Firewall and the Gauntlet Net Extender, mentioned elsewhere in this document.
23. What is "remote private connection?"
This is achieved through the use of the Gauntlet PC Extender, a PC IP stack encryption product mentioned elsewhere in this document. This allows privacy in connections for a remote user (home, hotel room across the Internet), and additionally allows that user to gain access to the whole inside, private network.
24. What do you mean by "web access control?"
Many of our customers have communicated the need for some to control over who can access the WWW, and when they can access it. Access control requires strong user authentication (more than passwords), but web browsers do not support this. Further, the protocol is unfriendly to this: every click on a URL makes a new connection and every new connection would require user authentication.
TIS' implementation supports strong user authentication by enforcing an uninterrupted connection from the client to the HTTP proxy. The user is presented with an authentication screen at the first attempted access. This, of course, is under the control of the firewall administrator.
25. Can I use multiple Gauntlet Firewalls at an Internet gateway?
Many of our customers install multiple Gauntlet units in parallel at gateways for load balancing and redundancy. This configuration works very well.
26. Do I need special software or a certain operating system to use the Gauntlet Management GUI?
The management system can be accessed using any "Web browser" program (e.g., Mosaic, Netscape) from any platform that supports them (e.g., Windows, Mac, UNIX). No special software is needed.
27. Isn't using a management interface that is HTTP-based insecure?
As Mike Zboray of Gartner pointed out in a Research Note entitled "Trends in the Firewall Market" in March of 1996, this method of management might be insecure and depends on the security of the web server software residing on the firewall. On the Gauntlet Internet Firewall, a secure HTTP server is used to provide management, and management of the firewall requires strong user authentication. Not all firewall vendors have implemented a secure management system.
28. What is a Virtual Private Network?
A virtual private network, or VPN, through encryption, provides privacy for all allowed network traffic between two gateways. In a VPN, no level of trust between the networks need be assumed. A VPN provides privacy only. A VPN is not necessarily a Virtual Network Perimeter.
29. What's a Virtual Network Perimeter?
This term was coined by TIS in a technical paper (#1 in the reading list later in this document). A VNP is a Virtual Network security Perimeter: network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks. The use of firewalls, encryption, and standard administration, control, and policies that allows an organization to extend a network to include multiple locations that may be connected over an untrusted network, such as the Internet. In a VNP, all network services may be opened up between the trusted networks, allowing even "insecure" network services, by virtue ofthe protection allowed by the network security perimeter. A VNP is also a Virtual Private Network.
30. What are the benefits of VPNs and VNPs?
For sake of example, envision a corporate headquarters in Maryland with a branch office in California. Each site has a private local area network protected by a Gauntlet Internet Firewall. Without encryption, all of the traffic passing between the two sites would go across the Internet "in the clear," meaning that anyone with a "sniffer" attached to one of the many network links between Maryland and California could read and understand the traffic. If I were sending e-mail, they could read my e-mail. If I were sending a proposal via FTP, they could read the proposal.
Now let's assume that we turn on encryption between the two firewalls. As traffic leaves the site in Maryland, the firewall uses a secret key known only to the firewall in California to scramble the traffic in such a way that it cannot be read or understood by anyone as it passes across the Internet. Your e-mail, or proposal, would look like unintelligible garbage to anyone using a sniffer.
There are two main benefits to using firewall-to-firewall encryption. The obvious benefit is that traffic cannot be "seen" by others (including intruders) as it passes across the Internet between the two firewalls. This prevents sensitive information from falling into the wrong hands, and denies intruders access to information they might use to attack your network. The less obvious benefit of such encryption is that traffic between the two firewalls is no longer restricted to the services provided by the firewall proxies. Now any application can safely be used. Client/server database or financial applications can be used. TELNET logins can be permitted without the need for strong authentication. The encrypted link between the firewalls turn the two protected networks into a single trusted environment.
31. Are Gauntlet Firewalls with encryption available outside the USA?
Yes, Gauntlet Internet Firewalls with strong encryption can be shipped outside the US. TIS can provide you with the details.
32. Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
While we cannot understand why anyone would use any other firewall, the answer is "yes." Many firewall vendors, including TIS, are involved in standards efforts to allow just such interoperability. Gauntlet Internet Firewalls will work with IPSEC when this standard and related key-exchange standards are fully formulated.
33. What is network address translation (NAT)?
Devices that support NAT, allow networks to use unregistered or "illegal" (unsupported or unassigned) IP address on a network on one side of the NAT device, while being connected on the other side to the Internet. The NAT device translates the illegal address into a legal address for outside use.
