:


Original is at
http://www.tis.com/docs/products/gauntlet/gauntletfaq.html




Table of Contents

  1. Purpose of this document
  2. What is an Internet firewall?
  3. What will a firewall do for me?
  4. What will a firewall not do for me?
  5. What is a "network security perimeter?"
  6. What is "defense in depth?"
  7. What is a "perimeter defense?"
  8. What are the different types of firewalls?
  9. What are stateful multilevel inspection firewalls?
  10. Which is the most secure type of firewall?
  11. What are application gateways (proxies
  12. Aren't application gateways and proxies different things?
  13. Aren't application gateways, or proxies, outmoded, old technology?
  14. What is the Gauntlet Internet Firewall?
  15. What services are supported by the Gauntlet Firewall?
  16. Are Gauntlet proxies easy to use?
  17. If I use the Gauntlet Firewall, do I have to modify software on inside machines?
  18. What are the customer needs addressed in version 4.0 of the Gauntlet firewall?
  19. What new features will I find in version 4.0 of the Gauntlet firewall?
  20. What are some of the services supported for secure multimedia communications?
  21. Can I use multiple Gauntlet Firewalls at an Internet gateway?
  22. Do I need special software or a certain operating system to use the Gauntlet Management GUI?
  23. What is a Virtual Private Network?
  24. What's a Virtual Network Perimeter?
  25. What are the benefits of VPNs and VNPs?
  26. Are Gauntlet Firewalls with encryption available outside the USA?
  27. Doesn't the strong encryption require government escrowing of keys?
  28. Why do you say you are the only firewall vendor to export strong cryptography? Vendor XYZ is doing it.
  29. Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
  30. What is network address translation (NAT)?
  31. Does the Gauntlet Internet Firewall support NAT?
  32. Does the Gauntlet Internet Firewall support E-mail and DNS?
  33. What is meant by the term "strong user authentication?"
  34. Do Gauntlet products support strong user authentication?
  35. Can I use reusable passwords for outbound connections?
  36. What are the qualifications of a firewall administrator?
  37. Can you guarantee that my Gauntlet Firewall will never crash?
  38. What kind of logging does the Gauntlet firewall do?
  39. What firewall activity reports come with Gauntlet firewalls?
  40. If I have a Gauntlet box, do I still need a router?
  41. On what operating systems do Gauntlet products run?
  42. Why is it important to "harden" an operating system for a firewall?
  43. Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?
  44. Should user accounts be permitted on a firewall?
  45. Should general servers, such as WWW servers, be permitted on a firewall?
  46. Does the Gauntlet Internet Firewall allow UDP or ICMP through?
  47. Does the Gauntlet Internet Firewall check for viruses?
  48. Is the Gauntlet Internet Firewall available in my country?
  49. Isn't the Gauntlet Internet Firewall based on freeware?
  50. What are the differences between the Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit (FWTK)?
  51. Does TIS support the FWTK?
  52. Doesn't the availability of source code make a firewall more vulnerable to attacks?
  53. Isn't making source code available contrary to good security practices?
  54. What is an "intranet?"
  55. What is the Gauntlet Intranet Firewall?
  56. Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?
  57. What's the Gauntlet Net Extender?
  58. What is the Gauntlet PC Extender?
  59. Does Gauntlet PC Extender run on Windows 95 or Windows NT?
  60. With what PC network products does the PC Extender work?
  61. What do we have to do before we install our Gauntlet firewall?
  62. What is the price of the Gauntlet Internet Firewall?
  63. How can TIS claim that it has "The Most Secure FirewallsSM"?
  64. What is your design approach?
  65. What can you recommend for further reading?
  66. How is TIS different from other firewall vendors?
  67. How do I contact TIS for more information?

Purpose of this document

The purpose of this document is to answer questions about the Gauntlet Internet Firewall and internetwork firewalls.

What is an Internet firewall?

A firewall is "a system or combination of systems that enforces a boundary between two or more networks." (All definitions in quotes are from the National Computer Security Association's standard Firewall Functional Summary template.) It is a controlled gateway between one network and another. Typically, people discuss putting a firewall between a private, trusted network and the public Internet. It is analogous to a guard post in the lobby of a building, or at the gatehouse of an enclosed installation. For more detail, see what we recommend for further reading near the end of this document.

What will a firewall do for me?

Connecting your private, internal network to an outside, untrusted network can be both a blessing and a curse. A blessing in that the exchange of computerized information (the lifeblood of modern commerce) is greatly facilitated. A curse in that you may be exposing your valuable network resources and the reputation of your organization to the whims of Internet hackers or industrial spies. These problems have been extensively documented in the technical media (see TIS's web page at www.tis.com). To minimize the risk while maximizing the benefit requires that an organization develop a comprehensive Network Security Plan. This should include user security awareness training, qualified network security system administrators, and a network architecture that promotes structured security and the use of appropriate network security components. The Gauntlet Internet Firewall is one of the important components of a well-designed network security architecture.

