Integrated firewall and VPN solutions ease administration of two important functions
Assets and threats to assets on the Internet are increasing at a staggering rate, so we must protect our networks from dangers both known and unknown. One popular tool for accomplishing this task is the firewall. These networking products have evolved a lot over the past several years. Simply blocking unwanted traffic and passing authorized traffic between networks isn't enough for today's firewalls. We expect more than just packet filtering. We want important security functions, such as Denial of Service (DoS) attack prevention and intrusion-detection systems.
Modern firewalls fall into one of two categories. Hardware-based firewalls (sometimes called appliances) use a particular hardware platform and a dedicated, proprietary OS. Software-based firewalls use standard hardware and a standard OS, such as Windows NT Server 4.0, that's been hardened (i.e., stripped of everything but the bare essentials in an effort to minimize security exposures). On top of the hardware and OS platform, both hardware-based and software-based firewalls run similar network-protecting firewall software.
Firewalls that offer a VPN component or option deserve special attention. Many companies deploy VPNs to secure communications between the corporate network and far-flung end users. Combining a VPN with a firewall in one solution makes administering the two functions easier.
I recently tested four popular software-based network firewalls that protect a network (not just a single workstation or server) and whose vendors also offer a VPN that integrates with the firewall. The products are Symantec's Raptor Firewall 6.5 with PowerVPN, NetGuard's GuardianPro 5.0 and Guardian IPSec VPN, Check Point Software Technologies' VPN-1 Gateway 4.1, and Computer Associates' (CA's) eTrust Firewall 3.0 and eTrust VPN. Other software-based firewalls can work with third-party VPNs, but for this review, I selected single-vendor solutions. I invited Network Associates to submit for testing its Gauntlet Firewall and Gauntlet VPN, but the vendor declined to participate, saying it was gearing up for some changes to its product line.
Put to the Test
For the firewall server, I used a Compaq Professional Workstation with a 650MHz Pentium III processor, 192MB of RAM, a 6GB disk, and dual Intel Wake-On-LAN Ethernet adapters. I used several machines on the internal network to represent clients, ranging from a relatively powerful 650MHz Pentium III desktop to a 120MHz Pentium system. I used 300MHz Pentium II systems to simulate the VPN clients.
For each product I tested, I first installed NT 4.0 with the vendor's recommended service pack, then installed the firewall software. Some firewall products run on Windows 2000, but most don't because vendors know that many security administrators have a "wait-and-see" attitude about running a new OS or OS version on a perimeter server. Thus, I used NT 4.0 for an equal comparison of all the firewalls.
After I installed the software, I created a simple firewall policy that allowed full access for all inbound and outbound traffic and ran a few applications so that the firewall would generate log entries. I then constructed more elaborate security policies based on typical business scenarios, such as one that allowed HTTP traffic out while blocking all inbound traffic and another that allowed outbound traffic for the HTTP, SMTP, and DNS protocols. After building the policies, I used an application associated with each protocol for which I had defined rules to retest accessibility through the firewall. I then examined the firewall logs again to see how much help they would be in troubleshooting any potential problem. I also looked at the firewalls' real-time monitoring capabilities and VPN features.
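The two test policies described above, modelled as an ordered rule list with first-match semantics and a default deny. This is an added illustration, not code from any of the reviewed products; the internal address range (10.0.0.0/8) and the rule fields are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None matches any port

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int

def direction(conn: Conn) -> str:
    """Outbound if the source is internal and the destination is not, inbound if reversed."""
    src_internal = ipaddress.ip_address(conn.src) in INTERNAL_NET
    dst_internal = ipaddress.ip_address(conn.dst) in INTERNAL_NET
    if src_internal and not dst_internal:
        return "out"
    if dst_internal and not src_internal:
        return "in"
    return "local"

def decide(rules: List[Rule], conn: Conn) -> str:
    """First matching rule wins; a connection no rule matches is denied."""
    d = direction(conn)
    for r in rules:
        if r.direction not in ("any", d):
            continue
        if r.proto not in ("any", conn.proto):
            continue
        if r.dport is not None and r.dport != conn.dport:
            continue
        return r.action
    return "deny"

# Scenario 1 from the review: HTTP out, all inbound traffic blocked.
HTTP_OUT_ONLY = [Rule("deny", "in", "any", None), Rule("allow", "out", "tcp", 80)]
# Scenario 2: HTTP, SMTP and DNS outbound (DNS on both UDP and TCP).
WEB_MAIL_DNS_OUT = [Rule("allow", "out", "tcp", 80), Rule("allow", "out", "tcp", 25),
                    Rule("allow", "out", "udp", 53), Rule("allow", "out", "tcp", 53)]
```

Because the evaluator stops at the first match, a broad deny placed ahead of a narrower allow silently shadows it, which is why the rule-processing order a product uses matters when you build policies like these.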
Raptor Firewall 6.5 with PowerVPN
Some of the products I tested have been around a long time and show their maturity. The Raptor is one such product. Of all the firewalls I tested, this is the only one that uses Microsoft Management Console (MMC) as its front end. Raptor runs on NT Workstation, NT Server 4.0, and NT Server, Enterprise Edition (NTS/E). The Symantec Web site says a Win2K version is forthcoming. I didn't test the high-availability version that runs on Microsoft Cluster Services (MSCS).
Installing Raptor is easy. The total time from opening the software packaging to having an operative firewall was a little more than an hour, with one reboot. MMC wasn't installed on my system, so the installation process offered to perform this task for me, saving me from reaching for my NT installation CD-ROMs.
To work with Raptor, you open MMC and expand the Symantec and Raptor Management Console items, as Figure 1 shows. You can also install the Raptor Management Console elsewhere on your internal network and remotely manage one or more Raptor firewalls.
Raptor performs robust OS hardening, inserting a shim into the TCP/IP stack and disabling unnecessary services. When the firewall is running, it checks the system services every 60 seconds. If the firewall finds that an unwanted service has started, it shuts down that service. After I installed Raptor, I checked the listening ports and found Raptor's administrative port open on the external interface, but a quick call to technical support resolved the problem.
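The listening-port check mentioned above, as an added example (not Raptor's code): it parses `netstat -an` style output and flags any socket reachable on the external interface that is not on an expected list. The sample output, the external address 203.0.113.5 and the port numbers are constructed.

```python
import re

# Constructed sample of `netstat -an` output on the firewall host (not real product output).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    203.0.113.5:8080       0.0.0.0:0              LISTENING
  TCP    203.0.113.5:80         0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           10.0.0.7:1044          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local ip, local port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listening_sockets(text):
    """Yield (proto, ip, port) for every listening TCP socket and every bound UDP socket."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header line or anything unparseable
        proto, ip, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not exposure
        yield proto, ip, int(port)

def exposed_ports(text, external_ip, allowed):
    """Sockets reachable on the external interface that are not in the allowed set.

    A socket bound to 0.0.0.0 answers on every interface, so it counts as external too.
    """
    found = set()
    for proto, ip, port in listening_sockets(text):
        if ip in (external_ip, "0.0.0.0") and (proto, port) not in allowed:
            found.add((proto, ip, port))
    return sorted(found)
```

Run it after every install and after each service-pack or product upgrade; an administrative port showing up in the result is exactly the condition the review found.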
Raptor's approach to logging and monitoring firewall activity is superior to that of some other firewall products I tested. The software starts a new log each day and archives old logs to monthly folders that you can access from the management console. Monitoring current firewall connections was easy: I could double-click any connection in the log to get details about that connection. Suggestions for possible solutions accompany warning and error messages. One small annoyance is that a logged connection's source and destination information is buried within the rest of the text in the log entry. These important pieces of information should be in their own fields and sortable for easy troubleshooting. Raptor does, however, let you set log filters that you could use, for example, to find all the traffic coming from a given IP address.
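The troubleshooting step the review wants, extracting source and destination into their own fields and filtering by address, as an added example. The log lines and their free-text format are constructed for illustration and are not Raptor's actual log format.

```python
import re

# Constructed syslog-style lines with source/destination buried in the message text.
SAMPLE_LOG = """\
Jun 12 09:14:02 fw httpd[412]: connection from 10.1.4.22/3145 to 192.0.2.80/80 allowed
Jun 12 09:14:05 fw smtpd[418]: connection from 198.51.100.7/2201 to 10.1.1.25/25 denied (no rule)
Jun 12 09:14:09 fw httpd[412]: connection from 10.1.4.22/3146 to 192.0.2.81/80 allowed
Jun 12 09:14:11 fw smtpd[418]: connection from 198.51.100.7/2202 to 10.1.1.25/25 denied (no rule)
Jun 12 09:15:00 fw kernel: interface eth1 link up
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[^:\[]+)(?:\[\d+\])?: "
    r".*?from (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) (?P<verdict>allowed|denied)"
)

def parse(text):
    """Turn each connection entry into a record with separate, sortable fields."""
    records = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # non-connection lines (link state, etc.) are skipped
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records

def from_address(records, ip):
    """The filter described in the review: all traffic originating at one address."""
    return [r for r in records if r["src"] == ip]

def denied_by_destination(records):
    """Count denials per destination host:port; repeated hits usually point at a missing rule."""
    counts = {}
    for r in records:
        if r["verdict"] == "denied":
            key = "%s:%d" % (r["dst"], r["dport"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```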
Raptor's documentation can be frustrating. Features and commands are well indexed and well represented in the Table of Contents, but discussions of major concepts appear to be missing altogether. For example, the documentation doesn't explain Raptor's rule-processing order or provide any troubleshooting information. One documentation bright spot is site guides that help a new site's administrator document and plan the Raptor installation before getting started.
Raptor has built-in support for "black-hole" lists, which independent organizations maintain and make available on the Internet in an effort to thwart unsolicited commercial email (UCE). Black-hole lists name open relays (email servers that let anyone send mail). Raptor users can download these lists and configure them into the firewall, which will then prevent mail flow from any system on the lists.
The Raptor VPN product consists of two pieces. You can install the first piece, PowerVPN, along with the firewall product or on a separate server. You can set up site-to-site or user-to-site VPN tunnels. User-to-site connections use a second tunneling program, Raptor Mobile, which I found easy to use and connect.
Raptor Firewall 6.5 supports flexible service redirection. You can supply one IP address for multiple machines on the internal network. For example, you could define one address for inbound Web and FTP access and have Raptor redirect requests to two different internal machines. You could also use redirection to load-balance inbound traffic across several internal machines. And you could probably do away with your demilitarized zone (DMZ) configuration because Raptor's new redirection functionality performs the same task as most DMZ servers. (A DMZ is a small network that sits between the firewall and the Internet. A typical DMZ consists of unprotected DNS, Web, and email servers that relay traffic to the protected network.)
Raptor is easy to install and use. Firewall administrators will appreciate Raptor's MMC interface and its logging functions, especially when tracking down a specific connection or when taking action on a problem. Raptor's scalability sets it apart from many firewall products. Its clustering solution for high availability and its ability to offload VPN processing to a separate dedicated server firmly place this enterprise firewall product above the bar. Despite the minor difficulties with the documentation, Raptor is worthy of consideration by anyone shopping for an enterprise firewall product.