On Tue, 22 Apr 1997, Frank Willoughby wrote:
> >> BRIEF COMPARISON
> >> Criteria                 Checkpoint                     Gauntlet
> >> Firewall Type            Packet Filter                  Application Gateway
> >It is inaccurate to call Checkpoint a "packet filter." SMLI, while certainly
> >not as secure as an application gateway (IMHO), is still not a packet filter,
> >which is exactly what you would call access lists on a Cisco.
> I disagree. The basic/core technology of the Checkpoint firewall is that it
> is indeed a packet filter. Checkpoint has added the "stateful inspection"
> to its firewall's capabilities, and while this provides a level of security
> in addition to a packet filter, it is still operating at level 3/4 of the
> OSI stack - and consequently, still is a packet filter.
Not true. Level 3 is immediately realized by a Cisco packet filter. 4 is
really an issue of protocol, ensuring that packets reach their destination.
Session is at level 5... SMLI/Checkpoint maintains session state tables
for all connections. Presentation (level 6) is less of a security issue
than is proper formatting, though I can see places where perhaps checking
certain size limits would be necessary, as the Presentation layer is supposed
to handle making certain that data is usable by applications. Finally,
I've heard that Checkpoint now does application level checking for some
things (like well-known sendmail-based attacks).
> >> Performance              High                           Medium
> >It all depends on what you're passing. Both Checkpoint and TIS have
> >been shown to function admirably at Ethernet speed or faster, with
> >application load variance.
> I disagree with the first sentence. Granted, both handle Ethernet
> speeds very well. In fact, the Gauntlet's performance is much better
> than some other application-level firewalls on the market that we have
> tested. However, any packet filter will be able to outperform an
> application-level firewall because it isn't performing security checks
> at the application layer.
You are misunderstanding what I'm saying. A simple packet filter
fundamentally should be able to perform faster than a gateway application
firewall, but try to prove it with a 2501 vs. Gauntlet or FTWK on a good
box, and you're going to prove yourself wrong. That's why performance is
not an issue that deserves a "medium" "high" type rating system. What you
pass is key: if you are using a T1, then you have 1.544Mb to pass, and
even cramming, you'll never get more than 1.4 after overhead. And if you
compare what TIS does vs. Checkpoint on that T1, you'll find that
TIS is just as good, if not better. The "performance" rating that
always touts packet filtering as superior performance is based on maximum
load conditions, testing with 100Mb connectivity, which is an unreality for
most businesses. In these "flood" conditions, which can't ever come to
exist for most people, you can prove that certain packet filtering
firewalls will beat application gateways.
I bring up this point because it is often used to market packet filtering
as superior, but it is a completely bogus reasoning. A certain vendor,
which will remain unnamed, made a presentation at the Internet Expo
(DCI, I think?) a couple months ago, where they "explained" how firewalls
worked, and what the pros and cons were. Application Gateway firewalls were
basically touted as hampering performance. "And your users will notice,
and you won't want to deal with that," they said. So be careful when
making statements about relative performance. If you actually craft
security solutions, then you know that the only real measure of performance
is that which pertains to a local network solution. I've watched Raptor's
Eagle perform without any significant network degradation servicing a T1
off of a Sparc 4 with 32 megs (single processor). I've seen full VPN
encryption be done across an ATM line (cross country) which only shifted
average latency from 70ms to 100ms, despite encrypting with Triple DES
and authenticating with MD5.
> >> Security Protection      Low                            High
> >Checkpoint is Low? What's an access-listed router? Or just good system
> >administration with strong authentication? I do have more faith in TIS's
> >security, but "low" is not appropriate.
> Sorry, but I have to disagree again. I personally would rank Checkpoint
> in the same class as an access-listed router. While the "stateful
> inspection" provides an additional level of security, IMHO, it isn't
> enough to move it up to medium security level, nor is worthy of being
> put into a separate class of firewall as Checkpoint has been attempting
> to do for a while now.
I usually find myself on the other side of this debate, claiming Checkpoint's
FW1 isn't as secure as people believe. But there's a lot of things
that can be done on a low level that beat packet filtering, but state tables
will stop (most of which are UDP-based.) And Checkpoint forces some things
all the way up the stack to process at the application layer. Definitely
not a packet filter.
