CyberGuard Corporation's Unix-based
CyberGuard firewall is one of the few firewalls to achieve an ITSEC E3 classification.
With the increasing popularity of the NT Server platform, however, the company has
launched CyberGuard Firewall for NT (also now with E3 certification). The pricing
starting at less than £1000 for 25 users appears to position this firmly at the
entry-level/workgroup end of the market. However, with an unlimited user version coupled
with SmartProxies for either Internet or intranet applications, CyberGuard for NT provides
all the security and features of its Unix-based big brother at a very reasonable price.
One of the criticisms often levelled at NT-based firewalls is the possible inherent
insecurity of the underlying operating system. CyberGuard has attempted to despatch this
objection by including something called SecureGuard with the NT firewall.
Acting like a wrapper around the NT operating system, SecureGuard provides environment
hardening, a watchdog service, a packet filtering interceptor and full auditing.
The packet filtering engine is actually inserted in the network stack between the MAC and
Network layers, so that suspect packets are dropped before they reach the NT IP stack
itself. The intention is that SecureGuard shields the operating system from known, and
potentially as yet unknown, Windows network-level vulnerabilities; it is worth remembering
that a filter at this level only protects against what arrives on the wire, so the rule
base still has to be right. CyberGuard supports up to eight host interfaces, providing tremendous
flexibility in defining internal, external, and DMZ networks. The management interface is
a typical Windows GUI and very intuitive to use. Documentation is excellent too, with an
extremely detailed manual taking you through the basic firewall concepts, as well as
hand-holding you through the configuration process.
All configuration is performed directly at the server console, though there is a remote
management option that utilises a secure encryption mechanism to control the firewall from
a remote location. It is also possible to centrally manage a number of remote firewalls,
defining and enforcing security policies from a central location. This makes it possible
to administer every CyberGuard firewall in an organisation (whether Unix or NT-based) from
any single console.
Defining rules and configurations
The Central Commander, as it is known, allows you to define rules and configurations and
export these to individual firewalls or groups over an encrypted link. Using the remote
management option, it is also possible to take over a remote console and configure it on
the fly. All alerts and alarms generated by the remote firewalls can also be sent back to
the Central Commander console. At present, however, this requires at least one Unix-based
firewall in your organisation from which to run the Central Commander. If you are an
all-NT shop, you're out of luck when it comes to centralised remote management for
multiple firewall devices.
The base product provides packet filtering capabilities only,
supporting over 100 TCP/IP network services, including TCP, UDP and ICMP protocol-based
As with any good firewall, CyberGuard is set to deny everything by default, but defining
new rules is extremely straightforward. Everything is administered via the intuitive
graphical user interface (GUI), where an icon and menu-driven utility allows you to
specify whether individual services should be permitted, denied or proxied (more on proxy
services later), and on which network interfaces, based on the source or destination host
addresses, network service and protocol. In addition to the usual static packet
filtering techniques, CyberGuard also provides dynamic packet filtering, sometimes called
Stateful Inspection by other firewall vendors. This provides the speed of
packet filtering, but allows the actions of the firewall to vary based on a number of
rules and the state of previous conversations.
In effect, the firewall is capable of remembering the state of each ongoing conversation
across it, thus allowing it to effectively screen all packets for unauthorised access
whilst maintaining high security, even with connectionless protocols such as UDP. It is
thus possible to enforce connection time-out periods, maintain an audit trail of
connections, force port matching (a reply is only accepted from the port the request went
to, and back to the port it came from), and validate source addresses (to protect against
IP spoofing, for example an internal address arriving on the external interface). It is
also possible to implement TCP SYN flood protection with different timeout periods for
every packet filter rule.
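To make the dynamic filtering behaviour described above concrete, here is a small stateful filter added to this review as an illustration; it is not CyberGuard code, and the packet, rule and interface names in it are invented for the example. It keeps a state table keyed on the 5-tuple of each permitted conversation, accepts replies only when their ports mirror the request (port matching), gives UDP a pseudo-connection that expires after the rule's idle timeout, rejects mid-stream TCP segments for connections it never saw open, and drops packets whose source address belongs behind a different interface (anti-spoofing). Anything not explicitly permitted is denied, which is the default the review describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet and rule records; the field names are this example's own, not CyberGuard's.
@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on, e.g. "inside" or "outside"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float        # arrival time in seconds
    flags: str = ""  # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN, "R" RST

@dataclass(frozen=True)
class Rule:
    in_iface: str
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int]  # None matches any destination port
    timeout: float        # idle timeout, in seconds, for state created by this rule

def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

StateKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport) of the initiator

class StatefulFilter:
    """Default-deny filter that remembers the conversations it has permitted."""

    def __init__(self, rules: List[Rule], iface_nets: Dict[str, List[str]]):
        self.rules = rules
        self.iface_nets = iface_nets          # networks that legitimately live behind each interface
        self.state: Dict[StateKey, Tuple[Rule, float]] = {}

    def _spoofed(self, p: Packet) -> bool:
        # A source address that belongs behind another interface cannot legitimately arrive here.
        return any(iface != p.iface and any(_in(p.src, n) for n in nets)
                   for iface, nets in self.iface_nets.items())

    def _expire(self, now: float) -> None:
        for key in [k for k, (r, seen) in self.state.items() if now - seen > r.timeout]:
            del self.state[key]

    def _touch(self, key: StateKey, p: Packet, rule: Rule) -> None:
        # Simplification: a FIN or RST in either direction closes the entry immediately.
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            del self.state[key]
        else:
            self.state[key] = (rule, p.ts)

    def decide(self, p: Packet) -> str:
        self._expire(p.ts)
        if self._spoofed(p):
            return "deny:spoofed-source"
        fwd: StateKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: StateKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state:                      # more traffic from the initiator
            self._touch(fwd, p, self.state[fwd][0])
            return "permit:state"
        if rev in self.state:                      # reply: ports must mirror the request (port matching)
            self._touch(rev, p, self.state[rev][0])
            return "permit:state-reply"
        if p.proto == "tcp" and ("S" not in p.flags or "A" in p.flags):
            return "deny:no-state"                 # mid-stream segment for a connection never seen opening
        for r in self.rules:                       # first matching rule wins; nothing matches -> deny
            if (r.in_iface == p.iface and r.proto == p.proto and _in(p.src, r.src_net)
                    and _in(p.dst, r.dst_net) and (r.dport is None or r.dport == p.dport)):
                self.state[fwd] = (r, p.ts)
                return "permit:new"
        return "deny:default"

def demo() -> List[str]:
    """Run constructed traffic through the filter and return the decisions, in order."""
    fw = StatefulFilter(
        rules=[Rule("inside", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80, timeout=3600.0),
               Rule("inside", "udp", "10.0.0.0/8", "0.0.0.0/0", 53, timeout=30.0)],
        iface_nets={"inside": ["10.0.0.0/8"], "dmz": ["192.0.2.0/24"]},
    )
    traffic = [
        Packet("inside", "tcp", "10.1.1.5", 40000, "203.0.113.7", 80, 0.0, "S"),    # web request out
        Packet("outside", "tcp", "203.0.113.7", 80, "10.1.1.5", 40000, 0.1, "SA"),  # matching reply
        Packet("outside", "tcp", "203.0.113.7", 81, "10.1.1.5", 40000, 0.2, "A"),   # wrong source port
        Packet("outside", "tcp", "10.1.1.9", 1234, "10.1.1.5", 80, 0.3, "S"),       # internal address from outside
        Packet("outside", "tcp", "203.0.113.7", 5555, "10.1.1.5", 80, 0.4, "S"),    # unsolicited inbound SYN
        Packet("inside", "udp", "10.1.1.5", 5353, "203.0.113.53", 53, 1.0),         # DNS query out
        Packet("outside", "udp", "203.0.113.53", 53, "10.1.1.5", 5353, 1.5),        # DNS answer within timeout
        Packet("outside", "udp", "203.0.113.53", 53, "10.1.1.5", 5353, 100.0),      # late answer, state expired
    ]
    return [fw.decide(p) for p in traffic]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The eight constructed packets exercise each decision path once: the outbound web request and DNS query create state, their replies are accepted because the ports mirror the request, the reply from port 81 and the unsolicited inbound SYN fall through to the default deny, the packet claiming an internal address on the outside interface is dropped as spoofed, and the DNS answer that arrives long after the 30-second UDP timeout is refused because its pseudo-connection has expired.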
Whereas application proxies are included as standard in the Unix-based offering, they are
provided as an extra-cost option in the NT version. This allows the introduction of an
extremely effective (and fast) packet filter firewall initially, with the ability to add
SmartProxies for enhanced security at a later date if required.
Authenticating proxies require users to authenticate or log on to the firewall before
allowing connections to traverse it, thus ensuring that a valid user is identified before
allowing, say, an FTP connection. It is then possible to determine the individual
activities permitted or denied - FTP Get or Put, for example - on a per user basis. If a
proxy is not defined as requiring authentication, then it is completely transparent to the
end user, and no client configuration is necessary.
Content enforcement proxies examine the content of network connections and control the
actions or information travelling through the firewall. The HTTP proxy, for example, is
and quarantining that content if required. Applications proxies are available in two
flavours - Internet and intranet - depending on whereabouts on your network you wish to
place the firewall. The Internet proxies include Network Address Translation (NAT), Split
DNS, FTP, Telnet, HTTP, NNTP and SMTP. NAT (both static and dynamic are catered for) allows
addresses for internal nodes to be hidden from the outside world behind a single, registered IP
address, whilst the Split DNS feature hides critical information when the firewall is
configured as the network DNS server.
A separate DNS server can be configured for each network interface, responding to DNS
queries only for its own interface and hiding all others. Although internal host requests
can be configured to resolve external host names, DNS requests from external hosts cannot
resolve internal names. In conjunction with NAT, this permits the utilisation of
unregistered IP addresses within the customer's private network.
The intranet package
includes all the Internet proxies, together with POP3, Oracle SQL*Net, Lotus Notes and
SMB. The last one is extremely important in an internal - or intranet - firewall, since
Windows users behind that firewall may still want to access shared disks and printers
located on machines outside the protection of their firewall.
In addition to these standard services, there is also the SOCKS circuit level gateway, a
load balancing proxy and a generic proxy. The last one allows administrators to define
source port, destination port and destination server to allow traffic through the firewall
where it is necessary to provide more protection than is available through packet
filtering, but where there is not a specific proxy available.
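The generic proxy described above is essentially a circuit-level relay: it accepts the client's connection on the configured port, decides whether that client may use it, and opens a separate connection to the configured destination server and port. The following added example (not CyberGuard's code; the class and function names are this example's own) shows the mechanism in Python, with a constructed local echo service standing in for the protected server. Because the proxy terminates the client's TCP connection and originates its own, the client never exchanges packets directly with the server, which is the extra protection over plain packet filtering that the text refers to.

```python
import socket
import threading
from typing import Iterable, List, Tuple

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class GenericProxy:
    """Accept on listen_port, check the client address, then relay both directions
    to (server, dest_port). Hypothetical name; the address check stands in for the
    firewall's source-address rule."""

    def __init__(self, listen_port: int, server: str, dest_port: int,
                 allowed_clients: Iterable[str] = ("127.0.0.1",)) -> None:
        self.server, self.dest_port = server, dest_port
        self.allowed_clients = set(allowed_clients)
        self.log: List[Tuple[str, str]] = []        # (decision, client address), the audit trail
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._lsock.bind(("127.0.0.1", listen_port))
        self._lsock.listen(16)
        self.port = self._lsock.getsockname()[1]   # actual port (useful when listen_port is 0)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, addr = self._lsock.accept()
            except OSError:
                return                              # listener closed
            if addr[0] not in self.allowed_clients:
                self.log.append(("deny", addr[0]))
                client.close()
                continue
            self.log.append(("permit", addr[0]))
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection((self.server, self.dest_port), timeout=5)
        except OSError:
            client.close()
            return
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)      # client -> server; returns when the client half-closes
        back.join()                  # server -> client finishes when the server closes
        client.close()
        upstream.close()

    def close(self) -> None:
        self._lsock.close()

def start_echo_server() -> int:
    """Constructed stand-in for the protected internal service: replies with the
    upper-cased request so it is obvious the bytes crossed the proxy. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data.upper())

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def roundtrip(port: int, payload: bytes) -> bytes:
    """Client side: send payload through the given port and return everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    service_port = start_echo_server()
    proxy = GenericProxy(0, "127.0.0.1", service_port)
    print(roundtrip(proxy.port, b"get /index.html"))   # b'GET /INDEX.HTML'
    proxy.close()
```

Note that a circuit-level relay of this kind knows nothing about the protocol it is carrying: it gives you the connection-level controls (who may connect, to where, with an audit record) but none of the command-level checks, such as permitting FTP Get while denying Put, that the application-specific SmartProxies described earlier provide.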
Rules and regulations
Creating the rules for the firewall is very straightforward. The ability to duplicate
existing rules in order to make minor modifications, and to re-order rules quickly and
easily using up and down arrow buttons makes rules configuration as quick and painless as
possible. One of the nicest features is that configuring a proxy server automatically
creates the appropriate packet filter rules which are then available for examination or
further manual modification in the packet filter rules window.
CyberGuard also includes a unique user-based authentication feature called Passport One.
Whereas most firewalls base filtering decisions on IP addresses, Passport One allows the
administrator to define rules on a per-user basis, thus eliminating the risk of users
gaining access to unauthorised services by logging on at another machine. Users can be
defined at the CyberGuard console to authenticate with a simple password, RADIUS, SecurID
or SecureNetKey technologies. Each user can be restricted to a single source address, have
their connection time limited, and have their FTP operations restricted to certain
Auditing and reporting capabilities of CyberGuard are amongst the best we have seen. It is
possible to specify in fine detail which activities should be logged by the firewall,
including all packets processed, only denied packets, only permitted packets, login
attempts, session completion, system updates and proxy activity.
Alerts can also be set on suspicious or abnormal activity such as failed logon attempts,
disk full, packet forwarding attacks, LAND attacks, Ping of Death attacks, SYN Flood
attacks, spoofing attempts and port scanning attempts. Alerts can be shown in real time in
an alert summary window as well as being logged to disk. The extensive activity reports
can filter on any of these alert events, or a more specific user-defined filter can be
applied. Virus scanning is fully integrated and carried out via CVP (Content Vectoring
Protocol), allowing CyberGuard to interoperate with any CVP-compliant virus scanner on the
network. There is also a content filtering option, designed to examine the content of
network connections and control the actions or information travelling through the
firewall: no more surfing PLAYBOY.COM on company time!
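To show how alerts of the kind listed above are derived from traffic, the following added example (not part of the review or of the product) runs a simple detector over a constructed packet log. It flags a LAND packet (source and destination address and port identical), a Ping of Death (a fragment that would reassemble past the 65535-byte IP limit), a SYN flood (too many half-open handshakes against one service inside a timeout, the per-rule timeout idea from the filtering section) and a port scan (one source touching many ports in a short window). The thresholds, field names and addresses are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "A", "R"
    frag_off: int = 0  # IP fragment offset in bytes
    ip_len: int = 0    # bytes of IP payload carried by this fragment

class Detector:
    """Stateful alert generator for the attack classes named in the text (hypothetical name)."""

    def __init__(self, syn_threshold: int = 5, syn_timeout: float = 10.0,
                 scan_threshold: int = 10, scan_window: float = 5.0) -> None:
        self.syn_threshold, self.syn_timeout = syn_threshold, syn_timeout
        self.scan_threshold, self.scan_window = scan_threshold, scan_window
        # (dst, dport) -> {(src, sport): time of SYN} for handshakes not yet completed
        self.half_open: Dict[Tuple[str, int], Dict[Tuple[str, int], float]] = defaultdict(dict)
        # src -> [(time, dport)] destination ports touched recently
        self.ports_seen: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self._alerted: Set[str] = set()      # fire each distinct alert once
        self.alerts: List[str] = []

    def _alert(self, msg: str, new: List[str]) -> None:
        if msg not in self._alerted:
            self._alerted.add(msg)
            self.alerts.append(msg)
            new.append(msg)

    def feed(self, p: Pkt) -> List[str]:
        """Process one packet; return the alerts it newly triggered."""
        new: List[str] = []
        # LAND: a SYN whose source and destination address and port are identical
        if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport:
            self._alert(f"LAND attack from {p.src}", new)
        # Ping of Death: a fragment that would reassemble beyond the 65535-byte IP maximum
        if p.proto == "icmp" and p.frag_off + p.ip_len > 65535:
            self._alert(f"Ping of Death from {p.src}", new)
        # SYN flood: too many half-open handshakes against one service within syn_timeout
        if p.proto == "tcp":
            table = self.half_open[(p.dst, p.dport)]
            if p.flags == "S":
                table[(p.src, p.sport)] = p.ts
            elif p.flags in ("A", "R"):             # handshake completed or aborted by the client
                table.pop((p.src, p.sport), None)
            for k, t0 in list(table.items()):       # entries older than the timeout no longer count
                if p.ts - t0 > self.syn_timeout:
                    del table[k]
            if len(table) > self.syn_threshold:
                self._alert(f"SYN flood against {p.dst}:{p.dport}", new)
        # Port scan: one source touching many distinct ports within scan_window
        if p.proto in ("tcp", "udp"):
            hist = self.ports_seen[p.src]
            hist.append((p.ts, p.dport))
            hist[:] = [(t, d) for t, d in hist if p.ts - t <= self.scan_window]
            if len({d for _, d in hist}) > self.scan_threshold:
                self._alert(f"Port scan from {p.src}", new)
        return new

def analyse(packets: List[Pkt]) -> List[str]:
    det = Detector()
    for p in packets:
        det.feed(p)
    return det.alerts

def sample_traffic() -> List[Pkt]:
    """Constructed packet log: one clean handshake followed by four attacks."""
    pkts = [
        Pkt(0.0, "tcp", "10.1.1.5", 40000, "192.0.2.10", 80, "S"),
        Pkt(0.1, "tcp", "192.0.2.10", 80, "10.1.1.5", 40000, "SA"),
        Pkt(0.2, "tcp", "10.1.1.5", 40000, "192.0.2.10", 80, "A"),
        Pkt(1.0, "tcp", "192.0.2.10", 139, "192.0.2.10", 139, "S"),            # LAND
        Pkt(2.0, "icmp", "198.51.100.7", 0, "192.0.2.10", 0, "", 65528, 100),  # Ping of Death
    ]
    for i in range(1, 7):  # SYN flood from spoofed sources, never completed
        pkts.append(Pkt(3.0 + i / 10, "tcp", f"203.0.113.{i}", 1000 + i, "192.0.2.10", 80, "S"))
    for i, port in enumerate(range(20, 32)):  # 12 ports in about a tenth of a second
        pkts.append(Pkt(4.0 + i / 100, "tcp", "198.51.100.9", 50000 + i, "192.0.2.10", port, "S"))
    return pkts

if __name__ == "__main__":
    for alert in analyse(sample_traffic()):
        print(alert)
```

The clean handshake produces nothing because the client's final ACK removes its half-open entry; the flood entries, by contrast, are never completed and accumulate until the threshold is crossed. In practice the thresholds and windows need tuning per site, which is why a firewall that lets you set them per rule, as the review notes CyberGuard does for SYN flood timeouts, is easier to live with than one global setting.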
CyberGuard offers a combination of all three types of firewall architecture, full NT
environment hardening, a wide range of proxies and intuitive, centralised management
capabilities. In our opinion, this makes it one of the best NT-based firewalls we have
seen, and at this price point it will certainly take some beating. It offers just about
every feature you are ever likely to want in a firewall, and one of the things we
particularly liked about CyberGuard is that there are usually multiple ways of achieving
the same ends.
Whereas many firewalls will force you down a particular path or impose a particular way of
working to suit their architecture, CyberGuard will usually incorporate all the options
and offer the administrator the choice. This makes it one of the easiest firewalls we have
come across to configure for an existing environment.