34. Does the Gauntlet Internet Firewall support NAT?
Yes, because the firewall is your only connection to the outside world, the outside network has no knowledge of IP addresses on the inside network. The Gauntlet Internet Firewall, by nature of its design as an application gateway-based firewall, translates all internal addresses to the firewall's address, and is designed to hide internal addresses from the "untrusted" network.
35. Does the Gauntlet Internet Firewall support E-mail and DNS?
Yes, since a firewall often acts as an internetwork gateway to an organization, the Gauntlet Internet Firewall includes an e-mail gateway and DNS set-up. Both the e-mail gateway and the name server hide internal addresses from the outside.
36. What is meant by the term "strong user authentication?"
This discussion of strong user authentication is from our paper "A Network Perimeter With Secure External Access":
"We use ëauthentication' as defined by the National Computer Security Center's ëRed Book' [2] as ë(1) to establish the validity of a claimed identity or (2) to provide protection against fraudulent transactions by establishing the validity of ... the individual ....' Identification of a user is often accomplished on computers through the use of a user name and password pair. The password is kept secret and must be difficult to guess; only the user knows the proper name and password pair to use. In reality, passwords are often weak (guessable). Further, in the case of identifying users over outside communication links, there exist opportunities for capture of the user name and password information (although the password is usually not echoed, it is transmitted over the communications link ëin the clear'). Consequently, while it would seem that a user name and password pair constitute good identification criteria, the password is too easily guessed or captured. [With strong user authentication], authentication of a user is done in such a fashion that we can apply a high degree of trust to the identification. This can be accomplished with one-time passwords, or authentication devices ..."
37. Do Gauntlet products support strong user authentication?
The network authentication server provides a generic authentication service for firewall proxies. Its use is optional, required only if the firewall interactive proxies are configured to require authentication. It acts as a piece of "middleware" that integrates multiple forms of authentication, permitting an administrator to associate a preferred form of authentication with an individual user. This permits organizations that already provide users with authentication tokens to enable the same token for authenticating users to the firewall. Several forms of challenge/response cards are supported, along with software-based one-time password systems, and plaintext passwords. Use of plaintext passwords over the Internet is strongly discouraged, due to the threat of password sniffing attackers.
The Gauntlet Internet Firewall supports the following devices:
CryptoCard, from CryptoCard
Digipass
Fortezza from NSA (as an option)
SafeWord AS from Enigma Logics
S/Key software from Bellcore (freely available)
SecurID from Security Dynamics
SecurNet Key from Digital Pathways
Vasco
We will be adding support for additional devices on an ongoing basis.
38. Can I use reusable passwords for outbound connections?
Many sites would like to be able (usually for accounting purposes) to have users on the internal network use a password for outbound TELNET or FTP connections. However, since they do not want to go to the expense of providing all of their internal users strong authentication tokens, the question becomes "Can I require them to use the normal username and reusable passwords like the ones they use for logging into the internal network in the first place?" In general, the answer is a guarded "yes."
39. What are the qualifications of a firewall administrator?
The firewall administrator should be a qualified TCP/IP network administrator. This is not because others cannot easily learn to make necessary changes to the firewall using the firewall maintenance interface, but rather because the peripheral TCP/IP issues (such as DNS configuration, etc.) are important to understanding how the firewall will function in a network environment. The firewall is only one component in a complex architecture of interdependent components, and the firewall administrator should understand how changes to the firewall will affect the rest of the network.
40. Can you guarantee that my Gauntlet Firewall will never crash?
No, firewalls run on computers, and computers occasionally fail. Since the firewall is the only link to networks outside the private network, if the firewall fails you lose your connection to those outside networks until the firewall machine can be repaired. Because some sites have a critical need for continuous access to and from the Internet or other private networks, TIS permits clients of the Gauntlet Internet Firewall to maintain a cold backup capability. A cold backup refers to a machine identical to the firewall, with all of the Gauntlet Internet Firewall software, the operating system, system files, etc., sitting on a shelf ready to replace a failed machine. The only restriction is that the primary firewall machine and the backup machine cannot be actively operating as a firewall at the same time. If your organization feels a backup unit is necessary, ask your TIS sales representative about the current cost of a backup unit.
41. What kind of logging does the Gauntlet firewall do?
The Gauntlet Internet Firewall provides detailed audit logs of sessions. All services accessed through the firewall are logged to the security log system. This is turned "on" by default at the highest level of logging. The following events are logged by default:
All operating system kernel warnings and errors
All file system warnings and errors
All attempted accesses to network services, whether successful, whether a supported service, including rejected source routed addresses and ICMP redirects.