The Gauntlet Internet Firewall is designed to be the single point in your network through which all communications between your internal network and all outside, untrusted networks must pass. This is also the point at which the Network Security Administrator may monitor and control the flow of information between the networks. The Gauntlet Internet Firewall supports strong authentication mechanisms to insure that only authorized users can enter your protected network. The Gauntlet Internet Firewall is capable of preventing unauthorized communications in either direction, and provides a log of all connections across the firewall in either direction. Properly configured, the Gauntlet firewall presents an impenetrable barrier to even the most persistent hackers seeking to access your network.

See our further reading list for more detailed information.

What will a firewall not do for me?

An Internet firewall is a controlled gateway. It cannot stop attacks from malicious insiders, nor can it take the place of education and security policies and procedures. It is part of an overall security plan.

What is a "network security perimeter?"

A network security perimeter is established by the methods and mechanisms used to secure the network against outside intrusion.

What is "defense in depth?"

Defense in depth, also called host-based security, is "the security approach whereby each system on the network is secured to the greatest possible degree. [It] may be used in conjunction with firewalls."

What is a "perimeter defense?"

Also known as perimeter-based security, it is "the technique of securing a network by controlling access to all entry and exit points of the network."

Before launching into a description of different types of firewalls, the concept of a perimeter defense should be understood because of its importance to the proper function of a firewall. To a site administrator, establishing a perimeter defense means that all communications between the internal network and external, untrusted networks must pass through the firewall(s) in order to monitor and control the traffic. The organization's Network Security Plan should specify that any form of connection to or from machines outside the internal network is strictly forbidden without review and authorization from the security administrator. This should include modems, leased lines to other networks, etc. Users should be aware that connections between their secure internal network and any outside network, including that of a trading partner or client, may expose the internal network to attackers that have broken into the other network. It makes little sense to have a strong, well-protected front door (the firewall) if the back door and all the windows are left open.

What are the different types of firewalls?

There are four types of firewalls: filtering gateways, circuit gateways, application gateways, and hybrid or complex gateways.

Filtering Gateway

Filtering firewalls use routers and packet filtering rules to grant or deny access from one source address (host) and port (service) to a second destination address and port. Also called a screening router, it is "a router configured to permit or deny traffic based on a set of permission rules installed by the administrator."

For example, the administrator can use the router rules to permit a particular machine on the external network to FTP to a specific machine on the internal network, but deny that same machine the ability to TELNET to the internal machine. Similarly, one specific address on the external network can be permitted to FTP to a specific address on the internal network while all other addresses are denied permission to FTP to that address on the internal network.

The advantages of a packet filtering firewall are that they are fast, generally inexpensive, very flexible, and transparent. Also, they can be implemented on routers, and most organizations already have routers. Routers support static (unchanging) filtering.

Another type of filtering, dynamic filtering, tries to make sense out of higher-level protocols and adapt filtering rules to accommodate protocol-specific needs (e.g., simulated connections for connectionless protocols such as NFS and RPC services).

A disadvantage of a filtering gateway is once access has been granted by the router to a host on the internal network, the attacker has direct access to any exploitable weaknesses in either the software or the configuration of that host.

Another disadvantage of a packet filter is the source and destination addresses and ports contained in the IP packet header are the only information available to the router for making the decision to grant or deny access to the internal network. Unfortunately, source destinations and ports can be spoofed so that you cannot be sure who is really making the request for access. This is a critically important concept to understand. In reality it means that if you permit anyone to come through your router and access software on one of your internal host machines, everyone can access that software on that host. And if the software being accessed cannot do strong authentication, or has a hole in it, the intruder has gained access to your network.

Also, routers do not generally provide robust (if any) logging facilities, making it difficult to know when your network is under attack, or how to recover from a successful attack.

Further, packet filtering firewalls do not support the concept of strong user authentication, and access from untrusted networks should not be granted without strong authentication (see the question on strong user authentication).

Another problem is that both the hardware and software of routers may contain exploitable weaknesses. Routers are generally designed for performance, not security.

Finally, router rules are complex and are very difficult to "get right." Even highly qualified network professionals will occasionally add or modify a rule in the router's rule-base, and in so doing, accidentally open a hole through the router.

Circuit Gateway

A circuit level firewall is a means of handing an outgoing connection request from a client on the internal network to a single machine acting as a firewall, such that it will appear to the remote site that the connection request actually came from the firewall.

The principal advantage of a circuit level firewall is that it prevents direct connection between internal and external machines. All incoming requests are blocked. If a user on an internal machine writes code that listens on some non-standard port, users on external hosts have no way to reach that port. This gives the Security Administrator a single point at which to control incoming connection requests.

A disadvantage, or limitation of a circuit level gateway, is client software on the internal network may have to be modified to do the necessary "handshake" with the circuit level gateway software (for example SOCKS), and source code for the client software may be unavailable.

Application Level Gateway

An application gateway is "a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host."

