Three Linux Firewall Packages

This issue’s theme is security. Staying in that vein, we decided that the IT Corner should look at firewall products for Linux. Instead of simply comparing all the firewalls on the market, which range from freeware to over $30,000, we selected three products that have a solid following in the Linux market at three different (all reasonable) price points and examined each on its own merits and strengths.

This is a little like comparing apples to oranges, but the goal is not to pick a “best” firewall but to show you the differences you get as you spend more. Firewalls perform a variety of services, all important to protecting your network. Firewalls sit between your network and the Internet (or an ISP) at a “choke point”, the single (or redundant) point of entry into your network.
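What filtering at that choke point looks like, as an added example (this is illustrative code, not code from any of the three products reviewed): a small model of a default-deny packet filter with the IP masquerading and port forwarding features that come up later in the article. The internal subnet, the external address, the published Web server and every test packet are assumptions constructed for the demo.

```python
"""Added example, not code from any of the reviewed products: a minimal model
of a default-deny packet filter with IP masquerading sitting at the choke
point between an internal subnet and the ISP.  The subnet, the external
address, the published Web server and the test packets are all assumed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed internal subnet
EXTERNAL_IP = ip_address("203.0.113.10")      # assumed address on the ISP side
WEB_SERVER = ip_address("192.168.1.80")       # assumed internal host published on port 80


@dataclass(frozen=True)
class Packet:
    iface: str        # "ext" (from the ISP) or "int" (from the inside network)
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


class MasqFirewall:
    """Evaluates rules in order; the first matching rule decides the verdict."""

    def __init__(self):
        self.next_port = 61000
        self.nat = {}   # external port -> (inside address, inside port, remote address)

    def filter(self, pkt):
        """Return (verdict, forwarded packet). Verdict is "ACCEPT" or "DROP";
        the packet is rewritten when it crosses the masquerading boundary."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)

        if pkt.iface == "ext":
            # 1. Anti-spoofing: an inside address never legitimately arrives from the ISP.
            if src in INTERNAL_NET:
                return "DROP", None
            # 2. Replies to connections we masqueraded go back to the inside host,
            #    but only from the remote host the connection was opened to.
            entry = self.nat.get(pkt.dport)
            if dst == EXTERNAL_IP and pkt.proto in ("tcp", "udp") and entry and entry[2] == src:
                inside, inside_port, _ = entry
                return "ACCEPT", replace(pkt, iface="int", dst=str(inside), dport=inside_port)
            # 3. Block ping (ICMP echo request) from the outside.
            if pkt.proto == "icmp" and pkt.icmp_type == 8:
                return "DROP", None
            # 4. Port-forward the published Web server.
            if pkt.proto == "tcp" and dst == EXTERNAL_IP and pkt.dport == 80:
                return "ACCEPT", replace(pkt, iface="int", dst=str(WEB_SERVER))
            # 5. Default deny: unsolicited FTP (21), telnet, everything else.
            return "DROP", None

        if pkt.iface == "int":
            # Only inside addresses may leave; anything else is misconfigured or spoofing.
            if src not in INTERNAL_NET:
                return "DROP", None
            if pkt.proto in ("tcp", "udp"):
                ext_port = self.next_port
                self.next_port += 1
                self.nat[ext_port] = (src, pkt.sport, dst)
                return "ACCEPT", replace(pkt, iface="ext", src=str(EXTERNAL_IP), sport=ext_port)
            return "ACCEPT", replace(pkt, iface="ext", src=str(EXTERNAL_IP))

        return "DROP", None


def demo():
    """Run constructed packets through the filter; returns the list of verdicts."""
    fw = MasqFirewall()
    packets = [
        Packet("int", "tcp", "192.168.1.5", "198.51.100.7", 40000, 80),      # inside host browses out
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 80, 61000),     # the reply
        Packet("ext", "tcp", "192.0.2.1", "203.0.113.10", 80, 61000),        # reply from the wrong host
        Packet("ext", "tcp", "192.168.1.9", "192.168.1.5", 1234, 22),        # spoofed inside source
        Packet("ext", "icmp", "198.51.100.7", "203.0.113.10", icmp_type=8),  # ping from outside
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 5555, 21),      # inbound FTP
        Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 5556, 80),      # inbound HTTP, forwarded
    ]
    return [fw.filter(p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the rules is the point: the anti-spoofing and reply rules run before anything else, and everything that matches no rule is dropped, so the FTP probe is refused without a rule naming FTP at all. The model tracks only TCP and UDP, so outbound pings from the inside get no replies through it; a real firewall also needs ICMP state.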
By monitoring the traffic that passes through the choke point, a firewall can prevent attacks on machines behind it as well as unauthorized access to services. Many firewalls allow filtering based on the type of traffic (such as blocking all FTP requests or ping packets), and many act as proxy servers as well.

Firewalls have become an important addition to networks because of the wide variety of hacking tools available today (see the sidebar “Hacking Tools”). Anyone can download a hacking program and run it against your network, exploiting weaknesses and crashing your systems. To prevent this, a firewall needs to be properly configured and ready to block all these attempts. While firewalls are available for all operating systems, we look at those that run under Linux specifically, because Linux makes an ideal platform for firewalls and gateways.

To test these packages, we set up a dedicated internal network of ten machines (half Linux and half Windows) on a Fast Ethernet subnet, attached to our normal test network through the Linux firewall. Two of the three products include their own Linux distributions, so we installed them as new setups. The third is a self-contained Linux-based box, which we used in place of the Linux machine at the choke point. The test network was then used to bombard the firewall with all manner of hack attempts, including all the tools mentioned in the sidebar. Some of the hacking techniques are kept confidential as they belong to the author’s security testing suite, but suffice it to say these tools are used to validate extremely secure military networks. We kept track of the firewall’s ability to stop the different probe attempts, as well as the performance of the firewall and the internal network. After testing the firewalls against hack attempts we ran several denial-of-service routines to see if the firewalls would crash.
Finally, we modified the optimum configuration of each firewall to expose specific holes in the security setup, to see how well the hacking tools could detect and exploit those holes.

It is important to note that the configuration used for exhaustive testing of all three firewalls is considerably different from the default setups. To properly button up a firewall you have to filter and block most packets coming in. This requires a good knowledge of the traffic you expect, as well as of the ways seemingly innocent packets can be used to exploit security holes. The good news is that all three firewalls do a very good job, especially when configured manually.

NetMax Firewall ProSuite

NetMax offers a range of firewall software, from the
inexpensive Firewall, through Firewall Suite (which adds a proxy server, port forwarding and IP address mapping), to the ProSuite we tested (which adds SSL, dial-in modem, and UPS support). There’s a Server version available too, which adds Triple DES encryption and IKE support. Firewall ProSuite ships with a Red Hat-based Linux distribution and can be installed from scratch as a preconfigured firewall, or the firewall software can be loaded on top of an existing Linux installation.

The Firewall ProSuite package includes a well-written and illustrated manual, although we found the font used in the book tiring to read. The software installs easily, either as an addition to our existing Red Hat 6.2 test machine or from scratch with the included version of Linux. As with the other firewalls tested, two NICs are necessary unless you rely on PPP to connect through a modem. As with most Linux distributions, finding drivers for some NICs will be a problem unless you have well-known brands installed.

Configuring the Firewall ProSuite software itself is easy
through a Web interface. A quick-configuration process lets you set up default actions in a few steps, and covers most of what you need to do to button up the firewall. For more flexibility, individual aspects of the software can be configured through the interface, allowing much finer control of the firewall’s behavior. One neat feature is a traffic monitor that shows you incoming packets and their volume, as well as what the firewall software is doing with them under the rules you lay down. We found the traffic monitor especially helpful during denial-of-service attacks.

Firewall ProSuite worked well in our tests, denying all the usual attack methods when properly configured. There are still ways through the firewall if the configuration is not complete, of course, and a smart hacker can probably detect weaknesses, but the default configuration will stop all but the most determined attempts. There is no VPN support included with Firewall ProSuite, but many sites will not miss it.

Phoenix Adaptive Firewall

Progressive Systems’ Phoenix Adaptive Firewall arrived
installed on a Cobalt Networks Qube (a small, cube-shaped, turnkey gateway and Web server running Linux). Since the operating system, all the support software and the firewall application were already installed on the Qube, we simply configured it as-is on our test network. Installing is simple: plug in the network connectors (internal and external), turn on the power, and use the back panel’s buttons and small LCD display to configure an IP address for the Qube. After a reboot, any machine on the internal network can enter the internal IP address in a Web browser and the Phoenix Adaptive Firewall configuration screen appears. Setup time was five minutes. A three-fold, single-page instruction sheet contains everything you need to know to install the Qube and configure the IP addresses.

The Phoenix Adaptive Firewall documentation is acceptable, but lacks screen captures and any explanation of the details behind the configuration options. If you don’t want to read the manual and would rather jump right into the firewall configuration process, you’ll find the software very accommodating. The menu-driven system lets you configure every aspect of the firewall, and the prompts and explanations are more than enough for most firewall setups.

Apart from the usual options for blocking specific protocols and services, packet filtering, and blocking of port scanning and sniffing routines, you can also block specific file formats (such as RealAudio) from passing through the firewall. Of note is the VPN setup, which is excellent.

The “adaptive” in the product name would usually be interpreted as implying that the software learns from actions and adapts itself for future use. We didn’t find anything “adaptive” in our short-lived tests, but there may be features we didn’t uncover or learn from the manual. The Phoenix Adaptive Firewall can be purchased as a software package for many platforms, but after playing with the Qube and Phoenix Adaptive Firewall combination together I can’t think of any reason not to buy the combination.

The other software installed on the Qube is designed to act as a gateway and server for your network, and can be configured separately from the Phoenix firewall product. Since we’re not concentrating on gateway products here, we’ll ignore them, but we do recommend you check the Qube out: it’s a heck of a neat Linux-based turnkey system.

Stormix Storm Firewall

A quick search of linux.org for firewall software
turns up Stormix’ Storm product. Designed for Storm’s own Storm Linux 2000 as well as Red Hat and Debian, Storm Firewall can be installed on top of an existing Linux setup or installed from scratch together with Storm Linux. (Storm Linux is a Debian-based distribution that includes KDE and GNOME.)

Storm Firewall is designed to be a relatively inexpensive firewall product that is easy to configure for those not interested in extensive manipulation of their firewall software. The installation routine is graphical and proceeds quickly with a minimum of prompts. If you are installing Storm Linux at the same time, the firewall and router software are loaded as part of the package. Naturally, you need a computer with two NICs (one internal and one to your ISP), and there’s the usual fuss of figuring out which NICs are properly supported. Installation of the Storm Linux operating system and firewall package proceeds as well as that of any other Debian-based distribution.

The box for Storm Firewall contains two manuals, one for Storm Linux 2000 and one for the Firewall software itself. The Firewall document spends half its pages explaining the basics of networking, firewalls, and TCP/IP (which may or may not be of interest to readers, depending on their knowledge level). After the installation procedure, only a few pages are devoted to the firewall software itself, yet they do the job for using the product.

Configuring the firewall software itself is made easier by
the interface used. In fact, there are several ways to configure the firewall, depending on the level of expertise and granularity you want. A firewall setup wizard takes the easy route, using default behaviors in response to a few choices. For more complicated setups, an advanced configuration routine lets you work at the chain level, rule by rule. Using the easy setup wizard could leave potential problems in the configuration, including susceptibility to denial-of-service attacks, although the risks are small.

There are several things about Storm Firewall we like. First, the inclusion of Storm Linux and the configuration wizard provide an almost install-and-forget approach to firewalls. There are some useful features, such as IP masquerading (where all the IP addresses inside a network share the same external IP address: not quite a proxy server, but the same basic idea for hiding internal addresses). The rules available to limit the packets that pass through the firewall are simple enough, although some advanced users will find they do not offer enough flexibility. There are also some features missing that would have been nice to see, such as proxying, virtual private networking, and packet-type blocking.

Storm Firewall is aimed squarely at the low-cost market, and it does a very good job of providing a solid firewall product for that market. It’s not as capable and flexible as more expensive firewall products, but at its price point it is very good. The amount of protection Storm Firewall offers will suffice for home networks and many small companies, but it will be out of place in larger and more security-conscious environments.

Summary

All three firewalls did a very good job of blocking hack
attempts, especially those generated by the readily available Linux- or Windows-based hacking tools. The testing process did show that the security of all these firewall products is very sensitive to the configuration. All three products allow quick and easy configuration of security setups based on simple questions and prompts, and the defaults these configurations create will suffice for many users. However, unless you are willing to spend the time to understand all the aspects of the firewall software, as well as the types of attempts hackers use, you will always have some vulnerability in your system. Manual configuration of the firewall is really the best way to prevent most hack attempts.

You can look at these three firewall products as a progression in both price and features. The Storm Firewall is the least expensive and a very good buy at its price. It will stop most attacks, and is the easiest to configure. NetMax ProSuite adds features and price, allowing blocking of more types of attacks, monitoring, and proxy serving. Phoenix Adaptive Firewall costs more and adds even more features. As mentioned earlier, you will find the Storm Firewall suitable for home networks and smaller commercial operations, but if you want better security you need to pay for it. The Phoenix Firewall software did the best job of stopping all the attacks we threw at it, letting our Web server continue operating when the other two firewall products could be overloaded, resulting in denial of service. The amount of protection you need will depend on your purpose, how vulnerable you feel, and your budget. All three firewalls are suitable, given the proper balance of these three factors.

Phoenix Adaptive Firewall Summary: Excellent turnkey solution with the Qube, excellent firewall all by itself.

Storm Firewall Summary: Very good value in a firewall but missing some features larger networks may require.

NetMax ProSuite Summary: Good balance of features against price, very good management routines.

Sidebar: Hacking Tools

There are a wide variety of hacking tools readily available
over the Internet that can be downloaded and run by anyone. The list below is a short summary of different tools and their purposes. All are Linux-based. There are many more Windows- and UNIX-based hacking tools as well.

Sniffers: Sniffer is a slang term for a protocol analyzer, which can monitor network traffic, usually surreptitiously, and capture valuable information passing through. Sniffers are a problem because they can catch login names and passwords (usually sent in cleartext), as well as any data carried in the datagrams. Sniffer attacks have caused more security problems than any other kind of attack (including denial of service). There are several sniffers designed specifically for Linux:

Sniffer attacks are difficult to detect and thwart because sniffers are passive. They don’t generate a log (evidence trail) and don’t use a lot of memory or disk space. To catch a sniffer you need to find out whether any network interface has been put into promiscuous mode. Run ifconfig and ifstatus on each host to check the flags of all its interfaces, or run a detector such as the Network Promiscuous Ethernet Detector (NEPED), which can detect sniffer activity across a subnet. NEPED probes a subnet for interfaces in promiscuous mode by exploiting a kernel ARP quirk: a host whose interface is in promiscuous mode answers ARP requests carried in frames that were not addressed to its own hardware address. NEPED can be fooled, and later versions of the Linux kernel fix the ARP quirk, which defeats this kind of test.

Scanners: a scanner is a security tool for detecting system
vulnerabilities (such as empty password fields in /etc/passwd). Most scanners fall into system scanner or network scanner categories. System scanners scan the local machine for improperly set file permissions, default accounts not closed or deleted, and erroneous or duplicate UID entries. The classic scanner is COPS (Computer Oracle and Password System), which looks for bad file, directory and device permissions, weak passwords, poorly applied security on the password and group files, inappropriate SUID/SGID bits on files, and suspicious changes in file checksums. Tripwire is another excellent scanner which checks permissions and checksums of many system files, as well as file and directory modification dates. Tripwire records more than one checksum per file to make forgery harder, and alerts you through mismatching checksums when files have been modified without your knowledge. The most commonly used scanner is crack, a commonly available utility that checks for easily broken passwords: it takes the hashes from /etc/passwd (or /etc/shadow) and tries dictionary words and guesses derived from each user ID against them.

Network scanners work on an entire network, not just a single machine. The Internet Security Scanner (ISS) scans for obvious holes in network connections, including open TCP ports. There are two major releases of ISS available with different purposes, and both are often used for hacking. ISS can be set to different levels of analysis (light, medium, heavy) and there is an X-based version available (xiss) for those who like a GUI. The most famous network scanner is the Security Administrator’s Tool for Analyzing Networks (SATAN), which scans IP networks for vulnerabilities. SATAN performs more tests than most network scanners and is available in character and GUI versions. An enhanced and updated version of SATAN is the Security Administrator’s Integrated Network Tool (SAINT), which adds Web-oriented analysis and denial-of-service tests to the routines.

Detecting scanners (scanning a network you are not authorized to test is illegal in many jurisdictions) requires a tool that watches for typical scanner behavior: many connection attempts to different ports or hosts from one source in a short time. Linux-based scanner detectors are Courtney (a Perl script that detects SATAN and SAINT), icmpinfo (detects ICMP scans and bombs), Scan-detector (a generic UDP scan detector), Klaxon (detects port scans by service) and Psionic PortSentry (an advanced tool with many functions that can block scan attacks in real time).

Spoofing: The
traditional definition of spoofing is forging packets so that they appear to come from a host the target trusts, and so being authenticated as that host. The definition has been expanded to include any method of subverting address-based or hostname-based trusts or authentications. There are many ways to spoof on a network and we don’t have room to go into the details here. Commonly available spoofing tools for Linux are: mendax (a tool for TCP sequence number prediction and IP address spoofing), ipspoof (a simple TCP and IP spoofing tool), spoofit (a C header library for adding spoofing capabilities to a program) and seq_number (a C library that adds sequence number exploitation to spoofing applications).

Denial of service: The
basic definition of a denial-of-service attack is any action that incapacitates your host’s hardware, software, or both, rendering your system unreachable and therefore denying service to legitimate users. In a DoS attack the attacker’s aim is straightforward: knock your hosts off the Internet. DoS attacks are malicious (except when conducted as part of a security check) and also illegal. DoS attacks are persistent and common for two reasons: they are fast and easy to perform, and they produce an immediate, visible result. For these reasons DoS attacks are popular with novice hackers. DoS attacks can also be difficult to trace to their origin.

Linux tools available for DoS attacks include: sesquipedalian (a C library that carries out IP fragmentation cache attacks, flooding the cache and preventing the processing of TCP packets), NMAP (a port scanner whose half-open scan sends SYN packets followed by RST packets before a connection is established; because of the speed and number of requests, the inetd daemon on an unpatched host can hang) and mimeflood (a Perl script that floods Apache Web servers, chews up all CPU resources and crashes the Web server). Others include socket bomb (also called garbage), a C library that floods the standard UNIX/Linux garbage collection system with thousands of simultaneous entries (the default limit is 1,000), overwhelming the system and causing a kernel panic; time and daytime, which overwhelm TCP ports 13 (daytime) and 37 (time) and crash the services listening there; and teardrop, a C program that sends overlapping IP fragments whose offsets yield a negative fragment length in the kernel’s reassembly code, crashing any kernel not patched to refuse them. There are about two dozen other DoS attack packages available for Linux!

There is no single cure for DoS attacks. In general, to prevent them you should: disable forwarding of directed broadcasts, use a firewall to filter incoming ICMP (including ping) and UDP traffic, and use TCP interception to validate TCP connections (dropping unvalidated connections after a short timeout). Packet filters can also be used to drop packets with suspicious source addresses, such as internal addresses arriving on the external interface. There are far more tools available to the hacker than there are tools to prevent them, and buttoning up a system requires a lot of knowledge on the part of the system or network administrator. For this reason, security is almost always a catch-up affair.
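Two of the defensive checks the sidebar recommends, as an added example (illustrative code, not the NEPED, Klaxon or PortSentry tools it names): the promiscuous-mode check from the Sniffers entry, reading interface flags the way ifconfig prints them, and the threshold rule behind the scan detectors in the Scanners entry, run over connection records. The interface listing, the connection records and the thresholds are all assumptions constructed for the demo.

```python
"""Added example, not code from any tool the sidebar names: two host-side
checks the sidebar recommends.  promiscuous_interfaces() reads interface
flags the way ifconfig prints them (old net-tools layout and the newer
"flags=" layout); detect_scans() applies the rule Klaxon- and PortSentry-style
detectors use, many distinct ports from one source in a short window, to
connection records.  Thresholds and all sample data are assumed and
constructed for this demo."""
import re
from collections import defaultdict

IFF_PROMISC = 0x100   # kernel interface flag bit; /sys/class/net/<if>/flags prints the same word in hex

# Constructed ifconfig output (not captured from a real host): eth0 has been
# put into promiscuous mode, eth1 has not.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:AB:CD:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet 203.0.113.10  netmask 255.255.255.0  broadcast 203.0.113.255
"""

_HEADER = re.compile(r"^(\S+?):?\s+(?:Link encap|flags=)")


def promiscuous_interfaces(ifconfig_text):
    """Return the names of interfaces whose flags include PROMISC."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_from_sysfs(flags_word):
    """Test the PROMISC bit in a /sys/class/net/<if>/flags value such as '0x1103'."""
    return bool(int(flags_word, 16) & IFF_PROMISC)


# Constructed connection-attempt records: (source address, destination port,
# seconds).  198.51.100.7 walks six ports in three seconds; 203.0.113.42 is a
# normal client talking to the Web server.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", 21, 100), ("198.51.100.7", 22, 100), ("198.51.100.7", 23, 101),
    ("198.51.100.7", 25, 101), ("198.51.100.7", 80, 102), ("198.51.100.7", 110, 102),
    ("203.0.113.42", 80, 100), ("203.0.113.42", 80, 150), ("203.0.113.42", 443, 151),
]


def detect_scans(records, threshold=5, window=60):
    """Return {source: sorted ports} for every source that touched at least
    `threshold` distinct ports within any `window`-second span."""
    by_src = defaultdict(list)
    for src, port, t in records:
        by_src[src].append((t, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                scanners[src] = sorted(ports)
                break
    return scanners


if __name__ == "__main__":
    print("promiscuous:", promiscuous_interfaces(SAMPLE_IFCONFIG))
    print("scanners:", detect_scans(SAMPLE_CONNECTIONS))
```

The local flag check is only as trustworthy as the host it runs on: a sniffer that has already been installed can ship a modified ifconfig that hides the PROMISC flag, which is why the sidebar also points at a remote test such as NEPED. The scan threshold is a trade-off; set it too low and a busy legitimate client trips it, too high and a slow scan walks under it.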
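The teardrop entry in the Denial of service section is the clearest case of the article’s point that seemingly innocent packets can exploit a hole: two fragments that are individually well formed. As an added example (a model written for this page, not the teardrop program and not kernel code), here is the reassembly mistake it triggered beside the check that fixes it. The fragment offsets are those of the classic teardrop pair; the other fragment sets are constructed for comparison.

```python
"""Added example, not the teardrop program itself nor kernel code: a model of
the fragment-reassembly mistake teardrop triggered, beside the check that
fixes it.  Fragments are (offset, length) pairs in bytes; the offsets are
those of the classic teardrop pair, the data is constructed."""

# The classic pair: a 36-byte first fragment, then a 4-byte fragment at
# offset 24 that lies entirely inside the first one.
TEARDROP = [(0, 36), (24, 4)]
# A normal two-fragment datagram and a benign partial overlap, for comparison.
NORMAL = [(0, 1480), (1480, 520)]
PARTIAL_OVERLAP = [(0, 100), (80, 100)]


def reassemble_unpatched(frags):
    """Reassemble the way the vulnerable code did: an overlap with the data
    already placed is trimmed by moving the fragment's start forward, but
    the end is never checked against the new start.  Returns the datagram length."""
    buf = bytearray()
    placed_end = 0
    for offset, length in sorted(frags):
        end = offset + length
        if offset < placed_end:
            offset = placed_end              # trim the overlap ...
        copy_len = end - offset              # ... negative if the fragment sits inside the placed data
        if copy_len < 0:
            # The kernel handed this negative value to a copy routine as an
            # unsigned size and crashed; here we just report it.
            raise OverflowError(f"negative copy length {copy_len}")
        buf += bytes(copy_len)
        placed_end = max(placed_end, end)
    return len(buf)


def reassemble_patched(frags):
    """Same loop with the fix: a fragment that ends at or before the data
    already placed contributes nothing and is discarded.
    Returns (datagram length, number of fragments dropped)."""
    buf = bytearray()
    placed_end = 0
    dropped = 0
    for offset, length in sorted(frags):
        end = offset + length
        if offset < placed_end:
            offset = placed_end
        if end <= offset:
            dropped += 1
            continue
        buf += bytes(end - offset)
        placed_end = max(placed_end, end)
    return len(buf), dropped


def crashes_unpatched(frags):
    """True if the unpatched reassembly would hit the negative length."""
    try:
        reassemble_unpatched(frags)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    print("unpatched crashes on teardrop:", crashes_unpatched(TEARDROP))
    print("patched result:", reassemble_patched(TEARDROP))
```

The benign partial overlap reassembles to the same 180 bytes either way, which is why the bug went unnoticed until someone sent a fragment that fits entirely inside an earlier one. A firewall at the choke point can refuse the malformed pair before it reaches an unpatched host, which is the kind of filtering the review credits the products with.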
Send mail to
tparker@tpci.com with
questions or comments about this web site.