Q & A - A Firewall Primer

By Charles B. Kaplan

TABLE OF CONTENTS

FIREWALL BASICS

PROXIES AND OPERATING SYSTEMS

THE BORDERWARE FIREWALL SERVER

BORDERWARE APPLICATIONS

MAIL

FTP

DNS

NAT

NEWS

SSN

WWW

AUDITING AND LOGGING

AUTHENTICATION

OTHER INFORMATION

SERVER CONFIGURATION

ADMINISTRATION

101. Does BorderWare check for viruses?
102. What is the BorderWare security rating?
103. Do we offer an evaluation package?

Q1. What is a firewall?

A. A firewall is a collection of devices (hardware and software) placed between two networks that collectively have the following properties:

• All traffic from inside to outside, and vice-versa, must pass through the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass.
• The firewall itself is immune to penetration.

Cheswick & Bellovin

A. In building construction, a firewall is a physical wall designed to keep fire from spreading from one section of a building to another. An Inter/inter net firewall is abstractly the same. It is designed to keep the dangers of a public network from spreading to your internal net.

In implementation a firewall operates much the way a moat and drawbridge do at a castle. A firewall surrounds your entire network (the moat), and creates a single narrow security choke point (the drawbridge) through which all traffic must pass both to and from your network. Firewalls enforce a site's security access policies for its network based on access rules or access control list. There are a number of ways to control access, but in general the firewall can be thought of as a mechanism to filter and control traffic (raising and lowering the bridge).

Traditional firewalls are implemented through a combination of hosts and routers. A router can control (or filter) network traffic at the packet level. Packets are allowed or denied based on the source/destination address and the port number. This is called packet filtering.

Application layer firewalls which should always be used in conjunction with packet filters act as intermediaries between the two networks. A user must first connect to the firewall, and then to the desired external network. Due to the critical location of this machine (bridging the two networks) it must be carefully and skillfully constructed. This machine will become the strong point, or bastian, to the external network. For a user to gain outward access, the bastian host must have the desired application to execute. If the bastian machine lacks an application (perhaps a web browser, or FTP client) than the user is denied use of that application. This is called application layer firewalling.

State-of-the-art firewalls are more than just generalized packet filters and often perform their functions across multiple Open System Interconnect (OSI) layers, spanning the internet layer up through the application layer. (based upon a 4 layer TCP/IP model versus a 7 layer OSI model) These third generation firewalls do not allow a direct connection between hosts and clients on separate networks (such as your network and the Internet). Instead they use a mechanism called a "proxy" process to prevent traffic from passing directly between networks. These modern firewalls also log all access for better auditing.

Up to Contents

Q2. Why does my company need a firewall?

A. Having a firewall can greatly reduce the risk of a network break-in and the destruction or theft of data by creating a security choke point. A firewall allows you to easily manage and control access entering and leaving your network.

The Internet connects hundreds of thousands of computers around the world. It can provide your staff with access to unlimited resources. It can also give intruders ample opportunity to penetrate your corporate networks. Those with malicious intent (a.k.a. "hackers") seek out opportunities to browse private databases and steal, alter or corrupt confidential information. Consequently, security is a major consideration when planning your Internet connection. A firewall can greatly reduce the risk.

Up to Contents

Q3. What things can a firewall do?

• Firewalls can protect a network for both incoming and outgoing network traffic.
• Firewalls creates a centralized point from which to focus security decisions.
• Firewalls can enforce your security policy.
• Firewalls can log all network activity in or out of itself.
• Firewalls can hide your internal network address structure.
• Firewalls can limit your exposure.

Up to Contents

Q4. What things can't a firewall do?

• Firewalls can't protect you against connections that don't go through it.
• Firewalls can't protect you from malicious internal employees.
• Firewalls can't protect you from an employee who subverts the firewall with a modem on there desk.
• Firewalls can't protect you from completely new threats.
• Firewalls can't protect you from viruses

Up to Contents

PROXIES AND OPERATING SYSTEMS

Q5. What is a proxy?

A. A proxy is a software mechanism that eliminates direct communication between client applications and their servers across separate networks or subnets. A proxy takes a users' requests for access and forwards them, as appropriate to the actual servers. Typically, proxies:

• Are small in size and constructed of well understood source code;
• Hide the internal address structure of the network(s) they protect;
• Provide logs of the traffic crossing the firewall;
• Limit the services offered to end-users based on policy;
• Provide secure authentication methods for end-user access.

Up to Contents

Q6. Why do I need proxies?