> As long as we are on the subject of "stateful inspection", here's my
> opinion in a nutshell. Personally, I think it is overrated. On a
> packet filter, it is a nice bell and whistle. The problem is that
> you are still stuck with the security of a packet filter. However,
> I think it would be an attractive enhancement to application level
> firewalls as well as packet filters.
Stateful Inspection is a significant enhancement over straight packet
filtering ("dumb filtering"). And it's irrelevant on an application gateway
firewall, which should be taking a connection on one of its interfaces,
spawning a process to proxy, and opening another connection entirely on the
other side. This renders "stateful inspection" irrelevant. There are
2 sessions, each terminating at the firewall (one into it, one from it
to the final destination).
> FWIW, good system administration with strong authentication also
> does not provide adequate security. I don't recommend that people
> use any authentication-only technologies when attempting to connect
> to a system behind the firewall from the Internet. Other technologies
> are more appropriate (like heavy-duty crypto).
Good system administration + strong authentication say nothing about a
firewall. Obviously, one time authentication does nothing to stop
sendmail attacks, buffer overruns in most cases, etc. The wave of the
future for access to a protected network is VPN tunneling. It's user
friendly, since good implementations will require nothing but a daemon
and client software. Properly implemented it uses strong encryption and
authentication, along with dynamic key exchange on the fly, so that
it remains totally secure against brute force attacks.
> >> Appropriate Customers    ISPs                           Commercial businesses
> >>                          Sites which use a              Military or Gov't customers
> >>                          "sacrificial lamb" or host     Sites which must protect
> >>                          an external web server         sensitive data (private,
> >>                                                         financial, competitive, etc.)
> >> Inappropriate Customers  Commercial businesses          ISPs
> >>                          Military or Gov't              Sites which use a
> >>                          Sites which must protect       "sacrificial lamb" or host
> >>                          sensitive data (private,       an external server
> >>                          financial, competitive, etc.)
> >You only seem to be basing how appropriate a firewall is on two things:
> >-- the presence of some external host (which is very common)
> >-- the level of security required
> The above statement is not correct. There are a number of factors which
> are involved in choosing the right type of firewall. Security and performance
> are the two most important factors. A sacrificial lamb situation is
> a situation where low levels of security are desired.
A sacrificial lamb is only required if you wish to prosecute intruders that
try to break in. Or if you have heavy traffic to a certain system that
you don't wish to pass through a firewall. (If you consider that a
"sacrificial lamb", which I don't.)
> >A sacrificial lamb host is really only necessary on its own if you're
> >interested in trying to garner information to prosecute potential intruders.
> >An external web server is common, but with the transparency, you would
> >only need a web server to be external if it were on 100Mb (which probably
> >assumes you're running on something like an Enterprise 5k).
> >Then you classify commercial businesses and the military or government as
> >needing maximum security, which is preposterous.
> Sorry, I disagree again. I never said the words "maximum security". Every
> organization has its own unique business and security requirements. A
> company has higher security requirements than an ISP. Putting in NSA-type
> security into most companies would severely hinder business operations and
> would be a waste of money to boot.
You can't get NSA type security anyhow. ;) It wouldn't surprise me to
find out that the NSA has already beaten most of the common crypto.
(triple DES and PGP). (PGP because of implementation, not because of the
weakness in IDEA).
Anyhow, on topic, you need to learn who the real targets are. ISPs are
very, very commonly attacked. They are high-profile targets, and they
have useful things to "control", such as mail servers and DNS servers.
Their position as an ISP gives a cracker with control of their systems
the ability to snoop an enormous amount of traffic, compromising
many more systems. On the flip side, many companies would never receive
more than trivial attempts to break in, and an access list on their router
will be more than fine.
> >Nothing Top Secret is
> >accessible from the Internet, and it's going to remain that way, rightly so.
> This also is my hope and prayer. I think that this is dependent on several
> o Rigorous testing of products which are involved in classified environments
> o Certification of products by a central agency
> o Correct implementation of those products
The final factor in security is whether or not the entire security plan
implementation is done by a qualified professional, or someone who jumped
on the security bandwagon selling some firewall they happen to like.
