Originally published in the May 1995 issue of Advanced Systems.

first impression

Packet filtering without fluff

By Peter Galvin

If you're worried about hackers or other breaches of security, you're not alone. But the prices of some full-blown security packages may make you worry more about your company's purse strings than its computer enterprise. For the price-sensitive who need an effective security firewall but don't demand a highly polished interface or lots of frills, NetGate 1.2 may fit the bill. This packet-filter software from Smallworks of Travis Co. is similar to products such as FireWall-1 from CheckPoint Software Technologies (see "Gold-plated security," December 1994).

It's a matter of trust
NetGate sits on a gateway system that has two interfaces -- one to the untrusted world and one to the protected systems inside your organization. Effectively, NetGate gives a computer gateway the same functionality as a dedicated router, allowing it to examine, reject, filter, and/or log every packet that tries to pass through. Such processing gives the firewall (and its maintainer) great control of exactly what is allowed to pass between the systems inside and outside of the firewall.

NetGate runs on Sun equipment under the SunOS 4.1.3 operating system. A Solaris 2 version should be out by July of this year. NetGate has no user interface to speak of and no GUI. The distribution floppy (or QIC tape) contains two kernel modules, a loadable kernel module, a command-line interface to this module, and some sample rules that tell NetGate how to handle network packets.

To install NetGate, the 4.1.3 system's kernel must be rebuilt with inclusion of support functions. These functions provide an interface between the loadable module and the calling program. After a reboot, the loadable module is read into the kernel (via the modload command). The netgate command then executes, reading a set of filter rules into the loadable module.

The rules determine how the filter deals with any given packet. A rule can pass the packet, reject the packet, continue processing at another rule, or simply log the occurrence of the packet. Rules can be applied to packets based on four criteria: packet source or destination host, packet source or destination network, packet source or destination port, or protocol name or number.

Host information can be in the form of names or Internet numbers. Port information is checked for UDP and TCP packets only, because only those protocols use port numbers. These criteria are turned into expressions by a wide array of bitwise, logical, and comparison operators.

A typical expression may read:

0: ((protocol == udp) && ((srcport == 53) || (dstport == 53))) then forward else 1;

This expression checks to see if the current packet is of UDP protocol, and that it is either from or to port 53 (domain name service, in this case). If it is, then the packet is forwarded. If not, processing is continued at rule 1.
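To make the rule-chain semantics concrete, here is a small interpreter for NetGate-style rules. It is an added example, not NetGate's own code: the rule syntax mirrors the one quoted above, but the parser, the protocol/host constants, the sample rule set and the two behaviours marked as assumptions (a "log" action falls through to the next rule; running off the end of the chain rejects) are my own.

```python
import ast
import re

# Protocol numbers and host names that rules may refer to (constructed sample values).
ENV = {"udp": 17, "tcp": 6, "icmp": 1, "bastion": "10.1.1.5"}
# Only comparison, boolean and bitwise syntax is accepted before a rule reaches eval().
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq, ast.NotEq,
           ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Name, ast.Load, ast.Constant,
           ast.BinOp, ast.BitAnd, ast.BitOr)
RULE = re.compile(r"^\s*(\d+):\s*(.+?)\s+then\s+(\w+)\s+else\s+(\w+)\s*;\s*$")

def parse_rules(text):
    """Parse 'N: (expr) then ACTION else ACTION;' lines into {N: (code, then, else)}."""
    rules = {}
    for line in text.strip().splitlines():
        m = RULE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        num, expr, then_act, else_act = m.groups()
        tree = ast.parse(expr.replace("&&", " and ").replace("||", " or "), mode="eval")
        for node in ast.walk(tree):
            if not isinstance(node, ALLOWED):
                raise ValueError("rule %s uses disallowed syntax %s" % (num, type(node).__name__))
        rules[int(num)] = (compile(tree, "<rule %s>" % num, "eval"), then_act, else_act)
    return rules

def filter_packet(rules, pkt):
    """Walk the chain from rule 0. Returns (final action, list of rule numbers that logged)."""
    env = {**ENV, "srcport": None, "dstport": None, **pkt}  # ports absent on non-UDP/TCP
    logged, n = [], 0
    for _ in range(2 * len(rules) + 2):       # bound the walk so a cyclic chain cannot spin
        if n not in rules:                    # assumption: falling off the chain is a reject
            return "reject", logged
        code, then_act, else_act = rules[n]
        action = then_act if eval(code, {"__builtins__": {}}, env) else else_act
        if action.isdigit():                  # "continue processing at another rule"
            n = int(action)
        elif action == "log":                 # assumption: log records the hit, then falls through
            logged.append(n)
            n += 1
        else:                                 # forward / reject are terminal
            return action, logged
    raise RuntimeError("rule chain does not terminate")

# Constructed rule set: rule 0 is the article's DNS rule; rules 1 and 2 let Telnet/FTP
# reach only the bastion host and log anything else before the default reject.
SAMPLE_RULES = """
0: ((protocol == udp) && ((srcport == 53) || (dstport == 53))) then forward else 1;
1: ((protocol == tcp) && ((dstport == 23) || (dstport == 21))) then 2 else forward;
2: (dsthost == bastion) then forward else log;
"""
```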

Tracking packets
NetGate collects statistics while it operates, including packets passed, forwarded, dropped, total rules executed, and total packets processed. Information can also be sent via syslog.

NetGate's facilities can be used to protect your systems from undesirable packets. For instance, all NFS, RSH, Telnet, and FTP packets can be disallowed, or allowed only from a few, external, trusted hosts. Similarly, Telnet and FTP packets may be allowed to pass only to a designated "bastion host" for special processing. All occurrences of bad packets can be logged and examined for patterns or break-in attempts.

Unfortunately, there are a few limitations in the current version of NetGate. The primary problem is it does not reject source-routed packets. These packets -- the culprit in the latest series of Internet break-ins -- can be made to look like they came from a trusted host, even when sent from an untrusted host, so NetGate 1.2 is not yet a completely effective security device. Another problem: Rejected packets currently are simply dropped, so remote, denied hosts see only a connection time-out rather than an appropriate error message. Smallworks of Travis Co. says these two shortfalls will be addressed in version 2.

Coinciding with its basic design and functionality is NetGate's basic pricing model, which does not depend on the number of systems behind the firewall. Rather, the cost is per system that runs the filter. NetGate costs $1,500 for one system. If your company expects to employ lots of firewalls (for multiple locations, for instance), you can purchase a corporate license for $10,000.

Assuming the next version of NetGate (in beta now) closes the latest Internet security hole, we think NetGate is a great bargain in the firewall world.

Smallworks of Travis Co., 4410 Stony Meadow, Austin, TX 78731, 512-338-0619, info@smallworks.com.


[Copyright 1995 Web Publishing Inc.]

URL: http://www.sunworld.com/asm-05-1995/asm-05-fi.netgate.html.
Last updated: 1 May 1995.