Review: Firewalls
Vendors fan out with new products and enhanced functions, but Check Point Software's FireWall-1 still tops the pile.
We've all learned to be skeptical when confronted with anything billed "new and improved," but those two words best describe the developments in the firewall marketplace. New and improved features include the following:
- Management interfaces that make safe configuration and monitoring easier than ever.
- Intelligent proxies for virus scanning, URL blocking and Java filtering.
- User authentication for remote users that provides more secure and less intrusive access to corporate resources.
- Security roadblocks to prevent protocol-based attacks, such as the Ping of Death and TCP SYN floods.
We invited more than a dozen vendors into our lab for testing as part of this Buyer's Guide to firewalls. Eight accepted, and of those, we found two that stood out. Check Point Software's FireWall-1 won our Blue Ribbon on the strength of its sheer breadth of features that make it a good fit in diverse enterprise networks. CyberGuard Corp.'s CyberGuard Firewall, free of its former proprietary hardware platform, is also very impressive. It has most of the features of FireWall-1, plus a variety of security features built into its operating system that should suit people who are as worried about internal security as they are about external security.
Also praiseworthy is Cisco Systems, Inc.'s PIX, which has a robust simplicity that should be attractive to network managers who want to control access and need little else.
Meanwhile, a couple of newcomers have strong entries. Watchguard Technologies, Inc.'s Watchguard Security System and NetGuard, Inc.'s Guardian both are worth evaluating. Each goes beyond our top-rated choices in one or two ways. Though slightly immature, they have the potential to be strong competitors.
Ukiah Software, Inc.'s NetRoad FireWALL for Windows NT, Elron Software, Inc.'s Elron Firewall/Secure 32OS and Microsoft Corp.'s Proxy Server (which the company touts as a firewall) all had strong points, particularly for small networks, but enterprise-minded network managers may find them too limiting and inflexible.
Configuration counts
Getting started with a firewall requires an intuitive configuration utility. Without one, you may be inclined to put off the inevitably necessary configuration changes. While early firewalls were a pastiche of tools and utilities, a common goal of vendors today is a single unified interface that provides a clean window into the health, status and configuration of the firewall. The best products take into account the fact that the firewall interface is used infrequently, meaning online documentation and assistance is vital.
One of the first vendors to build an easy-to-use configuration utility was Check Point, in its FireWall-1. The interface helped catapult the product into market leadership. The FireWall-1 interface, with its source and destination orientation and simple top-down ordering, fits well with the way network managers view their networks.
Although the FireWall-1 interface continues to be easy to use, Check Point has added so many features it has stretched its original interface paradigm beyond its limits. We were told a graphical user interface (GUI) face lift will be included in a version to be released shortly; that's good - it's overdue. Some properties windows, for example, have eight or nine tabs, making them cumbersome. Still, the product is easy to configure.
Products such as Ukiah Software's NetRoad and NetGuard's Guardian, with the same style of interface, are likewise easy to configure. In fact, they're easier because they don't do as much as FireWall-1 and, therefore, don't test the limits of user interface design.
Remote management has become commonplace. Generally, remote management involves a client application on a workstation communicating over an encrypted link to the firewall. Some firewalls, such as Cisco's PIX, Elron Software's Elron Firewall and Watchguard Technologies' Watchguard Security System, require a second system for configuration and management. Of the products we tested, only Ukiah Software's NetRoad FireWALL has no support for remote management.
FireWall-1 offers simultaneous management of an entire network of firewalls from one Windows or Unix management station. Although other vendors, including Microsoft, CyberGuard and NetGuard, allow one management console to control multiple firewalls, none uses the integrated "one policy for all" approach that FireWall-1 offers. With FireWall-1's management interface, one network security policy controls firewalls and any routers that implement security through access rules and filters. Rules are applied throughout the network with pieces of the policy set wherever appropriate. This approach means security policies common to all firewalls need be entered, managed and edited only once. Other vendors require you to maintain each firewall policy separately, significantly increasing the burden and fostering configuration errors.
Elron Software's Elron Firewall takes a slightly different approach in its user interface, focusing on services rather than systems. Service-based configurations base their rules on applications: Is Domain Name System let through? How about telnet? System- or address-based reverse the process: What can this or that address do? In a homogeneous network, the service-based approach is even simpler than the system-oriented one used by Check Point, Ukiah Software and NetGuard. We found Elron Firewall the easiest to configure, but only for simple configurations. More complex environments, particularly ones in which systems do not have similar attributes, can be immensely difficult to construct. Those environments can be even harder to maintain because the detailed part of the configuration is buried several layers deep.
Cisco's PIX continues to be largely command-line driven, an iconoclast in a world of GUIs. Although Cisco has made available a Java-based GUI, it is slightly more difficult to use and understand than the command-line interface. While we don't mind its familiar Cisco-style command line, we're still waiting for Cisco to develop a GUI that frees the network manager from having to learn a command-line interface.
Still, the PIX, with only about 20 configuration commands available, is elegant and sparsely simple. Most configurations can be displayed on no more than one screen, and the commands are intuitive enough that they can be learned quickly.
Further down in the GUI hole is Microsoft's Proxy Server. Although configuration is exposed via a number of interfaces - the Microsoft Management Console (MMC), a Web browser or even a DOS command line -- this first version with firewall capabilities needs some shaking out. That's because Microsoft insists on having the GUI fit its MMC, rather than matching management to the needs of network managers.
Although Microsoft's product is capable, with Web caching, protocol translation, firewall and SOCKS capabilities built in, the configuration interface is more complex than it has to be and often depends on subtle terminology to differentiate related functions.
Watchguard Technologies' Watchguard Security System has an innovative configuration approach. Although it has a service-oriented configuration similar to that of Elron Software's Elron Firewall, Watchguard has done a better job at parceling out configuration tasks and issues. For example, the software allows you to create a separate list of "always blocked" TCP ports that sits as a complement to (and overrides) the service-oriented rule base. Considering the extreme flexibility of the product, we were surprised at how quickly (and with how little help) we were able to become power users.
Watchguard Security System and Cisco's PIX impressed us by making us feel more in control of the product with less training -- an important plus when you consider you may only adjust your firewall configuration once every two or three weeks.
Security strategy
The maturation of the firewall market has been accompanied by a further development in security strategies. While early firewalls picked one strategy -- network level (packet-based), transport level or application level - the successful firewalls we saw combined these strategies to the benefit of network security. High-end products also have added features such as protocol-based attack detection and real-time break-in avoidance.
In the meantime, support for the SOCKS authentication and proxy system has largely fallen by the wayside, with only CyberGuard and Microsoft supporting the protocol.
We focused on security strategies from two angles: the rules you can use to block or allow traffic, and the proxies that can make more intelligent decisions. Proxies intercept traffic at the application layer and understand the application protocol, which allows them to filter or modify traffic based on application issues rather than simply IP address or authenticated user. Proxies, for example, can stop ActiveX applets from being loaded from Web pages or allow internal users to fetch files via File Transfer Protocol (FTP) but not push them outside of the firewall. But we found most vendors overstated their product's proxy capabilities.
Proxies range from the barely functional (such as the FTP proxies from Elron Software and Cisco) to the massively complex, such as the HTTP proxy provided by Microsoft. The strongest proxy collections come in Check Point's FireWall-1 and CyberGuard's CyberGuard Firewall. Ukiah Software's NetRoad FireWALL and Watchguard Technologies' Watchguard Security System sit on a second tier. For example, the well-designed FTP proxy in Ukiah's NetRoad FireWALL lets you enable or disable particular FTP commands and gives you the power to block certain file types from passing through the firewall.
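As an added illustration of the application-layer filtering described above (not code from any of the products reviewed), here is the kind of per-command check an FTP proxy applies: fetches are allowed, pushes are blocked, and named file types are blocked in either direction. The policy, the command list and the sample session are all constructed for the example.

```python
# Added example, not code from any product reviewed here: an application-layer
# FTP command filter. Because the proxy understands the FTP protocol it can
# allow RETR (fetch) while blocking STOR/APPE/STOU (push), and it can refuse
# transfers of particular file types. Policy and sample session are constructed.
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FtpPolicy:
    # Commands the proxy will relay; STOR/APPE/STOU/DELE/SITE are deliberately absent.
    allowed_commands: frozenset = frozenset({
        "USER", "PASS", "CWD", "CDUP", "PWD", "TYPE", "PASV", "PORT",
        "LIST", "NLST", "RETR", "QUIT"})
    blocked_extensions: frozenset = frozenset({".exe", ".vbs", ".scr"})
    transfer_commands: frozenset = frozenset({"RETR", "STOR", "APPE", "STOU"})


def filter_ftp_command(line: str, policy: FtpPolicy = FtpPolicy()) -> tuple:
    """Return ('allow', '') or ('deny', reason) for one client-to-server command."""
    line = line.strip("\r\n")
    if not line:
        return ("deny", "empty command")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()                      # FTP verbs are case-insensitive
    if verb not in policy.allowed_commands:
        return ("deny", f"command {verb} not permitted by proxy policy")
    if verb in policy.transfer_commands:
        if not arg.strip():
            return ("deny", f"{verb} requires a pathname")
        ext = os.path.splitext(arg.strip().lower())[1]
        if ext in policy.blocked_extensions:
            return ("deny", f"file type {ext} blocked")
    return ("allow", "")


def filter_session(lines, policy: FtpPolicy = FtpPolicy()) -> list:
    """Apply the policy to a whole command stream; returns (line, verdict, reason) triples."""
    return [(ln, *filter_ftp_command(ln, policy)) for ln in lines]


# Constructed sample of client commands as the proxy would see them.
SAMPLE_SESSION = [
    "USER anonymous", "PASS guest@example.invalid", "CWD pub", "TYPE I",
    "RETR readme.txt", "RETR setup.exe", "STOR payroll.xls", "QUIT",
]

if __name__ == "__main__":
    for line, verdict, reason in filter_session(SAMPLE_SESSION):
        print(f"{verdict:5} {line!r} {reason}")
```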
Proxy power for HTTP reaches its peak in Microsoft's Proxy Server, which, after all, was originally nothing more than an HTTP proxy. Microsoft's server not only controls and remaps URLs, it also caches Web pages to speed access to Internet-based data. Check Point, CyberGuard, Ukiah Software and Watchguard Technologies provide respectable and useful HTTP proxies with virus checking and URL blocking -- but no caching. Check Point's FireWall-1 and Watchguard Technologies' Watchguard Security System are especially smart, with automatic linking to external HTTP caching servers. Microsoft, Check Point and CyberGuard all also provide load balancing for incoming HTTP services, with Check Point providing the most sophisticated options. (Cisco offers load-balancing in a separate product line.)
None of the products we tested has a Simple Mail Transfer Protocol (SMTP) proxy worth using, though FireWall-1's ability to spoof the true sending IP address when forwarding stored e-mail is a clever innovation. Fortunately, we were able to disable the proxy behavior on all firewalls - a feature to look for. Most SMTP proxies we tested were designed to protect pre-1984 versions of sendmail. No product properly handled the newest SMTP service extensions that make up the Extended Simple Mail Transfer Protocol, a fact that reduces e-mail security.
For simpler services that don't need much intelligence in the proxies, such as telnet or ping, network managers generally focus on the rule side of the firewall. Here the differences are more subtle but less significant. For example, Watchguard Security System, Elron Firewall, Cisco's PIX and Microsoft's Proxy Server do not support time-of-day or day-of-week restrictions. Yet few network managers significantly change their security policies just because 5 p.m. rolls around.
Other differences are more important. For example, Ukiah Software's NetRoad FireWALL has no concept of a deny rule -- any rule in the database is an exception to the general policy of drop everything. Even those with simple network configurations may find this a difficult restriction. Similarly, Elron Firewall makes assumptions about the behavior of TCP/IP stacks, which makes it incompatible with systems that may use port numbers lower than 1,024 -- which are unusual but perfectly legal.
For small networks, the service-based approach, which defines the services that should be allowed or disallowed in each direction, generally is sufficient. Watchguard Security System and Elron Firewall take this approach. However, for larger networks or those with more complex connections to the outside world, the address-based approach used in most other products may be necessary in order to translate the network security policy into a firewall configuration.
Larger networks might also find address-based Proxy Server too restrictive because it requires Microsoft-provided Windows-only client software for all but HTTP, Gopher and FTP traffic.
Even among the address-based firewalls there are significant differences. For example, Check Point is the only vendor that lets you decide whether a denied connection should be silently ignored or rejected immediately.
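To make the rule-side differences just described concrete, here is an added example (not code from any product reviewed) of a first-match, address-based rule base with an implicit "drop everything else" cleanup rule, explicit deny rules that can either drop silently or reject immediately, and an optional time-of-day window. The rule format, the `evaluate` function and the sample policy are constructed for the example.

```python
# Added example, not code from any product reviewed here: first-match evaluation
# of an address-based rule base. It shows three things the text contrasts:
# an implicit drop-everything default, an explicit deny rule (which a product
# without deny rules can only express by enumerating the hosts it allows),
# and the choice between "drop" (silently ignore) and "reject" (answer at once).
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                       # CIDR such as "10.0.0.0/8", or "any"
    dst: str
    service: str                   # e.g. "http", "telnet", or "any"
    action: str                    # "accept", "drop" or "reject"
    hours: Optional[tuple] = None  # (start, end) time-of-day window; start inclusive, end exclusive


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def _hours_match(hours: Optional[tuple], now: time) -> bool:
    if hours is None:
        return True
    start, end = hours
    return start <= now < end


def evaluate(rules, src: str, dst: str, service: str, now: time = time(12, 0)) -> tuple:
    """Return (matching rule index, action); the implicit cleanup rule is (-1, 'drop')."""
    for i, r in enumerate(rules):
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.service in (service, "any") and _hours_match(r.hours, now)):
            return (i, r.action)
    return (-1, "drop")          # nothing matched: silently drop, as every tested product does by default


# Constructed sample policy. Rule order matters: the single-host reject must come
# before the broader accept, or the broader rule would match first.
POLICY = [
    Rule("10.0.0.50/32", "any", "http", "reject"),        # explicit deny; user gets an immediate refusal
    Rule("10.0.0.0/8", "any", "http", "accept"),          # rest of the internal network may browse
    Rule("any", "192.0.2.10/32", "telnet", "accept", (time(8, 0), time(18, 0))),  # business hours only
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.0.0.50", "198.51.100.7", "http"))              # (0, 'reject')
    print(evaluate(POLICY, "203.0.113.5", "192.0.2.10", "telnet", time(22, 0)))  # (-1, 'drop')
```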
We were impressed by the additional security features built into some products. For example, Watchguard Security System dynamically modifies the network security policy to restrict all traffic from some nodes if it detects an attempted break-in. Watchguard also can detect and evade some common attacker probing tools. Products from Microsoft, Check Point, Cisco, CyberGuard, NetGuard and Ukiah Software also provide some protection against TCP SYN floods, a common denial-of-service attack. Check Point's strategy is particularly impressive; it not only documents the attack well but it also gives you several options for how to handle it.
Watching and counting
Even as firewall management evolves onto a secure management station, logging and monitoring tools remain fairly primitive, though usually adequate. An exception was Elron Firewall, which does not provide session logs. We think that's unacceptable in a firewall.
We were most impressed by the real-time display features built into CyberGuard's CyberGuard Firewall and NetGuard's Guardian. Guardian, for example, lets you look at current connections through the firewall, bandwidth utilization and other statistics, all updated in real time. During firewall configuration we found these displays to be helpful in understanding how the firewall was interpreting our rule sets. Similarly, during a suspected security emergency, this kind of summary information can help you pinpoint a problem.
Reporting on logs is a weak spot in most products. Generally, most products we looked at provide raw logs that you feed to a tool such as Perl to generate summaries. Cisco, Check Point, CyberGuard and Ukiah Software all take this approach. Watchguard Security System has stronger reporting tools, although they are separately licensed.
NetGuard offers some basic summary tools, as well. Microsoft leads the pack by providing additional analysis tools (installed, but not licensed, separately) for some logs and by optionally logging directly to a SQL or Open Database Connectivity-compliant database.
Documentation
Documentation, too, continues to be a weak point for many products. Leaders on the documentation front include Microsoft, which puts all its documentation in online form, including fairly extensive tutorial information. Microsoft, however, fails to include printed documentation, and printing from its online documents is cumbersome and results in enormous piles of paper.
Check Point's FireWall-1, CyberGuard's CyberGuard Firewall and Watchguard Technologies' Watchguard Security System all have excellent online and printed documentation. They could, however, go further in explaining the theory and operation behind the firewalls.
Cisco's PIX has documentation to match the firewall: small and precise, combined with the CD-ROM version of Cisco's online information system. Although the documentation looks skimpy, we were able to configure and manage the firewall very well, which is the acid test of good documentation.
Elron Software's Elron Firewall, NetGuard's Guardian and Ukiah Software's NetRoad FireWALL all have average-to-poor documentation. The worst of the bunch is NetRoad FireWALL, which includes more than 100 pages of security tutorial, almost none of which is tied directly to product features and specifications. We spent more time on the phone with Ukiah Software than with any other vendor trying to understand how its product worked and how it could be configured. Elron Software does a slightly better job on its documentation but abbreviates the documentation set too much for comfort. For example, its product acts as a bridge, not a router. That's a perfectly valid way to build a firewall, but it's very unusual -- only one other firewall on the market, Network-1 Software & Technology, Inc.'s Firewall Plus, uses that approach. Yet this significant difference was never explained in the documentation; we had to find out for ourselves.
Buying time
We were happy to see that old favorites haven't rested on their laurels: Check Point's FireWall-1, CyberGuard's CyberGuard Firewall and Cisco's PIX all have made progress since we last tested them, unlike some of the products we've tested in past firewall Buyer's Guides. Even better, the young turks - Watchguard Technologies and NetGuard especially - put on a strong first showing.
Microsoft may have missed the mark on this first firewall-capable version of its proxy server but given the company's resources and marketing muscle, this is clearly a product to watch. Similarly, Ukiah Software and Elron Software are not at the top of our list but have taken good first steps. Elron should be particularly interesting if you have to deal with non-IP protocols, such as IPX, DECnet and AppleTalk.
Snyder, a member of the Network World Test Alliance, is a senior partner at Opus One in Tucson, Ariz., where he specializes in networks and communication systems. He can be reached at jms@opus1.com.
Network World, 6/1/98.