Certification already happens (NCSA, for example), and it's a worthless
certification, more or less. (That is to say, NCSA certification has no
bearing on the final security a firewall provides a network.)
> >The government is only a popular target because it is the government, but
> >they are the least likely to have any information of value online.
> Depends on who the opponent is. Hackers, foreign intelligence agencies,
> and terrorists have a vested interest in breaking into gov't sites.
Information that has restricted access is not on machines connected to
the public internet.
> >The average commercial business does not need strong security, only good
> >backups and a decent admin/consultant. The exception is those who conduct
> >online -transactions-, but that is an entirely different ball of wax.
> I STRONGLY disagree with the above statement. Based on my personal
> expertise and experience, the above statement differs widely with reality.
> Most companies are EXTREMELY vulnerable to attacks from disgruntled employees
> or from external (remote) attacks. It is fairly trivial to penetrate,
> bankrupt, or cause serious harm to most companies. (Fortunately, we are
> impeccably honest, or we wouldn't be having this conversation now.) 8^)
A good admin that I referred to can properly harden and maintain a system
so that it meets the needs of a business without being vulnerable to
common (trivially easy) attacks. It's all a question of relevant value.
People don't often hack machines for no reason, and a small business that
has a connection for internet access won't require a firewall. At most,
they may need some access lists on their router.
> >The real appropriateness is based on: level of security required, what
> >resources are being protected, what the cost of compromise would be,
> >the inconvenience acceptable to users in exchange for security (one time
> >authentication, etc).
> Except for the last 4 words, I agree.
I heard your spiel on the weaknesses of one-time authentication. But
one-time authentication is much stronger than plaintext re-usable
passwords, and it also is an inconvenience. I provided "one time
authentication" as an example of a security measure than inconveniences
> >> IMHO, under no circumstances should the Checkpoint firewall (or any packet
> >> filter for that matter) be used as the primary firewall for any
> >> configuration which processes classified information.
> >Again, you sound as though you don't understand Checkpoint. It is
> >fundamentally based on packet inspection, but more than a filter.
> Yes. It performs packet inspection as an addition to packet filtering.
> It still doesn't change anything.
Again, you completely discard SMLI, and I think it is because you don't
understand Checkpoint's firewall. Your statement that Checkpoint only
inspects up to level 3/4 of the OSI model points to the same thing.
> >Every product is different... even 2 application gateway firewalls, TIS
> >and Raptor, are far different in operation, and base their rules and
> >security measures on different assumptions and needs.
> I agree. I know both of the products you mentioned and both are good.
> Some products are better used in some situations, other products are
> more applicable in other situations.
Raptor I've enjoyed because of their VPN networking capabilities. I don't
know if TIS now provides similar capabilities. TIS does have a much wider
range of proxies, though.
> >> FWIW, a copy of the Free Firewall Evaluation Checklist may be found at
> >> my company's home page (the address is listed below).
> >The firewall checklist seems rather buckshot. A lot of good questions,
> >certainly, but it asks a lot of questions that any average sysadmin
> >will not be able to answer without extensive research.
> Which is what it is designed to do. The commercial version asks a lot
> more questions and provides more answers as well.
> >Of course, that is
> >what a security officer or consultant is supposed to know or provide.
> Absolutely. And we do provide this service. If I may say so myself,
> our vendor-neutral Firewall Evaluation / Penetration Tests are one of
> our most popular services.
And so you do penetration testing, where you attempt to compromise
firewalls? How many have you done this to? What tools have you used?
I do admire your dedication to the application gateway concept, and I agree
that it -is- more fundamentally sound, but you don't seem to understand
Checkpoint. I actually said something similar to what you said a month or
so ago on this list, in regards to Checkpoint being less secure than
Raptor. I received a challenge from someone at Checkpoint to justify
how you could build a more secure network with Raptor vs. FW-1. I pointed
out quite a few points, and never did receive a response to that mail.
But to be fair, I think you should investigate what FW-1 really does.
It operates to a much higher level than you think. (They claim to scan
all 7 layers. Personally, I'd like to hear how Checkpoint deals with
Physical and Data Link security, and I think their application level
checking is lacking. But a packet filter, they are not.)