A. You need proxies to:

• Guard your network against unauthorized access;
• Limit the network services provided for end-users to those who are authorized;
• Provide a secure authentication scheme independent of applications;
• Provide detailed security logging based on the application data stream, not just the packet headers.

Up to Contents

Q7. What are the types of Proxies?

1. Circuit-Level Proxy -- Provides a medium level of security and is both flexible and adaptable to the access requirements of an organization. A circuit-level proxy implements a generalized proxy mechanism that relays IP connections from the originating application through the firewall to its destination. The proxy uses an authorization file to verify that a connection is permitted before completing the connection. A circuit level proxy has no intelligence regarding the protocol that it is transporting. It does however operate in a proxy fashion of accepting packets, and then replaying them out its other interface.
2. Application-Level Proxy -- Provides a high level of security by implementing a specific proxy mechanism for each application service. Application-level proxies "speak" the application protocol for each specific application (e.g. Telnet, FTP, SMTP, etc.). Application-level proxies screen the network traffic passing through the firewall and have an "understanding" of context of the data within the packets. This is not present in either circuit-level proxies or packet filtering mechanisms.
   The advantages of an application-level proxy over a circuit-level proxy are its ability to understand the flow of information and make intelligent decisions about the various kinds of requests within the packets. As an example, an application-level proxy can eliminate the possibility of using SMTP commands to extract information about the local user population on a network. Commands like EXPN (expanding a mail alias) or VRFY (verify the presence of a user) can be disabled.
3. SOCKS -- SOCKS was an early attempt to solve some of the deficiencies of proxies. When firewalls first started to appear, those known as proxy servers were not transparent in operation, and required that users follow a procedure to connect there internal machines to the outside network. SOCKS solved this problem by making a small change to the client applications, and thus enabling transparency. The down side of this however was that source cod was required, and this tended to mean that PC's and Macintoshes, along with any commercial application couldn't operate through a SOCKS firewall. The next generation of application proxies that appeared however was transparent, and thus eliminated the need and complexity of SOCKS.

Up to Contents

Q8. Do you need to purchase a separate operating system (OS) with BorderWare?

A. No. BorderWare has its own fully functional operating system.

Up to Contents

Q9. Does the BorderWare Firewall Server require any other software to run?

A. No. Everything you need to run BorderWare is included.

Up to Contents

Q10. Does BorderWare run on a stock OS?

A. No. BorderWare's kernel does contain Berkeley Software Development Inc. (BSDI) code for non-security related functions. However, the kernel has been modified or "hardened" so that its fundamental design and structure is unique and is no longer useful in a dynamic user environment . The hardening process includes modifying, removing and adding functionality so the kernel provides a solid base for a secure firewall architecture.

*see What makes BorderWare so secure for more detail

Up to Contents

Q11. Why was the BSD/OS chosen for a firewall operating system?

A. The BSD operating system developed by Berkeley Software Design Inc. is based on the original system developed at the University of California at Berkeley. It has been carefully scrutinized for security holes by many people from various organizations. This is not true of proprietary operating systems. The base code for BSD has been running on thousands of computer systems for many years, proving the code is stable, reliable, and effective for network access. This may not be the case for more recently-developed operating systems. Due to BSDs' years of field deployment, and its proven robustness Border choose BSD as its platform to start with.

Up to Contents

Q12. I understand that Windows/NT has a C2 security rating. Wouldn't NT make a better firewall operating system?

A. A "C2" rating only refers to the system's security when not connected to a network or a floppy drive. This rating says nothing about how secure the system is on a network, or how securely it operates in a networked environment. Additionally, C2 is a low security rating level.

Up to Contents

THE BORDERWARE FIREWALL SERVER

Q13. What is BorderWare?

A. The BorderWare Firewall Server defines a new product category of firewalls by combining packet filters and application-level gateways with Internet application servers into a single, highly secure, self-contained, transparent system. It is a powerful, advanced security product that protects TCP/IP networks from unwanted external access as well as provides control of internal access to external services.

The BorderWare Firewall server solves several crucial problems for corporate and departmental TCP/IP networks:

• It allows transparent user access to Internet services such as the World Wide Web (WWW), FTP, Telnet, Gopher, Real Audio, and other applications as they are developed;
• It provides leading protection of corporate networks against external intrusion;
• It allows efficient and easily administered partitioning of internal networks into secure subnets;
• It includes all standard application servers including Mail, News, FTP, WWW and DNS in one package.

Up to Contents

Q14. Could you explain BorderWare's architecture?

A. The BorderWare Firewall Server is a unique hybrid of multiple firewall technologies. BorderWare can effectively be broken down into five components.