An application level firewall is generally considered to be the most secure type firewall. The Gauntlet Internet Firewall is an application level firewall. Like the circuit level firewall, the Gauntlet firewall is configured to be the only host address visible to the outside network, requiring all connections to the internal network to go through the firewall. An application level firewall is distinguished by the use of proxies (application gateways) for services such as FTP, TELNET, etc., which prevent direct access to services on the internal network.

One advantage of this type of firewall, is that proxies prevent direct connection between internal hosts and external, untrusted hosts. All incoming requests for services such as HTTP, FTP, TELNET, RLOGIN, etc., regardless of which host on the internal network will be the final destination, must first go through the appropriate proxy software on the firewall.

For example, consider a host on the external network requesting a connection to port 25 on any one of the many hosts on a network not protected by the Gauntlet Internet Firewall. Every host on the internal network could be running a different implementation of Sendmail, or different versions of the same implementation, each with known security problems. Because an attacker has direct access to every host on your internal network, he can try port 25 on every host on the internal network until he finds one running an implementation of Sendmail with an exploitable hole. From there he can gain access to the machine, and then to your entire internal network.

To protect against this type of attack, you can either secure every computer in your organization (usually impossible to enforce), or require that all connections go through a control point on which you have already made the security adjustments.

Strong user authentication (see below) should be required for all incoming connection requests before granting access to the requested service on the internal host when the protocol supports it. Application gateways, or proxies, allow enforcement of user authentication.

Comprehensive logging at the application level can be performed by proxies.

Since all communications between the internal and external networks are required to go through one of the application proxies, the proxies can restrict those communications to transactions appropriate to the specific service being used. They are also in position to do content-type filtering, such as blocking Java code from coming in from the outside.

The principal limitation of application gateway firewalls is that in some environments, there may be a requirement for data transfer rates in excess of the capacity of the firewall. The capacity of the Gauntlet Internet Firewall has not been determined, but it has demonstrated throughput of 10 Megabits/second (Ethernet speed), exceeding the capacity of a T1 link (about 1.5 Megabits/second).

Hybrid or Complex Gateways

Hybrid gateways, combine two or more of the above methods. If these methods are added in parallel, the network security perimeter will be only as secure as the least secure of all methods used. If they are added in series, the overall security is enhanced. All commercial firewalls that are hybrid systems, have the mechanisms in parallel.

A vendor who claims that a hybrid firewall is more secure by virtue of being more complex does not understand security. A useful truism of security to keep in mind is "complexity and security are often inversely proportional."

What are stateful multilevel inspection firewalls?

Stateful inspection can also be called stateful filtering, as it is basically a filtering type of firewall (see above) with additional granularity. Stateful filters parse IP packets and keeps state about connections in the operating system kernel. They may be faster than proxies - the proxy mechanism is at a lower level - but are also more complex.

If an interface for a particular service has protocol specific knowledge, a SMLI firewall will have more security for that particular service than a more simpler packet filter would. (And so, to add new services requires additional code, just like for a proxy-based firewall.) If it does not have protocol specific knowledge, then there is no added security - it has the same level of security as a filtering gateway.

Which is the most secure type of firewall?

Experts agree that the most permissive, and least secure, type of firewall is the filtering gateway, and the most secure is the application gateway. Experts, such as Cheswick and Bellovin -- see reference in the "further reading" area of this document, Ted Julian in IDC's Firewall Marketing report dated February 1996, and Rik Farrow, for example in the May 1996 issue of UniForum's "IT Solutions" magazine.

Bill Cheswick, well known firewall and Internet security expert, pointed out (in the June 17, 1996 issue of LAN TIMES), "Packet filters can protect your [network] quite adequately if they are properly designed. The hard part is getting the rules right and testing the filter to see if it is truly secure."

Winn Schwartau, president of InterPact, Inc., a security consulting company added, in the same article, "Don't bother [with packet filters]. They are a waste of money. ... if you are going to have no control over user activities, why bother?"

What are application gateways (proxies)?

The terms "application gateways" and "proxies" mean the same thing. A proxy in a firewall is a software mechanism that acts on behalf of another. It will sit between a client on one side of the firewall and a server on the other. To the client it looks and acts like a server; to the server it looks like client software. It acts as a proxy for both sides.

All application data flows through the proxy. Because of this the proxy is in a unique position to log information (time of connection, number of bytes transferred, etc.) and enforce access rules (who can connect to what for which service at what time).

Aren't application gateways and proxies different things?

No, they are different technical terms for the same mechanism.. It is possible that some people use them to mean different things in their marketing literature, but they are synonymous terms.

Aren't application gateways, or proxies, outmoded, old technology?

Of course not. Application gateways have been around only a few years. As discussed above, they are the most secure kind of firewall mechanisms. Anyone who says otherwise disagrees with the experts, and is probably blowing marketing smoke.

Applications gateways are much more secure than any other kind of firewall mechanism, certainly more so that any filter-based solution. At a CSI conference during the Meet the Enemy session, hackers fingered a stateful inspection firewall as their "favorite firewalls" to come up against. Hackers would rather not find an application gateway firewall such as the Gauntlet Internet Firewall.

What is the Gauntlet Internet Firewall?

The Gauntlet Internet Firewall is an application-based firewall featuring the most secure firewall design in the industry. The Gauntlet product features:

What services are supported by the Gauntlet Firewall?

The Gauntlet Internet Firewall includes proxies for the following services:

There is also a proxy that acts as a "patch panel" for simple services in a one-to-one or one-to-many configuration, called the "plug gateway." Through this gateway, the Gauntlet Internet Firewall supports

An authenticated circuit gateway allows the firewall manager to configure certain "plug gateway" services to be available on a per user basis after users authenticate themselves to the firewall.

An authentication server supports the use of strong user authentication (identification) via security tokens or one-time password mechanisms.

Additionally, the Gauntlet Internet Firewall provides optional support for extended content security;

Are Gauntlet proxies easy to use?

All proxies supplied with the Gauntlet Internet Firewall can be installed for "transparent mode" operation. In transparent mode, the user just issues the command to connect to a machine on the other side of the firewall, and the connection is made. All communication goes through the appropriate application gateway. It just seems like a direct connection to the user.

If I use the Gauntlet Firewall, do I have to modify software on inside machines?

None of the Gauntlet Internet Firewall proxies require modification of the software on the internal network.

What are the customer needs addressed in version 4.0 of the Gauntlet firewall?

The Gauntlet Internet Firewall Version 4.0 addresses the following customer needs:

Secure Multimedia Communications

Extended Content Security

Support for Enterprise Network Management

Extended DBMS Security

Enhanced Native Management

What new features will I find in version 4.0 of the Gauntlet firewall?

Streaming Multimedia Support For Most Popular Real-Time Information Services

Support For Virus Scanning of Mail, FTP, and HTTP Traffic

HP Network Management Support (OpenView)

New JAVA-Based GUI for Local and Remote Management

Extended DBMS Security with Oracle SQL*NET proxy

What are some of the services supported for secure multimedia communications?

ReadAudio/RealVideo, Xing, NetShow, VDOLive, are all supported through specialized proxies.

Can I use multiple Gauntlet Firewalls at an Internet gateway?

Many of our customers install multiple Gauntlet units in parallel at gateways for load balancing and redundancy. This configuration works very well.

Do I need special software or a certain operating system to use the Gauntlet Management GUI?

The management system can be accessed using any "Web browser" program (e.g., Microsoft Internet Explorer, Netscape Navigator) from any platform that supports them. No special software is needed.

What is a Virtual Private Network?

A virtual private network, or VPN, through encryption, provides privacy for all allowed network traffic between two gateways. In a VPN, no level of trust between the networks need be assumed. A VPN provides privacy only. A VPN is not necessarily a Virtual Network Perimeter.

What's a Virtual Network Perimeter?

This term was coined by TIS in a technical paper (#1 in the reading list later in this document). A VNP is a Virtual Network security Perimeter: network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks. The use of firewalls, encryption, and standard administration, control, and policies that allows an organization to extend a network to include multiple locations that may be connected over an untrusted network, such as the Internet. In a VNP, all network services may be opened up between the trusted networks, allowing even "insecure" network services, by virtue of the protection allowed by the network security perimeter. A VNP is also a Virtual Private Network.

What are the benefits of VPNs and VNPs?

For sake of example, envision a corporate headquarters in Maryland with a branch office in California. Each site has a private local area network protected by a Gauntlet Internet Firewall. Without encryption, all of the traffic passing between the two sites would go across the Internet "in the clear," meaning that anyone with a "sniffer" attached to one of the many network links between Maryland and California could read and understand the traffic. If I were sending e-mail, they could read my e-mail. If I were sending a proposal via FTP, they could read the proposal.

Now let's assume that we turn on encryption between the two firewalls. As traffic leaves the site in Maryland, the firewall uses a secret key known only to the firewall in California to scramble the traffic in such a way that it cannot be read or understood by anyone as it passes across the Internet. Your e-mail, or proposal, would look like unintelligible garbage to anyone using a sniffer.

There are two main benefits to using firewall-to-firewall encryption. The obvious benefit is that traffic cannot be "seen" by others (including intruders) as it passes across the Internet between the two firewalls. This prevents sensitive information from falling into the wrong hands, and denies intruders access to information they might use to attack your network. The less obvious benefit of such encryption is that traffic between the two firewalls is no longer restricted to the services provided by the firewall proxies. Now any application can safely be used. Client/server database or financial applications can be used. TELNET logins can be permitted without the need for strong authentication. The encrypted link between the firewalls turn the two protected networks into a single trusted environment.

Are Gauntlet Firewalls with encryption available outside the USA?

Yes, Gauntlet Global Virtual Private Networks (GVPNs) are available worldwide. Strong cryptography (56 bit DES and Triple DES) are available. Gauntlet firewalls are the only firewalls available worldwide with strong, standard cryptography.