All successful network accesses, logging source and destination addresses, service, time of day, disconnection time of day, number of bytes transferred (if applicable), commands accessed (FTP), and URLs accessed (HTTP)
All interactions with the user authentication server subsystem
42. What firewall activity reports come with Gauntlet firewalls?
The Gauntlet Internet Firewall is supplied with two log reduction reports. The first is a Summary Report in which the use of each service (such as FTP) is summarized by user and usage. For example, the firewall administrator might choose to have the report show him who the top 20 users of TELNET were (how many times they connected to that service, what address they connected to, and how many bytes of data they transferred, etc.)
The second report is the Exception Report. To produce this report, the firewall administrator specifies the information he is not interested in seeing, and everything else is included in the report. As a rule, administrators will quickly develop a feel for the normal activity of the firewall usage at their site. The exception report can then be used to examine closely any "unusual" activity.
In addition, because the firewall logs are human-readable UNIX syslogs, each site can have simple UNIX scripts written that look for specific events that are of special interest, and have the script perform such actions as send a message to the administrator's console if the event should occur.
43. If I have a Gauntlet box, do I still need a router?
The Gauntlet Internet Firewall does not require the use of a router, but routers may be employed to enable certain configurations and architectural options. While most customers employ routers when connecting to a WAN, filtering rules installed in the router are only used as a way to reduce network "noise," rather than protect the Gauntlet Firewall. The Gauntlet Internet Firewall is designed to be a self-contained security system, not relying on other network components for its own or the internal network's security. TIS will assist Gauntlet Internet Firewall clients in determining the need for routers.
44. On what operating systems do Gauntlet products run?
The Gauntlet Firewall Software is available for the following operating system platforms:
BSD/OS operating system from Berkeley Software Design, Inc.
HP-UX from Hewlett-Packard
SunOS 4.1.X from Sun Microsystems
TIS has hardened these operating systems for use with the Gauntlet firewall.
Additionally, Gauntlet Firewall Software for IRIX is available from Silicon Graphics.
45. Why is it important to "harden" an operating system for a firewall?
The operating system is the base platform for firewall software. Most commercial operating systems are created to allow general use and access and provide many services useful for multiuser, server systems (services such as NFS), but too insecure to allow on a firewall. The base operating system must be "tightened" to disallow insecure services and to apply security patches. Unfortunately, most firewall vendors do not bother to do this. Consequently, their firewalls may be installed on insecure systems, devaluing the firewall's security.
46. Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?
Gauntlet Firewall Software runs on BSD/OS, HP-UX, IRIX, and SunOS, and supports all network interfaces supported by these operating systems. The turnkey version of the Gauntlet Internet Firewall supports Ethernet connections only at this time.
47. Should user accounts be permitted on a firewall?
No! The only account on the firewall is that of the Firewall Administrator, and he should either be required to use strong authentication, or be restricted to logging in from the firewall console.
48. Should general servers, such as WWW servers, be permitted on a firewall?
Only if you are using the secure servers available with the Gauntlet Internet Firewall, version 3.1 and later. Every application that is in any way directly accessible to attack from untrusted networks runs the risk of opening holes into the protected network. Only software specifically written to be secure, and rigorously reviewed for security relevant flaws (such as the proxies), should be placed on the firewall.
49. Does the Gauntlet Internet Firewall allow UDP (such as SNMP) or ICMP through?
The Gauntlet Internet Firewall does not standardly permit any connectionless protocols such as UDP (including SNMP) or ICMP across the firewall. Because their connectionless nature makes it impossible to determine their actual source, all such applications must be considered inherently insecure and inconsistent with conservative firewall security. These services may be run through a VNP.
If anyone tries to sell you a firewall that allows generic UDP services through, ask to see their security assessment paper on the service, so you can understand why they think they can secure such services.
50. Does the Gauntlet Internet Firewall check for viruses?
Not at this time. We are examining the viability and usefulness of doing virus checking on the Gauntlet Internet Firewall.
51. Is the Gauntlet Internet Firewall available in my country?
Yes. The Gauntlet Internet Firewall may be purchased from a growing list of resellers throughout the world, including Africa, Asia, Australia, Europe, and North and South America. Please contact TIS for a list of resellers.
52. Isn't the Gauntlet Internet Firewall based on freeware?
The Gauntlet Internet Firewall was originally based on the TIS Internet Firewall Toolkit, but is no longer. The TIS Internet Firewall Toolkit is licensed and freely available, but it is not "freeware," "public domain," nor "shareware."