1. Hardened kernel. This is the heart of BorderWare, and what truly differentiates it from other firewalls. Borders unique approach to the kernel has resulted in the only firewall SEVER in the marketplace today. Hardening in this case means eliminating system features that reduce the security in a standard operating system but which are not necessary in a firewall. Even if an attacker breaks through a server, s/he is isolated in a controlled environment, unable to affect other services or penetrate beyond the firewall. This exclusive feature of BorderWare is what allows us to securely run application servers on the firewall.
2. Transparent proxies. Border recognized the need for the higher security offered by an application proxy (see question ____), but found the obtrusiveness they were associated with to be unacceptable. As such they created the first transparent proxies. These proxies permit any off the shelf software to operate transparently through the firewall.
3. Packet filters. Border placed packet filters on the "fringes" of each interface. These filters handled rudimentary security, plus allowed for tight user authentication by controlling acceptable destinations and times of access.
4. Application servers. Because of BordersWares' uniqu kernel hardening Border was able to securely deploy all standard application servers, including Mail, News, FTP, Name Service, finger, POP and WWW right on the firewall.
5. User Interface. Inorder to create ease of use, and maintain a consistent enforced security level all BorderWare configuration is done through its straightforward user interface. No UNIX prompts are ever available. BorderWare maintains a very high degree of system integrity due to this powerful feature.

Up to Contents

Q15. Do my client applications have to be changed if I decide to use BorderWare?

A. NO. Unlike older SOCKS based firewalls BorderWare is 100% client and platform independent. BorderWare is transparent to DOS, Windows, Macintosh, VMS, UNIX, Commodore, and any other operating system or application.

Up to Contents

BORDERWARE APPLICATIONS

MAIL

Q16. How does one read mail with BorderWare?

A. The mail system can be configured to forward to single or multiple internal SMTP capable hosts. It can also be configured so that users have their mailboxes on the firewall and read them using POP clients (the use of POP provides mailboxes on BorderWare without requiring logins on the firewall). It can be configured to use any one of the above mechanisms or all of them simultaneously. For example, BorderWare can be configured to have certain mailboxes held locally for POP users and forward some user's mail directly to their own machines while forwarding other mail to an internal corporate mail gateway.

Q17. How does BorderWare integrate with other mail systems such as Microsoft Mail or Lotus Notes?

A. BorderWare can route mail to any SMTP compatible mail system. SMTP gateways exists for Microsoft Mail, cc:Mail, Lotus Notes Mail, Banyan Mail, and other popular mail packages.

Q18. Can a bastion host be used with BorderWare to receive mail?

A. BorderWare is a fully functional firewall which includes complete bastion host functionality including a secure mail server. An additional bastion host server is not required, however, if you wish to implement a mail server that you are more familiar with, you may place a mail server on the SSN (Secure Server Network).

The BorderWare mail server can receive mail and either forward it to single or multiple internal hosts. BorderWare also allows remote reading of mailboxes on the firewall via POP clients. BorderWare can forward mail directly to the users' workstations, to the internal mail gateway, or act as the corporate mail gateway itself. The Mail Server is capable of delivering mail any one of these ways, or any combination of the aforementioned.

Q19. Does BorderWare's mail server have any relation to Sendmail?

A. The mailer has no code relation to Sendmail. It was designed from the start with a security policy in mind. Border's mail system is based on ZMailer. The author made further specific enhancements for the BorderWare product which allow it to run without any special privileges. ZMailer is a mature mail system with a solid track record that has been running on many major Internet gateways. It has not been susceptible to any of the security problems that Sendmail has.

Q20. Is BorderWare's SMTP gateway secure?

A. BorderWare's mail system was originally designed from the start with a security model in mind. In addition, the system consists of independent programs to do SMTP reception, routing decisions, SMTP delivery, and delivery scheduling among others. It is based on ZMailer, a mature mail system in use on major Internet gateways. The author of ZMailer made further specific enhancements for the BorderWare product. ZMailer has no code relation to Sendmail and has not been susceptible to any of the security problems associated with Sendmail. ZMailer runs without special privileges in an isolated environment (as do all the servers that run on BorderWare).

FTP

Q21. Can I place a public FTP server outside the firewall?

A. Yes. However, you should place a public access FTP server on the SSN (Secure Server Network) so that it is protected by the firewall and only allows FTP traffic to be passed to it. The internal network is also protected from the SSN (Secure Server Network) by the firewall, so if your public access FTP server is breached your internal network is not threatened. The BorderWare firewall also includes a secure anonymous FTP server as part of its system so a public server is not required to offer these services.

Q22. Can you have inbound FTP and Telnet access to internal machines?