Doesn't the strong encryption require government escrowing of keys?

No, not at all. TIS can export 56 bit DES free and clear. Triple DES can be exported in conjunction with TIS's RecoverKey™ technology. This patented technology requires no escrowing of keys, and has been available on the Gauntlet firewall since January of 1996.

Why do you say you are the only firewall vendor to export strong cryptography? Vendor XYZ is doing it.

We say it because it is true. If you look closely, vendor XYZ supports DES only the in the US. They cannot export DES from their home (non-US) country. They use a proprietary encryption algorithm that has been approved by their government for export. They are not exporting DES worldwide. They may not export DES from the US nor from their home country. Also, they do not suport Triple DES at all.

Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?

While we cannot understand why anyone would use any other firewall, the answer is "yes." Gauntlet firewalls can communicate over a VPN with any product supporting IPSEC and ISAKMP.

What is network address translation (NAT)?

Devices that support NAT, allow networks to use unregistered or "illegal" (unsupported or unassigned) IP address on a network on one side of the NAT device, while being connected on the other side to the Internet. The NAT device translates the illegal address into a legal address for outside use. Does the Gauntlet Internet Firewall support NAT?

Yes, because the firewall is your only connection to the outside world, the outside network has no knowledge of IP addresses on the inside network. The Gauntlet Internet Firewall, by nature of its design as an application gateway-based firewall, translates all internal addresses to the firewall's address, and is designed to hide internal addresses from the "untrusted" network.

Does the Gauntlet Internet Firewall support E-mail and DNS?

Yes, since a firewall often acts as an internetwork gateway to an organization, the Gauntlet Internet Firewall includes an e-mail gateway and DNS set-up. Both the e-mail gateway and the name server hide internal addresses from the outside.

What is meant by the term "strong user authentication?"

This discussion of strong user authentication is from our paper "A Network Perimeter With Secure External Access":

"We use 'authentication' as defined by the National Computer Security Center's 'Red Book' [2] as '(1) to establish the validity of a claimed identity or (2) to provide protection against fraudulent transactions by establishing the validity of ... the individual ....' Identification of a user is often accomplished on computers through the use of a user name and password pair. The password is kept secret and must be difficult to guess; only the user knows the proper name and password pair to use. In reality, passwords are often weak (guessable). Further, in the case of identifying users over outside communication links, there exist opportunities for capture of the user name and password information (although the password is usually not echoed, it is transmitted over the communications link 'in the clear'). Consequently, while it would seem that a user name and password pair constitute good identification criteria, the password is too easily guessed or captured. [With strong user authentication], authentication of a user is done in such a fashion that we can apply a high degree of trust to the identification. This can be accomplished with one-time passwords, or authentication devices ..."

Do Gauntlet products support strong user authentication?

The network authentication server provides a generic authentication service for firewall proxies. Its use is optional, required only if the firewall interactive proxies are configured to require authentication. It acts as a piece of "middleware" that integrates multiple forms of authentication, permitting an administrator to associate a preferred form of authentication with an individual user. This permits organizations that already provide users with authentication tokens to enable the same token for authenticating users to the firewall. Several forms of challenge/response cards are supported, along with software-based one-time password systems, and plaintext passwords. Use of plaintext passwords over the Internet is strongly discouraged, due to the threat of password sniffing attackers.

The Gauntlet Internet Firewall supports may third party authentication devices. Please contact TIS for an up-to-date list.

Can I use reusable passwords for outbound connections?

Many sites would like to be able (usually for accounting purposes) to have users on the internal network use a password for outbound TELNET or FTP connections. However, since they do not want to go to the expense of providing all of their internal users strong authentication tokens, the question becomes "Can I require them to use the normal username and reusable passwords like the ones they use for logging into the internal network in the first place?" In general, the answer is a guarded "yes."

What are the qualifications of a firewall administrator?

The firewall administrator should be a qualified TCP/IP network administrator. This is not because others cannot easily learn to make necessary changes to the firewall using the firewall maintenance interface, but rather because the peripheral TCP/IP issues (such as DNS configuration, etc.) are important to understanding how the firewall will function in a network environment. The firewall is only one component in a complex architecture of interdependent components, and the firewall administrator should understand how changes to the firewall will affect the rest of the network.

Can you guarantee that my Gauntlet Firewall will never crash?

No, firewalls run on computers, and computers occasionally fail. Since the firewall is the only link to networks outside the private network, if the firewall fails you lose your connection to those outside networks until the firewall machine can be repaired. Because some sites have a critical need for continuous access to and from the Internet or other private networks, TIS permits clients of the Gauntlet Internet Firewall to maintain a cold backup capability. A cold backup refers to a machine identical to the firewall, with all of the Gauntlet Internet Firewall software, the operating system, system files, etc., sitting on a shelf ready to replace a failed machine. The only restriction is that the primary firewall machine and the backup machine cannot be actively operating as a firewall at the same time. If your organization feels a backup unit is necessary, ask your TIS sales representative about the current cost of a backup unit.

