Firewalls 101


An Introduction to Ascend Secure Access

There are four schemes that are referred to as "Firewalls":

1. Application Level Gateways

2. Proxy Servers (Circuit Level Gateways)

3. Packet Filters

4. Stateful Packet Inspection (Dynamic Firewall Technology)

Each of these performs a different function and operates at a different layer of the OSI seven-layer model.

Application Level Gateways:

As packets move up the stack, each successive layer operates on data further inside the packet. When the packet has reached the application layer, operations are performed on the data payload of the packet. This is the really useful information that the application program processes. At this layer, some very interesting things can be done from a security protection standpoint. For example:

Virus Scanning of incoming FTP files and email
Control over what FTP commands the user is permitted to execute
Email Address Translation - Dave_Dawson@Ascend.com ->ddawson@MorningStar.com
Control over which commands are allowed to be executed for any particular service

Proxy Servers

Most "Firewall" products rely on proxy services to perform their function. They provide a means to keep someone on the outside from connecting directly to a service on the inside. For example, most of the firewalls provide a Telnet proxy which would operate as follows:

When a user outside tries to connect via Telnet to IP address 137.175.2.19 inside the 137.175 net, the IP packet is routed to the proxy server. The proxy server enters a Telnet session with the outside requester and immediately establishes a second Telnet session with the real 137.175.2.19 inside. It then takes the contents of each Telnet packet sent from the outside, wraps it in new headers, and sends it over the 137.175.2.19 session that it established on behalf of the outside requester. The inside host only ever sees a connection from the proxy; the proxy is a stand-in for the outside client.

This technique has a very beneficial side effect in that it provides a means to do Network Address Translation. The firewall could be set up to take one class C address block and map it to another class C address block. Sophisticated products can use this to map one address from the Internet provider onto multiple unregistered addresses on the LAN. Thus companies who have used unregistered addresses can connect through a single registered address without requiring any changes to the unregistered addresses on the workstations on their LAN. This feature is also used in the PICS firewall product.

Packet Filters

Routers have historically operated using packet filters at the Network layer. They provide control over which session partners are allowed to talk to each other (i.e. IP address X can connect to IP address Y; better versions have added control over ports as well, such as IP address X, port 23 can connect to IP address Y, port 23). Each packet is judged on its own headers, with no memory of the packets that came before it. The fundamental focus is to keep out traffic that you don't want on your LAN.

Stateful Packet Inspection (Dynamic Firewall Technology)

Ascend's Secure Access product is a new class of technology that provides all of the capabilities of the best packet filters along with a wide set of new capabilities. Because Secure Access adds capabilities far beyond anything in the marketplace today and starts to blur the lines between the traditional types of firewall products by using information further into the packet (further up the stack), the industry has started using the name Perimeter Firewall. Other products in the market are mostly combinations of proxies and application level gateways; these include Raptor Eagle, TIS Gauntlet, Harris Nighthawk, and Milkyway.

Ascend is the first company to actually ship this technology in a router product. We have priced it very aggressively, and have made it available on all of our product line from the P50 through the MAX. The TNT will also be supported.

Secure Access vs other Firewall Products

The industry is changing to the Secure Access approach. The proxy server function will migrate to the router. Thus, all that will be left in other products will be application-level gateway functionality. A great example of this (and a function that we would never attempt in a router) is virus scanning of email. McAfee has just such a product; it is installed as a front-end to the corporate email server.

Proxy servers and most application level gateways (the McAfee example being an exception) exist because of insecurities in operating systems and in public server applications such as email servers, FTP servers, and web servers. Another industry trend is toward creating secure server applications, and OS vendors constantly provide new releases which deal with security holes discovered in their operating systems.

If you have a proxy server that is performing address translation, you may want to keep it in service until we get that feature implemented in our product line. (Remember that Ascend does support RFC 1631 address translation, so you can map addresses one-to-one; you just can't take one outside address and map it to a large number of inside addresses and services.)

If you are setting up a telecommuter installation, the telecommuter's PC is just as vulnerable while connected as any branch office.

At your corporate headquarters, you may want to consider augmenting the capability you have (assuming you have a firewall installed) to offload work from the firewall, and to provide an additional level of protection.

Firewalls are priced from $3500 - $40000 for software only (Hardware is extra).

Firewalls are all different and span different portions of the spectrum described above.

Secure Access Capabilities:

Secure Access uses Dynamic Firewall Technology. At a high level, it adapts itself to events it observes happening at the firewall to provide a much tighter level of control than was heretofore possible. It uses session state information combined with other information to open holes only when necessary and to close them back down as soon as the useful work is completed. (Check Point has spent a lot of time getting the industry to use the term Stateful Inspection to describe this technique; using the term may leverage customers' knowledge of the Firewall-1 product.)

Secure Access Provides Brick Wall Protection

With Secure Access, you can configure your firewall to allow NO packets in from the outside except those which are in response to legitimate requests sent from inside the perimeter. This uses Secure Access' Stateful Packet Inspection technology to open a temporary hole in the firewall when a legitimate packet goes out. The hole admits only packets that match the outbound session (the same address and port pair, reversed), and it closes itself down as soon as the session completes. For connectionless traffic such as UDP, where there is no session teardown to observe, the hole is closed after an idle period instead. This provides a brick wall to the untrusted network with temporary holes only opened for the briefest period possible.
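The following is an added example written for this page, not Ascend code: it puts a static packet filter of the kind described under "Packet Filters" beside a stateful "brick wall" filter as described above, and includes the router-protection rules from the "Protects the Router" section. The addresses, ports, timestamps and the treatment of the 137.175 net as the LAN are assumptions made for the example; a real implementation would track TCP flags on both sides of the teardown.

```python
"""Added example (not Ascend code): a stateless packet filter beside a
stateful "brick wall" filter.  Addresses, ports, timestamps and the
137.175.0.0/16 LAN are assumptions constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # interface the packet arrived on: "in" = WAN, "out" = LAN
    fin: bool = False   # last packet of a TCP session (simplified teardown)
    ts: float = 0.0     # seconds; constructed timestamps


ROUTER = "137.175.2.1"    # assumed address of the router itself
MGMT = "137.175.2.50"     # assumed HP OpenView management station
INSIDE = "137.175."       # the 137.175 net from the text, treated as the LAN


def _port_match(spec, port):
    """spec: None (any port), an int (exact), or (lo, hi) inclusive range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def _match(rules, pkt):
    """First matching rule wins; returns its action, or None if nothing matched."""
    for direction, src, dst, dport, action in rules:
        if (pkt.direction == direction and pkt.src.startswith(src)
                and pkt.dst.startswith(dst) and _port_match(dport, pkt.dport)):
            return action
    return None


# Rules protecting the router: Telnet only from the LAN, SNMP only from MGMT.
ROUTER_RULES = [
    ("in",  "",     ROUTER, 23,  "drop"),
    ("out", INSIDE, ROUTER, 23,  "pass"),
    ("in",  MGMT,   ROUTER, 161, "pass"),
    ("in",  "",     ROUTER, 161, "drop"),
]

# A stateless filter cannot tell a reply from an unsolicited packet, so to
# admit replies it must leave the whole unprivileged port range open inbound.
STATELESS_RULES = ROUTER_RULES + [
    ("out", INSIDE, "",     None,          "pass"),
    ("in",  "",     INSIDE, (1024, 65535), "pass"),
]


def stateless_filter(pkt):
    return _match(STATELESS_RULES, pkt) or "drop"


class StatefulFilter:
    """Passes inbound packets only if they answer a session the LAN opened."""

    def __init__(self, idle_timeout=60.0):
        self.sessions = {}          # (src, sport, dst, dport) -> last seen ts
        self.idle_timeout = idle_timeout

    def check(self, pkt):
        action = _match(ROUTER_RULES, pkt)   # router protection applies first
        if action is not None:
            return action
        if pkt.direction == "out":
            if not pkt.src.startswith(INSIDE):
                return "drop"       # spoofed source on the LAN interface
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "pass"           # open a temporary hole for the reply
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed tuple
        last = self.sessions.get(key)
        if last is None:
            return "drop"           # no hole for this packet
        if pkt.ts - last > self.idle_timeout:
            del self.sessions[key]  # hole expired (UDP-style idle close)
            return "drop"
        if pkt.fin:
            del self.sessions[key]  # session complete: close the hole
        else:
            self.sessions[key] = pkt.ts
        return "pass"


def demo():
    """Constructed traffic: a LAN host browses out, then a stranger probes in."""
    sf = StatefulFilter()
    traffic = [
        ("outbound",   Packet("137.175.2.19", 1025, "192.0.2.10", 80, "out", ts=0.0)),
        ("reply",      Packet("192.0.2.10", 80, "137.175.2.19", 1025, "in", ts=0.5)),
        ("fin",        Packet("192.0.2.10", 80, "137.175.2.19", 1025, "in", fin=True, ts=1.0)),
        ("late",       Packet("192.0.2.10", 80, "137.175.2.19", 1025, "in", ts=2.0)),
        ("probe",      Packet("198.51.100.7", 31337, "137.175.2.19", 1234, "in", ts=2.0)),
        ("snmp_probe", Packet("198.51.100.7", 2000, ROUTER, 161, "in", ts=2.0)),
    ]
    return {name: (stateless_filter(p), sf.check(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:10s} stateless={stateless:4s} stateful={stateful}")
```

The "probe" and "late" cases show the difference the text is describing: the stateless filter has to pass any inbound packet aimed at an unprivileged port, so an unsolicited probe to port 1234 gets through, while the stateful filter drops it because no inside host opened that session, and it also drops a packet arriving after the session's FIN closed the hole.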

Secure OS

One of the ways that firewalls differ from one another is whether they run on a secure OS, or take steps to make the OS they run on secure. Harris Nighthawk and Sidewinder from Secure Computing were developed for the government on special operating systems and thus can claim to be more secure than, say, Raptor on NT, since NT was not developed as a Secure OS (as NSA defines Secure OS). We have the advantage of not running on a general purpose operating system (UNIX or NT), but rather on the router OS, which will not run applications developed and deposited there by hackers.

Protects the Router

Because the firewall is built into the router, Secure Access provides an added benefit over traditional firewalls: it adds a level of protection to the router itself. The firewall sits right on the edge of the WAN. We can allow Telnet to the router from inside the LAN but not from outside, or we can block SNMP probes to the router from all addresses except the address of our HP OpenView workstation, for example.

Stops SATAN Probes

Security Administrator Tool for Analyzing Networks (SATAN) is a probing tool that automatically scans networks to look for security holes. It was made freely available on the Internet in April of 1995. Commercial versions of this type of tool exist; the most popular one is ISS (Internet Security Scanner). While these tools help the system administrator to detect security exposures, they are also used as part of the arsenal of hackers to find weaknesses in networks. A hacker could simply set SATAN up to scan all of a particular class B network, for example, and use the results to select the easy targets for further maliciousness. The Secure Access product detects probing attacks and actually shuts down traffic from the offending user.
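As an added illustration of the detection described above (example code written for this page, not Ascend's implementation, whose detection criteria the page does not describe), the following flags a SATAN-style probe by counting how many distinct destination ports a single source touches within a sliding time window, and then blocks that source. The log line format, the addresses, the window and the threshold are all assumptions constructed for the example.

```python
"""Added example (not Ascend code): detect a port-scanning probe from a
constructed connection log and block the offending source."""
import re
from collections import defaultdict, deque

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse(line):
    """Return (ts, src, sport, dst, dport, proto) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return float(ts), src, int(sport), dst, int(dport), proto


class ProbeDetector:
    """Blocks a source that hits `threshold` distinct (dst, port) targets
    within `window` seconds.  Window and threshold are assumed values."""

    def __init__(self, window=10.0, threshold=8):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.blocked = set()

    def observe(self, rec):
        ts, src, _sport, dst, dport, _proto = rec
        if src in self.blocked:
            return "drop"                  # traffic shut down after detection
        q = self.recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.window:
            q.popleft()                    # forget hits older than the window
        if len({t for _, t in q}) >= self.threshold:
            self.blocked.add(src)
            return "block"                 # first packet that trips the detector
        return "pass"


def run(lines, detector=None):
    """Feed log lines through a detector; returns (detector, [(src, dport, verdict)])."""
    det = detector or ProbeDetector()
    verdicts = []
    for line in lines:
        rec = parse(line)
        if rec:
            verdicts.append((rec[1], rec[4], det.observe(rec)))
    return det, verdicts


# Constructed sample log: one normal client, then a scanner sweeping 12 ports.
SAMPLE_LOG = [
    "100.0 192.0.2.10:40001 -> 137.175.2.19:80 tcp",
    "100.5 192.0.2.10:40002 -> 137.175.2.19:443 tcp",
    "101.0 192.0.2.10:40003 -> 137.175.2.19:25 tcp",
] + [
    f"{102 + i * 0.2:.1f} 198.51.100.7:{5000 + i} -> 137.175.2.19:{p} tcp"
    for i, p in enumerate([21, 23, 25, 53, 79, 80, 110, 111, 143, 513, 514, 6000])
]


if __name__ == "__main__":
    det, verdicts = run(SAMPLE_LOG)
    for src, dport, verdict in verdicts:
        print(f"{src:14s} port {dport:5d} {verdict}")
    print("blocked:", sorted(det.blocked))
```

The normal client never trips the detector because it touches only three ports, while the scanner is blocked on its eighth distinct port and every later packet from it is dropped. The sliding window matters: a scanner that spaces its probes further apart than the window is not caught by this rule, which is the usual trade-off between catching slow scans and false positives on busy legitimate hosts.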

Easy to Manage - Secure Access Manager, which ships free with the product, provides an easy to use mechanism for configuring the firewall. PC Week Labs reviewed the product, and said:

"From an ease-of-use standpoint, the Windows management tool makes Secure Access stand head-and-shoulders above competing routers."
PC Week Labs
August 5, 1996

From a central location the administrator can set up the firewalls for all of the Ascend routers in his network (i.e. branch office, corporate perimeter firewall, and telecommuters' P75 units). Security of this remote management is currently handled by a private encoding scheme. In a later release we will use IPSec (an Internet standard encryption methodology) to secure this.

Allows Users to Define their own Applications

Secure Access supports a variety of IP services (telnet, ftp, www, email, dns, time protocols, multimedia protocols like RealAudio, etc.). However, customers may create new applications and new services based on IP. Secure Access Manager allows them to define their own new application (its protocol and port numbers) and then use it in firewall definitions.

Supports Non-IP Protocols - Our product filters only on IP. However, we do support blocking or passing non-IP protocols as a whole, under the control of the security administrator who sets up the firewall. This is an important distinction. All proxy firewalls are limited: they can handle only the protocols for which proxies have been written and shipped. Secure Access will allow IPX, AppleTalk, DECnet, LLC2, etc. to pass (limited, of course, by the router's ability to handle them; thus most would have to be bridged). The default is to block them all.

Firewall Certification

Secure Access has passed certification testing by the National Computer Security Association (NCSA).

First Release of a Comprehensive Security Architecture from Ascend

Secure Access in the first release has the capabilities listed above. Other elements of the Ascend Security Architecture planned for release this year include:

Commercial Radius - Access Control

This product supports Radius proxy services, an ODBC database interface for connection to commercial databases, integrated support for many security tokens, and a graphical user interface.

Firewall Support in Radius

Will allow Secure Access firewalls to be stored in the Radius database and downloaded when needed by the MAX.

Secure Access from the Internet

Today, token authentication is supported only for dial-up interfaces. This feature will allow users to authenticate from any interface. Thus our customers who are connected to the Internet can provide tokens to their business partners or employees and have them use these tokens to open a hole in the firewall from the outside.

Intranet Support

IETF standard encryption support (called IPSec) will provide a vendor-neutral method for establishing encrypted sessions. In addition to providing encryption, this methodology includes authentication of each and every packet, adding a significant new level of security. This type of encryption will provide security from router to router. In addition, we will provide a client-based product for the dial-up user and to secure traffic back on the LAN.

Secure Router Management

IPSec will be used to make management of the Ascend routers extremely secure. All transactions used to manage the routers will be authenticated and encrypted.

TACACS + Support direct from MAX

The MAX can now speak directly to TACACS+ instead of Radius for customers who have TACACS+ databases.

Security Dynamics Direct from MAX

The MAX can now go directly to the Security Dynamics ACE server without going through Radius.

Digital Pathways Direct from MAX

The MAX can now go directly to the Digital Pathways Defender server without going through Radius.



Copyright ©1998 Ascend Communications, Inc. All rights reserved.