A. Yes. Inbound FTP and Telnet are supported by the firewall. After being authenticated using a one-time password the user is tunneled into an internal machine. A user specific destination can be set up for each user. (BorderWare supports CryptoCard and SecurID authentication tokens).

Q23. How is the return data flow from FTP handled?

A. The FTP proxy intercepts the outgoing PORT command and sets up a temporary proxy for the data channel to connect it back to the internal client. PASV is also supported by BorderWare.

DNS

Q24. How does the dual name server function?

A. The BorderWare Firewall Server runs two separate DNS servers on the firewall itself.

The External DNS server provides a limited external view of the organizational domain and initially configures itself with a number of standard names that all point to the firewall itself (such as Mail, News, FTP, NS and WWW). It also has specific entries for the domain so that connections can be conveniently made using only the organizational domain name and whatever additional hostname is specified for the firewall. The External DNS automatically installs NS and wildcard MX records that point to the firewall. Additional backup MX and secondary NS records can be configured by the administrator. No internal information is available to the External DNS, and only the External DNS can communicate with the outside. This means no internal naming information can be obtained by anyone on the outside. The External DNS cannot query the Internal DNS or any other DNS inside the firewall.

The Internal DNS is automatically configured with some initial information, and can have additional hosts added via the administrator interface. Other internal domains or subdomains can be primaried, secondaried or delegated to other internal nameservers. The information managed by the Internal DNS is only available to internal machines, and the firewall itself. The Internal nameserver cannot receive queries from external hosts, because it cannot communicate directly with the external network. Resolution of external DNS information both for the firewall itself and for internal queries for external information, is handled by the internal nameserver. Although it is unable to communicate directly with the external network, it is able to send queries and receive the responses via the External DNS.

Q25. How does the name server handle services which require all machines to be DNS registered?

A. There is a common problem with firewalls that implement dual name servers. Some Internet services require every machine that contacts them be registered in the domain name system. For example, if you FTP to ftp.uu.net, you will not be granted access unless the machine you are FTP'ing from has an entry in the DNS. Many firewalls that implement dual name servers do not handle this situation well. BorderWare handles the situation easily. BorderWare is a true application-level proxy; all IP packets leaving your organization have the source address of the BorderWare firewall itself even if the packets originated deep within your internal network. The BorderWare server is registered with the DNS so all Internet services will properly validate it.

NAT

Q26. How does the network address translation feature function?

A. BorderWare transparently remaps all outbound connections so that the connection appears to originate from the external address. The firewall's external address is the only address that is externally visible and this allows the use of internal unregistered IP addresses or private networks as defined in RFC1597. All internal addresses will be mapped to a single address on the external network. BorderWare is capable of driving the serial connection directly using PPP. In this situation the internal network can be entirely hidden behind a single address assigned by the provider with no registered addresses required.

Q27. How does BorderWare handle "illegal" Internet addresses?

A. BorderWare implements NAT (network address translation) technology so that your internal address structure is not seen by the Internet. Therefore, your internal network can use non-registered IP addresses.

NEWS

Q28. Can the NNTP server feed other news servers?

A. Yes. The BorderWare Firewall Server runs a News server on the firewall itself, allowing the configuring of news feeds to internal or external sites. You can also place a News server on the SSN to free up disk space and processing power on the firewall.

Q29. Can users read news from the firewall?

A. Yes. The BorderWare Firewall Server can act as a news server supporting NNTP base clients reading and posting News directly off the firewall. This will eliminate the need for an internal News machine to provide access to News.

Q30. Does the NNTP server provide any control over News?

A. Yes. You can prevent any posted articles from reaching the outside.

SSN (Secure Server Network)

Q31. What is SSN?

A. SSN (the Secure Server Network) is an independent network, which runs off the firewall, that allows the secure deployment of functional and custom networking servers.

Traditionally, organizations place additional servers on the external network (in front of the firewall), or on the internal network (behind the firewall). Both of these methods created security problems when allowing open access from the Internet.

SSN provides a secure network for you to place your fully functional and custom networking servers.

Q32. Why do you need SSN?

A. SSN was developed by Border to solve the problem of security versus functionality and convenience. The SSN provides a flexible environment combining all of these features without lowering security standards.

Q33. How does SSN increase my security?

A. The SSN allows you to place your public servers on a network that is fully protected from the external network. The internal network is fully protected from the SSN network so if a flaw is found in one of your public servers on the SSN, your internal network is not threatened.

Q34. How is the SSN configured?

A. The SSN is configured through the SSN menu accessed from the main configuration screen of the firewall.

Q35. What servers should (or should not) be placed on the SSN?