What kind of logging does the Gauntlet firewall do?

The Gauntlet Internet Firewall provides detailed audit logs of sessions. All services accessed through the firewall are logged to the security log system. This is turned "on" by default at the highest level of logging. The following events are logged by default:

All operating system kernel warnings and errors

All file system warnings and errors

All attempted accesses to network services, whether successful, whether a supported service, including rejected source routed addresses and ICMP redirects.

All successful network accesses, logging source and destination addresses, service, time of day, disconnection time of day, number of bytes transferred (if applicable), commands accessed (FTP), and URLs accessed (HTTP)

All interactions with the user authentication server subsystem

What firewall activity reports come with Gauntlet firewalls?

The Gauntlet Internet Firewall is supplied with two log reduction reports. The first is a Summary Report in which the use of each service (such as FTP) is summarized by user and usage. For example, the firewall administrator might choose to have the report show him who the top 20 users of TELNET were (how many times they connected to that service, what address they connected to, and how many bytes of data they transferred, etc.)

The second report is the Exception Report. To produce this report, the firewall administrator specifies the information he is not interested in seeing, and everything else is included in the report. As a rule, administrators will quickly develop a feel for the normal activity of the firewall usage at their site. The exception report can then be used to examine closely any "unusual" activity.

In addition, because the firewall logs are human-readable UNIX syslogs, each site can have simple UNIX scripts written that look for specific events that are of special interest, and have the script perform such actions as send a message to the administrator's console if the event should occur.

More extensive logging, intrusion detection, etc. will be available through third party products in mid-1997.

If I have a Gauntlet box, do I still need a router?

The Gauntlet Internet Firewall does not require the use of a router, but routers may be employed to enable certain configurations and architectural options. While most customers employ routers when connecting to a WAN, filtering rules installed in the router are only used as a way to reduce network "noise," rather than protect the Gauntlet Firewall. The Gauntlet Internet Firewall is designed to be a self-contained security system, not relying on other network components for its own or the internal network's security. TIS will assist Gauntlet Internet Firewall clients in determining the need for routers.

On what operating systems do Gauntlet products run?

The Gauntlet Firewall Software is available for the following operating system platforms:

BSD/OS operating system from Berkeley Software Design, Inc.

HP-UX from Hewlett-Packard

Solaris from Sun Microsystems

Windows NT from Microsoft

TIS has hardened these operating systems for use with the Gauntlet firewall.

Additionally, Gauntlet Firewall Software for IRIX is available from Silicon Graphics.

Why is it important to "harden" an operating system for a firewall?

The operating system is the base platform for firewall software. Most commercial operating systems are created to allow general use and access and provide many services useful for multiuser, server systems (services such as NFS), but too insecure to allow on a firewall. The base operating system must be "tightened" to disallow insecure services and to apply security patches. Unfortunately, most firewall vendors do not bother to do this. Consequently, their firewalls may be installed on insecure systems, devaluing the firewall's security.

Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?

Gauntlet Firewall Software supports all network interfaces supported by the operating systems. The turnkey version of the Gauntlet Internet Firewall supports only Ethernet connections at this time.

Should user accounts be permitted on a firewall?

No! The only account on the firewall is that of the Firewall Administrator, and he should either be required to use strong authentication, or be restricted to logging in from the firewall console.

Should general servers, such as WWW servers, be permitted on a firewall?

Only if you are using the secure servers available with the Gauntlet Internet Firewall, version 3.1 and later. Every application that is in any way directly accessible to attack from untrusted networks runs the risk of opening holes into the protected network. Only software specifically written to be secure, and rigorously reviewed for security relevant flaws (such as the proxies), should be placed on the firewall.

Does the Gauntlet Internet Firewall allow UDP or ICMP through?

The Gauntlet Internet Firewall does not standardly permit any connectionless protocols such as UDP or ICMP across the firewall. Because their connectionless nature makes it impossible to determine their actual source, all such applications must be considered inherently insecure and inconsistent with conservative firewall security. These services may be run through a VNP. Select services - SNMP, RealAudio, and Finger, for example - are supported securely through Gauntlet firewalls.

If anyone tries to sell you a firewall that allows generic UDP services through, ask to see their security assessment paper on the service, so you can understand why they think they can secure such services.

Does the Gauntlet Internet Firewall check for viruses?

Virus scanning software is supported by the Gauntlet Internet Firewall. Check with your sales representative for products and support options.

Is the Gauntlet Internet Firewall available in my country?

Yes. The Gauntlet Internet Firewall may be purchased from a growing list of resellers throughout the world, including Africa, Asia, Australia, Europe, and North and South America. Please contact TIS for a list of resellers.

Isn't the Gauntlet Internet Firewall based on freeware?

