At 03:00 PM 6/20/97 -0400, Joe Klemmer allegedly wrote:
> And it's in a proprietary format I can't read (Excel)
According to the checklist's home page
(http://www.fortified.com/fwcklist.html),
there are two formats for the free version: Excel & tab-delimited ascii. Both
are available for downloading.
For your convenience, a copy of the tab-delimited ascii format follows:
--------------------- 8< cut here >8 ----------------------------------
FIREWALL EVALUATION CHECKLIST
© 1995, 1996 by Fortified Networks Inc.
This document is made available to the Internet community as a public
service. This document may not be used, in whole or in part, for personal
or commercial gain without permission in writing from Fortified Networks
Inc.
EVALUATION CRITERIA VENDOR A VENDOR B
TYPE OF FIREWALL
Router-based firewall (incl. screening & filtering routers)
IP Packet Filter (includes "stateful" packet filters)
Application Gateway
Hardware Only Solution?
Software Only Solution? (Vendor supplies the software. The customer must
obtain the hardware)
Turnkey (Hardware/Software) Solution? (Vendor supplies the entire
firewall)
The firewall's Operating System (O/S) has been secured by the vendor -
either by stripping out all functionalities which may cause problems or
using a secure O/S (MLS system, etc.). (More info on this in the Operating
System section)
HARDWARE CONFIGURATION
Type of CPU / CPU speed (MHz)
Hard disk storage capacity (MB)
Memory (MB)
Supports Ethernet
Supports Token Ring
Supports FDDI
VENDOR-SPECIFIC FEATURES
VENDOR-SPECIFIC LIMITATIONS
PURCHASE COSTS
Cost of Hardware
Cost of Software
Cost of Router (if we don't already have one)
Number of systems required (we did remember to order a backup system,
right?)
Total price per system
Installation costs
Training costs
o Basic training
o Advanced training
COST - GRAND TOTAL:
PRODUCT AVAILABILITY (Earliest delivery date)
INFORMATION ABOUT THE VENDORS:
Web Site Address: http://
Internet Mail Address:
Sales Contact:
Phone:
IMPLEMENTATION COSTS, CONSIDERATIONS, & GOTCHAS
PERFORMANCE
Number of firewalls required to handle a saturated T1
Number of firewalls required to handle a saturated T3
CAN THE FIREWALL PROTECT AGAINST THESE SECURITY PROBLEMS?
Node Spoofing Attacks
TCP Sequence Number Prediction Attacks
Session Hijacking Attacks
Source Routing Attacks
DNS Attacks
RIP Attacks
ICMP Attacks
Some firewalls have a small window of vulnerability during the boot process
where an incoming connection may be allowed through the firewall before the
rules tables are fully loaded. Does the firewall have this vulnerability?
GENERIC QUESTIONS
Has the firewall ever been breached? (for reasons other than being
misconfigured by the Firewall Administrator)
The Firewall always expressly prohibits that which is not explicitly permitted
All connections are automatically disabled in the event of a power failure
(fail-safe functionality)
Can attachments be filtered? (allowed or blocked)
Electronic Commerce Solution is integrated in the Firewall
The firewall uses TCP wrappers
The firewall supports SOCKS
If your corporation has non-NIC-approved IP addresses:
o The firewall presents one (NIC-approved IP address) to the outside world
o Mail headers are re-written to present one entity to the outside world
Applications are not allowed to reveal any information about the internal
network
The firewall can support dial-up connections
The firewall can encrypt in-bound sessions over dial-up lines
The firewall can be replaced in less than 1 hour (we did think to order a
spare firewall as a backup, right?)
Automatic Load Balancing is performed across multiple firewalls
LOGGING & REPORTING CAPABILITIES
All connections which are blocked or go through the firewall are logged in
great detail
Statistics are provided which measure usage, break-in attempts, etc.
The firewall has the capability of having security logs being sent/stored
on a remote system - automatically (remote logging)
Filter reports everything except those events which the user does not want
to see (preventing a new type of event/attack from being overlooked)
OR Filter reports only user-defined events
The firewall contains tools for audit analysis and producing reports
Reports can be generated of network activity through the firewall (games,
GIFs, etc.)
Reports can be generated of firewall usage (for cross-charging, etc.)
MANAGING THE FIREWALL
The Admin. Interface on the firewall is NOT a GUI or X-Windows-based (for
security reasons)
The Admin. Interface is easy-to-use (menu driven, etc.), yet secure
Can the firewall be administered from the console or remotely, or both?
Multiple firewalls can be managed securely from a central location
FIREWALL FILTERING RULES
The firewall filtering & rules definitions should be easy to read &
implement (i.e. - no confusing tables)
The rules of multiple firewalls can be synchronized (preferably automatically)
The firewall can filter on the IP address
o Source Address
o Destination Address
Can filter on application/service
FILTERING CAPABILITIES
The firewall can prevent or allow IP tunneling
The firewall can prevent Source-Routing & IP Forwarding through the firewall
Filter FTP
Filter HTTP
Filter IPX
Filter MIME
Filter RPCs
Filter SNMP
Filter SMTP
Filter TELNET
Filter UDP
INTEGRITY
Integrity checking of the firewall is fully automated
Automatic notification of personnel (including paging & e-mails) is
provided in the event that the integrity is suspected to have been compromised
AUTHENTICATION CAPABILITIES
The firewall can provide authentication of Internet and Dial-up connections
Challenge-Response authentication mechanisms are supported
Mutual Authentication is performed before connections are allowed
The following authentication implementations are supported:
o SecurID
o Digital Pathways
o S/Key
Supports single sign-on
ENCRYPTION
The firewall can provide encryption of Internet and Dial-up connections
Firewall-to-firewall encryption supported
User-to-firewall encryption supported (STRONGLY RECOMMENDED)
Types of encryption supported:
The firewall supports automated key distribution (securely)
Frequency of key exchanges (number per session, number per time interval,
etc.)
OPERATING SYSTEM
All "r-commands" (rlogin, rsh) have been removed from the system
All compilers have been removed from the system
The Operating System (O/S) has been "stripped-down" (i.e. only the basic
necessities are installed)
A line-by-line code check of the O/S has been performed and potential
security vulnerabilities have been removed
The Source Code for the Operating System is available for public examination
NOTES:
All questions should be answered on the basis that the feature currently
exists in the vendor's firewalls at existing customer sites. Items
available in the near future are considered "vaporware" and should be
indicated as such.
REFERENCES USED DURING THE PREPARATION OF THIS CHECKLIST:
Firewalls and Internet Security - Repelling the Wily Hacker by Cheswick &
Bellovin
o ISBN: 0-201-63357-4
Security Problems in the TCP/IP Protocol Suite by Steve Bellovin
--------------------- 8< cut here >8 ----------------------------------
Best Regards,
Frank
The opinions of the author of this mail may not necessarily be
representative of the opinions of Fortified Networks, Inc.
Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800 Fax: (317) 573-0817
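Three of the checklist's items (the firewall "expressly prohibits that which is not explicitly permitted", filtering on source address, destination address and service, and the choice between a log filter that reports everything except suppressed events and one that reports only user-defined events) are easier to weigh with a concrete model. The following is an added example written for this page; it is not code from the checklist, from Fortified Networks or from the mailing-list post. It models a first-match packet filter with a default-deny verdict, an empty rule table before load (so a packet arriving before the rules are loaded is dropped rather than passed), and both log-report models run over the same constructed event log. All addresses, rules, service names and events are constructed sample data.

```python
# Added example (not part of the checklist or the mailing-list post): a toy
# first-match packet filter illustrating default deny, filtering on
# source/destination address and service, and the two log-report models.
# All addresses, rules and events below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    service: str   # application/service name, e.g. "smtp", "http", "telnet"


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR the source must fall in
    dst: str       # CIDR the destination must fall in
    service: str   # service name, or "*" for any service
    action: str    # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.service in ("*", p.service))


Event = Tuple[str, str, str, str]   # (verdict, src, dst, service)


class Firewall:
    """First matching rule wins; with no match the verdict is 'deny', so the
    filter prohibits whatever is not explicitly permitted.  Before load_rules()
    runs the table is empty and every packet is denied, which is the fail-closed
    behaviour the checklist's boot-window question is asking about."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.log: List[Event] = []   # every decision, blocked or passed, is logged

    def load_rules(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)

    def evaluate(self, p: Packet) -> str:
        verdict = "deny"
        for r in self.rules:
            if r.matches(p):
                verdict = r.action
                break
        self.log.append((verdict, p.src, p.dst, p.service))
        return verdict


def report_exclusion(events: List[Event], suppressed: set) -> List[Event]:
    """Report everything except services the administrator chose to suppress.
    An event of a kind never seen before still shows up in the report."""
    return [e for e in events if e[3] not in suppressed]


def report_inclusion(events: List[Event], wanted: set) -> List[Event]:
    """Report only services the administrator listed; anything new vanishes."""
    return [e for e in events if e[3] in wanted]


def demo() -> dict:
    # Constructed networks: 192.0.2.0/24 plays the internal net, 198.51.100.0/24 the outside.
    fw = Firewall()
    # A packet arriving before the rule table is loaded is denied, not passed.
    early = fw.evaluate(Packet("198.51.100.7", "192.0.2.25", "smtp"))
    fw.load_rules([
        Rule("198.51.100.0/24", "192.0.2.25/32", "smtp", "allow"),   # inbound mail to the relay
        Rule("192.0.2.0/24", "0.0.0.0/0", "http", "allow"),          # outbound web
        Rule("0.0.0.0/0", "192.0.2.0/24", "telnet", "deny"),         # explicit deny, for the log
    ])
    verdicts = [fw.evaluate(p) for p in (
        Packet("198.51.100.7", "192.0.2.25", "smtp"),     # matches rule 1 -> allow
        Packet("192.0.2.10", "198.51.100.80", "http"),    # matches rule 2 -> allow
        Packet("198.51.100.9", "192.0.2.10", "telnet"),   # matches rule 3 -> deny
        Packet("198.51.100.9", "192.0.2.1", "rip"),       # no rule at all -> default deny
    )]
    suppressed = {"http"}          # administrator tired of ordinary web noise
    wanted = {"smtp", "telnet"}    # administrator's list of "interesting" events
    excl = report_exclusion(fw.log, suppressed)
    incl = report_inclusion(fw.log, wanted)
    return {
        "early": early,
        "verdicts": verdicts,
        # The unexpected RIP event survives the exclusion filter but not the inclusion one.
        "rip_in_exclusion_report": any(e[3] == "rip" for e in excl),
        "rip_in_inclusion_report": any(e[3] == "rip" for e in incl),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two report functions is the one the checklist makes with its "OR": a filter that names only the events to show will silently drop a kind of event nobody anticipated (here the RIP packet), while a filter that names only the events to hide still surfaces it.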