53. What are the differences between the Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit (FWTK)?
The FWTK is a licensed, freely available set of tools for building internetwork firewalls. It is made to be used by experts. The Gauntlet Internet Firewall is a complete, fully functional, fully supported product.
This table provides a comparison:
Gauntlet Internet Firewall TIS Internet Firewall Toolkit Source Code Source Code TELNET Proxy TELNET Proxy Rlogin Proxy Rlogin Proxy FTP Proxy FTP Proxy HTTP Proxy (WWW) HTTP Proxy (WWW) Gopher Proxy Gopher Proxy SMTP Proxy SMTP Proxy NNTP Proxy NNTP Proxy X11 Gateway X11 Gateway Authentication Server Authentication Server Java Guard Java blocking (contributed) RSH Proxy - URL Screening (to control WWW access) - SSL - SHTTP - POP3 - Authenticated Circuit - Printer - Secure Server (FTP and HTTP) - E-mail Gateway - DNS Server - RealAudio - SQL Proxy - Graphical Management Interface - Management Tools - Configuration Tester - Hardened Operating System - Smoke Alarms (intrusion probing alarms) - IP Spoof Protection - Routing Attack Protection - Transparent Access - Firewall-to-Firewall Encryption - Firewall-to-Desktop Encryption - Integrated Hardware Platform - Fully Integrated Software Components - Installation Support - Training - Telephone Support - Updates -
54. Does TIS support the FWTK?
TIS engineers will monitor the FWTK mailing lists, but no direct support is available. The fwtk-support list is used for support questions and answers; the user community provides its own support for the FWTK.
TIS distributes the FWTK, provides an FTP area for contributed software, and will package a new version, containing contributed code and bug fixes, at least every 12 months.
55. Doesn't the availability of source code make a firewall more vulnerable to attacks?
All firewalls are under the threat of attack. Vulnerability is a measure of whether a weakness exists that someone can exploit. We do not believe in security through obscurity. Our software has been developed using strong testing methods with the knowledge that it would be available in source code. We are depending on our design criteria and strong methods of development and testing rather than depending on the secrecy of our code. When ("when," not "if") someone's secret algorithm is reverse engineered, if they do not know it, they end up being vulnerable to attack, while still believing that they are safe.
56. Isn't making source code available contrary to good security practices?
On the contrary, formal security mechanisms are often based on open (well known) mechanisms. One example, is the Data Encryption Standard (DES). A characteristic of good security is that knowing the algorithm does not get you any closer to breaking the security, as with DES, knowing the input, the output, and the algorithm, does not get you the secret key.
57. What is an "intranet?"
According to the "Internet Marketing and Technology Report," Volume 2, Number 3, dated March 1996, "the term Intranet refers to an internal network that uses Internet technology and protocols (TCP/IP) to distribute informational resources to individuals within an organization." Think of it as internetworking within a trusted network. Even within a trusted network's security perimeter, an organization might want to compartmentalize systems and networks within networks. Firewalls within an organization's security perimeter can accomplish this.
58. What is the Gauntlet Intranet Firewall?
It is a firewall meant to be deployed within an organization's network security perimeter. It's used on the enterprise intranet. It is an add-on to an existing Gauntlet Internet Firewall, that allows you to place additional network strongholds within your network security perimeter.
59. Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?
It has most all the features of the Gauntlet Internet Firewall, at a lower price, but the main difference is that it is configured in conjunction with, and managed through an existing Gauntlet Internet Firewall. Operating within an organization's network security perimeter, the Gauntlet Intranet Firewall protects an enclave within an enclave. It's general access rules come from the controlling Gauntlet Internet Firewall. Additional access rules may be added. All logging is done via the logging rules defined by the master Gauntlet Internet Firewall. Encryption may be added. Additional services, normally considered insecure through an outer firewall, may be permitted through a Gauntlet Intranet Firewall. Also, because it is deployed within an organization's "trusted" network, firewall-to-firewall encryption is an option.
60. What's the Gauntlet Net Extender?
The Gauntlet Net Extender is a firewall for a remote office. It is an add-on to an existing Gauntlet Internet Firewall and has all the functionality of the Gauntlet Internet Firewall. Like the Gauntlet Intranet Firewall, it is managed through a master Gauntlet Internet Firewall and logging is done through the master firewall. The Gauntlet Net Extender must have an encrypted link to the master Gauntlet Internet Firewall. This can be used to set up a VPN or a VNP (see above). The Gauntlet net Extender "extends" the network security perimeter (see above discussion) to include other, remote offices.
