SAN MATEO (06/05/2000) - Security break-ins via e-mail worms or controlled hacks make for big stories. But although IT executives need to be ever more security-conscious these days, their focus should not be solely on external attackers. Remote bad guys get most of the press, but the majority of the damage comes from someone on the inside, according to U.S. Federal Bureau of Investigation Director Louis Freeh. Firewalls are obvious first steps in protecting against external attacks, but they are also effective in battling the potential internal menace.
If you are looking to protect a modest number of Windows NT or Windows 2000 servers and are also attracted by the promise of easy installation, administration, and maintenance, consider the firewall CyberwallPlus-SV from Network-1 Security Solutions Inc. CyberwallPlus-SV, Version 5.2, is not a turnkey security solution; you should employ it as part of a comprehensive security plan that also includes intrusion-detection elements. CyberwallPlus-SV is cost-effective, however, with a relatively low price of $995, and with administration that shouldn't overly tax your support staff. I give it a score of Good.
Network-1 ships a CD with three products: CyberwallPlus-AP, CyberwallPlus-IP, and CyberwallPlus-SV. CyberwallPlus-AP is a LAN firewall designed for internal network security, operating as a transparent bridge. It receives, filters, and forwards Ethernet frames of more than 4,500 IP and non-IP protocols.
CyberwallPlus-IP is a traditional Internet firewall that filters only IP traffic, supports NAT (network address translation), and can act as a router.
CyberwallPlus-SV, the product I reviewed, is what Network-1 terms an "embedded firewall with intrusion prevention." Unlike traditional firewalls that require two network interfaces, CyberwallPlus-SV resides on current NT servers, such as your FTP, Web, and mail servers, and protects them from network attacks.
Network-1 promotes two main uses for CyberwallPlus-SV: for internal network servers and "DMZ" servers. Using CyberwallPlus-SV on internal servers protects them from unauthorized access by employees. It also adds a layer of protection to your network in case it is ever compromised. Network-1's recommendation for use in the DMZ is to remove the single point of failure that today's standard firewall configuration creates by installing CyberwallPlus-SV on each server. I do not agree with this use, because once a protocol is allowed to pass through, any application hacks will succeed. I would use a product that recognizes application-level attacks -- Web server hacks, for example -- and has a larger attack signature database, such as Clicknet's entercept.
The core of CyberwallPlus-SV is a multilevel stateful-inspection engine. This engine, as with other stateful-inspection firewalls, examines each communication in detail. By understanding packet by packet what happens and what to expect, stateful inspection allows the security engine to detect incorrect or suspicious activity.
In Windows NT, the core OS services operate in a protected environment known as kernel mode. CyberwallPlus-SV is implemented as an extension of the kernel, surrounding it with security that "hardens" it from network attacks. The filter engine monitors every packet that passes to the server, inspecting it before it ever reaches higher layers in the protocol stack.
Read the fine manual
I installed CyberwallPlus-SV on an NT Server running Internet Information Server (IIS) 4.0. The early press CD I received did not contain any documentation except a seven-page readme file; I also did not receive a manual, although one is now available. The manual will soon be included on the CD, according to Network-1.
The installation process is very simple and straightforward. After installing the server and before I made any configuration changes, I tested a few things.
CyberwallPlus-SV picked up a port scan I ran against the machine, logging a lot of useful information, including the source IP address. But it allowed an anonymous null connection to the NT server.
After researching a bit, I was surprised to find that the default installation is wide open, allowing all traffic to pass through. Once I set all traffic to Fail and Log Failed Packets between untrusted nodes and the CyberwallPlus-SV system, the null connection was not allowed and I saw my attempts recorded in the log file. In future releases, I would like to see a Deny-all configuration as the default.
I performed firewall administration through a fairly intuitive, tabular GUI.
The Main tab is "home" and is where you start and stop the filter engine, set license information, set connection policies (based on time), back up configuration files, and connect to other systems for remote management.
CyberwallPlus-SV does not have the capability to push preconfigured policy files to other systems. The recommendation from Network-1 is to create a policy, back it up, and restore the policy on each system. This is better than manually configuring numerous identical policies, but I would like to see a policy-push feature in a future release.
Using the Nodes tab, I defined systems on the network and set inheritance rules. You can define specific nodes for servers that may be required in a rule, such as a domain name server. The default for any system not specifically defined is the untrusted AnyNode. By right-clicking on a node, you can specify rule inheritance, what protocols are allowed to connect to the machine, and what is logged (the choices are No Packets, All Packets, Passed Packets, or Failed Packets). For example, I set the rule inheritance for the local machine (the system running CyberwallPlus-SV) to not allow IP connections between untrusted nodes and itself. This configuration was inherited by all IP protocols. One attractive feature is to select Log All Packets; this gives you a network "sniffer" that provides fairly extensive logging capabilities.
The Rules tab is where you set the complete security policy for the server.
CyberwallPlus-SV comes with many predefined policies for common server configurations; these include FTP, mail, IIS, Exchange, LDAP, Certificate Authority, and Web server. This is a good start for an initial setup, but rules should be modified to reflect your company's security policy. Adding a rule is a simple process of selecting the trusted node; the untrusted node; the protocol, such as HTTP or FTP; inbound access; outbound access; and logging.
One thing I disliked about the rules interface is that the rules are not listed in the order they are applied to packets, which makes it difficult to visualize how a packet passes through the filter engine. CyberwallPlus-SV applies rules that start at the bottom layer of the OSI model and work their way up the protocol stack to the application layer. I would like to see the rules listed in this order in a future release.
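The policy model the Nodes and Rules tabs expose (AnyNode as the untrusted fallback, rule inheritance from the IP layer upward, the four logging modes) and the wide-open shipped default, as an added illustrative model written for this page rather than CyberwallPlus-SV code. The node names, sample IPs, the layer table and the rule-inheritance semantics (a lower-layer verdict carries up until a protocol-specific rule overrides it) are assumptions drawn from the review's description.

```python
from dataclasses import dataclass, field

# Rules are evaluated from the bottom OSI layer upward, as the review describes:
# a verdict at the IP layer is inherited by every IP-carried protocol unless a
# rule for that specific protocol overrides it (assumed semantics, not vendor code).
LAYER = {"IP": 0, "TCP": 1, "UDP": 1, "HTTP": 2, "FTP": 2, "SMB": 2}
ANYNODE = "AnyNode"  # untrusted catch-all for any system not defined in the Nodes tab


@dataclass
class Rule:
    trusted: str    # the local node the rule protects
    untrusted: str  # a defined peer node, or ANYNODE
    protocol: str
    inbound: str    # "Pass" or "Fail"
    outbound: str   # "Pass" or "Fail"


@dataclass
class Policy:
    nodes: dict = field(default_factory=dict)   # peer ip -> node name
    rules: list = field(default_factory=list)
    default: str = "Pass"              # the shipped install: everything passes
    log_mode: str = "Failed Packets"   # No / All / Passed / Failed Packets

    def decide(self, local, peer_ip, stack, direction="inbound"):
        """Return (verdict, logged) for one packet whose protocols are in `stack`."""
        peer = self.nodes.get(peer_ip, ANYNODE)
        verdict = self.default
        for proto in sorted(stack, key=LAYER.__getitem__):     # IP first, app layer last
            hits = [r for r in self.rules if (r.trusted, r.protocol) == (local, proto)
                    and r.untrusted in (peer, ANYNODE)]
            if hits:
                r = min(hits, key=lambda r: r.untrusted == ANYNODE)  # named node beats AnyNode
                verdict = r.inbound if direction == "inbound" else r.outbound
        # "Pass" -> "Passed Packets", "Fail" -> "Failed Packets"
        logged = self.log_mode in ("All Packets", verdict + "ed Packets")
        return verdict, logged


# Constructed samples: the shipped default, and a Fail-all-then-permit web server policy.
SHIPPED = Policy(nodes={"10.0.0.5": "DNS"})
HARDENED = Policy(nodes={"10.0.0.5": "DNS"}, default="Fail", rules=[
    Rule("Local", ANYNODE, "IP", "Fail", "Fail"),     # inherited by every IP protocol
    Rule("Local", ANYNODE, "HTTP", "Pass", "Pass"),   # web traffic from anywhere
    Rule("Local", "DNS", "UDP", "Fail", "Pass"),      # outbound-only lookups to the resolver
])

if __name__ == "__main__":
    smb = ["IP", "TCP", "SMB"]   # the anonymous null session the reviewer tried
    print("shipped :", SHIPPED.decide("Local", "192.0.2.9", smb))    # ('Pass', False)
    print("hardened:", HARDENED.decide("Local", "192.0.2.9", smb))   # ('Fail', True)
```

Switching `log_mode` to "All Packets" turns the model into the "sniffer" the review mentions, since every verdict is then logged.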
CyberwallPlus-SV comes pre-configured with extensive protocol support, but if you can't find one you need, you can create a new one in the Protocols tab. It is a simple process of naming the protocol and specifying what port to listen on.
CyberwallPlus-SV also performs some intrusion prevention by looking for DoS (denial of service) attacks and port scans. The sensitivity of your server to these attacks can be configured in the Intrusion Setup tab. Right now, CyberwallPlus-SV can detect about 11 attacks, including Smurf, WinNuke, and Fraggle. Additional attack signatures will be added as they become available, according to Network-1.
I can't see using CyberwallPlus-SV for all firewall needs, but I do recommend it for protecting a few internal Windows NT or Windows 2000 servers. It is easy to install, administer, and maintain and provides a good security comfort level when used in conjunction with other security products, such as complete intrusion-detection systems and Internet firewalls. At $995 per server, CyberwallPlus-SV is a fairly cost-effective solution that deserves a Good rating.
Mandy Andress is director of Information Security at Privada Inc., a privacy infrastructure provider. Her e-mail address is email@example.com.
THE BOTTOM LINE: GOOD
CyberwallPlus-SV, Version 5.2
Business Case: Adding an additional layer of protection to servers containing sensitive corporate information helps protect against internal and external attacks that may otherwise destroy or compromise data. The benefits in time spared from combating attacks or restoring data can be considerable.
Technology Case: CyberwallPlus' kernel-mode architecture protects the operating system from network attacks. Its multilevel stateful-inspection engine logs and examines every packet that passes by and stops those on its danger list.
+ Easy to use
+ Intuitive graphical interface
- No remote policy-push capabilities
- Current documentation poor
- Rule application not intuitive
- Default installation allows all protocols to pass
Cost: $995 per server
Platform(s): Windows NT, Windows 2000 servers
Network-1 Security Solutions Inc., Waltham, Massachusetts; (781) 522-3400, 800-NETWRK1; www.network-1.com