Axent: Response to firewall RFP


Synopsis

This document details the recommendations of Axent Technologies, Inc. (hereafter referred to as Axent) for the company Happy Pharmaceuticals, Inc. (hereafter referred to as the customer) with respect to its security needs as the company grows and expands its network infrastructure. The company requires room for growth and for increasing use of the Internet, and each individual security component needs to fit into its network structure.

Some background on the Raptor Firewall

What is Raptor Firewall?

AXENT's Raptor Firewall is a multi-award winning, network security solution that enforces a network security policy for companies of all sizes connecting to the Internet. Raptor Firewall consists of three integrated components that address the security needs of any company connecting to the Internet and includes an application-level firewall, an integrated IPSEC-compliant virtual private network server and a Graphical User Interface for management of Raptor Firewalls. The Raptor Firewall is designed to be deployed using standard computing hardware and operating systems available on the market today and currently supports:

  • Windows NT on Intel-based servers
  • Solaris on Sun Sparc
  • HP/UX on PA-RISC
AXENT introduced the world's first Windows NT-based firewall in early 1996. It has been well received in the market as the most stable, feature-rich and secure NT-based firewall available today.

What Problems Does Raptor Firewall Solve?

The number one concern for companies connecting to the Internet is security. Security is a broad term to represent several needs that the Raptor Firewall can address. The most common needs include:

  • Basic Network Protection
  • Access Control
  • Application Control
  • Virtual Private Networking
The Raptor Firewall is designed to provide multiple levels of protection that combine to provide "airtight" security. This is accomplished by using application-aware security proxies that provide both physical and logical separations of all networks connected to the Raptor Firewall. Physical separation is accomplished by requiring each network to be connected to its own Network Interface Card (NIC) in the Raptor Firewall system; logical separation is accomplished by completely disabling routing of network traffic (layer 3) through the system.

This double separation and use of intelligent proxies ensures that the Raptor Firewall will have a bias to "fail-safe" - meaning that no traffic will accidentally pass through the firewall due to a critical failure in the operating system or firewall software. This is in contrast to packet-filtering firewalls that always route packets and will have a bias to "fail-open", allowing unauthorized traffic through.

Diagram showing basic Raptor security model

All Firewalls Do Not Provide the Same Level of Security

Many reviewers have assumed that all firewalls that pass some level of testing by the International Computer Security Association (ICSA) or withstand attacks from popular security scanners provide "enough security" or "the same security". The Raptor Firewall goes beyond the bare minimum security that any firewall should provide and takes security to a higher level to approach "airtight" and hassle-free security.

The most overlooked aspects are system hardening (securing the firewall itself) and detection and prevention of attacks embedded in the application data streams such as buffer overrun, backdoor commands, illegal protocol syntax and other such sophisticated threats to security.

Basic Network Protection

Protecting internal networks against basic and well-known network level attacks is fundamental to any firewall system. The Raptor Firewall provides both IP level and application level logic to ensure such protections. These include protections against attacks like IP fragmentation, source routing, IP Address spoofing, TCP SYN Flood, TCP FIN Scan, Teardrop and other such attacks. Many of these are thwarted by an application-level security architecture - the architecture recommended by security experts such as Cheswick and Bellovin ("Firewalls and Internet Security").

Application Control

Basic network protection is not enough. Many of the most damaging and sophisticated attacks occur through application data streams, not at the IP level itself. Controlling commands and data passed by applications is also important. The use of intelligent security proxies allows the Raptor Firewall to control individual IP applications such as FTP, SMTP, SQL*NET and so forth to ensure that only legitimate application commands and data are passed from one network to another. An example is the ability of the Raptor Firewall to protect against backdoor SMTP commands and buffer overrun attacks found in FTP, SMTP and HTTP data streams. The Raptor Firewall also validates all HTTP 1.1 commands to ensure that illegal or backdoor attacks are filtered out.

Access Control

Protection against well-known network attacks lays the foundation to provide controls over who has access to specific resources within a range of parameters. The Raptor Firewall allows a company to control and monitor users and computer systems using the Internet based on the following parameters defined within individual rules:

  • Source and Destination IP address and/or hostnames
  • TCP and UDP Applications (HTTP, FTP, SMTP, Telnet, etc.)
  • Time of Day/Date Ranges
  • Username and password (strong and weak authentication methods)

The controls can be broadened or fine-tuned as needed. Individual users and systems or whole groups of entities can be controlled, depending on the security policy being implemented. Unique to the Raptor Firewall is the use of a consolidated, "best-fit" rule system. The firewall administrator creates the access rules in any order (non-order-dependent) and the Raptor firewall will automatically sort them and interpret their use in the most secure fashion. All rules are located in a single graphical window for all proxies and services supported by the firewall. These two features are in contrast to other firewalls that either do not have the rules consolidated into one management interface and/or require the rules to be created in a specific "order-dependent" sequence. The Raptor Firewall "best-fit" access rule method allows the firewall administrator to concentrate on the security policy and not the management of the firewall itself.
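As an added illustration (not Axent's code) of the non-order-dependent "best-fit" rule model described above, the following Python compares a best-fit evaluator with the order-dependent first-match evaluation used by many other firewalls, over the rule parameters the page lists (source/destination address, service, time of day, authenticated user). The specificity scoring and the rule set are my own assumptions; the page states only that the most specific rule wins regardless of entry order.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Added illustration of a non-order-dependent "best-fit" rule set. Assumption:
# the specificity scoring is mine; the page says only that the most specific
# rule is applied regardless of the order in which the rules were entered.
Decision = Tuple[str, Optional[str]]     # (action, name of the deciding rule)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: str = "0.0.0.0/0"               # source network, CIDR
    dst: str = "0.0.0.0/0"               # destination network, CIDR
    service: Optional[str] = None        # "http", "ftp", ...; None = any service
    start: Optional[str] = None          # time-of-day window "HH:MM"; None = any
    end: Optional[str] = None
    users: FrozenSet[str] = frozenset()  # empty = no user authentication required

    def matches(self, src: str, dst: str, service: str, when: str,
                user: Optional[str]) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.service is not None and self.service != service:
            return False
        if self.start is not None and self.end is not None:
            lo, hi, now = map(time.fromisoformat, (self.start, self.end, when))
            # A window whose end precedes its start wraps past midnight.
            inside = lo <= now <= hi if lo <= hi else (now >= lo or now <= hi)
            if not inside:
                return False
        if self.users and user not in self.users:
            return False
        return True

    def specificity(self) -> int:
        # Longer prefixes and each additional constrained field rank higher.
        score = ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
        score += 10 * sum((self.service is not None, self.start is not None,
                           bool(self.users)))
        return score


def best_fit(rules: List[Rule], src: str, dst: str, service: str,
             when: str, user: Optional[str] = None) -> Decision:
    """Order-independent: the most specific matching rule wins; deny breaks ties."""
    hits = [r for r in rules if r.matches(src, dst, service, when, user)]
    if not hits:
        return ("deny", None)            # fail-safe: no matching rule, no traffic
    best = max(hits, key=lambda r: (r.specificity(), r.action == "deny"))
    return (best.action, best.name)


def first_match(rules: List[Rule], src: str, dst: str, service: str,
                when: str, user: Optional[str] = None) -> Decision:
    """Order-dependent evaluation, as in many other firewalls, for contrast."""
    for r in rules:
        if r.matches(src, dst, service, when, user):
            return (r.action, r.name)
    return ("deny", None)


# Constructed rule set, deliberately entered with the broad rule before the
# narrow exception: order-dependent evaluation never reaches "lab-no-http".
RULES = [
    Rule("internet-http", "allow", src="10.0.0.0/8", service="http"),
    Rule("lab-no-http", "deny", src="10.1.2.0/24", service="http"),
    Rule("ftp-after-hours", "allow", src="10.0.0.0/8", service="ftp",
         start="18:00", end="06:00"),
    Rule("admin-telnet", "allow", src="10.0.0.0/8", dst="10.0.0.10/32",
         service="telnet", users=frozenset({"alice"})),
]
```

Reversing RULES changes nothing for best_fit, while first_match silently lets the lab subnet through because the broad allow rule is consulted first.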

Virtual Private Networking

No firewall, by itself, is able to protect against the most damaging and most difficult to detect attacks - snooping of IP packets and modification of such data. Attackers that are in the right place at the right time can hijack fully authenticated sessions "protected" by a firewall. The only known protection against such attacks is to encrypt the sessions at the packet layer.

The Raptor Firewall provides integrated capability to encrypt IP packets flowing between specific computer systems. VPN features integrated with the Raptor Firewall allow a firewall administrator to manage and enforce their security policy for encrypted and non-encrypted network traffic with a single product.

Key Features

International Computer Security Association Certifications

The Raptor Firewall has achieved certifications for the implementation of its security mechanisms, including:

  • ICSA Firewall Certification
  • ICSA IPSEC VPN Certification
  • ICSA VPN Cryptography Certification
The firewall certification includes hundreds of automated network attacks that were successfully repelled by the Raptor Firewall. The VPN certifications include a rigorous review of how the cryptographic functions were implemented and manual verification that the VPN functions work as advertised. The IPSEC certification verifies that the Raptor Firewall VPN server is completely compliant with all mandatory aspects of the IPSEC and IKE (Internet Key Exchange) VPN standards and that it has proven interoperable with other ICSA-certified IPSEC-compliant VPN servers.

Third-Generation Application Level Security Proxies

Intelligent proxies that control and protect all sessions going through the firewall include support for: HTTP, FTP, SMTP, CIFS (NT File and print sharing), SQL*Net, Telnet, Gopher, NNTP, NTP, DNS and generic pass-through proxies for UDP and TCP-based services. Third-Generation refers to the feature set found in the Raptor Firewall proxies that are beyond those found in most other firewalls that have implemented simple proxies. The key features include protections against well-known application-based attacks, content filtering and blocking, bi-directional user transparency, "best-fit" rule ordering, optional logging, optional fast-mode, various strong and weak user authentication methods, multi-threaded proxies and SMP support.

Automatic System Hardening

The Raptor Firewall automatically secures the supporting operating system and environment during its installation and continuously thereafter. This is extremely important for a firewall that is hosted on a standard platform. Many other firewalls do not provide this important feature.

After installation, the Raptor Firewall continuously hardens the operating system by monitoring that security mechanisms are always enforced. For example, if the administrator installs or enables a back-up service, the Raptor Firewall will automatically disable the service. If file sharing is enabled, it will be disabled.

Performance

Traditionally, proxy firewalls have been known to be slower than less-secure, packet filtering firewalls. With the third-generation proxy architecture of the Raptor Firewall, customers can now have the airtight security of a proxy firewall with the required performance to handle 100 Mbit/sec connections to the Internet. The Raptor Firewall on NT has been independently tested along with other proxy and packet filtering firewalls and has proven to be as fast as any others providing the same level of security. The latest numbers from the Datacomm/NSTL benchmark showed a performance rating of 45 Mbit/sec for Raptor Firewall on NT. The high performance is based on using multi-threaded, SMP capable proxies that intelligently cache access rules and automatically perform Network Address Translation (NAT). Similar testing of the Solaris Raptor Firewall produced rates as high as 62.2 Mbit/sec.

Objectionable Content Filtering

The Raptor Firewall's third-generation security proxies for HTTP, Gopher and NNTP (News) have integrated capabilities to filter the content of the data received by such services. These can be based on a weekly updated subscription list and/or customer-specific access lists. The Raptor Firewall, if licensed, will automatically download weekly updates of CyberPatrol's rating database for Web and News sites that are considered objectionable.

It is also possible for a customer to be very restrictive by creating an "allow" list of sites/URLs, excluding all others. This is sometimes desirable for school systems or companies that require the Internet to be used for work-related activities and/or need confidence that only desirable sites are accessed on the Internet.

Strong and Weak Authentication Methods

Authentication of users is very common, both to track internal use of the Internet and to allow only certain people access to internal resources from the Internet. The Raptor Firewall supports the following methods:

  • NT Domain Authentication (firewall sends username/password to PDC for verification)
  • Gateway (on the firewall) authentication
  • Radius and TACACS+
  • Bellcore S/Key
  • AXENT Defender Two-Factor Authentication Token
  • Security Dynamics SecureID
  • CryptoCard.

For interactive services such as FTP, Telnet and HTTP, the third-generation security proxies transparently prompt for authentication, even when users are not aware of the firewall. NT Domain Authentication is very important and not supported by most other firewall products. This allows a company to use existing user databases, maintained on NT Primary Domain Controllers, to control user access through the Raptor Firewall without the need to replicate user databases on the firewall.

Intuitive Management Interface

The Raptor Firewall can be completely managed, either locally or remotely, through the Raptor Management Console (RMC) under Windows NT and the Raptor Console for Unix (RCU) under Unix. The GUI has the following key features:

  • Remote sessions secured via user authentication and encryption of data
  • Management of multiple Raptor Firewalls from a single GUI
  • Security Proxies and VPN connections managed under one GUI
  • Ability to "import" user databases for Gateway Authentication and VPN accounts
  • Real-time Monitoring of active sessions
  • Automatic alerting via e-mail, SNMP, multimedia and custom program for specific log events

Integrated Virtual Private Networking

The Raptor Firewall was the first firewall product to integrate VPN, over three years ago. The VPN server is a fundamental part of the firewall that is optionally enabled based on a valid license key. The VPN server is used in one of three modes:

  • Raptor Firewall to Raptor Firewall encryption of IP packets
  • Raptor Firewall to any IPSEC-compliant VPN server product
  • Client PC (using RaptorMobile) VPN to Raptor Firewall
The Raptor Firewall VPN Server is currently one of only a few VPN servers that have achieved the rigorous ICSA IPSEC and VPN Cryptography certifications. The RaptorMobile Client VPN product is currently the only product in the market that is ICSA VPN Cryptography certified, providing the only completely certified VPN solution for secure client-to-server VPN. The Raptor Firewall VPN Server implements all mandatory aspects of the IETF IPSEC standard for encryption of IP packets and the IKE key management protocol. With this, the VPN server supports both single DES and 3-key triple DES encryption and MD5 and SHA-1 message digests. Dynamic key management is supported along with the ability to provide Perfect Forward Secrecy (PFS) using a mechanism to change keys within a session on a periodic basis. A particularly useful feature of the VPN server is the optional capability to force any or all VPN traffic to flow through the intelligent security proxies. This allows a customer to get detailed logging of VPN connections, application-level controls and security protections, and additional user authentication methods.

Customer Requirements

The customer has stated some very important points that they require, as follows:
  • The solution must be highly available.
  • The solution must be able to support a single T3 connection to the Internet at any given time.
  • The internal connection to the firewall systems will be 100Mbit fast Ethernet.
  • The external connection to the firewall systems will be (T3) 45Mbit.
  • The solution should be able to handle more than 3000 possible concurrent sessions, mainly being FTP and HTTP traffic. This should also provide room for growth.
  • The solution should be implemented with NAT (Network Address Translation).
  • All firewall systems should be managed centrally.
  • Logging and reporting of each system should be easily possible.
  • The firewalls should be pro-active in their alerting schemes, so that an administrator is paged when tampering occurs.
The customer has provided a simple network diagram detailing their current network, as seen in figure 1.

Step 1

Initially Axent recommends installing two firewalls at locations Firewall 1 and Firewall 2. These may be either Unix-based or NT-based firewalls. As the maximum speed will need to be no more than 45Mbit, both versions of the firewall will handle this capacity. As the Raptor Firewall supports Ethernet, FDDI, Token Ring and ATM, it is an ideal candidate for heterogeneous environments. These two firewalls will protect the central site from the public. They will be made highly available by one of:
  1. Veritas FirstWatch for Sun Solaris, or
  2. Microsoft Wolfpack (Clustering Service) for NT, or
  3. MC Service Guard for HP/UX.
These choices depend on what the customer chooses as a platform on which to run their firewalls. Typically this decision is made on the amount of operating system experience that the customer has in-house. The customer can then build rule sets that allow their users to gain access to the Internet for certain services, like HTTP, SQL*Net, FTP, etc. The customer can be assured that all IP traffic is being scanned at the application level, ensuring that only valid, recognized and secure protocol command sets are being allowed to pass over it. It may also be the case that the company decides in the future that only certain services are available to certain groups or individuals inside the company. The administrator can set up authentication for specific services, forcing certain users to enter a username/password combination before a service becomes available to them. If the first firewall goes down for any reason, the second firewall, because High Availability software is installed and running, will automatically take over the traffic and the users will not notice that something has gone wrong. More information on the High Availability solutions can be found on Axent's web site.

Step 2

The next phase will be to install Raptor Firewalls at locations Firewall 3 and 4 respectively. Even though these two remote sites are connected to the central site via Frame Relay links, they can also be configured with VPNs to firewalls 1 and 2, so that if the internal Frame Relay links go down they can still communicate with the central site. The users in these remote locations can connect to the Internet via their respective firewalls, with rule sets that have been created by the administrator at the central location.

Step 3

The administration of these 4 Raptor firewalls will be done from a location in the central site. The administrator will have either a Unix or an NT based Console whereby he can manage all of the firewalls (again either NT or Unix based). All communication between the GUI and each firewall is encrypted and authenticated. He can create rule sets, add users, monitor activity, re-configure, etc. If the internal Frame Relay links go down, he can also manage the firewalls via the encrypted channel over the Internet, to each respective firewall.

Step 4

None of the firewalls (1 to 4) will log their data locally. They will all be configured to pass their logging information to a central server via an encrypted channel. This server will be running Telemate.Net, a log reporting tool by the company of the same name. It is configured to read in Raptor Firewall log files and generate Crystal reports based on many different criteria. Each firewall will be configured to become a pro-active part of the network, meaning that if anything goes wrong, such as someone trying to break into the company network, the firewalls will alert the administrator (group). The alerting mechanisms can be via pager, SNMP trap, client program, e-mail, etc. If an alert is deemed to be very serious in nature, the firewalls can actually shut themselves down and wait for an administrator to come and verify what happened.

Step 5

For the connection of mobile users Axent recommends the Raptor Mobile VPN Client. These clients run under Windows 95, 98 and NT. They allow the user to create a VPN tunnel between themselves and their respective firewall. All data that flows between the clients and the internal network is then encrypted using the algorithm specified by the administrator, e.g. DES, 3DES or RC2. They may also need to authenticate strongly to the firewalls, using two-factor authentication, e.g. Axent Defender token cards. All communication should be transparent to the user.

Pricing

  • Three Unlimited NT Axent Raptor Firewalls with VPN @ $15,000.00 each
  • One Unlimited NT Axent Raptor Firewall with VPN (Stand By) @ $7,500.00
  • One copy of Telemate.Net reporting tool @ $4,995.00

Total cost of software: $57,495.00

Axent is unable to give prices for hardware or operating system software.

For more information

More information can be found at the following locations:

www.axent.com/product/rsbu/firewall/default.htm
This link is the specific page for the Raptor Firewall. It contains a white paper detailing the specifics of the firewall, along with certification awards, etc.

www.telemate.net
This link is to the home site of Telemate.Net, the company that makes the reporting tool.

www.veritas.com
This link is to the pages of the High Availability software company.

www.microsoft.com
You can search here for both Enterprise Edition and for WLBS, Windows NT Load Balancing Service.

About Axent Technologies

AXENT Technologies, Inc., is a leading provider of enterprise-wide information security solutions for distributed computing environments. The OmniGuard® suite of products enables organizations to centrally manage information security. In addition, OmniGuard provides enhanced data confidentiality, access control, user administration, remote access authentication and intrusion detection across the Internet and intranets for UNIX, Windows® 3.x, Windows NT®, Windows 95, NetWare® and mid-range systems. AXENT simplifies the security equation by helping companies address more aspects of enterprise-wide security than any other vendor. Only AXENT turns corporate security policy into reality, making the enterprise network truly secure. Headquartered in Rockville, MD, AXENT offers a broad line of security products used by Fortune 1000 companies and governments worldwide to protect information systems in heterogeneous computing environments. Contact AXENT via e-mail at info@axent.com, or visit AXENT's World Wide Web site at http://www.axent.com

Axent Technologies - RFP for Network World RFP NWW 070799.doc