61. What is the Gauntlet PC Extender?
The Gauntlet PC Extender is an add on to an existing Gauntlet Internet Firewall, extending the network security perimeter to include remote or mobile users. It allows for private and secure connections from home, hotel room, or remote Internet site, through your firewall into your private network. This means that a traveling user can use his or her PC in the same way and for the same services available when in the office, even services normally considered insecure (such as PC-NFS). Strong authentication and encryption provide the security needed. The Gauntlet PC Extender runs on Windows 3.1, and Windows 95.
62. Does Gauntlet PC Extender run on Windows NT?
We expect to support other platforms with future versions of the product.
63. With what PC network products does the PC Extender work?
Contact your Gauntlet sales representative for the latest list of tested products, which includes Beame & Whiteside TCP and Trumpet Winsock.
64. What do we have to do before we install our Gauntlet firewall?
TIS will send you a document explaining the questions that need answering and all preparations you need to make. This is a summary or key preparations:
If the installation is intended to connect the site to the Internet, an Internet connection available configured to the address of the Internet side of the firewall. This is to permit testing of the installed firewall.
A properly implemented firewall should be consistent with the goals of the site's Network Security Plan. The Network Security Plan should be made available to the firewall installer prior to installation.
The site should have a UNIX system administrator who is familiar with the site's various system files and network configuration available to work with the TIS installation personnel.
Prior to installation, a questionnaire is sent to the client's system administrator eliciting information concerning internal address schemes, DNS requirements, E-mail configuration requirements, etc. This questionnaire should be returned at least one week prior to installation.
65. What is the price of the Gauntlet Internet Firewall?
Contact TIS or your Authorized Gauntlet Reseller for current pricing and configurations.
66. How can TIS claim that it has "The Most Secure FirewallsSM"?
TIS bases its claim on the years of experience we have in formal computer, communications, and network security, and on building our firewall products using the most secure design approach in the industry.
67. What is your design approach?
Since an application gateway is the most secure type of internetwork firewall, TIS has designed the Gauntlet Internet Firewall to rely on proxies to provide services. Firewalls that combine application, circuit, and filtering gateway technology are only as secure as the weakest link of the three. In the Gauntlet Internet Firewall, all communication between one network and another is turned off. Network services are individually enabled through the application data bridges, called proxy software or proxies. Network packets are never passed between the networks, only application data. No direct connection is ever made between machines on opposite sides of the firewall.
The design approach, expanded in our functional summary document, combines the following seven tenets:
Simplicity in services provided and mechanisms
Simplicity in software design, development, and implementation
A "Crystal Box" approach, in which source code is distributed to allow for assurance reviews by our customers, our resellers, and other experts
No users are allowed on the firewall system itself
Anything that can be logged, should be logged, for a complete security audit trail
Strong user authentication methods and mechanisms must be supported and encouraged
A firewall should enforce an organization's network security policy, not impose one of its own
68. What can you recommend for further reading?
Frederick M. Avolio and Marcus J. Ranum, "A Network Perimeter with Secure External Access", TIS Report.
Frederick M. Avolio, "Building Internetwork Firewalls," Business Communications Review, January, 1994.
William Cheswick and Stephen M. Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley, 1994.
Steven B. Lipner, "Barbarians at the Gateway," Business Communications Review, January, 1995.
Marcus J. Ranum, "Thinking About Firewalls," Proceedings of Second International Conference on Systems and Network Security and Management (SANS-II), April, 1993.
69. How is TIS different from other firewall vendors?
TIS is not a new, one-product company. Since its founding in 1983, TIS' business has been computer, communications, and network security associated with today's local and wide area networking environment. The TIS staff has experience in computer and communication security evaluation; development of computer security systems; development and use of formal security methodologies and tools; and security evaluation, certification, and accreditation of systems and networks. The focus of TIS' corporate organization is in providing systems security engineering support.
TIS specializes in advancing the state of information security technology and in reconciling system security requirements with the functional and mission requirements of operational systems. TIS is internationally known and respected for its research and applications solutions. TIS provides security products, such as the Gauntlet Firewall Family of products. TIS' consulting services are well known for excellence, completeness, and integrity.
TIS has offices located in the Washington, DC area, with its headquarters in Glenwood, Maryland, and the headquarters of its Commercial Division in Rockville, MD. TIS also has offices in McLean, Virginia, Los Angeles, San Francisco, and London.
70. How do I contact TIS for more information?
For further information please send electronic mail to: gauntlet-sales@tis.com, call us toll-free at 888-FIREWALL, or (301) 527-9500, send a fax to (301) 527-0482, or write to us at:
Trusted Information Systems, Inc.
Gauntlet Sales Department
15204 Omega Drive
Rockville, MD 20850.