Click on our Sponsors to help Support SunWorld
Security: Pete's Wicked World by Peter Galvin

Extinguishing firewall hyperbole

Are new firewall technologies improvements or complications? Evaluate the pros and cons. Part 2

SunWorld
January  1997
[Next story]
[Table of Contents]
[Search]
Subscribe to SunWorld, it's free!

Abstract
The firewall industry continues to gain momentum, with new players, generations, and attention from large and small institutions alike. Are the added features useful or are firewalls turning into the next Microsoft Word -- bloated with features that add complication but are little used? This month concludes an evaluation of new firewall technologies: stateful inspection, filtering proxy gateways, and new add-on packages.

Also in Pete's Wicked World this month: The bookstore, has some interesting reading from the Princeton group on WWW security vulnerabilities. Also, a pointer to some interesting reading from the U.S. Army. And, if you have Solaris security questions, visit Pete's Security FAQ. (2,200 words)



Mail this
article to
a friend
Last month's column reviewed firewall technologies and described the advances being made in virtual private networks (VPNs). With a thorough understanding of where firewalls are coming from, it's time to consider where they are going. What are the features of the new generation, and do you need them? What technologies are useful? Efficient? Easy to manage? Easy to secure? Let's consider the major new technologies:


Advertisements

Major firewall products are adding new management, and monitoring, and extended control facilities as well. Most of these are actually third-party packages that are being melded with the firewall programs. New (usually optional) features include:

These new features may make it worth your while to explore the variety and features now available. If firewalls weren't of interest to you before, they may well be now. Choosing a firewall can be a complicated task. Start by evaluating the traffic that would pass through the firewall, and the direction in which it would pass. Also, determine whether implementing a firewall would increase your overall security. In some cases it may not. All of these aspects need to be thoroughly considered. For instance, when I'm working with a customer to decide which type of firewall would be best for their purposes, I ask about all possible protocols they need to pass. Occasionally, after the solution is implement, the customer will ask about a protocol that hadn't been mentioned previously. ping is a good example. ping is a protocol like all others, and the need for its use should be considered in selecting and implementing a firewall. Finally, remember that the installation of a firewall is not the last step in securing your networks. You need to be sure the security policy (you have one, don't you?) is being enforced via testing. And you must occasionally retest. Companies such as Science Applications International Corporation (SAIC) will perform full intrusion tests against your site. There are also commercial tools such as ISS. Those willing to put up with a less functionality can still be well served by free tools such as NetCat. There is a nice checklist available that can help you compare firewalls. It's not perfect, but it's a good start. Consider adding a column labeled "don't care" to the spreadsheet, or you may be comparing features that have no importance in the security solution that you are implementing.

Bug of the Month Club
For those keeping score (or trying to keep their sendmail server secure), BSD sendmail is now up to release 8.8.4. Get it before the next version is released.

The Bookstore
The group at Princeton is again raising alarms about the (in)security of the WWW. This time they've demonstrated a man-in-the-middle attack and produced a paper that describes the problem, its effects, and the implementation. Simply put, a man-in-the-middle attack consists of an entity interposing itself between the two parties that are trying to negotiate. The middle-man can then intercept communications, attempt to pretend it is one or the other end (or both), and so on. By pretending to be one side to the other, the middle-man is spoofing the other side. Putting this attack into work, the Princeton group set up a Web server that pretended to be another site. When pages were requested of it, it simply retrieved them from the legitimate site and displayed them to the requestor. The potential damage is huge. The server could have given out misinformation, captured credit card or other financial information as if it were requested from the legitimate site, and so on. For more information on this attack and how it could make your life miserable, check out the paper. Thanks to Joel McNamara for the following posting on best-of-security. The Army site is worth a look:

From: Joel McNamara <joelm@eskimo.com>
To: best-of-security@suburbia.net
Subject: BoS:  Army Cryptanalysis manual online
The US Army's Field Manual on Basic Cryptanalysis (FM 34-40-2), dated
September 1990 is available for downloading as an Acrobat PDF file from:

http://www.atsc-army.org/cgi-win/$atdl.exe/fm/34-40-2/default.htm
Fairly classic in nature (substitution, transposition, and code systems).
Huge files (so far, at 28.8, after about an hour and a half, I've only been
able to grab the table of contents and a couple of appendices - some
kind-hearted person with a T1 or greater may want to get everything, then
zip and mirror to save us bandwidth challenged folks the pain).
Also, for the complete listings of almost 300 downloadable FMs through the
Army's Digital Training Library (ATDL), check out:
http://www.atsc-army.org/cgi-win/$atdl.exe?type=fm&header=%2F
atdl%2Fbrowse%2Ffm.htm
Have fun!
Joel
Note: This site isn't wholly reliable.  It seems to regularly go up and
down, and sometimes the bandwidth is terrible.  Probably worth your
patience though.

There's also a mirror site O'Reilly and Associates has done a statistical study of Web sites to determine the state of WWW commerce. It makes for interesting reading. To summarize, they found that although there are quite a few Web sites running SSL servers, most of these sites don't have digital certificates available to allow their authentication by clients. For more information visit http://www.ora.com/research/. Next month we'll look at the world of penetration testing.


Click on our Sponsors to help Support SunWorld


Resources


About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.

What did you think of this article?
-Very worth reading
-Worth reading
-Not worth reading
-Too long
-Just right
-Too short
-Too technical
-Just right
-Not technical enough
 
 
 
    

SunWorld
[Table of Contents]
Subscribe to SunWorld, it's free!
[Search]
Feedback
[Next story]
Sun's Site

[(c) Copyright  Web Publishing Inc., and IDG Communication company]

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-01-1997/swol-01-security.html
Last modified: