
The Black Hat Briefings
July 7-8, 1999
Las Vegas

Appliance Firewalls

A Technology Review
By: Brent Huston
bhuston@microsolved.com
Disclaimer

Product names contained within are the copyright and trademark of
their respective companies. For company names, please see the last
slide of this presentation.
Agenda
• What is an appliance firewall?
• What technologies do they employ?
• What were we looking for?
• The successes we had
• The problems we discovered
• The future of network appliances
• Summary of information
What is an appliance firewall?
• Integrated hardware
solution
• All software,
including OS comes
pre-loaded on the
platform
• Network “black box”
approach to security
Evolution
• Originated as firewall
features added to
routers
• Basic packet filtering
– Source, Dest., Protocol
• Application specific
proxies
• “Stateful Inspection”
• Appliance firewalls
What technologies do they employ?
• Network Address Translation (NAT)
• Most use packet filtering rules to determine
packet access
• Some use “stateful inspection” to manage
connections
• Some application proxy support
– A few allow custom proxy creation *BONUS*
Some Have Other Helpful Features
• Built in application servers - mail, web, ftp
• DHCP support
• Built-in VPN capability - p2p and client based
• Strong authentication support
• URL/content blocking
• DMZ configuration
• Email alerting
• SNMP support
Management Functions
• Web based was easiest to
use and allowed greatest
flexibility
• Custom applications
provided some ease, but
lacked true remote
management ability
• Direct cable solutions
were poor and inflexible
• Worst case was a direct
custom cable via SLIP
Our Mock Deployment
Goal: Locate an appliance firewall that could
protect our medium size business (500
users) from the Internet
– Ease of deployment and management
– Provide adequate security for internal systems
– Allow external access to our mail and web
servers
– Alert us in the event of an attack
“Bonus” Features
• Good documentation
• Ease of maintenance
• Real time reports
• Content blocking
• SNMP alerting
• VPN between
branches
• Failure recovery
Our Security Desires
• Extensive logging of successful
connections, rejected packets and suspected
attacks
• Immunity to Denial of Service attacks
• Protection against information gathering
probes
• Initial deny all ruleset for access
The Starting Field
Located 23 vendors
whose products
were appliances as
defined by our
process
Our Successes
In no particular order...
• Phoenix Adaptive
Firewall
• SonicWALL/DMZ
• PIX Firewall
• Firebox II
• Interceptor
Phoenix Adaptive Firewall
Pros:
– Excellent setup process using front panel
– Management via web based JAVA applet
– Many logging options
– Alternate command interface allows access to underlying Linux OS
Cons:
– Crashed twice during rule application and changes
– Access control ruleset management is a bit confusing
SonicWALL/DMZ
Pros:
– Excellent management interface
– Integrated DHCP server
– Predefined ruleset for most common applications
– Good documentation
Cons:
– Cheap, lightweight feel and package design, afraid we were going to break it
– Logging could be more robust, and sometimes misses events
– Upgrade process is firewall replacement
Interceptor
Pros:
– Easy setup and management
– Includes security auditing software
– Excellent reliability and resistance to Denial of Service attacks
Cons:
– Nmap determined underlying OS
– Logging failed to notice port scans
– No ability to build custom application proxies
PIX Firewall
Pros:
– Configurable and useable logs
– Great documentation
– Amazing failover capability
– Stable and resistant to Denial of Service attacks
Cons:
– Setup and configuration is very complex
– Initial setup is serial cable only
– Requires Windows NT to administer via GUI
– No application proxies
Firebox II
Pros:
– Configuration and management is easy
– Robust security and Denial of Service attack resistance
– Adequate logging
– Visual status determination is excellent
Cons:
– Management is via a dedicated application
– Documentation was a bit unclear
Some Discoveries
• Several products were significantly less
than what we considered a firewall
– Some performed only NAT with no logging or
access controls
– Some were only point to point encryptors
• Logging, in general, was poor compared to
other firewall platforms
Other Issues
• Most of the devices featured management
that was difficult to use or “kludgy” at best
• Most of the devices had no automated
system to manage failure
• Most of the devices did not notice or log
attempted attacks in any format other than
rejected packet information
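
The last point above means scan detection has to be derived from the rejected-packet records themselves. The following Python sketch is an added example, not part of the original presentation; the log line format, addresses and thresholds are constructed for illustration and do not match any reviewed product.

```python
import re
from collections import defaultdict

# Constructed sample of rejected-packet records (hypothetical format):
# epoch-seconds, action, protocol, source ip:port -> destination ip:port
SAMPLE_LOG = """\
930800000 DENY tcp 192.0.2.10:40001 -> 198.51.100.5:21
930800001 DENY tcp 192.0.2.10:40002 -> 198.51.100.5:22
930800001 DENY tcp 192.0.2.10:40003 -> 198.51.100.5:23
930800002 DENY tcp 192.0.2.10:40004 -> 198.51.100.5:79
930800002 DENY tcp 192.0.2.10:40005 -> 198.51.100.5:111
930800003 DENY tcp 192.0.2.10:40006 -> 198.51.100.5:139
930800010 DENY tcp 203.0.113.7:51000 -> 198.51.100.5:23
930800400 DENY tcp 203.0.113.7:51001 -> 198.51.100.5:23
930800900 DENY udp 203.0.113.7:51002 -> 198.51.100.5:161
"""

LINE_RE = re.compile(
    r"^(\d+) DENY (tcp|udp) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def parse(log_text):
    """Yield (timestamp, source, destination, dest_port); skip unparsable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(3), m.group(4), int(m.group(5))

def find_port_scans(log_text, window=60, min_ports=5):
    """Return {(src, dst): sorted ports} where src was denied on at least
    min_ports distinct ports of dst within any window-second span."""
    events = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log_text)):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in events.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(set(alerts.get(pair, [])) | ports)
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

The second source in the sample retries a single service slowly and stays below the threshold, so only the rapid multi-port sweep is reported.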
Long Term Issues
• Upgrade process
for most products is
replacement
• Most appliances do
not offer high speed
connectivity
options
The Future of Network Appliances
• Better management
and configuration
processes
• More configurable
logging
• Integrated intrusion
detection software
• Improvements in
alerting methods
Summary of Findings
• Appliance firewalls can serve as a good
resource for small and medium size
businesses
• They can provide adequate security with
ease of deployment and management
• They possess excellent width of product
options but may lack in product depth
Companies and Products
• Phoenix Firewall by Progressive Systems
• SonicWALL/DMZ by Sonic Systems
• Interceptor by Technologic, Inc.
• PIX Firewall by Cisco Systems
• Firebox II by WatchGuard Technologies

Please Contact Vendors Directly for Product Information
Thank You!
• Thank you for attending today, please
contact me if you have any questions or
comments at bhuston@microsolved.com
• This presentation is copyright MicroSolved,
Inc., 1999. All rights reserved.
• Complete results whitepaper will be
available at www.microsolved.com