The Gauntlet Internet Firewall was originally based on the TIS Internet Firewall Toolkit, but is no longer. The TIS Internet Firewall Toolkit is licensed and freely available, but it is not "freeware," "public domain," nor "shareware." The FWTK has been downloaded by more than 50,000 individuals.

What are the differences between the Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit (FWTK)?

The FWTK is a licensed, freely available set of tools for building internetwork firewalls. It is made to be used by experts. The Gauntlet Internet Firewall is a complete, fully functional, fully supported product. This table provides a comparison:
Gauntlet Internet Firewall TIS Internet Firewall Toolkit
Source CodeSource Code
TELNET ProxyTELNET Proxy
Rlogin ProxyRlogin Proxy
FTP ProxyFTP Proxy
HTTP Proxy (WWW)HTTP Proxy (WWW)
Gopher ProxyGopher Proxy
SMTP ProxySMTP Proxy
NNTP ProxyNNTP Proxy
X11 GatewayX11 Gateway
Authentication ServerAuthentication Server
Java and ActiveX blockingJava blocking (contributed)
RSH Proxy
URL Screening (to control WWW access)
SSL
SHTTP
POP3
Authenticated Circuit
Printer
Secure Server (FTP and HTTP)
E-mail Gateway
DNS Server
RealAudio
RealVideo
Xing
NetShow
VDOLive
Netmeeting
Sybase SQL
Oracle SQL*Net
Graphical Management Interface
Management Tools
Configuration Tester
Hardened Operating System
Smoke Alarms (intrusion probing alarms)
IP Spoof Protection
Routing Attack Protection
Transparent Access
Firewall-to-Firewall Encryption
Firewall-to-Desktop Encryption
Integrated Hardware Platform
Fully Integrated Software Components
Installation Support
Training
Telephone Support
Updates

Does TIS support the FWTK?

TIS engineers will monitor the FWTK mailing lists, but no direct support is available. The fwtk-support list is used for support questions and answers; the user community provides its own support for the FWTK.

TIS distributes the FWTK, provides an FTP area for contributed software, and will package a new version, containing contributed code and bug fixes, at least every 12 months.

Doesn't the availability of source code make a firewall more vulnerable to attacks?

All firewalls are under the threat of attack. Vulnerability is a measure of whether a weakness exists that someone can exploit. We do not believe in security through obscurity. Our software has been developed using strong testing methods with the knowledge that it would be available in source code. We are depending on our design criteria and strong methods of development and testing rather than depending on the secrecy of our code. When ("when," not "if") someone's secret algorithm is reverse engineered, if they do not know it, they end up being vulnerable to attack, while still believing that they are safe.

Isn't making source code available contrary to good security practices?

On the contrary, formal security mechanisms are often based on open (well known) mechanisms. One example, is the Data Encryption Standard (DES). A characteristic of good security is that knowing the algorithm does not get you any closer to breaking the security, as with DES, knowing the input, the output, and the algorithm, does not get you the secret key.

What is an "intranet?"

According to the "Internet Marketing and Technology Report," Volume 2, Number 3, dated March 1996, "the term Intranet refers to an internal network that uses Internet technology and protocols (TCP/IP) to distribute informational resources to individuals within an organization." Think of it as internetworking within a trusted network. Even within a trusted network's security perimeter, an organization might want to compartmentalize systems and networks within networks. Firewalls within an organization's security perimeter can accomplish this.

What is the Gauntlet Intranet Firewall?

It is a firewall meant to be deployed within an organization's network security perimeter. It's used on the enterprise intranet. It is an add-on to an existing Gauntlet Internet Firewall, that allows you to place additional network strongholds within your network security perimeter.

Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?

It has most all the features of the Gauntlet Internet Firewall, at a lower price, but the main difference is that it is configured in conjunction with, and managed through an existing Gauntlet Internet Firewall. Operating within an organization's network security perimeter, the Gauntlet Intranet Firewall protects an enclave within an enclave. It's general access rules come from the controlling Gauntlet Internet Firewall. Additional access rules may be added. All logging is done via the logging rules defined by the master Gauntlet Internet Firewall. Encryption may be added. Additional services, normally considered insecure through an outer firewall, may be permitted through a Gauntlet Intranet Firewall. Also, because it is deployed within an organization's "trusted" network, firewall-to-firewall encryption is an option.

What's the Gauntlet Net Extender?

The Gauntlet Net Extender is a firewall for a remote office. It is an add-on to an existing Gauntlet Internet Firewall and has all the functionality of the Gauntlet Internet Firewall. Like the Gauntlet Intranet Firewall, it is managed through a master Gauntlet Internet Firewall and logging is done through the master firewall. The Gauntlet Net Extender must have an encrypted link to the master Gauntlet Internet Firewall. This can be used to set up a VPN or a VNP (see above). The Gauntlet net Extender "extends" the network security perimeter (see above discussion) to include other, remote offices.

What is the Gauntlet PC Extender?

