Test Drive - CyberGuard Firewall for NT 4.2 (October 1999)
Bob Walder reviews CyberGuard Firewall for NT 4.2 from CyberGuard.

Details:

Contact: CyberGuard Europe Ltd, Riverside Way, Watchmoor Park, Camberley, Surrey GU15 3YD, UK

Tel: +44 (0) 1276 683713
Fax: +44 (0) 1276 678733
E-mail: info@cyberguard.co.uk
www.cyberguard.com

CyberGuard Corporation’s Unix-based CyberGuard firewall is one of the few firewalls to achieve an ITSEC E3 classification.
With the increasing popularity of the NT Server platform, however, the company has launched CyberGuard Firewall for NT (also now with E3 certification). The pricing – starting at less than 1000 for 25 users – appears to position this firmly at the entry-level/workgroup end of the market. However, with an unlimited user version coupled with SmartProxies for either Internet or intranet applications, CyberGuard for NT provides all the security and features of its Unix-based big brother at a very reasonable price point.

Security conscious

One of the criticisms often levelled at NT-based firewalls is the possible inherent insecurity of the underlying operating system. CyberGuard has attempted to despatch this objection by including something called SecureGuard with the NT firewall.

Acting like a ‘wrapper’ around the NT operating system, SecureGuard provides environment hardening, a watchdog service, a packet filtering interceptor and full auditing. The packet filtering engine is actually inserted in the network stack between the MAC and Network Layers, thus preventing suspect packets from ever getting near the NT OS itself. In this way, SecureGuard protects against all known, and even hitherto unknown, Windows security issues. CyberGuard supports up to eight host interfaces, providing tremendous flexibility in defining internal, external, and DMZ networks. The management interface is a typical Windows GUI and very intuitive to use. Documentation is excellent too, with an extremely detailed manual taking you through the basic firewall concepts, as well as hand-holding you through the configuration process.

All configuration is performed directly at the server console, though there is a remote management option that utilises a secure encryption mechanism to control the firewall from a remote location. It is also possible to centrally manage a number of remote firewalls, defining and enforcing security policies from a central location. This makes it possible to administer every CyberGuard firewall in an organisation (whether Unix or NT-based) from any single console.

Defining rules and configurations

The Central Commander, as it is known, allows you to define rules and configurations and export these to individual firewalls or groups over an encrypted link. Using the remote management option, it is also possible to take over a remote console and configure it on the fly. All alerts and alarms generated by the remote firewalls can also be sent back to the Central Commander console. At present, however, this requires at least one Unix-based firewall in your organisation from which to run the Central Commander. If you are an all-NT shop, you’re out of luck when it comes to centralised remote management for multiple firewall devices. The base product provides packet filtering capabilities only, supporting over 100 TCP/IP network services, including TCP, UDP and ICMP protocol-based applications.

As with any good firewall, CyberGuard is set to deny everything by default, but defining new rules is extremely straightforward. Everything is administered via the intuitive graphical user interface (GUI), where an icon and menu-driven utility allows you to specify whether individual services should be permitted, denied or proxied (more on proxy services later), and on which network interfaces, based on the source or destination host addresses, network service and protocol. In addition to the usual static packet filtering techniques, CyberGuard also provides dynamic packet filtering, sometimes called ‘Stateful Inspection’ by other firewall vendors. This provides the speed of packet filtering, but allows the actions of the firewall to vary based on a number of rules and the state of previous conversations.

In effect, the firewall is capable of remembering the state of each ongoing conversation across it, thus allowing it to effectively screen all packets for unauthorised access whilst maintaining high security, even with connectionless protocols such as UDP. It is thus possible to enforce connection time-out periods, maintain an audit trail of connections, force port matching, and validate source addresses (to protect against IP spoofing). It is also possible to implement TCP SYN flood protection with different timeout periods for every packet filter rule.
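The behaviour described in the last two paragraphs is easier to see in code than in prose. The following is an added example, not CyberGuard's code: a toy stateful filter with a connection table, per-rule idle time-outs, a shorter time-out for half-open TCP connections (the SYN flood protection), exact port matching for return traffic and per-interface source-address validation against spoofing. The interface names, address ranges, rule set and packet fields are all assumptions made up for the example.

```python
"""Toy stateful packet filter (constructed example, not CyberGuard code).

Models what the review describes: a table that remembers each ongoing
conversation (TCP and UDP), a per-rule idle time-out, port matching for
return traffic, source-address validation per interface, and a shorter
time-out for half-open TCP connections. Interfaces, addresses and rules
are assumptions for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float         # arrival time in seconds
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass
class Rule:
    proto: str
    dport: int
    in_iface: str             # interface on which the opening packet must arrive
    idle_timeout: float       # forget an established conversation after this silence
    syn_timeout: float = 5.0  # forget a half-open TCP connection after this long


@dataclass
class StatefulFilter:
    iface_nets: dict   # iface -> networks legitimately seen on it ([] = external side)
    rules: list
    table: dict = field(default_factory=dict)  # 5-tuple -> (rule, last_seen, established)

    def _valid_source(self, pkt):
        # Anti-spoofing: an internal interface only accepts its own addresses; the
        # external interface rejects anything that claims an internal address.
        addr = ip_address(pkt.src)
        own = self.iface_nets.get(pkt.iface, [])
        if own:
            return any(addr in net for net in own)
        return not any(addr in net for nets in self.iface_nets.values() for net in nets)

    def _expire(self, now):
        for key in [k for k, (rule, last, est) in self.table.items()
                    if now - last > (rule.idle_timeout if est else rule.syn_timeout)]:
            del self.table[key]

    def _match_rule(self, pkt):
        for r in self.rules:  # first matching rule wins; no match means deny
            if (r.proto, r.dport, r.in_iface) == (pkt.proto, pkt.dport, pkt.iface):
                return r
        return None

    def decide(self, pkt):
        """Return 'permit' or 'deny' for one packet and update the state table."""
        self._expire(pkt.ts)
        if not self._valid_source(pkt):
            return "deny"
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:            # more traffic from the initiator
            rule, _, est = self.table[fwd]
            if pkt.proto == "tcp" and pkt.flags == "A":
                est = True               # third step of the handshake completes it
            self.table[fwd] = (rule, pkt.ts, est)
            return "permit"
        if rev in self.table:            # reply: ports must exactly reverse the tuple
            rule, _, est = self.table[rev]
            self.table[rev] = (rule, pkt.ts, est)
            return "permit"
        rule = self._match_rule(pkt)
        if rule is None or (pkt.proto == "tcp" and pkt.flags != "S"):
            return "deny"                # default deny; TCP must start with a SYN
        # UDP has no handshake, so its first permitted datagram counts as established
        self.table[fwd] = (rule, pkt.ts, pkt.proto == "udp")
        return "permit"


def run_demo():
    """Constructed traffic: return the filter's decision for each packet in order."""
    fw = StatefulFilter(
        iface_nets={"inside": [ip_network("10.0.0.0/8")], "outside": []},
        rules=[Rule("tcp", 80, "inside", idle_timeout=300.0, syn_timeout=5.0),
               Rule("udp", 53, "inside", idle_timeout=30.0)],
    )
    packets = [
        Packet("inside", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, 0.0, "S"),
        Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, 0.1, "SA"),
        Packet("inside", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, 0.2, "A"),
        Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40001, 0.3, "A"),    # wrong port
        Packet("outside", "tcp", "10.0.0.9", 1234, "10.0.0.5", 80, 0.4, "S"),         # spoofed source
        Packet("inside", "udp", "10.0.0.5", 50000, "203.0.113.53", 53, 1.0),
        Packet("outside", "udp", "203.0.113.53", 53, "10.0.0.5", 50000, 1.5),
        Packet("outside", "udp", "203.0.113.53", 53, "10.0.0.5", 50000, 40.0),        # UDP state idle too long
        Packet("inside", "tcp", "10.0.0.7", 40100, "203.0.113.10", 80, 100.0, "S"),
        Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.7", 40100, 110.0, "SA"), # half-open expired
        Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, 200.0, "A"),  # established, still fresh
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The two denials at the end of the trace are the interesting ones: the reply to a UDP query is refused once the per-rule idle time-out has passed, and a SYN-ACK arriving ten seconds after the SYN is refused because the half-open entry lived only for its five-second `syn_timeout`, which is how a per-rule SYN time-out caps the resources a SYN flood can hold.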

Proxies

Whereas application proxies are included as standard in the Unix-based offering, they are provided as an extra-cost option in the NT version. This allows the introduction of an extremely effective (and fast) packet filter firewall initially, with the ability to add SmartProxies for enhanced security at a later date if required.

Authenticating proxies require users to authenticate or log on to the firewall before allowing connections to traverse it, thus ensuring that a valid user is identified before allowing, say, an FTP connection. It is then possible to determine the individual activities permitted or denied - FTP Get or Put, for example - on a per user basis. If a proxy is not defined as requiring authentication, then it is completely transparent to the end user, and no client configuration is necessary.

Content enforcement proxies examine the content of network connections and control the actions or information travelling through the firewall. The HTTP proxy, for example, is capable of scanning inbound connections for ActiveX, Java, JavaScript or VBScript content and quarantining that content if required. Applications proxies are available in two flavours - Internet and intranet - depending on whereabouts on your network you wish to place the firewall. The Internet proxies include Network Address Translation (NAT), Split DNS, FTP, Telnet, HTTP, NNTP and SMTP. NAT (both static and dynamic is catered for) allows addresses for internal nodes to be hidden from the outside world behind a single, legal IP address, whilst the Split DNS feature hides critical information when the firewall is configured as the network DNS server.

A separate DNS server can be configured for each network interface, responding to DNS queries only for its own interface and hiding all others. Although internal host requests can be configured to resolve external host names, DNS requests from external hosts cannot resolve internal names. In conjunction with NAT, this permits the utilisation of unregistered IP addresses within the customer’s private network. The intranet package includes all the Internet proxies, together with POP3, Oracle SQL*Net, Lotus Notes and SMB. The last one is extremely important in an internal - or intranet - firewall, since Windows users behind that firewall may still want to access shared disks and printers located on machines outside the protection of their firewall.

In addition to these standard services, there is also the SOCKS circuit level gateway, a load balancing proxy and a generic proxy. The last one allows administrators to define source port, destination port and destination server to allow traffic through the firewall where it is necessary to provide more protection than is available through packet filtering, but where there is not a specific proxy available.

Rules and regulations

Creating the rules for the firewall is very straightforward. The ability to duplicate existing rules in order to make minor modifications, and to re-order rules quickly and easily using up and down arrow buttons makes rules configuration as quick and painless as possible. One of the nicest features is that configuring a proxy server automatically creates the appropriate packet filter rules which are then available for examination or further manual modification in the packet filter rules window.

CyberGuard also includes a unique user-based authentication feature called Passport One. Whereas most firewalls base filtering decisions on IP addresses, Passport One allows the administrator to define rules on a per-user basis, thus eliminating the risk of users gaining access to unauthorised services by logging on at another machine. Users can be defined at the CyberGuard console to authenticate with a simple password, RADIUS, SecurID or SecureNetKey technologies. Each user can be restricted to a single source address, have their connection time limited, and have their FTP operations restricted to certain commands.
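To make the distinction between address-based and user-based rules concrete, here is an added example (not CyberGuard's Passport One implementation): a small gateway in which the policy is bound to an authenticated user, with an optional single permitted source address, a session time limit and a per-user set of permitted FTP commands. The user names, addresses, credentials and the `authenticate` callback are assumptions; the callback stands in for whichever back end (password, RADIUS, SecurID or SecureNetKey) actually verifies the credential.

```python
"""User-based access policy (constructed example, not CyberGuard's Passport One).

Rules are bound to an authenticated user rather than to an IP address: an
optional single permitted source address, a session time limit and a per-user
list of FTP commands. Users, addresses and the authentication callback are
assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class UserPolicy:
    name: str
    allowed_source: Optional[str]         # None = may log on from any address
    max_session_seconds: Optional[float]  # None = no time limit
    ftp_commands: FrozenSet[str]          # FTP commands this user may issue


@dataclass
class Session:
    user: str
    source: str
    started: float


class UserGateway:
    def __init__(self, policies, authenticate: Callable[[str, str], bool]):
        self.policies: Dict[str, UserPolicy] = {p.name: p for p in policies}
        self.authenticate = authenticate   # stands in for the real credential back end
        self.sessions: Dict[Tuple[str, str], Session] = {}

    def login(self, user, secret, source, now):
        """Authenticate the user and, if the policy allows this source, open a session."""
        pol = self.policies.get(user)
        if pol is None or not self.authenticate(user, secret):
            return False
        if pol.allowed_source is not None and pol.allowed_source != source:
            return False   # logging on from another machine does not widen access
        self.sessions[(user, source)] = Session(user, source, now)
        return True

    def check_ftp(self, user, source, command, now):
        """Decide one FTP command against the user's policy, not the host's address."""
        sess = self.sessions.get((user, source))
        if sess is None:
            return "deny: not authenticated"
        pol = self.policies[user]
        if pol.max_session_seconds is not None and now - sess.started > pol.max_session_seconds:
            del self.sessions[(user, source)]
            return "deny: session time limit reached"
        if command.upper() not in pol.ftp_commands:
            return "deny: command not permitted for user"
        return "permit"


def run_demo():
    """Constructed users and traffic; returns the gateway's answers in order."""
    # Constructed credential store standing in for the real authentication back end.
    secrets = {"alice": "correct horse", "bob": "battery staple"}
    gw = UserGateway(
        policies=[
            UserPolicy("alice", "10.0.0.5", 3600.0, frozenset({"RETR", "LIST"})),  # download only
            UserPolicy("bob", None, 600.0, frozenset({"RETR", "STOR", "LIST"})),    # may upload too
        ],
        authenticate=lambda u, s: secrets.get(u) == s,
    )
    results = []
    results.append(gw.login("alice", "correct horse", "10.0.0.5", now=0.0))  # True
    results.append(gw.login("alice", "correct horse", "10.0.0.6", now=0.0))  # False: wrong machine
    results.append(gw.login("alice", "wrong", "10.0.0.5", now=0.0))          # False: bad credential
    results.append(gw.check_ftp("alice", "10.0.0.5", "RETR", now=10.0))      # permit
    results.append(gw.check_ftp("alice", "10.0.0.5", "STOR", now=11.0))      # deny: no upload for alice
    results.append(gw.check_ftp("bob", "10.0.0.5", "STOR", now=12.0))        # deny: bob never logged on there
    results.append(gw.login("bob", "battery staple", "10.0.0.6", now=20.0))  # True
    results.append(gw.check_ftp("bob", "10.0.0.6", "stor", now=30.0))        # permit
    results.append(gw.check_ftp("bob", "10.0.0.6", "STOR", now=700.0))       # deny: time limit
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The point of the trace is the sixth check: a request arriving from alice's machine under bob's name is refused, because no session for that user exists on that address, so sitting at a different machine gives nobody a wider set of services than their own policy grants.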

Auditing and reporting capabilities of CyberGuard are amongst the best we have seen. It is possible to specify in fine detail which activities should be logged by the firewall, including all packets processed, only denied packets, only permitted packets, login attempts, session completion, system updates and proxy activity.

Alerts can also be set on suspicious or abnormal activity such as failed logon attempts, disk full, packet forwarding attacks, LAND attacks, Ping of Death attacks, SYN Flood attacks, spoofing attempts and port scanning attempts. Alerts can be shown in real time in an alert summary window as well as being logged to disk. The extensive activity reports can filter on any of these alert events, or a more specific user-defined filter can be applied. Virus scanning is fully integrated and carried out via CVP, allowing CyberGuard to interoperate with any CVP-compliant virus scanner on the network. There is also a content filtering option, designed to examine the content of network connections and control the actions or information travelling through the firewall – no more surfing PLAYBOY.COM on company time!
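The alert conditions listed above each reduce to a simple check over packet or logon records. As an added example (not CyberGuard's alerting code), the block below runs detectors for LAND, Ping of Death, SYN flood, port scan and repeated failed logons over a constructed event stream; the record layout, thresholds and time windows are assumptions chosen for the example.

```python
"""Alert detectors for the kinds of event the review lists (constructed example,
not CyberGuard's alerting code): LAND, Ping of Death, SYN flood, port scan and
repeated failed logons. Event records, thresholds and windows are assumptions."""
from collections import defaultdict, deque

IP_MAX_DATAGRAM = 65535  # largest IP datagram a set of fragments may reassemble to


def is_land(pkt):
    # LAND: a TCP SYN whose source address:port equals its destination address:port
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_ping_of_death(pkt):
    # An ICMP fragment whose offset (8-byte units) plus length overruns the IP maximum
    return (pkt["proto"] == "icmp"
            and pkt.get("frag_offset", 0) * 8 + pkt["length"] > IP_MAX_DATAGRAM)


class WindowCounter:
    """Per-key event count inside a sliding window; alerts once when a threshold is met."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)
        self.alerted = set()

    def add(self, key, ts, value=None):
        q = self.hits[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        # with a value, count distinct values (e.g. ports); otherwise count events
        count = len({v for _, v in q}) if value is not None else len(q)
        if count >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return True
        return False


def detect(events, syn_threshold=20, scan_threshold=15, logon_threshold=5, window=2.0):
    """Run every detector over a list of event records and return (kind, detail) alerts."""
    syn_flood = WindowCounter(window, syn_threshold)   # SYNs per destination socket
    port_scan = WindowCounter(window, scan_threshold)  # distinct destination ports per source
    failed = WindowCounter(60.0, logon_threshold)      # failed logons per user
    alerts = []
    for e in events:
        if e["type"] == "logon":
            if e["result"] == "fail" and failed.add(e["user"], e["ts"]):
                alerts.append(("failed_logon", e["user"]))
            continue
        if is_land(e):
            alerts.append(("land", e["dst"]))
        if is_ping_of_death(e):
            alerts.append(("ping_of_death", e["src"]))
        if e["proto"] == "tcp":
            if e.get("flags") == "S" and syn_flood.add((e["dst"], e["dport"]), e["ts"]):
                alerts.append(("syn_flood", "%s:%d" % (e["dst"], e["dport"])))
            if port_scan.add(e["src"], e["ts"], value=e["dport"]):
                alerts.append(("port_scan", e["src"]))
    return alerts


def sample_events():
    """Constructed traffic containing one instance of each alert condition."""
    ev = [
        {"ts": 0.0, "type": "pkt", "proto": "tcp", "src": "203.0.113.7", "sport": 139,
         "dst": "203.0.113.7", "dport": 139, "flags": "S"},                      # LAND
        {"ts": 1.0, "type": "pkt", "proto": "icmp", "src": "198.51.100.2",
         "dst": "10.0.0.5", "frag_offset": 8184, "length": 1500},                 # 65472 + 1500 > 65535
    ]
    ev += [{"ts": 10.0 + 0.01 * i, "type": "pkt", "proto": "tcp", "src": "198.51.100.%d" % (10 + i),
            "sport": 1024 + i, "dst": "10.0.0.10", "dport": 80, "flags": "S"} for i in range(25)]
    ev += [{"ts": 20.0 + 0.05 * i, "type": "pkt", "proto": "tcp", "src": "198.51.100.9",
            "sport": 40000 + i, "dst": "10.0.0.5", "dport": 1 + i, "flags": "S"} for i in range(30)]
    ev += [{"ts": 30.0 + i, "type": "logon", "user": "admin", "result": "fail"} for i in range(6)]
    return ev


if __name__ == "__main__":
    for kind, detail in detect(sample_events()):
        print(kind, detail)
```

Each rate-based detector fires once per key rather than once per packet over the threshold, which is what keeps an alert summary window readable during a flood or scan; the two stateless checks (LAND and Ping of Death) fire on the single packet that exhibits the condition.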

Verdict

CyberGuard offers a combination of all three types of firewall architecture, full NT environment hardening, a wide range of proxies and intuitive, centralised management capabilities. In our opinion, this makes it one of the best NT-based firewalls we have seen, and at this price point it will certainly take some beating. It offers just about every feature you are ever likely to want in a firewall, and one of the things we particularly liked about CyberGuard is that there are usually multiple ways of achieving the same ends.

Whereas many firewalls will force you down a particular path or impose a particular way of working to suit their architecture, CyberGuard will usually incorporate all the options and offer the administrator the choice. This makes it one of the easiest firewalls we have come across to configure for an existing environment.