
Firewall and Internet Server Q & A

THE BORDERWARE FIREWALL SERVER

By Charles B. Kaplan

TABLE OF CONTENTS

1. What is a firewall?
2. Why does my company need a firewall?
3. What things can a firewall do?
4. What things can't a firewall do?

 

PROXIES AND OPERATING SYSTEMS

5. What is a proxy?
6. Why do I need proxies?
7. What are the types of proxies?
8. Do you need to purchase a separate operating system (OS) with BorderWare?
9. Does the BorderWare Firewall Server require any other software to run?
10. Does BorderWare run on a stock OS?
11. Why was the BSD/OS chosen for a firewall operating system?
12. I understand that Windows NT has a C2 security rating. Wouldn't NT make a better firewall operating system?

FIREWALL BASICS

13. What is BorderWare?
14. Could you explain BorderWare's architecture?
15. Do my client applications have to be changed if I decide to use BorderWare?

 

BORDERWARE APPLICATIONS

MAIL

16. How does one read mail with BorderWare?
17. How does BorderWare integrate with other mail systems such as Microsoft Mail or Lotus Notes?
18. Can a bastion host be used with BorderWare to receive mail?
19. Does BorderWare's mail server have any relation to Sendmail?
20. Is BorderWare's SMTP gateway secure?

 

FTP

21. Can I place a public FTP server outside the firewall?
22. Can you have inbound FTP and Telnet access to internal machines?
23. How is the return data flow from FTP handled?

 

DNS

24. How does the dual name server function?
25. How does the name server handle services which require all machines to be DNS registered?

 

NAT

26. How does the network address translation feature function?
27. How does BorderWare handle "illegal" Internet addresses?

 

NEWS

28. Can the NNTP server feed other news servers?
29. Can users read news from the firewall?
30. Does the NNTP server provide any control over News?

 

SSN

31. What is SSN?
32. Why do you need SSN?
33. How does SSN increase my security?
34. How is the SSN configured?
35. What servers should (or should not) be placed on the SSN?
36. How many servers can run on it?
37. How is SSN administered?
38. What if a server on SSN is breached?
39. Does BorderWare log traffic to/from SSN based servers?
40. Do I have to do anything special in configuring the servers I wish to put on SSN?
41. Is SSN transparent to internal & external users?
42. How does SSN compare to other vendors' DMZ (Demilitarized Zone)?
43. What access rules can be used with SSN?
44. Will off-loading the servers to SSN increase the performance of the firewall?
45. Can we have our own Web, NNTP News, FTP, etc? Where?

WWW

46. What is the limitation of Web server on BorderWare?
47. Does Border's web server support JavaScript?

AUDITING AND LOGGING

48. Are local logs kept?
49. Can log audit reports be generated (just for SSN)?
50. Does BorderWare have the ability to send logs to remote hosts?
51. Are logs generated for each application?
52. Can alerts be generated?

 

AUTHENTICATION

53. What kind of user authentication is provided?
54. Does BorderWare use hand held authenticators?
55. Are UNIX passwords supported?
56. Can outgoing applications be configured to use authentication?
57. Where does the authentication server reside?
58. How is the authentication server administered?

 

OTHER INFORMATION

59. How does BorderWare protect my internal subnet? Is the protection equal to what is provided for external network access?
60. How does the BorderWare firewall allow me to control access to network services for individual client users?
61. Can the BorderWare Firewall Server be connected to any network?
62. Can the BorderWare Firewall Server work with my Token Ring network?
63. Does BorderWare work with Windows NT or Novell?
64. Is BorderWare a dual-homed firewall?
65. Can BorderWare detect IP address spoofing?
66. Is IP forwarding disabled/turned off?
67. Are multiple machines required to implement BorderWare?
68. Is integrity checking built into BorderWare?
69. Is the source code available to customers?
70. Does BorderWare use static routing?
71. Are source routing and ICMP redirects disabled in the kernel?
72. Will internal users be impacted by having the firewall in place?
73. Can users have accounts on the firewall?
74. What is the BorderWare philosophy towards access to services?
75. Can access to services be controlled for users and groups?
76. What happens if the firewall is breached?
77. What software makes up the BorderWare Firewall Server?
78. Has BorderWare been tested?

SERVER CONFIGURATION


79. How is BorderWare installed?
80. What hardware does BorderWare run on?

ADMINISTRATION

81. Is there a diagnostic menu for the system administrator?
82. Is there a UI to simplify administration?
83. Is there a command-line interface for administration?
84. Are the administrative responsibilities separated into least privilege?
85. Can BorderWare be configured by editing files manually?
86. Can the firewall be administered remotely?
87. Can software be updated via the network?

BORDERWARE SERVER INSTALLATION

88. Who installs BorderWare?
89. How long does it take to install BorderWare?
90. Can a router be placed between the firewall and the secured network?
91. Should I place a router on the unsecured side of the firewall?
92. Do I have to change my current Internet addresses on my LAN?
93. Can BorderWare handle a T1 connection?

 

BORDERWARE FIREWALL SERVER PURCHASE AND SUPPORT

94. How do I buy BorderWare?
95. Is support included in the product price?
96. What methods of support are available?
97. What are your support hours?
98. How are updates & upgrades handled?
99. How are updates provided?
100. Is there an FTP site for support and downloading updates and information?

 

OTHER QUESTIONS

101. Does BorderWare check for viruses?
102. What is the BorderWare security rating?
103. Do we offer an evaluation package?

QUESTIONS & ANSWERS

FIREWALL BASICS

Q1. What is a firewall?

A. A firewall is a collection of devices (hardware and software) placed between two networks that collectively have the following properties:
All traffic from inside to outside, and vice-versa, must pass through the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.
The firewall itself is immune to penetration.

Cheswick & Bellovin

A. In building construction, a firewall is a physical wall designed to keep fire from spreading from one section of a building to another. An Inter/inter net firewall is abstractly the same. It is designed to keep the dangers of a public network from spreading to your internal net.

In implementation, a firewall operates much the way a moat and drawbridge do at a castle. A firewall surrounds your entire network (the moat), and creates a single narrow security choke point (the drawbridge) through which all traffic must pass both to and from your network. Firewalls enforce a site's security access policies for its network based on access rules or access control lists. There are a number of ways to control access, but in general the firewall can be thought of as a mechanism to filter and control traffic (raising and lowering the bridge).

Traditional firewalls are implemented through a combination of hosts and routers. A router can control (or filter) network traffic at the packet level. Packets are allowed or denied based on the source/destination address and the port number. This is called packet filtering.

Application layer firewalls, which should always be used in conjunction with packet filters, act as intermediaries between the two networks. A user must first connect to the firewall, and then to the desired external network. Due to the critical location of this machine (bridging the two networks), it must be carefully and skillfully constructed. This machine will become the strong point, or bastion, to the external network. For a user to gain outward access, the bastion host must have the desired application to execute. If the bastion machine lacks an application (perhaps a web browser or FTP client), then the user is denied use of that application. This is called application layer firewalling.

State-of-the-art firewalls are more than just generalized packet filters and often perform their functions across multiple Open Systems Interconnection (OSI) layers, spanning the internet layer up through the application layer (based upon a 4-layer TCP/IP model versus a 7-layer OSI model). These third-generation firewalls do not allow a direct connection between hosts and clients on separate networks (such as your network and the Internet). Instead they use a mechanism called a "proxy" process to prevent traffic from passing directly between networks. These modern firewalls also log all access for better auditing.


Q2. Why does my company need a firewall?

A. Having a firewall can greatly reduce the risk of a network break-in and the destruction or theft of data by creating a security choke point. A firewall allows you to easily manage and control access entering and leaving your network.

The Internet connects hundreds of thousands of computers around the world. It can provide your staff with access to unlimited resources. It can also give intruders ample opportunity to penetrate your corporate networks. Those with malicious intent (a.k.a. "hackers") seek out opportunities to browse private databases and steal, alter or corrupt confidential information. Consequently, security is a major consideration when planning your Internet connection. A firewall can greatly reduce the risk.


Q3. What things can a firewall do?
Firewalls can protect a network for both incoming and outgoing network traffic.
Firewalls create a centralized point from which to focus security decisions.
Firewalls can enforce your security policy.
Firewalls can log all network activity in or out of itself.
Firewalls can hide your internal network address structure.
Firewalls can limit your exposure.


Q4. What things can't a firewall do?
Firewalls can't protect you against connections that don't go through it.
Firewalls can't protect you from malicious internal employees.
Firewalls can't protect you from an employee who subverts the firewall with a modem on their desk.
Firewalls can't protect you from completely new threats.
Firewalls can't protect you from viruses.


PROXIES AND OPERATING SYSTEMS

Q5. What is a proxy?

A. A proxy is a software mechanism that eliminates direct communication between client applications and their servers across separate networks or subnets. A proxy takes a user's requests for access and forwards them, as appropriate, to the actual servers. Typically, proxies:
Are small in size and constructed of well understood source code;
Hide the internal address structure of the network(s) they protect;
Provide logs of the traffic crossing the firewall;
Limit the services offered to end-users based on policy;
Provide secure authentication methods for end-user access.


Q6. Why do I need proxies?

A. You need proxies to:
Guard your network against unauthorized access;
Limit the network services provided for end-users to those who are authorized;
Provide a secure authentication scheme independent of applications;
Provide detailed security logging based on the application data stream, not just the packet headers.


Q7. What are the types of Proxies?

  1. Circuit-Level Proxy -- Provides a medium level of security and is both flexible and adaptable to the access requirements of an organization. A circuit-level proxy implements a generalized proxy mechanism that relays IP connections from the originating application through the firewall to its destination. The proxy uses an authorization file to verify that a connection is permitted before completing the connection. A circuit-level proxy has no intelligence regarding the protocol that it is transporting. It does, however, operate in a proxy fashion, accepting packets and then replaying them out its other interface.
  2. Application-Level Proxy -- Provides a high level of security by implementing a specific proxy mechanism for each application service. Application-level proxies "speak" the application protocol for each specific application (e.g. Telnet, FTP, SMTP, etc.). Application-level proxies screen the network traffic passing through the firewall and have an "understanding" of context of the data within the packets. This is not present in either circuit-level proxies or packet filtering mechanisms.
    The advantages of an application-level proxy over a circuit-level proxy are its ability to understand the flow of information and make intelligent decisions about the various kinds of requests within the packets. As an example, an application-level proxy can eliminate the possibility of using SMTP commands to extract information about the local user population on a network. Commands like EXPN (expanding a mail alias) or VRFY (verify the presence of a user) can be disabled.
  3. SOCKS -- SOCKS was an early attempt to solve some of the deficiencies of proxies. When firewalls first started to appear, those known as proxy servers were not transparent in operation, and required that users follow a procedure to connect their internal machines to the outside network. SOCKS solved this problem by making a small change to the client applications, thus enabling transparency. The downside, however, was that source code was required, which tended to mean that PCs and Macintoshes, along with any commercial application, couldn't operate through a SOCKS firewall. The next generation of application proxies, however, was transparent, and thus eliminated the need for and complexity of SOCKS.
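
The difference between items 1 and 2, shown as an added example in Python (not BorderWare code and not part of the original FAQ): the circuit-level check sees only connection endpoints, while the application-level filter follows the SMTP dialogue and refuses EXPN and VRFY. The policy table, host names and session lines are constructed for illustration, and the 502 reply is this example's choice of refusal.

```python
import ipaddress

# Constructed policy for this example: any source may reach the mail port only.
AUTHORIZED_FLOWS = [(ipaddress.ip_network("0.0.0.0/0"), 25)]
BLOCKED_VERBS = {"EXPN", "VRFY"}  # the two commands named in the text


def circuit_level_permits(src_ip, dst_port):
    """Circuit-level decision: endpoints only, the payload is never inspected."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and dst_port == port for net, port in AUTHORIZED_FLOWS)


class SmtpCommandFilter:
    """Application-level decision: follows SMTP state and screens each command."""

    def __init__(self):
        self.in_data = False         # True while the client is sending a message body
        self.data_requested = False  # DATA was forwarded, waiting for the server's 354
        self.audit = []              # per-command log, as an application proxy can keep

    def client_line(self, line):
        """Return ("forward", line) or ("reply", response) for one client line."""
        if self.in_data:
            # Body text is not a command, even if it happens to start with VRFY.
            if line.rstrip(b"\r\n") == b".":
                self.in_data = False
            return ("forward", line)
        parts = line.decode("ascii", "replace").split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in BLOCKED_VERBS:
            self.audit.append("refused " + verb)
            return ("reply", b"502 Command not implemented\r\n")
        self.data_requested = (verb == "DATA")
        self.audit.append("passed " + verb)
        return ("forward", line)

    def server_line(self, line):
        """Watch server replies: only a 354 actually opens the message body."""
        if self.data_requested:
            self.in_data = line.startswith(b"354")
            self.data_requested = False
        return ("forward", line)


# Constructed session: "C" lines come from the client, "S" lines from the server.
SESSION = [
    ("C", b"EHLO client.example\r\n"),
    ("C", b"vrfy alice\r\n"),                      # lower case is still the VRFY verb
    ("C", b"MAIL FROM:<bob@client.example>\r\n"),
    ("C", b"RCPT TO:<alice@corp.example>\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: test\r\n"),
    ("C", b"\r\n"),
    ("C", b"VRFY root is just body text here\r\n"),  # inside DATA: must pass untouched
    ("C", b".\r\n"),
    ("C", b"EXPN staff\r\n"),
    ("C", b"QUIT\r\n"),
]


def run_session(session):
    """Replay (direction, line) pairs; return the action per client line and the audit log."""
    flt = SmtpCommandFilter()
    actions = []
    for direction, line in session:
        if direction == "C":
            actions.append(flt.client_line(line)[0])
        else:
            flt.server_line(line)
    return actions, flt.audit


if __name__ == "__main__":
    # The circuit-level check admits the whole connection, EXPN and VRFY included.
    print("circuit-level permits port 25:", circuit_level_permits("203.0.113.9", 25))
    for entry in run_session(SESSION)[1]:
        print(entry)
```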


Q8. Do you need to purchase a separate operating system (OS) with BorderWare?

A. No. BorderWare has its own fully functional operating system.


Q9. Does the BorderWare Firewall Server require any other software to run?

A. No. Everything you need to run BorderWare is included.


Q10. Does BorderWare run on a stock OS?

A. No. BorderWare's kernel does contain Berkeley Software Design Inc. (BSDI) code for non-security related functions. However, the kernel has been modified or "hardened" so that its fundamental design and structure are unique and it is no longer useful in a dynamic user environment. The hardening process includes modifying, removing and adding functionality so the kernel provides a solid base for a secure firewall architecture.

*see What makes BorderWare so secure for more detail


Q11. Why was the BSD/OS chosen for a firewall operating system?

A. The BSD operating system developed by Berkeley Software Design Inc. is based on the original system developed at the University of California at Berkeley. It has been carefully scrutinized for security holes by many people from various organizations. This is not true of proprietary operating systems. The base code for BSD has been running on thousands of computer systems for many years, proving the code is stable, reliable, and effective for network access. This may not be the case for more recently developed operating systems. Due to BSD's years of field deployment and its proven robustness, Border chose BSD as its platform to start with.


Q12. I understand that Windows/NT has a C2 security rating. Wouldn't NT make a better firewall operating system?

A. A "C2" rating only refers to the system's security when not connected to a network or a floppy drive. This rating says nothing about how secure the system is on a network, or how securely it operates in a networked environment. Additionally, C2 is a low security rating level.


 

THE BORDERWARE FIREWALL SERVER

Q13. What is BorderWare?

A. The BorderWare Firewall Server defines a new product category of firewalls by combining packet filters and application-level gateways with Internet application servers into a single, highly secure, self-contained, transparent system. It is a powerful, advanced security product that protects TCP/IP networks from unwanted external access and provides control of internal access to external services.

The BorderWare Firewall server solves several crucial problems for corporate and departmental TCP/IP networks:
It allows transparent user access to Internet services such as the World Wide Web (WWW), FTP, Telnet, Gopher, Real Audio, and other applications as they are developed;
It provides leading protection of corporate networks against external intrusion;
It allows efficient and easily administered partitioning of internal networks into secure subnets;
It includes all standard application servers including Mail, News, FTP, WWW and DNS in one package.


Q14. Could you explain BorderWare's architecture?

A. The BorderWare Firewall Server is a unique hybrid of multiple firewall technologies. BorderWare can effectively be broken down into five components.

  1. Hardened kernel. This is the heart of BorderWare, and what truly differentiates it from other firewalls. Border's unique approach to the kernel has resulted in the only firewall SERVER in the marketplace today. Hardening in this case means eliminating system features that reduce the security in a standard operating system but which are not necessary in a firewall. Even if an attacker breaks through a server, s/he is isolated in a controlled environment, unable to affect other services or penetrate beyond the firewall. This exclusive feature of BorderWare is what allows us to securely run application servers on the firewall.
  2. Transparent proxies. Border recognized the need for the higher security offered by an application proxy (see question ____), but found the obtrusiveness associated with such proxies to be unacceptable. As such, they created the first transparent proxies. These proxies permit any off-the-shelf software to operate transparently through the firewall.
  3. Packet filters. Border placed packet filters on the "fringes" of each interface. These filters handle rudimentary security, and also allow for tight user authentication by controlling acceptable destinations and times of access.
  4. Application servers. Because of BorderWare's unique kernel hardening, Border was able to securely deploy all standard application servers, including Mail, News, FTP, Name Service, finger, POP and WWW, right on the firewall.
  5. User Interface. In order to create ease of use and maintain a consistent, enforced security level, all BorderWare configuration is done through its straightforward user interface. No UNIX prompts are ever available. BorderWare maintains a very high degree of system integrity due to this powerful feature.


Q15. Do my client applications have to be changed if I decide to use BorderWare?

A. NO. Unlike older SOCKS-based firewalls, BorderWare is 100% client and platform independent. BorderWare is transparent to DOS, Windows, Macintosh, VMS, UNIX, Commodore, and any other operating system or application.


BORDERWARE APPLICATIONS

MAIL

Q16. How does one read mail with BorderWare?

A. The mail system can be configured to forward to single or multiple internal SMTP capable hosts. It can also be configured so that users have their mailboxes on the firewall and read them using POP clients (the use of POP provides mailboxes on BorderWare without requiring logins on the firewall). It can be configured to use any one of the above mechanisms or all of them simultaneously. For example, BorderWare can be configured to have certain mailboxes held locally for POP users and forward some users' mail directly to their own machines while forwarding other mail to an internal corporate mail gateway.

Q17. How does BorderWare integrate with other mail systems such as Microsoft Mail or Lotus Notes?

A. BorderWare can route mail to any SMTP compatible mail system. SMTP gateways exist for Microsoft Mail, cc:Mail, Lotus Notes Mail, Banyan Mail, and other popular mail packages.

Q18. Can a bastion host be used with BorderWare to receive mail?

A. BorderWare is a fully functional firewall which includes complete bastion host functionality including a secure mail server. An additional bastion host server is not required; however, if you wish to implement a mail server that you are more familiar with, you may place a mail server on the SSN (Secure Server Network).

The BorderWare mail server can receive mail and forward it to single or multiple internal hosts. BorderWare also allows remote reading of mailboxes on the firewall via POP clients. BorderWare can forward mail directly to the users' workstations, to the internal mail gateway, or act as the corporate mail gateway itself. The Mail Server is capable of delivering mail in any one of these ways, or in any combination of them.

Q19. Does BorderWare's mail server have any relation to Sendmail?

A. The mailer has no code relation to Sendmail. It was designed from the start with a security policy in mind. Border's mail system is based on ZMailer. The author made further specific enhancements for the BorderWare product which allow it to run without any special privileges. ZMailer is a mature mail system with a solid track record that has been running on many major Internet gateways. It has not been susceptible to any of the security problems that Sendmail has.

Q20. Is BorderWare's SMTP gateway secure?

A. BorderWare's mail system was designed from the start with a security model in mind. In addition, the system consists of independent programs to do SMTP reception, routing decisions, SMTP delivery, and delivery scheduling among others. It is based on ZMailer, a mature mail system in use on major Internet gateways. The author of ZMailer made further specific enhancements for the BorderWare product. ZMailer has no code relation to Sendmail and has not been susceptible to any of the security problems associated with Sendmail. ZMailer runs without special privileges in an isolated environment (as do all the servers that run on BorderWare).

 

FTP

Q21. Can I place a public FTP server outside the firewall?

A. Yes. However, you should place a public access FTP server on the SSN (Secure Server Network) so that it is protected by the firewall and only allows FTP traffic to be passed to it. The internal network is also protected from the SSN (Secure Server Network) by the firewall, so if your public access FTP server is breached your internal network is not threatened. The BorderWare firewall also includes a secure anonymous FTP server as part of its system so a public server is not required to offer these services.

Q22. Can you have inbound FTP and Telnet access to internal machines?

A. Yes. Inbound FTP and Telnet are supported by the firewall. After being authenticated using a one-time password, the user is tunneled into an internal machine. A user-specific destination can be set up for each user. (BorderWare supports CryptoCard and SecurID authentication tokens.)

Q23. How is the return data flow from FTP handled?

A. The FTP proxy intercepts the outgoing PORT command and sets up a temporary proxy for the data channel to connect it back to the internal client. PASV is also supported by BorderWare.
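
The PORT handling described above, shown as an added example in Python (not BorderWare code and not part of the original FAQ): the proxy parses the client's PORT command, substitutes its own external address and a temporary port, and remembers where to relay the returning data connection. The addresses, port pool, timeout and the two validation checks in rewrite() are assumptions of this example, not documented BorderWare behaviour.

```python
import re
import time

PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


class PortCommandError(ValueError):
    """Raised when a PORT command is malformed or violates the proxy's policy."""


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise PortCommandError("not a well-formed PORT command")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise PortCommandError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Encode (ip, port) back into the wire form of the PORT command."""
    return "PORT {},{},{}\r\n".format(
        ip.replace(".", ","), port >> 8, port & 0xFF).encode("ascii")


class FtpPortProxy:
    """Bookkeeping for temporary data-channel proxies on the firewall's external side."""

    def __init__(self, external_ip, port_range=(40000, 40009), ttl=30.0,
                 clock=time.monotonic):
        self.external_ip = external_ip
        self.port_range = port_range  # assumed pool of temporary ports (inclusive)
        self.ttl = ttl                # seconds a mapping waits for the server to connect
        self.clock = clock
        self.pending = {}             # ext_port -> (client_ip, client_port, server_ip, expiry)

    def _allocate(self):
        now = self.clock()
        for stale in [p for p, e in self.pending.items() if e[3] < now]:
            del self.pending[stale]   # drop mappings the server never used
        for port in range(self.port_range[0], self.port_range[1] + 1):
            if port not in self.pending:
                return port
        raise PortCommandError("no temporary data ports free")

    def rewrite(self, line, client_ip, server_ip):
        """Intercept an outgoing PORT; return the line to send to the server instead."""
        ip, port = parse_port(line)
        if ip != client_ip:
            raise PortCommandError("PORT names a host other than the control-connection client")
        if port < 1024:
            raise PortCommandError("PORT names a reserved port")
        ext_port = self._allocate()
        self.pending[ext_port] = (client_ip, port, server_ip, self.clock() + self.ttl)
        # The server only ever learns the firewall's external address.
        return format_port(self.external_ip, ext_port)

    def accept_data(self, ext_port, peer_ip):
        """A connection arrived on a temporary port: return the internal (ip, port)
        to relay it to, or None if it must be dropped."""
        entry = self.pending.get(ext_port)
        if entry is None:
            return None
        client_ip, client_port, server_ip, expiry = entry
        if self.clock() > expiry:
            del self.pending[ext_port]
            return None
        if peer_ip != server_ip:
            return None               # keep the mapping for the real server
        del self.pending[ext_port]    # one mapping serves exactly one data connection
        return (client_ip, client_port)


def demo():
    """Constructed exchange: internal client 10.1.1.5, external server 198.51.100.7."""
    proxy = FtpPortProxy("192.0.2.1")
    sent = proxy.rewrite(b"PORT 10,1,1,5,19,137\r\n",
                         client_ip="10.1.1.5", server_ip="198.51.100.7")
    relay_to = proxy.accept_data(parse_port(sent)[1], peer_ip="198.51.100.7")
    return sent, relay_to


if __name__ == "__main__":
    print(demo())
```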

 

DNS

Q24. How does the dual name server function?

A. The BorderWare Firewall Server runs two separate DNS servers on the firewall itself.

The External DNS server provides a limited external view of the organizational domain and initially configures itself with a number of standard names that all point to the firewall itself (such as Mail, News, FTP, NS and WWW). It also has specific entries for the domain so that connections can be conveniently made using only the organizational domain name and whatever additional hostname is specified for the firewall. The External DNS automatically installs NS and wildcard MX records that point to the firewall. Additional backup MX and secondary NS records can be configured by the administrator. No internal information is available to the External DNS, and only the External DNS can communicate with the outside. This means no internal naming information can be obtained by anyone on the outside. The External DNS cannot query the Internal DNS or any other DNS inside the firewall.

The Internal DNS is automatically configured with some initial information, and can have additional hosts added via the administrator interface. Other internal domains or subdomains can be primaried, secondaried or delegated to other internal nameservers. The information managed by the Internal DNS is only available to internal machines, and the firewall itself. The Internal nameserver cannot receive queries from external hosts, because it cannot communicate directly with the external network. Resolution of external DNS information both for the firewall itself and for internal queries for external information, is handled by the internal nameserver. Although it is unable to communicate directly with the external network, it is able to send queries and receive the responses via the External DNS.

Q25. How does the name server handle services which require all machines to be DNS registered?

A. There is a common problem with firewalls that implement dual name servers. Some Internet services require every machine that contacts them be registered in the domain name system. For example, if you FTP to ftp.uu.net, you will not be granted access unless the machine you are FTP'ing from has an entry in the DNS. Many firewalls that implement dual name servers do not handle this situation well. BorderWare handles the situation easily. BorderWare is a true application-level proxy; all IP packets leaving your organization have the source address of the BorderWare firewall itself even if the packets originated deep within your internal network. The BorderWare server is registered with the DNS so all Internet services will properly validate it.

 

NAT

Q26. How does the network address translation feature function?

A. BorderWare transparently remaps all outbound connections so that the connection appears to originate from the external address. The firewall's external address is the only address that is externally visible and this allows the use of internal unregistered IP addresses or private networks as defined in RFC1597. All internal addresses will be mapped to a single address on the external network. BorderWare is capable of driving the serial connection directly using PPP. In this situation the internal network can be entirely hidden behind a single address assigned by the provider with no registered addresses required.

Q27. How does BorderWare handle "illegal" Internet addresses?

A. BorderWare implements NAT (network address translation) technology so that your internal address structure is not seen by the Internet. Therefore, your internal network can use non-registered IP addresses.

 

NEWS

Q28. Can the NNTP server feed other news servers?

A. Yes. The BorderWare Firewall Server runs a News server on the firewall itself, allowing the configuring of news feeds to internal or external sites. You can also place a News server on the SSN to free up disk space and processing power on the firewall.

Q29. Can users read news from the firewall?

A. Yes. The BorderWare Firewall Server can act as a news server supporting NNTP-based clients reading and posting News directly off the firewall. This will eliminate the need for an internal News machine to provide access to News.

Q30. Does the NNTP server provide any control over News?

A. Yes. You can prevent any posted articles from reaching the outside.

 

SSN (Secure Server Network)

Q31. What is SSN?

A. SSN (the Secure Server Network) is an independent network, which runs off the firewall, that allows the secure deployment of functional and custom networking servers.

Traditionally, organizations place additional servers on the external network (in front of the firewall), or on the internal network (behind the firewall). Both of these methods created security problems when allowing open access from the Internet.

SSN provides a secure network for you to place your fully functional and custom networking servers.

Q32. Why do you need SSN?

A. SSN was developed by Border to solve the problem of security versus functionality and convenience. The SSN provides a flexible environment combining all of these features without lowering security standards.

Q33. How does SSN increase my security?

A. The SSN allows you to place your public servers on a network that is fully protected from the external network. The internal network is fully protected from the SSN network so if a flaw is found in one of your public servers on the SSN, your internal network is not threatened.

Q34. How is the SSN configured?

A. The SSN is configured through the SSN menu accessed from the main configuration screen of the firewall.

Q35. What servers should (or should not) be placed on the SSN?

A. The only server that cannot be placed on the SSN is the DNS server. However, the SSN is the best place to store all of your other servers. For example, NNTP news does not coexist well with other servers due to its immense resource requirements. It takes up a tremendous amount of disk space, CPU time and disk I/O to perform its daily tasks. Placing your NNTP server on the SSN frees up the firewall for other tasks, and gives your internal network full access to the news server.

Q36. How many servers can run on it?

A. In general, the SSN supports one server of each type of service. However, you can have multiple servers for each type of service running on non-standard ports (e.g., three WWW servers running on ports 80, 8000, and 8001).

Q37. How is SSN administered?

A. The firewall part of the SSN is administered from the UI. The hosts on the SSN are administered from their own location. For example, if your FTP server is running on Windows NT, it is administered from there. The SSN can be set up to be administered from the internal network using FTP and/or Telnet or other.

Q38. What if a server on SSN is breached?

A. If a server on the SSN is breached, there is the possibility that other servers on the SSN could be attacked as well. However, the firewall treats the SSN as though it were an external network. Thus your internal network is completely protected.

Q39. Does BorderWare log traffic to/from SSN based servers?

A. Yes. All traffic through the firewall is logged.

Q40. Do I have to do anything special in configuring the servers I wish to put on SSN?

A. The servers need to have their default route pointing to the SSN interface address on the firewall. The servers should use the firewall as the primary DNS server.

Q41. Is SSN transparent to internal & external users?

A. The internal network transparently accesses the SSN network. However, from the external network, the SSN addresses are completely hidden as if they were on the internal network. All connections from the external network are directed to the external address of the firewall and then, based on the type of traffic, proxied to a server on the SSN without the external user's knowledge.

Q42. How does SSN compare to other vendors' DMZ (Demilitarized Zone)?

A. SSN provides more security than a DMZ. The SSN is protected from the external network by a complete firewall. The internal network is protected from the SSN by a complete firewall. With a DMZ, one or the other is only protected by a screening router.

Q43. What access rules can be used with SSN?

A. All of the access control functionality of the firewall also applies to the SSN network.

Q44. Will off-loading the servers to SSN increase the performance of the firewall?

A. Yes. Moving resource-intensive services (e.g., NNTP News) to the SSN allows the firewall to spend more CPU and resource time on handling connections and packet transmissions.

Q45. Can we have our own Web, NNTP News, FTP, etc? Where?

A. Any server can be placed on the SSN except DNS. This includes special and homemade servers and services (e.g., database applications).

 

WWW

Q46. What are the limitations of the Web server on BorderWare?

A. For security reasons, the WWW server in BorderWare only supports static Web pages (HTML pages and pictures). The server restricts the use of forms or CGI scripts and image maps due to the insecurity of running these scripts within your firewall. If you would like to take advantage of all the features of a Web server, place it on the SSN for full functionality.

Q47. Does Border's web server support JavaScript?

A. Yes. JavaScript works fine with BorderWare.

 

AUDITING AND LOGGING

Q48. Are local logs kept?

A. Yes. Logs are kept on BorderWare.

Q49. Can log audit reports be generated (just for SSN)?

A. Yes, using the local log files, audit reports can be generated for access to servers on the firewall and servers on the SSN.

Q50. Does BorderWare have the ability to send logs to remote hosts?

A. Yes. BorderWare includes a comprehensive audit capability and allows the security administrator to direct log files to remote hosts.

Q51. Are logs generated for each application?

A. The various servers and specific proxies have individual logs, although the generic proxies share a single log. Each log file is automatically maintained and bounded.

Q52. Can alerts be generated?

A. Yes. Alerts can be generated for network probes and failed inbound-Telnet attempts. The alerts can trigger an email message or pop-up warning, and be configured to contact a pager.

 

AUTHENTICATION

Q53. What kind of user authentication is provided?

A. The BorderWare Firewall Server provides user authentication for remote users who need incoming access to your internal network. Authentication is accomplished by a method known as One Time Pad (OTP). In OTP the login password is different with each network login. Passwords are generated using a credit-card-sized calculator/device issued to each remote user.

Q54. Does BorderWare use hand held authenticators?

A. BorderWare supports the CryptoCard challenge/response authentication token and the SecurID time-based authentication token. BorderWare will issue a CryptoCard password "challenge" and the user must enter this challenge into the calculator. The calculator then issues a one-time-only password "response" and the user must type the response back to the BorderWare server. Assuming the one-time response is correct, the user gains access to your internal network. The CryptoCard server is included in the BorderWare software. If available on your internal network, BorderWare will interact with a SecurID server, and authenticate users based on SecurID's time-synchronous algorithm.
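
The challenge/response exchange described above, sketched as an added example (not BorderWare or CryptoCard code). HMAC-SHA-256 stands in for the token's real algorithm, which this page does not describe; AuthServer, token_response, the user name and the key are hypothetical.

```python
import hashlib
import hmac
import secrets


def token_response(key: bytes, challenge: str) -> str:
    """What the hand-held token computes: a keyed function of the challenge.

    Assumption: HMAC-SHA-256 truncated to 8 digits, as a stand-in algorithm.
    """
    digest = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class AuthServer:
    """Server side: issues a fresh challenge, accepts one response per challenge."""

    def __init__(self, keys):
        self._keys = dict(keys)   # user -> secret shared with that user's token
        self._pending = {}        # user -> outstanding challenge

    def issue_challenge(self, user: str) -> str:
        # Issued even for unknown users so the prompt does not reveal
        # which accounts exist.
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # The challenge is consumed whether or not the response is correct,
        # so a captured response cannot be replayed and each guess costs
        # a new challenge.
        challenge = self._pending.pop(user, None)
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = token_response(key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample secret
    server = AuthServer({"remote_user": key})
    challenge = server.issue_challenge("remote_user")
    response = token_response(key, challenge)      # typed in by the user
    print("first use :", server.verify("remote_user", response))
    print("replay    :", server.verify("remote_user", response))
```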

Q55. Are UNIX passwords supported?

A. No. No logins are supported on the BorderWare Firewall Server.

Q56. Can outgoing applications be configured to use authentication?

A. No. The organization's client networking applications would need to be modified to work in such an environment, since there are no users on the firewall. This is relatively easy to perform when you have UNIX workstations and source code. PC and Mac networking applications generally do not provide source and do not understand such authentication procedures. Requiring this authentication would eliminate the transparency provided by the BorderWare Firewall Server.

Q57. Where does the authentication server reside?

A. The CryptoCard authentication server resides on the firewall, and is included with BorderWare. The SecurID authentication server will reside on a separate internal host which the firewall will query using an encrypted channel.

Q58. How is the authentication server administered?

A. Users are added/deleted/updated via the UI administrator interface.

 

OTHER INFORMATION

Q59. How does BorderWare protect my internal subnet? Is the protection equal to what is provided for external network access?

A. The BorderWare Firewall Server performs the exact same way for a subnet as it does for an exterior gateway. The firewall proxies hide subnet IP addresses from other subnets just as they hide addresses from the Internet. They also provide the same high degree of security between divisions as they do between you and the outside world. Additionally, Border's unique server applications provide all the functionality that anything from a small workgroup to a large division will need to get running.

Q60. How does the BorderWare firewall allow me to control access to network services for individual client users?

A. The BorderWare server can be configured to allow or disallow network services for specific client users on your network. This is accomplished via the user interface. BorderWare can be configured to allow or disallow services for single or multiple client IP addresses, making decisions based upon user, destination, time of day, day of week, and system load.

Q61. Can the BorderWare Firewall Server be connected to any network?

A. Yes. The BorderWare Firewall Server can be configured to work with any TCP/IP network. However, BorderWare currently only supports Ethernet (10Base-T, 10Base-5, & AUI) and synchronous serial (V.35) physical connections. Border is in discussion with several vendors to provide support for Token Ring, FDDI, and Fast Ethernet as well as other major network communications technologies.

Q62. Can the BorderWare Firewall Server work with my Token Ring network?

A. Yes. BorderWare can operate in a Token Ring environment; however, an external router is necessary because there is no Token Ring interface support at present.

Q63. Does BorderWare work with Windows NT or Novell?

A. BorderWare works with any TCP/IP-capable network, including networks with Windows NT or Novell clients. BorderWare is placed on a "black box" machine where no other software is installed and operates with TCP/IP-capable networks.

Q64. Is BorderWare a dual-homed firewall?

A. Yes. BorderWare is designed as a dual-homed system - this is not optional. This enforces the requirement that all traffic between the internal and external networks must pass through the firewall.

Q65. Can BorderWare detect IP address spoofing?

A. Yes. The kernel treats source-routed packets as insecure, since source routing is one of the major spoofing mechanisms. No additional detection of MAC-level to IP address mappings is done beyond the standard ARP cache checking. Such checking would only be relevant for the directly connected LAN and would not be useful for an organization with multiple subnets. There are further mechanisms embedded in the networking code that make it impossible for an external host to impersonate an internal host.

Q66. Is IP forwarding disabled/turned off?

A. Yes. The kernel code which performs IP forwarding has been removed as part of Border's hardening process. Packets can only be exchanged between the networks using a proxy agent.

Q67. Are multiple machines required to implement BorderWare?

A. No. BorderWare is implemented on a single IBM-compatible machine. The firewall is intended to be used as a stand-alone system. BorderWare incorporates separate kernel-level packet-filters on each interface which means it does not need external packet-filtering capabilities to be implemented by wrapping packet-filtering routers around it. The common firewall network setup, with an internal and external router and application servers running on a bastion host in the middle, can be replaced with a single BorderWare machine.

Q68. Is integrity checking built into BorderWare?

A. Yes. The BorderWare Firewall Server does integrity checking on all binaries.

Q69. Is the source code available to customers?

A. No. The BorderWare Firewall Server is intended to be an easy-to-configure, turnkey black-box solution. Access to the source code is not necessary as BorderWare does not require significant levels of firewall expertise to enable you to secure your network.

Q70. Does BorderWare use static routing?

A. Yes. The firewall automatically adds static routes for the local LAN, and a static default to the external interface. Additional static routes can be easily added through the administrator interface. For security reasons dynamic routing is not supported, since attempting to manipulate the routing tables is a method often used to attack a firewall.

Q71. Are source routing and ICMP redirects disabled in the kernel?

A. Yes. Both ICMP redirects and source-routing are disabled in the kernel to prevent IP spoofing attacks that use these mechanisms.

Q72. Will internal users be impacted by having the firewall in place?

A. No. The BorderWare Firewall Server is completely transparent to your internal users. All TCP/IP networking applications, including DOS, Mac or Windows driven software, will continue to function normally without modification. Users do not need special passwords and no one logs onto the firewall directly. BorderWare can have access rules which create limitations for particular hosts to specified destination hosts during certain times of the day or days of the week. This is the only occasion where internal users would be aware that a firewall is in place.

Q73. Can users have accounts on the firewall?

A. There are no logins allowed on the firewall. This includes the network administrator. Installation and configuration are done via a menu-driven UI. Since the software stands alone and all aspects are configurable through the administrator UI, there is no need for the administrator to manipulate the internals of the firewall directly. Any logins to the box would create a potential avenue for penetration and therefore are not allowed.

Q74. What is the BorderWare philosophy towards access to services?

A. BorderWare follows the strict security policy that all services are disabled by default and must be enabled to allow users access. This enabling process is simple and straightforward. The administrator can enable all services via the UI.

Q75. Can access to services be controlled for users and groups?

A. Inbound Telnet and FTP access is controlled per-user with one-time challenge-response tokens. All other services and proxies can have access rules which create limitations for particular hosts to use a specific service to a specified destination host during certain times of the day. Any or all of the restrictions can be relaxed to allow generic internal use of the administrator-enabled services on the firewall. For example, a rule might limit Fred's PC to only be able to use FTP from 5pm to 9am Monday to Friday, and only allow access to certain specified FTP servers.
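
An added sketch (not BorderWare's own code or rule syntax) of how such a rule could be evaluated with default deny, using the Fred example. The addresses are constructed, and it assumes the Monday-to-Friday restriction applies to the day the 5pm window opens, so Friday's window runs until 9am Saturday; the page does not specify this.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class AccessRule:
    """Hypothetical rule shape: host + service + destinations + time window."""
    client: str
    service: str
    destinations: frozenset
    days: frozenset      # weekdays on which the window may OPEN (Mon=0 .. Sun=6)
    start: time
    end: time

    def window_open(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            # Window inside a single day, e.g. 09:00-17:00.
            return now.weekday() in self.days and self.start <= t < self.end
        # Overnight window, e.g. 17:00-09:00: it wraps past midnight.
        if t >= self.start:
            return now.weekday() in self.days
        if t < self.end:
            # The early-morning part belongs to the window opened the day before.
            return (now - timedelta(days=1)).weekday() in self.days
        return False

    def matches(self, client, service, dest, now) -> bool:
        return (client == self.client and service == self.service
                and dest in self.destinations and self.window_open(now))


def is_allowed(rules, client, service, dest, now) -> bool:
    """Default deny: a connection passes only if some rule explicitly matches."""
    return any(r.matches(client, service, dest, now) for r in rules)


# Constructed sample data (documentation address ranges, not from the page).
FRED_PC = "192.0.2.25"
FTP_SERVERS = frozenset({"198.51.100.10", "198.51.100.11"})
RULES = [AccessRule(FRED_PC, "ftp", FTP_SERVERS, frozenset(range(0, 5)),
                    time(17, 0), time(9, 0))]

if __name__ == "__main__":
    checks = [
        ("Tue 18:00 ftp, listed server ", datetime(2024, 1, 2, 18, 0), "ftp", "198.51.100.10"),
        ("Tue 12:00 ftp, listed server ", datetime(2024, 1, 2, 12, 0), "ftp", "198.51.100.10"),
        ("Sat 08:00 ftp (Fri window)   ", datetime(2024, 1, 6, 8, 0), "ftp", "198.51.100.10"),
        ("Mon 08:00 ftp (Sun window)   ", datetime(2024, 1, 1, 8, 0), "ftp", "198.51.100.10"),
        ("Tue 18:00 ftp, unlisted host ", datetime(2024, 1, 2, 18, 0), "ftp", "203.0.113.5"),
        ("Tue 18:00 telnet             ", datetime(2024, 1, 2, 18, 0), "telnet", "198.51.100.10"),
    ]
    for label, when, svc, dst in checks:
        print(label, is_allowed(RULES, FRED_PC, svc, dst, when))
```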

Q76. What happens if the firewall is breached?

A. All of the services provided by the firewall run in a highly secure, decoupled environment. Even if a service is penetrated, no other functionality of the firewall can be affected and the internal network cannot be reached. Significant modifications have been made to the kernel of the firewall to remove mechanisms that can be used to get out of this isolated, cocooned environment. There is no way any code an intruder managed to download could run on the firewall. A file must have certain attributes in order to be executed; the kernel is incapable of generating these.

Q77. What software makes up the BorderWare Firewall Server?

A. The BorderWare firewall is delivered shrink wrapped on CD-ROM, and includes the following software:
Custom hardened BorderWare firewall operating system
BorderWare Firewall server
All application servers, including: NNTP, dual DNS, POP3, anonymous FTP, WWW and SMTP
A bootable floppy

Q78. Has BorderWare been tested?

A. Yes. In addition to normal development testing, Border has participated in many penetration evaluations and has never been compromised. BorderWare has also undergone independent evaluation from ENGARDE SYSTEMS, again without compromise.

 
SERVER CONFIGURATION

Q79. How is BorderWare installed?

A. Border manufactures a software-only solution which is installed onto a standard Intel 486/Pentium platform. Installation and configuration can be done by the customer with a straightforward graphical menu-driven administrator interface, or BorderWare can be purchased installed and pre-configured through resellers.

Q80. What hardware does BorderWare run on?

A. The BorderWare firewall server requires the following configuration for operation. Your reseller can best assess your needs and recommend a system accordingly:
Pentium processor
16 MB memory, 32 MB recommended
500-Mbyte SCSI hard disk (2 GByte is recommended to support NNTP news)
one 1.44-Mbyte floppy disk
one 4X SCSI CD ROM drive
two Ethernet interface cards (an additional Ethernet card is required for SSN)
color monitor, keyboard, SCSI controller

 

ADMINISTRATION

Q81. Is there a diagnostic menu for the system administrator?

A. Yes. BorderWare has a diagnostic menu for network troubleshooting. This menu is part of the administrator interface and can be accessed from the console or remotely.

Q82. Is there a UI to simplify administration?

A. Yes, the underlying system is hidden behind a simple UI. It is our intent to remove the complications of systems administration from the security administrator.

Q83. Is there a command-line interface for administration?

A. No. All required administration can be done via the administrator interface and can be accessed from the console or remotely as described above.

Q84. Are the administrative responsibilities separated into least privilege?

A. The only interface on the system is the UI administrator interface and it performs privileged operations (i.e. updates). However, the various services run in tightly controlled environments with minimal privileges.

Q85. Can BorderWare be configured by editing files manually?

A. Yes. You can FTP files to the firewall for certain configuration options and then upload them into the system through the UI. The data files for anonymous FTP, WWW and the Finger Information server are generated or edited remotely and installed onto the BorderWare Firewall Server via a special FTP administration account.

Q86. Can the firewall be administered remotely?

A. Yes. A modem attached to one of the serial ports can be used for remote administration. Access to this capability requires the use of a one-time password token.

Q87. Can software be updated via the network?

A. Yes. Software updates can be retrieved from Ingress via FTP and applied to your firewall through the UI.

 

BORDERWARE SERVER INSTALLATION

Q88. Who installs BorderWare?

A. Typically, STN, Inc., an authorized VAR, will install the server, thus assuring a customer of a turnkey installation. Customers with some understanding of networking and security, however, may choose to install the server themselves. Border has trained STN in advanced installation and in various networking configurations with the BorderWare firewall. STN, its distributor and Border all make help only a phone call away.

Q89. How long does it take to install BorderWare?

A. It takes 45 minutes to a few hours, depending on network hardware and software configuration and availability of the network for reconfiguration and physical cabling.

Q90. Can a router be placed between the firewall and the secured network?

A. Yes, but this is not necessary if the purpose of the router is just packet filtering. BorderWare has per-interface packet filters that are automatically configured as services are enabled or disabled via the administrator UI.

Q91. Should I place a router on the unsecured side of the firewall?

A. Some customers have machines that they want to be visible externally, and which they are not concerned about exposing on the unsecured network. These customers use BorderWare with an external ethernet. A router connects them to the Internet. If a customer wants all machines behind the firewall, BorderWare is used with an external high-speed serial card directly speaking PPP to their Internet service provider. In this situation an extra router, just to drive the serial line, would be an expensive waste.

Q92. Do I have to change my current Internet addresses on my LAN?

A. No, it is not necessary. However, make sure that the outside address of the firewall is on a different subnet than the internal address.

Q93. Can BorderWare handle a T1 connection?

A. Yes, any Pentium, ISA-based platform can flood the full T1 bandwidth.

 

BORDERWARE FIREWALL SERVER PURCHASE AND SUPPORT

Q94. How do I buy BorderWare?

A. You can purchase the BorderWare Firewall Server from STN.
Just call 1 (800) 321-1969, or E-mail "ask@stn.com".

Q95. Is support included in the product price?

A. No. Technical support and update contracts can be purchased from STN. In North America, updates and support cost about 15% of list price per year.

Q96. What methods of support are available?

A. Support is through STN. Border assists STN with difficult problems. Support is available via pager (24 x 7), email, fax, phone or surface mail.

Q97. What are your support hours?

A. Telephone: 9AM-5PM minimum coverage, Eastern Standard Time. Dial 1 (800) 321-1969 or, locally, (703) 379-9700.

Full 7 day, 24 hour support is via pager call back.

Q98. How are updates & upgrades handled?

A. Any improvements made to the security of the system are provided free of charge to all BorderWare users. Feature updates are provided to users with valid update contracts. New functionality upgrades may be provided to users with valid update contracts or may be chargeable enhancements.

Q99. How are updates provided?

A. Updates are provided on 3.5" disk or downloadable from STN's FTP server.

The update must be triggered from the administrator UI. The updates are cryptographically signed to ensure that each one is a valid vendor-supplied update. Since the normal kernel, with its reduced functionality, cannot perform an update on the system software, the firewall is rebooted on a special update kernel that has increased functionality but no networking code. The lack of networking code ensures that the firewall is not vulnerable to attack while it is running with this enhanced functionality.

Q100. Is there an FTP site for support and downloading updates and information?

A. Yes. Technical support information and software updates are available via FTP from ftp.stn.com. The updates are hidden from view so that only users with valid update contracts can retrieve them.

 

OTHER QUESTIONS

Q101. Does BorderWare check for viruses?

A. BorderWare software itself cannot be affected by viruses as it has its own operating system and does not read other file formats such as DOS, Windows or Macintosh, where most viruses originate. BorderWare does not check for viruses being transmitted to each individual host, nor could it do this effectively. Firewalls protect a network from outside intrusion. Virus software checks each individual file on a workstation. Since firewalls are installed between the Internet and an internal network, the firewall could not effectively scan all files on or at a workstation.

Q102. What is the BorderWare security rating?

A. BorderWare has participated in many penetration evaluations and has never been compromised. It has not yet been evaluated according to Orange Book standards.

Q103. Do we offer an evaluation package?

A. We offer a 45 day evaluation package that can be updated quickly to a licensed version through the US. Contact STN at (800) 321-1969, or locally at (703) 379-9700.

   

STN, Inc.
2127 Espey Court, Suite 100
Crofton, MD 21114
Voice: (800) 321-1969 or (410) 721-4004
Voice - DC Metro Area: (301) 858-0110
Fax: (410) 721-9011

Copyright © 2000.  All rights reserved.
Revised: November 3, 2000