The Gauntlet PC Extender is an add on to an existing Gauntlet Internet Firewall, extending the network security perimeter to include remote or mobile users. It allows for private and secure connections from home, hotel room, or remote Internet site, through your firewall into your private network. This means that a traveling user can use his or her PC in the same way and for the same services available when in the office, even services normally considered insecure (such as PC-NFS). Strong authentication and encryption provide the security needed.

The Gauntlet PC Extender runs on Windows 3.1.

Does Gauntlet PC Extender run on Windows 95 or Windows NT?

Yes

With what PC network products does the PC Extender work?

Contact your Gauntlet sales representative for the latest list of tested products, which includes Chameleon, Beame & Whiteside TCP, and Trumpet Winsock.

What do we have to do before we install our Gauntlet firewall?

TIS will send you a document explaining the questions that need answering and all preparations you need to make. This is a summary or key preparations:

If the installation is intended to connect the site to the Internet, an Internet connection available configured to the address of the Internet side of the firewall. This is to permit testing of the installed firewall.

A properly implemented firewall should be consistent with the goals of the site's Network Security Plan. The Network Security Plan should be made available to the firewall installer prior to installation.

The site should have a UNIX system administrator who is familiar with the site's various system files and network configuration available to work with the TIS installation personnel.

Prior to installation, a questionnaire is sent to the client's system administrator eliciting information concerning internal address schemes, DNS requirements, E-mail configuration requirements, etc. This questionnaire should be returned at least one week prior to installation.

What is the price of the Gauntlet Internet Firewall?

Contact TIS or your Authorized Gauntlet Reseller for current pricing and configurations.

How can TIS claim that it has "The Most Secure Firewalls"?

TIS bases its claim on the years of experience we have in formal computer, communications, and network security, and on building our firewall products using the most secure design approach in the industry.

What is your design approach?

Since an application gateway is the most secure type of internetwork firewall, TIS has designed the Gauntlet Internet Firewall to rely on proxies to provide services. Firewalls that combine application, circuit, and filtering gateway technology are only as secure as the weakest link of the three. In the Gauntlet Internet Firewall, all communication between one network and another is turned off. Network services are individually enabled through the application data bridges, called proxy software or proxies. Network packets are never passed between the networks, only application data. No direct connection is ever made between machines on opposite sides of the firewall.

The design approach, expanded in our functional summary document, combines the following seven tenets:

Simplicity in services provided and mechanisms

Simplicity in software design, development, and implementation

A "Crystal Box" approach, in which source code is distributed to allow for assurance reviews by our customers, our resellers, and other experts

No users are allowed on the firewall system itself

Anything that can be logged, should be logged, for a complete security audit trail

Strong user authentication methods and mechanisms must be supported and encouraged

A firewall should enforce an organization's network security policy, not impose one of its own

What can you recommend for further reading?

  1. Frederick M. Avolio and Marcus J. Ranum, "A Network Perimeter with Secure External Access", TIS Report.
  2. Frederick M. Avolio, "Building Internetwork Firewalls," Business Communications Review, January, 1994.
  3. William Cheswick and Stephen M. Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley, 1994.
  4. Steven B. Lipner, "Barbarians at the Gateway," Business Communications Review, January, 1995.
  5. Marcus J. Ranum, "Thinking About Firewalls," Proceedings of Second International Conference on Systems and Network Security and Management (SANS-II), April, 1993.
  6. http://www.tis.com/ has white papers on firewalls and network security.
  7. http://www.gocsi.com/firewall.htm has information about firewalls.

How is TIS different from other firewall vendors?

TIS is not a new, one-product company. Since its founding in 1983, TIS's business has been computer, communications, and network security associated with today's local and wide area networking environment. The TIS staff has experience in computer and communication security evaluation; development of computer security systems; development and use of formal security methodologies and tools; and security evaluation, certification, and accreditation of systems and networks. The focus of TIS's corporate organization is in providing systems security engineering support.

Trusted Information Systems, Inc. (TIS) specializes in advancing the state of information security technology and in reconciling system security requirements with the functional and mission requirements of operational systems. TIS is internationally known and respected for its research and applications solutions. TIS provides security products, such as the Gauntlet Firewall Family of products. TIS's consulting services are well known for excellence, completeness, and integrity.

TIS is publicly traded on the NASDAQ, symbol TISX.

TIS has offices located in the Washington, DC area, with its headquarters in Glenwood, Maryland, and the headquarters of its Commercial Division in Rockville, MD. TIS also has offices in McLean, Virginia, Los Angeles, San Francisco, London, and Munich.

How do I contact TIS for more information?

For further information please send electronic mail to:
gauntlet-sales@tis.com, call us toll-free at 888-FIREWALL, or (301) 527-9500, send a fax to (301) 527-0482, or write to us at:
Trusted Information Systems, Inc.
Gauntlet Sales Department
15204 Omega Drive
Rockille, MD 20850


TIS Home

webmaster@tis.com


Last-modified: Wed, 28 Apr 1999 03:01:02 GMT
: