This FAQ is separated into eight headings to help you find the answers to your questions:
  1. Design Concepts
  2. Features and Services:
    Mail, FTP, DNS, NAT, News, SSN (Secure Server Network), WWW
  3. Installation
  4. Administration
  5. Auditing and Logging
  6. Authentication
  7. Support
  8. General

1. DESIGN CONCEPTS


Do you need to purchase a separate OS?
No. BorderWare has its own fully functional operating system.

Does BorderWare run on a stock OS?
No. BorderWare's kernel does contain Berkeley Software Development Inc. (BSDI) code for non-security related functions. However, the kernel has been modified or "hardened" so that its fundamental design and structure is unique and is no longer useful in a dynamic user environment. The hardening process includes modifying, removing and adding functionality so the kernel provides a solid base for a secure firewall architecture.

Does the BorderWare Firewall Server require any other software to run?
No. Everything you need to run BorderWare is included.

Does BorderWare work with Windows NT or Novell?
BorderWare works with any TCP/IP capable network which includes Windows NT or Novell as its clients. BorderWare is placed on a "black box" machine where no other software is installed and operates with TCP/IP capable networks.

Is BorderWare a dual-homed firewall?
Yes. BorderWare is designed as a dual-homed system - this is not optional. This enforces the requirement that all traffic between the internal and external networks must pass through the firewall.

Does BorderWare do packet filtering, and circuit level and application level filtering?
Yes. BorderWare provides the combined security of packet filters, circuit-level and application-level gateways. BorderWare's packet filters work at the TCP/IP level. The circuit-level gateways intercept the sessions and pass them through the firewall. The application-level gateways operate at a higher level - actually understanding the application that generated the packets. BorderWare is designed to offer the best protection to users.
Packet filters, by themselves, do not provide total security. Application-level and circuit-level gateways provide effective security. However, when all three approaches work together the end result is the most effective and secure firewall.

How does BorderWare perform packet filtering?
The BorderWare Firewall Server incorporates separate kernel-level packet-filters on each interface. These filters are automatically configured as features are enabled or disabled.

Can BorderWare detect IP address spoofing?
Yes. The kernel treats source-routed packets as insecure; source routing is one of the major spoofing mechanisms. No additional checking of MAC-level to IP address mappings is done beyond the standard ARP cache checking, since such checking would only be relevant for the directly connected LAN and would not be useful for an organization with multiple subnets. There are further mechanisms embedded in the networking code that make it impossible for an external host to impersonate an internal host.

Is IP forwarding disabled / turned off?
Yes. IP forwarding is disabled in the OS. Packets can only be exchanged between the networks using a proxy agent.

Are multiple machines required to implement BorderWare?
No. BorderWare is implemented on a single IBM-compatible machine. The firewall is intended to be used as a stand-alone system. BorderWare incorporates separate kernel-level packet-filters on each interface which means it does not need external packet-filtering capabilities to be implemented by wrapping packet-filtering routers around it. The common firewall network setup, with an internal and external router and application servers running on a bastion host in the middle, can be replaced with a single BorderWare machine.

Is integrity checking built into BorderWare?
Yes. The BorderWare Firewall Server does integrity checking on all binaries.

Is the source code available to customers?
No. The BorderWare Firewall Server is intended to be an easy-to-configure, turnkey black-box solution. Access to the source code is not necessary, as BorderWare does not require significant levels of firewall expertise to enable you to secure your network.

Does BorderWare use static routing?
Yes. The firewall automatically adds static routes for the local LAN, and a static default to the external interface. Additional static routes can be easily added through the administrator interface. For security reasons dynamic routing is not supported, since attempting to manipulate the routing tables is a method often used to attack a firewall.

Are source routing and ICMP redirects disabled in the kernel?
Yes. Both ICMP redirects and source-routing are disabled in the kernel to prevent IP spoofing attacks that use these mechanisms.
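
As an added illustration of the two kernel checks described in the spoofing and source-routing answers above (this is example code, not BorderWare's kernel), the Python below parses the IPv4 option list, drops packets carrying an LSRR or SSRR option or a malformed option, and drops ICMP redirects; the sample packets are constructed inside the block.

```python
"""Kernel-style checks for the two spoofing mechanisms the FAQ says are disabled:
IP source routing (LSRR/SSRR options) and ICMP redirects.
Added illustration, not BorderWare code; all packets below are constructed."""
import struct
from typing import List

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source-and-record-route
ICMP_REDIRECT = 5


def parse_ipv4_options(packet: bytes) -> List[int]:
    """Return the option types present in an IPv4 header.
    Raises ValueError for truncated or malformed headers so callers drop them."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        found.append(kind)
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        # every other option carries a length byte covering type + length + data
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]
    return found


def classify(packet: bytes) -> str:
    """Return 'drop:<reason>' for packets using a spoofing mechanism, else 'accept'."""
    try:
        opts = parse_ipv4_options(packet)
    except ValueError as e:
        return f"drop:{e}"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "drop:source-routed"
    proto = packet[9]
    ihl = (packet[0] & 0x0F) * 4
    if proto == 1 and len(packet) >= ihl + 1 and packet[ihl] == ICMP_REDIRECT:
        return "drop:icmp-redirect"
    return "accept"


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (checksum left zero; sample data only)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options + payload


# Constructed samples: plain TCP, LSRR-routed TCP, an ICMP redirect, and a bad option.
PLAIN = build_ipv4("10.1.2.3", "192.0.2.10", 6)
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4]) + bytes([192, 0, 2, 1]) + bytes([10, 0, 0, 5])  # len 11, ptr 4
SOURCE_ROUTED = build_ipv4("192.0.2.99", "10.1.2.3", 6, options=LSRR_OPT)
REDIRECT = build_ipv4("192.0.2.1", "10.1.2.3", 1, payload=bytes([ICMP_REDIRECT, 1, 0, 0]))
MALFORMED = build_ipv4("192.0.2.99", "10.1.2.3", 6, options=bytes([IPOPT_LSRR, 1, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", SOURCE_ROUTED), ("redirect", REDIRECT)]:
        print(name, classify(pkt))
```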

Will internal users be impacted by having the firewall in place?
No. The BorderWare Firewall Server is completely transparent to your internal users. All TCP/IP networking applications, including DOS, Mac or Windows driven software, will continue to function normally without modification. Users do not need special passwords and no one logs onto the firewall directly. BorderWare can have access rules which create limitations for particular hosts to specified destination hosts during certain times of the day or days of the week. This is the only occasion where internal users would be aware that a firewall is in place.

Can users have accounts on the firewall?
There are no logins allowed on the firewall. This includes the network administrator. Installation and configuration is done via a menu-driven UI. Since the software stands alone and all aspects are configurable through the administrator UI, there is no need for the administrator to manipulate the internals of the firewall directly. Any logins to the box would create a potential avenue for penetration and therefore are not allowed.

What is the BorderWare philosophy towards access to services?
BorderWare follows the strict security policy that all services are disabled by default and must be enabled to allow users access. This enabling process is simple and straightforward. The administrator can enable all services via the UI.

Can access to services be controlled for users and groups?
Inbound Telnet and FTP access is controlled per-user with one-time challenge-response tokens. All other services and proxies can have access rules which create limitations for particular hosts to use a specific service to a specified destination host during certain times of the day. Any or all of the restrictions can be relaxed to allow generic internal use of the administrator-enabled services on the firewall. For example, a rule might limit Fred's PC to only be able to use FTP from 5pm to 9am Monday to Friday, and only allow access to certain specified FTP servers.
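
The deny-by-default policy and the host/service/destination/time rule just described, modelled as an added Python example (not BorderWare's rule engine; host names, the rule syntax and the way a window such as 5pm-9am is judged are assumptions stated in the comments):

```python
"""Access rules with deny-by-default, modelling the FAQ's example that Fred's PC
may use FTP to listed servers only from 5pm to 9am, Monday to Friday.
Added illustration, not BorderWare's rule engine; names and syntax are assumed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday per datetime.weekday()


@dataclass(frozen=True)
class Rule:
    src_host: str                                   # internal client the rule applies to
    service: str                                    # proxy/service name, e.g. "ftp"
    destinations: Optional[FrozenSet[str]] = None   # None = any destination
    days: FrozenSet[int] = frozenset(range(7))
    start: time = time(0, 0)
    end: time = time(0, 0)                          # start == end means all day

    def in_window(self, when: datetime) -> bool:
        """Assumption: the day is judged on the connection's own date, and a window
        whose end is not after its start (e.g. 17:00-09:00) wraps past midnight."""
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start == self.end:
            return True
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end

    def matches(self, src: str, service: str, dst: str, when: datetime) -> bool:
        return (src == self.src_host and service == self.service
                and (self.destinations is None or dst in self.destinations)
                and self.in_window(when))


def check_access(rules, src: str, service: str, dst: str, when: datetime) -> str:
    """Deny by default: a connection is allowed only when some rule matches it."""
    for rule in rules:
        if rule.matches(src, service, dst, when):
            return "allow"
    return "deny"


# Constructed policy: the FAQ's example rule plus an unrestricted rule for a mail hub.
FRED_FTP = Rule("fred-pc", "ftp", frozenset({"ftp.example.net", "ftp.example.org"}),
                WEEKDAYS, time(17, 0), time(9, 0))
ANY_SMTP = Rule("mailhub", "smtp")
POLICY = (FRED_FTP, ANY_SMTP)


def decide_at(src: str, service: str, dst: str, iso_when: str) -> str:
    """Convenience wrapper: evaluate POLICY at an ISO-8601 local timestamp."""
    return check_access(POLICY, src, service, dst, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    print(decide_at("fred-pc", "ftp", "ftp.example.net", "2024-05-06T18:00"))  # Monday evening
    print(decide_at("fred-pc", "ftp", "ftp.example.net", "2024-05-07T12:00"))  # Tuesday noon
```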

What happens if the firewall is breached?
All of the services provided by the firewall run in a highly secure, decoupled environment. Even if a service is penetrated, no other functionality of the firewall can be affected and the internal network cannot be reached. Significant modifications have been made to the kernel of the firewall to remove mechanisms that can be used to get out of this isolated, cocooned environment. There is no way any code an intruder managed to download could run on the firewall. A file must have certain attributes in order to be executed; the kernel is incapable of generating these.


2. FEATURES AND SERVICES


How does one read mail with BorderWare?
The mail system can be configured to forward to single or multiple internal SMTP-capable hosts. It can also be configured so that users have their mailboxes on the firewall and read them using POP clients (the use of POP provides mailboxes on BorderWare without requiring logins on the firewall). It can be configured to use any one of the above mechanisms or all of them simultaneously. For example, BorderWare can be configured to have certain mailboxes held locally for POP users and forward some users' mail directly to their own machines, while forwarding other mail to an internal corporate mail gateway.

How does BorderWare integrate with other mail systems such as Microsoft Mail?
BorderWare can route mail to any SMTP-compatible mail system. SMTP gateways exist for Microsoft Mail, cc:Mail, Lotus Notes Mail, Banyan Mail, and other popular mail packages.

Can a bastion host be used with BorderWare to receive mail?
BorderWare is a fully functional firewall which includes complete bastion host functionality, including a secure mail server. An additional bastion host server is not required; however, if you wish to implement a mail server that you are more familiar with, you may place a mail server on the SSN (Secure Server Network).
The BorderWare mail server can receive mail and forward it to one or more internal hosts. BorderWare also allows remote reading of mailboxes on the firewall via POP clients. BorderWare can forward mail directly to the users' workstations, to the internal mail gateway, or act as the corporate mail gateway itself. The Mail Server is capable of delivering mail in any one of these ways, or any combination of them.

Does BorderWare's mail server have any relation to Sendmail?
The mailer has no code relation to Sendmail. It was designed from the start with a security policy in mind. Border's mail system is based on ZMailer. The author made further specific enhancements for the BorderWare product which allow it to run without any special privileges. ZMailer is a mature mail system with a solid track record that has been running on many major Internet gateways. It has not been susceptible to any of the security problems that Sendmail has.

Is BorderWare's SMTP gateway secure?
The mail system was originally designed from the start with a security model in mind. In addition, the system consists of independent programs to do SMTP reception, routing decisions, SMTP delivery, and delivery scheduling among others. It is based on ZMailer, a mature mail system in use on major Internet gateways. The author of ZMailer made further specific enhancements for the BorderWare product. ZMailer has no code relation to Sendmail and has not been susceptible to any of the security problems associated with Sendmail. ZMailer runs without special privileges in an isolated environment (as do all the servers that run on BorderWare).

Can I place a public FTP server outside the firewall?
Yes. However, you should place a public access FTP server on the SSN (Secure Server Network) so that it is protected by the firewall and only allows FTP traffic to be passed to it. The internal network is also protected from the SSN (Secure Server Network) by the firewall, so if your public access FTP server is breached your internal network is not threatened. The BorderWare firewall also includes a secure anonymous FTP server as part of its system so a public server is not required to offer these services.

Can you have inbound FTP and Telnet access to internal machines?
Yes. Inbound FTP and Telnet are supported by the firewall. After being authenticated using a one-time password the user is tunneled into an internal machine. A user specific destination can be set up for each user. (BorderWare supports CryptoCard and SecurID authentication tokens).

How is the return data flow from FTP handled?
The FTP proxy intercepts the outgoing PORT command and sets up a temporary proxy for the data channel to connect it back to the internal client.
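
The intercept-and-reconnect just described, as an added Python model (not BorderWare's proxy code): the client's PORT command is parsed, a temporary port on the firewall's external address is substituted before the command goes to the server, and the server's later data connection is mapped back to the internal client. The addresses are constructed, and the check that the advertised address equals the client's own address is an extra sanity check assumed here, not something the FAQ states.

```python
"""Model of an FTP proxy handling the client's active-mode PORT command.
The internal client advertises its own (internal, possibly unregistered) address
and port; the proxy must instead advertise a temporary listener on its external
interface, then relay the server's data connection back to the internal client.
Added illustration, not BorderWare's proxy; addresses and names are constructed."""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); ValueError on malformed input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(map(str, nums[:4])), port


def safe_parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Like parse_port, but returns None instead of raising (handy for filtering)."""
    try:
        return parse_port(line)
    except ValueError:
        return None


def format_port(ip: str, port: int) -> str:
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}"


class FtpProxy:
    """Tracks the temporary data-channel listeners opened for each PORT command."""

    def __init__(self, external_ip: str, first_temp_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_temp_port
        self.data_map: Dict[int, Tuple[str, int]] = {}   # temp port -> internal target

    def rewrite_port(self, client_ip: str, line: str) -> str:
        """Rewrite the client's PORT so the server connects to the firewall instead.
        Assumption (sanity check, not from the FAQ): the advertised address must be
        the client's own address, so the proxy never opens a channel to a third host."""
        adv_ip, adv_port = parse_port(line)
        if adv_ip != client_ip:
            raise ValueError("PORT address does not match control-connection client")
        temp = self.next_port            # allocate a temporary external-side port
        self.next_port += 1
        self.data_map[temp] = (adv_ip, adv_port)
        return format_port(self.external_ip, temp)

    def on_server_data_connect(self, temp_port: int) -> Tuple[str, int]:
        """Server connected to the temp listener: return (and retire) the internal target."""
        return self.data_map.pop(temp_port)


if __name__ == "__main__":
    p = FtpProxy("192.0.2.10")
    print(p.rewrite_port("10.1.2.3", "PORT 10,1,2,3,4,1"))   # client listens on 10.1.2.3:1025
    print(p.on_server_data_connect(40000))                    # ('10.1.2.3', 1025)
```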

How does the dual name server function?
The BorderWare Firewall Server runs two separate DNS servers on the firewall itself.
The External DNS server provides a limited external view of the organizational domain and initially configures itself with a number of standard names that all point to the firewall itself (such as Mail, News, FTP, NS and WWW). It also has specific entries for the domain so that connections can be conveniently made using only the organizational domain name and whatever additional hostname is specified for the firewall. The External DNS automatically installs NS and wildcard MX records that point to the firewall. Additional backup MX and secondary NS records can be configured by the administrator. No internal information is available to the External DNS, and only the External DNS can communicate with the outside. This means no internal naming information can be obtained by anyone on the outside. The External DNS cannot query the Internal DNS or any other DNS inside the firewall.
The Internal DNS is automatically configured with some initial information, and can have additional hosts added via the administrator interface. Other internal domains or subdomains can be primaried, secondaried or delegated to other internal nameservers. The information managed by the Internal DNS is only available to internal machines, and the firewall itself. The Internal nameserver cannot receive queries from external hosts, because it cannot communicate directly with the external network. Resolution of external DNS information, both for the firewall itself and for internal queries for external information, is handled by the internal nameserver. Although it is unable to communicate directly with the external network, it is able to send queries and receive the responses via the External DNS.

How does the name server handle services which require all machines to be DNS registered?
There is a common problem with firewalls that implement dual name servers. Some Internet services require every machine that contacts them be registered in the domain name system. For example, if you FTP to ftp.uunet, you will not be granted access unless the machine you are FTP'ing from has an entry in the DNS. Many firewalls that implement dual name servers do not handle this situation well. BorderWare handles the situation easily. BorderWare is a true application-level proxy; all IP packets leaving your organization have the source address of the BorderWare firewall itself even if the packets originated deep within your internal network. The BorderWare server is registered with the DNS so all Internet services will properly validate it.

How does the network address translation feature function?
BorderWare transparently remaps all outbound connections so that the connection appears to originate from the firewall's external address. The firewall's external address is the only address that is externally visible, and this allows the use of internal unregistered IP addresses or private networks as defined in RFC1597. All internal addresses are mapped to a single address on the external network. BorderWare is capable of driving the serial connection directly using PPP. In this situation the internal network can be entirely hidden behind a single address assigned by the provider, with no registered addresses required.

How does BorderWare handle "illegal" Internet addresses?
BorderWare implements NAT (network address translation) technology so that your internal address structure is not seen by the Internet. Therefore, your internal network can use non-registered IP addresses.

Can the NNTP server feed other news servers?
Yes. The BorderWare Firewall Server runs a News server on the firewall itself, allowing the configuring of news feeds to internal or external sites. You can also place a News server on the SSN to free up disk space and processing power on the firewall.

Can users read news from the firewall?
Yes. The BorderWare Firewall Server can act as a news server supporting NNTP-based clients reading and posting News directly off the firewall. This eliminates the need for an internal News machine to provide access to News.

Does the NNTP server provide any control over News?
Yes. You can prevent any posted articles from reaching the outside.

What is SSN?
SSN (the Secure Server Network) is an independent network, which runs off the firewall, that allows the secure deployment of functional and custom networking servers.
Traditionally, organizations place additional servers on the external network (in front of the firewall), or on the internal network (behind the firewall). Both of these methods create security problems when allowing open access from the Internet. SSN provides a secure network on which to place your fully functional and custom networking servers.

Why do you need SSN?
SSN was developed by Border to solve the problem of security versus functionality and convenience. The SSN provides a flexible environment combining all of these features without lowering security standards.

How does SSN increase my security?
The SSN allows you to place your public servers on a network that is fully protected from the external network. The internal network is fully protected from the SSN network so if a flaw is found in one of your public servers on the SSN, your internal network is not threatened.

How is the SSN configured?
The SSN is configured through the SSN menu accessed from the main configuration screen of the firewall.

What servers should (or should not) be placed on the SSN?
The only server that cannot be placed on the SSN is the DNS server. However, the SSN is the best place for all of your other servers. For example, NNTP news does not coexist well with other servers because of its immense resource requirements: it takes a tremendous amount of disk space, CPU time and disk I/O to perform its daily tasks. Placing your NNTP server on the SSN frees up the firewall for other tasks and gives your internal network full access to the news server.

How many servers can run on it?
In general, the SSN supports one server of each type of service. However, you can have multiple servers for each type of service running on non-standard ports (e.g., three WWW servers running on ports 80, 8000 and 8001).

How is SSN administered?
The firewall part of the SSN is administered from the UI. The hosts on the SSN are administered from their own location. For example, if your FTP server is running on Windows NT, it is administered from there. The SSN can be set up to be administered from the internal network using FTP, Telnet or other protocols.

What if a server on SSN is breached?
If a server on the SSN is breached, there is the possibility that other servers on the SSN could be attacked as well. However, the firewall treats the SSN as though it were an external network, so your internal network is completely protected.

Does BorderWare log traffic to/from SSN-based servers?
Yes. All traffic through the firewall is logged.

Do I have to do anything special in configuring the servers I wish to put on SSN?
The servers need to have their default route pointing to the SSN interface address on the firewall. The servers should use the firewall as the primary DNS server.

Is SSN transparent to internal & external users?
The internal network transparently accesses the SSN network. However, from the external network, the SSN addresses are completely hidden as if they were on the internal network. All connections from the external network are directed to the external address of the firewall and then, based on the type of traffic, proxied to a server on the SSN without the external user's knowledge.

How does SSN compare to other vendors' DMZ (Demilitarized Zone)?
SSN provides more security than a DMZ. The SSN is protected from the external network by a complete firewall, and the internal network is protected from the SSN by a complete firewall. With a DMZ, one or the other is protected only by a screening router.

What access rules can be used with SSN?
All of the access control functionality of the firewall also applies to the SSN network.

Will off-loading the servers to SSN increase the performance of the firewall?
Yes. Moving resource-intensive services (e.g., NNTP News) to the SSN allows the firewall to spend more CPU and resource time on handling connections and packet transmissions.

Can we have our own Web, NNTP News, FTP, etc? Where?
Any server can be placed on the SSN except DNS. This includes special and home-made servers and services (e.g., database applications).

What is the limitation of the Web server on BorderWare?
For security reasons, the WWW server in BorderWare only supports static Web pages (HTML pages and pictures). The server restricts the use of forms, CGI scripts and image maps because of the insecurity of running such scripts on your firewall. If you would like to take advantage of all the features of a Web server, place it on the SSN for full functionality.


3. INSTALLATION


How is BorderWare installed?
Border manufactures a software-only solution which is installed onto a standard Intel 486/Pentium platform. Installation and configuration can be done by the customer with a straightforward graphical menu-driven administrator interface, or BorderWare can be purchased installed and pre-configured through resellers.

What hardware is required?

What amount of memory is required?
Minimum of 16 MB of memory is required. The maximum is unlimited.

What is the minimum CPU type and speed required?
An Intel 486/33 is the minimum; an Intel Pentium is recommended. There is no maximum, but capacity is limited by the ISA bus rather than by the CPU.

Can a router be placed between the firewall and the secured network?
Yes, but this is not necessary if the purpose of the router is just packet filtering. BorderWare has per-interface packet filters that are automatically configured as services are enabled or disabled via the administrator UI.

Should I place a router on the unsecured side of the firewall?
Some customers have machines that they want to be visible externally, and which they are not concerned about exposing on the unsecured network. These customers use BorderWare with an external Ethernet, and a router connects them to the Internet. If a customer wants all machines behind the firewall, BorderWare is used with an external high-speed serial card speaking PPP directly to their Internet service provider. In this situation an extra router, just to drive the serial line, would be an expensive waste.

Do I have to change my current Internet addresses on my LAN?
No, it is not necessary. However, make sure that the outside address of the firewall is on a different subnet than the internal address.

Can BorderWare handle a T1 connection?
Yes, an Intel Pentium (any speed), ISA based platform can handle the full T1 bandwidth or up to 400 kBytes per second.


4. ADMINISTRATION


Is there a diagnostic menu for the system administrator?
Yes. BorderWare has a diagnostic menu for network troubleshooting. This menu is part of the administrator interface and can be accessed from the console or remotely.

Is there a UI to simplify administration?
Yes, the underlying system is hidden behind a simple UI. It is our intent to remove the complications of systems administration from the security administrator.

Is there a command-line interface for administration?
No. All required administration can be done via the administrator interface and can be accessed from the console or remotely as described above.

Are the administrative responsibilities separated into least privilege?
The only interface on the system is the UI administrator interface, and it performs privileged operations (e.g., updates). However, the various services run in tightly controlled environments with minimal privileges.

Can BorderWare be configured by editing files manually?
Yes. You can FTP files to the firewall for certain configuration options and then upload them into the system through the UI. The data files for anonymous FTP, WWW and the Finger Information server are generated or edited remotely and installed onto the BorderWare Firewall Server via a special FTP administration account.

Can the firewall be administered remotely?
Yes, remote administration can be done over a modem attached to one of the serial ports. Access to this capability requires the use of a one-time password token.

Can software be updated via the network?
Yes. Software updates can be retrieved from your support provider via FTP and applied to your firewall through the UI.


5. AUDITING AND LOGGING


Are local logs kept?
Yes. Logs are kept on BorderWare.

Can log audit reports be generated (just for SSN)?
Yes, using the local log files, audit reports can be generated for access to servers on the firewall and servers on the SSN.

Does BorderWare have the ability to send logs to remote hosts?
Yes. BorderWare includes a comprehensive audit capability and allows the security administrator to direct log files to remote hosts.

Are logs generated for each application?
The various servers and specific proxies have individual logs, although the generic proxies share a single log. Each log file is automatically maintained and bounded.

Can alerts be generated?
Yes. Alerts can be generated for network probes and failed inbound-Telnet attempts. The alerts can trigger an email message, a pop-up warning, a message on a local printer, and/or halt the system.


6. AUTHENTICATION


What authentication is supported for remote access?
The BorderWare Firewall Server supports CryptoCard and SecurID challenge/response tokens. Support for the other major authentication mechanisms will be added in future releases as they are implemented.

Does BorderWare use the CryptoCard or SecurID or other?
BorderWare supports the CryptoCard challenge/response authentication token and the SecurID time based authentication token. The CryptoCard server is included in the BorderWare software. BorderWare interacts with the SecurID server on your internal network.

Are UNIX passwords supported?
No. No logins are supported on the BorderWare Firewall Server.

Can outgoing applications be configured to use authentication?
No. The organization's client networking applications would need to be modified to work in such an environment, since there are no users on the firewall. This is relatively easy to do when you have UNIX workstations and source code. PC and Mac networking applications generally do not provide source and do not understand such authentication procedures. Requiring this authentication would eliminate the transparency provided by the BorderWare Firewall Server.

Where does the authentication server reside?
The CryptoCard authentication server resides on the firewall, and is included with BorderWare. The SecurID authentication server will reside on a separate internal host which the firewall will query using an encrypted channel.

How is the authentication server administered?
Users are added/deleted/updated via the UI administrator interface.


7. SUPPORT


Is support included in the product price?
No. Technical support and update contracts can be purchased either from your reseller or Border. Support direct from Border is available in North America at 15% of list for updates and support (email support and 5 day telephone support from 9 AM to 5 PM EST).

What methods of support are available?
You can contact Border via email, fax, phone or surface mail.

What are your support hours?
Telephone support direct from Border: 9 AM-5 PM Eastern Standard Time. Full 7-day, 24-hour support will be implemented at a later date.

How are updates & upgrades handled?
Any improvements made to the security of the system are provided free of charge to all BorderWare users. Feature updates are provided to users with valid update contracts. New functionality upgrades may be provided to users with valid update contracts or may be chargeable enhancements.

How are updates provided?
Updates are provided on floppy or DAT tapes, or can be uploaded to the BorderWare Firewall Server via FTP. The update must be triggered from the administrator UI. Updates are cryptographically signed to ensure that they are valid vendor-supplied updates. Since the normal kernel's reduced functionality cannot perform an update of the system software, the firewall is rebooted on a special update kernel that has increased functionality but no networking code. The lack of networking code ensures that the firewall is not vulnerable to attack while it is running with this enhanced functionality.

Is there an FTP site for support and downloading updates and information?
Yes. Technical support information and software updates are available via FTP from ftp.border.com. The updates are hidden from view so that only users with valid update contracts can retrieve them.


8. GENERAL


Does BorderWare check for viruses?
BorderWare software itself cannot be affected by viruses, as it has its own operating system and does not read any other file forms such as DOS, Windows or Macintosh, where most viruses originate. BorderWare does not check for viruses being transmitted to each individual host, nor could it do this effectively. Firewalls protect a network from outside intrusion; virus software checks each individual file on a workstation. Since firewalls are installed between the Internet and an internal network, the firewall could not effectively scan all files on a workstation.

What is the BorderWare security rating?
BorderWare has participated in many penetration evaluations and has never been compromised. It has not yet been evaluated according to Orange Book standards.

Do we offer an evaluation package - does it cost money?
We offer a 30 day evaluation package that can be updated quickly to a licensed version through the UI. The evaluation copy costs approximately $100 ($US).


Like More Information? Contact Us:

STN, Inc
2127 Espey Court, Suite 100
Crofton, MD 21114
Voice: (800) 321-1969 or (410) 721-4004
Voice - DC Metro Area: (301) 858-0110
Fax: (410) 721-9011

FAQ Version 3.1                        © 1996  STN, Inc