A. The only server that cannot be placed on the SSN is the DNS server. However, the SSN is the best place to store all of your other servers. For example, NNTP news does not coexist well with other servers due to its immense resource requirements. It takes up a tremendous amount of disk space, CPU time and disk I/O to perform its daily tasks. Placing your NNTP server on the SSN frees up the firewall for other tasks, and gives your internal network full access to the news server.

Q36. How many servers can run on it?

A. In general, the SSN supports one server of each type of service. However, you can have multiple servers for each type of service running on non standard ports (i.e., three WWW servers running on port 80, 8000, and 8001).

Q37. How is SSN administered?

A. The firewall part of the SSN is administered from the UI. The hosts on the SSN are administered from their own location. For example, if your FTP server is running on Windows NT, it is administered from there. The SSN can be set up to be administered from the internal network using FTP and/or Telnet or other.

Q38. What if a server on SSN is breached?

A. If a server on the SSN is breached, there is the possibility that other servers on the SSN could be attacked as well. However, the firewall treats the SSN as though it was and external network. Thus your internal network is completely protected.

Q39. Does BorderWare log traffic to/from SSN based servers?

A. Yes. All traffic through the firewall is logged.

Q40. Do I have to do anything special in configuring the servers I wish to put on SSN?

A. The servers need to have their default route pointing to the SSN interface address on the firewall. The servers should use the firewall as the primary DNS server.

Q41. Is SSN transparent to internal & external users?

A. The internal network transparently accesses the SSN network. However, from the external network, the SSN addresses are completely hidden as if they were on the internal network. All connections from the external network are directed to the external address of the firewall and then, based on the type of traffic, proxied to a server on the SSN without the external user's knowledge.

Q42. How does SSN compare to other vendor's DMZ (Demilitarized Zone)?

A. SSN provides more security than a DMZ. The SSN is protected from the external network by a complete firewall. The internal network is protected from the SSN by a complete firewall. With a DMZ, one or the other is only protected by a screening router.

Q43. What access rules can be used with SSN?

A. All of the access control functionality of the firewall also applies to the SSN network.

Q44. Will off-loading the servers to SSN increase the performance of the firewall?

A. Yes. Moving resource intensive services (i.e., NNTP News) to the SSN allows the firewall to spend more CPU and resource time on handling connections and packet transmissions.

Q45. Can we have our own Web, NNTP News, FTP, etc? Where?

A. Any server can be placed on the SSN except DNS. This includes special and home made servers and services (i.e., database applications).

WWW

Q46. What is the limitation of Web server on BorderWare?

A. For security reasons, the WWW server in BorderWare only supports static Web pages (HTML pages and pictures). The server restricts the use of forms or CGI scripts and image maps due to the insecurity of running these scripts within your firewall. If you would like to take advantage of all the features of a Web server, place it on the SSN for full functionality.

Q47. Does Borders' web server support JavaScript?

A. Yes. Java Script works fine with BorderWare.

AUDITING AND LOGGING

Q48. Are local logs kept?

A. Yes. Logs are kept on BorderWare.

Q49. Can log audit reports be generated (just for SSN)?

A. Yes, using the local log files, audit reports can be generated for access to servers on the firewall and servers on the SSN.

Q50. Does BorderWare have the ability to send logs to remote hosts?

A. Yes. BorderWare includes a comprehensive audit capability and allows the security administrator to direct log files to remote hosts.

Q51. Are logs generated for each application?

A. The various servers and specific proxies have individual logs, although the generic proxies share a single log. Each log file is automatically maintained and bounded.

Q52. Can alerts be generated?

A. Yes. Alerts can be generated for network probes and failed inbound-Telnet attempts. The alerts can trigger an email message or pop-up warning, and be configured to contact a pager.

AUTHENTICATION

Q53. What kind of user authentication is provided?

A. The BorderWare Firewall Server provides user authentication for remote users who need incoming access to your internal network. Authentication is accomplished by a method known as One Time Pad (OTP). In OTP the login password is different with each network login. Passwords are generated using a credit card size calculator/device issued to each remote user.

Up to Contents

Q54. Does BorderWare use hand held authenticators?

A. BorderWare supports the CryptoCard challenge/response authentication token and the SecurID time based authentication token. BorderWare will issue a CryptoCard password "challenge" and the user must enter this challenge into the calculator. The calculator then issues a one-time-only password "response" and the user must type the response back to the BorderWare server. Assuming the one-time response is correct, the user gains access to your internal network. The CryptoCard server is include in the BorderWare software. If available on your internal network BorderWare will interact with a SecurID server, and authenticate users based on SecurID's time synchronous algorithm.

Up to Contents

Q55. Are UNIX passwords supported?

A. No. No logins are supported on the BorderWare Firewall Server.

Up to Contents

Q56. Can outgoing applications be configured to use authentication?

A. No. The organizations' client networking application would need to be modified to work in such an environment since there are no users on the firewall. This is relatively easy to perform when you have UNIX workstations and source code. PC and MAC networking applications generally do not provide source and do not understand such authentication procedures. Requiring this authentication would eliminate the transparency provided by the BorderWare Firewall Server.

Up to Contents

Q57. Where does the authentication server reside?

A. The CryptoCard authentication server resides on the firewall, and is included with BorderWare. The SecurID authentication server will reside on a separate internal host which the firewall will query using an encrypted channel.

Up to Contents

Q58. How is the authentication server administered?

A. Users are added/deleted/updated via the UI administrator interface.

Up to Contents

OTHER INFORMATION

Q59. How does BorderWare protect my internal subnet? Is the protection equal to what is provided for external network access?

A. The BorderWare Firewall Server performs the exact same way for a subnet as it does for an exterior gateway. The firewall proxies hide subnet IP addresses from other subnets like they hide addresses from the Internet. They also provide the same high degree of security between division as they do between you and the outside world. Additionally Borders unique server applications provide all the functionality that a small workgroup through large division will need to get running.

Up to Contents

Q60. How does the BorderWare firewall allow me to control access to network services for individual client users?

A. The BorderWare server can be configured to allow or disallow network services for specific client users on your network. This is accomplished via user interface. BorderWare can be configured allow or disallow services for single or multiple client IP addresses, making decisions based upon user, destination, time of day, day of week, and system load.

Up to Contents

Q61. Can the BorderWare Firewall Server be connected to any network?

A. Yes. The BorderWare Firewall Server can be configured to work with any TCP/IP network. However, BorderWare currently only supports Ethernet (10Base-T, 10Base-5, & AUI) and synchronous serial (V.35) physical connections. Border is in discussion with several vendors to provide support for Token Ring, FDDI, and Fast Ethernet as well as other major network communications technologies.

Q62. Can the BorderWare Firewall Server work with my Token Ring network?

A. Yes. BorderWare can operate in a Token Ring environment, however the use of an external router is necessary due to no token ring interface support at present.

Q63. Does BorderWare work with Windows NT or Novell?

A. BorderWare works with any TCP/IP capable network which includes Windows NT or Novell as its clients. BorderWare is placed on a "black box" machine where no other software is installed and operates with TCP/IP capable networks.

Q64. Is BorderWare a dual-homed firewall?

A. Yes. BorderWare is designed as a dual-homed system - this is not optional. This enforces the requirement that all traffic between the internal and external networks must pass through the firewall.

Q65. Can BorderWare detect IP address spoofing?

A. Yes. Source routed packets are considered to be insecure packets by the kernel, source routed packets are one of the major spoofing mechanisms. No additional detection of MAC level to IP address mappings is done beyond the standard ARP cache checking. Such checking would only be relevant for the directly connected LAN and would not be useful for an organization with multiple subnets. There are further mechanisms embedded in the networking code that make it impossible for an external host to impersonate an internal host.

Q66. Is IP forwarding disabled/turned off?

A. Yes. The kernel code which performs IP forwarding has been removed as part of Border's hardening process. Packets can only be exchanged between the networks using a proxy agent.

Q67. Are multiple machines required to implement BorderWare?

A. No. BorderWare is implemented on a single IBM-compatible machine. The firewall is intended to be used as a stand-alone system. BorderWare incorporates separate kernel-level packet-filters on each interface which means it does not need external packet-filtering capabilities to be implemented by wrapping packet-filtering routers around it. The common firewall network setup, with an internal and external router and application servers running on a bastion host in the middle, can be replaced with a single BorderWare machine.

Q68. Is integrity checking built into BorderWare?

A. Yes. The BorderWare Firewall Server does integrity checking on all binaries.

Q69. Is the source code available to customers?

A. No. The BorderWare Firewall Server is intended to be an easy to configure, turn key black-box solution. Access to the source code is not necessary as BorderWare does not require significant levels of firewall expertise to enable you to secure your network.

Q70. Does BorderWare use static routing ?

A. Yes. The firewall automatically adds static routes for the local LAN, and a static default to the external interface. Additional static routes can be easily added through the administrator interface. For security reasons dynamic routing is not supported, since attempting to manipulate the routing tables is a method often used to attack a firewall.

Q71. Are source routing and ICMP redirects disabled in the kernel ?

A. Yes. Both ICMP redirects and source-routing are disabled in the kernel to prevent IP spoofing attacks that use these mechanisms.

Q72. Will internal users be impacted by having the firewall in place?

A. No. The BorderWare Firewall Server is completely transparent to your internal users. All TCP/IP networking applications, including DOS, Mac or Windows driven software, will continue to function normally without modification. Users do not need special passwords and no one logs onto the firewall directly. BorderWare can have access rules which create limitations for particular hosts to specified destination hosts during certain times of the day or days of the week. This is the only occasion where internal users would be aware that a firewall is in place.

Q73. Can users have accounts on the firewall ?

A. There are no logins allowed on the firewall. This includes the network administrator. Installation and configuration is done via a menu driven UI. Since the software stands alone and all aspects are configurable through the administrator UI, there is no need for the administrator to manipulate the internals of the firewall directly. Any logins to the box would create a potential avenue for penetration and therefore are not allowed.

Q74. What is the BorderWare philosophy towards access to services?

A. BorderWare follows the strict security policy that all services are disabled by default and must be enabled to allow users access. This enabling process is simple and straight forward. The administrator can enable all services via the UI.

Q75. Can access to services be controlled for users and groups?

A. Inbound Telnet and FTP access is controlled per-user with one-time challenge-response tokens. All other services and proxies can have access rules which create limitations for particular hosts to use a specific service to a specified destination host during certain times of the day. Any or all of the restrictions can be relaxed to allow generic internal use of the administrator-enabled services on the firewall. For example, a rule might limit Fred's PC to only be able to use FTP from 5pm to 9am Monday to Friday, and only allow access to certain specified FTP servers.

Q76. What happens if the firewall is breached?

A. All of the services provided by the firewall run in a highly secure, decoupled environment. Even if a service is penetrated, no other functionality of the firewall can be affected and the internal network cannot be reached. Significant modifications have been made to the kernel of the firewall to remove mechanisms that can be used to get out of this isolated, cocooned environment. There is no way any code an intruder managed to download could run on the firewall. A file must have certain attributes in order to be executed; the kernel is incapable of generating these. ..........link to why so secure paper........

Up to Contents

Q77. What software makes up the BorderWare Firewall Server?

A. The BorderWare firewall is delivered shrink wrapped on CD-ROM, and includes the following software:

• Custom hardened BorderWare firewall operating system
• BorderWare Firewall server
• All application servers, including: NNTP, dual DNS, POP3, anonymous FTP, WWW and SMTP
• A bootable floppy

Up to Contents

Q78. Has BorderWare been tested?

A. Yes. In addition to normal development testing, Border has participated in many penetration evaluations and has never been compromised. BorderWare has also undergone independent evaluation from ENGARDE SYSTEMS!!add link to engarde paper, again without compromise.

Up to Contents

SERVER CONFIGURATION

Q79. How is BorderWare installed?

A. Border manufactures a software-only solution which is installed onto a standard Intel 486/Pentium platform. Installation and configuration can be done by the customer with a straight forward graphical menu-driven administrator interface, or BorderWare can be purchased installed and pre-configured through resellers.

Up to Contents

Q80. What hardware does BorderWare run on?

A. The BorderWare firewall server requires the following configuration for operation. Your reseller can best assess your needs and recommend a system accordingly:

• Pentium processor
• 16 MB memory, 32 MB recommended
• 500-Mbyte SCSI hard disk

2 GByte is recommended to support NNTP news

• one 1.44-Mbyte floppy disk
• one 4X SCSI CD ROM drive
• two Ethernet interface cards

an additional ethernet card is required for SSN

• color monitor, keyboard, SCSI controller

Up to Contents

ADMINISTRATION

Q81. Is there a diagnostic menu for the system administrator?

A. Yes. BorderWare has a diagnostic menu for network troubleshooting. This menu is part of the administrator interface and can be accessed from the console or remotely.

Q82. Is there a UI to simplify administration?

A. Yes, the underlying system is hidden behind a simple UI. It is our intent to remove the complications of systems administration from the security administrator.

Q83. Is there a command-line interface for administration?

A. No. All required administration can be done via the administrator interface and can be accessed from the console or remotely as described above.

Q84. Are the administrative responsibilities separated into least privilege?

A. The only interface on the system is the UI administrator interface and it performs privileged operations (i.e. updates). However, the various services run in tightly controlled environments with minimal privileges.

Q85. Can BorderWare be configured by editing files manually?

A. Yes. You can FTP files to the firewall for certain configuration options and then upload them into the system through the UI. The data files for anonymous FTP, WWW and the Finger Information server are generated or edited remotely and installed onto the BorderWare Firewall Server via a special FTP administration account.

Q86. Can the firewall be administered remotely?

A. Yes, the serial port can be used for remote administration using a modem attached to one of the serial ports. Access to this capability requires the use of a one-time password token.

Q87. Can software be updated via the network?

A. Yes. Software updates can be retrieved from Ingress via FTP and applied to your firewall through the UI.

Up to Contents

BORDERWARE SERVER INSTALLATION

Q88. Who installs BorderWare?

A. Typically, STN, Inc, an authorized VAR, will install the server, thus assuring a customer of a turnkey installation. Customers with some understanding of networking and security however may choose to install the server themselves. Border has trained STN in advanced installation and in various networking configurations with the BorderWare firewall. STN, its distributor and Border all make help only a phone call away.

Up to Contents

Q89. How long does it take to install BorderWare?

A. It takes 45 minutes to a few hours, depending on network hardware and software configuration and availability of the network for reconfiguration and physical cabling.

Up to Contents

Q90. Can a router be placed between the firewall and the secured network?

A. Yes, but this is not necessary if the purpose of the router is just packet filtering. BorderWare has per-interface packet filters that are automatically configured as services are enabled or disabled via the administrator UI.

Q91. Should I place a router on the unsecured side of the firewall?

A. Some customers have machines that they want to be visible externally, and which they are not concerned about exposing on the unsecured network. These customers use BorderWare with an external ethernet. A router connects them to the Internet. If a customer wants all machines behind the firewall, BorderWare is used with an external high-speed serial card directly speaking PPP to their Internet service provider. In this situation an extra router, just to drive the serial line, would be an expensive waste.

Q92. Do I have to change my current Internet addresses on my LAN?

A. No it is not necessary. However, make sure that the outside address of the firewall is on a different subnet than the internal address.

Q93. Can BorderWare handle a T1 connection ?

A. Yes, any Pentium, ISA-based platform can flood the full T1 bandwidth.

BORDERWARE FIREWALL SERVER PURCHASE AND SUPPORT

Q94. How do I buy BorderWare?

A. You can purchase the BorderWare firewall Server from STN.
Just call 1 (800) 321-1969, or E-mail "ask@stn.com".

Up to Contents

Q95. Is support included in the product price?

A. No. Technical support and update contracts can be purchased from STN. North America support is about 15% of list price yearly for updates and support.

Q96. What methods of support are available?

A. Support is through STN. Border assists STN in difficult problems. Support is available via pager (24 * 7), email, fax, phone or surface mail.

Q97. What are your support hours?

Telephone: 9AM-5PM minimum coverage, Eastern Standard Time. Dial 1 (800) 321-1969 or, locally, (703) 379-9700.

Full 7 day, 24 hour support is via pager call back.

Q98. How are updates & upgrades handled?

A. Any improvements made to the security of the system are provided free of charge to all BorderWare users. Feature updates are provided to users with valid update contracts. New functionality upgrades may be provided to users with valid update contracts or may be chargeable enhancements.

Q99. How are updates provided?

A. Updates are provided on 3.5" disk or downloadable from STN's FTP server.

The update must be triggered from the administrator UI. The updates are cryptographically signed to ensure that it is a valid vendor-supplied update. Since the normal kernel reduced functionality cannot perform an update on the system software, the firewall is rebooted on a special update kernel that has increased functionality but no networking code. The lack of networking code ensures that the firewall is not vulnerable to attack while it is running with this enhanced functionality.

Q100. Is there an FTP site for support and downloading updates and information?

Yes. Technical support information and software updates are available via FTP from ftp.stn.com. The updates are hidden from view so that only users with valid update contracts can retrieve them.

Up to Contents

OTHER QUESTIONS

Q101. Does BorderWare check for viruses?

A. BorderWare software itself cannot be affected by viruses as it has its own operating system and does not read any other file forms such as DOS, Windows or Macintosh where most viruses originate. BorderWare does not check for viruses being transmitted to each individual host nor could it do this effectively. Firewall's protect a network from outside intrusion. Virus software checks each individual file on a workstation. Since firewalls are installed between the internet and an internal network the firewall could not effectively scan all files on or at a workstation.

Q102. What is the BorderWare security rating?

A. BorderWare has participated in many penetration evaluations and has never been compromised. It has not yet been evaluated according to Orange Book standards.

Q103. Do we offer an evaluation package?

A. We offer a 45 day evaluation package that can be updated quickly to a licensed version through the US. Contact STN at (800) 321-1969, or locally at (703) 379-9700.

Up to Contents