Three Linux Firewall Packages
This issue’s theme is security. Staying in that vein, we decided that the IT Corner should look at firewall products for Linux. Instead of simply comparing all the firewalls on the market, which range from freeware to over $30,000, we selected three products that have a solid following in the Linux market at three different price points (all reasonable) and examined each for its own merits and strengths. This is a little like comparing apples to oranges, but the goal is not to pick a “best” firewall but to show you the differences you get with increasing money.
Firewalls perform a variety of services, all important to protect your network. Firewalls sit between your network and the Internet (or an ISP) at a “choke point”, the single (or redundant) point of entry into your network. By monitoring the traffic that comes through the choke point, a firewall can prevent attacks on machines behind it as well as prevent unauthorized access to services. Many firewalls allow filtering based on the type of traffic (such as blocking all FTP requests or ping packets), and many act as proxy servers as well.
Firewalls have become an important addition to networks because of the wide variety of hacking tools available today (see the sidebar “Hacking Tools”). Anyone can download a hacking program and run it against your network, exploiting weaknesses and crashing your systems. To prevent this, a good firewall needs to be properly configured and ready to block all these hack attempts. While firewalls are available for all operating systems, we look at those that run under Linux specifically because Linux makes an ideal platform for firewalls and gateways.
To test these packages, we set up a dedicated internal network of ten machines (half Linux and half Windows) on a Fast Ethernet subnet, attached to our normal test network through the Linux firewall. Two of the three products include their own Linux distribution, so we installed them as new setups. The third is a self-contained Linux-based box, which we used in place of the Linux machine at the choke point. The test network was then used to bombard the firewall with all manner of hack attempts, including all the tools mentioned in the sidebar. Some of the hacking techniques are kept confidential as they belong to the author’s security testing suite, but suffice it to say these tools are used to validate extremely secure military networks. We kept track of the ability of the firewall to stop the different probe attempts, as well as the performance of the firewall and the internal network.
After testing the firewalls with hack attempts we attempted several denial-of-service routines to see if the firewalls would crash. Finally, we modified the optimum configuration of each firewall to expose specific holes in the security setup to see how well the hacking tools could detect and exploit those holes.
It is important to note that the configuration used for exhaustive testing of all three firewalls is considerably different than the default setups. To properly button up a firewall you have to filter and block most packets coming in. This requires a good knowledge of the possible traffic as well as the nature by which seemingly innocent packets can be used to exploit security holes. The good news is that all three firewalls do a very good job, especially when configured manually.
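The manual configuration described above can be written down as a script so it survives reboots and reviews. The following is an added example and not the configuration of any of the three products: a default-deny policy for a two-NIC Linux gateway in iptables syntax (the products reviewed here used the older ipchains interface; the rules assume a modern kernel with the conntrack, limit and LOG modules). The interface names, the LAN block and the IPT variable are this example’s own assumptions; setting IPT=echo prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example: default-deny policy for a two-NIC Linux firewall (iptables syntax).
# Assumptions (override via environment): EXT_IF faces the ISP, INT_IF faces the LAN,
# LAN is the internal address block. IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

firewall_rules() {
    # Start clean, then make "drop" the default for anything entering or crossing the box.
    # Packets the rules below do not explicitly accept fall through to these policies.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic never leaves the host
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a LAN source address arriving from the ISP side is forged,
    # and anything from the LAN side without a LAN source is misconfigured or forged
    $IPT -A INPUT   -i "$EXT_IF" -s "$LAN" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    $IPT -A FORWARD -i "$INT_IF" ! -s "$LAN" -j DROP

    # Stateful filtering: only replies to connections the inside opened are let back in
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The LAN may open new connections outward; no new inbound connections are forwarded
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT

    # Answer pings, but rate-limited so a ping flood cannot tie up the box
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Administer the firewall only from the LAN side
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT

    # Log what the default policy is about to drop; the limit keeps logging from becoming a DoS vector itself
    $IPT -A INPUT   -m limit --limit 3/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fw-fwd-drop: "

    # IP masquerading: the LAN appears on the Internet as the external address
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

case "${1:-}" in
    apply) firewall_rules && sysctl -w net.ipv4.ip_forward=1 ;;  # needs root
    show)  IPT=echo; firewall_rules ;;                             # dry run: print the commands
esac
```

Run it as `sh fw.sh show` to review the rule set before `sh fw.sh apply`. The order matters: the anti-spoofing drops sit before the stateful accept so that a forged LAN address cannot ride in on an ESTABLISHED match, and the LOG rules sit last so only traffic nothing else accepted is logged.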
NetMax Firewall ProSuite
NetMax offers a range of firewall software, from the inexpensive Firewall, through Firewall Suite (which adds proxy server, port forwarding and IP address mapping) to the ProSuite which we tested (which adds SSL, dial-in modem, and UPS support). There’s a Server version available too which adds Triple DES encryption and IKE support. Firewall ProSuite is shipped with a RedHat based Linux version and can be installed from scratch as a preconfigured firewall, or the firewall software can be loaded on top of existing Linux installations.
The Firewall ProSuite package includes a well-written and illustrated manual, although we found the font used in the book to be tiring to read. The software installs easily, either as an addition to our existing RedHat 6.2 test machine or from scratch with the included version of Linux. As with other firewalls tested, two NICs are necessary unless you rely on PPP to connect through a modem. As with most Linux versions, finding drivers for some NICs will be problematic unless you have well-known brands installed.
Configuring the Firewall ProSuite software itself is easy through a Web interface. A quick configuration process lets you set up default actions quickly, and covers most of the steps you need to perform to button up the firewall. For more flexibility, individual aspects of the software can be configured through the interface, allowing much better control of the behavior of the firewall. One neat feature is a traffic monitor interface that shows you incoming packets and their volume, as well as what is being handled by the firewall software under the rules you lay down. We found the traffic monitor especially helpful during denial-of-service attacks.
Firewall ProSuite worked well in our tests, denying all the usual attack methods when properly configured. There are still ways through the firewall if the configuration is incomplete, of course, and a smart hacker can probably detect weaknesses, but the default configurations will stop all but the most determined attempts. There is no VPN support in Firewall ProSuite, but many users will not miss it.
Phoenix Adaptive Firewall
Progressive Systems’ Phoenix Adaptive Firewall arrived installed on a Cobalt Networks Qube (a small, cube-shaped, turnkey gateway and web server running Linux). Since the operating system, all the support software, as well as the firewall application was already installed on the Qube we simply configured it as-is on our test network. Installing is simple: plug in the network connectors (internal and external), turn on the power, and use the back panel’s buttons and small LCD display to configure an IP address for the Qube. After a reboot, any machine on the internal network can enter the internal IP address in a web browser and the Phoenix Adaptive Firewall configuration screen appears. Setup time was five minutes. A three-fold single page instruction sheet contains everything you need to know to install the Qube and configure the IP addresses.
The Phoenix Adaptive Firewall documentation is acceptable, but lacks any screen captures and explanation of details behind the configuration options. If you don’t want to read the manual and jump right into the firewall configuration process, you’ll find the software very accommodating. The menu-driven system lets you configure every aspect of the firewall and the prompts and explanations are more than enough for most firewall setups.
Apart from the usual options for blocking specific protocols and services, packet filtering and blocking of port scanning and sniffing routines, you can also block specific file formats (such as RealAudio) from passing through the firewall. Of note is the setup for a VPN, which is excellent.
The “adaptive” in the product name would usually be interpreted as implying that the software learns from actions and adapts itself for future use. We didn’t find anything “adaptive” in our short-lived tests, but there may be features we didn’t uncover or learn from the manual. The Phoenix Adaptive Firewall can be purchased as a software package for many platforms, but after playing with the Qube and Phoenix Adaptive Firewall combination together I can’t think of any reason not to buy the combination.
The other software installed on the Qube is designed to act as a gateway and server for your network, and can be configured separately from the Phoenix firewall product. Since we’re not concentrating on gateway products here, we’ll ignore them but do recommend you check the Qube out: it’s a heck of a neat Linux-based turnkey system.
Stormix Storm Firewall
A search of linux.org for firewall software quickly turns up Stormix’ Storm Firewall. Designed for Storm’s own Storm Linux 2000 as well as Red Hat and Debian, Storm Firewall can be installed on top of an existing Linux setup or installed from scratch together with Storm Linux. (Storm Linux is a Debian-based distribution including KDE and GNOME.)
Storm Firewall is designed to be a relatively inexpensive firewall product that is easy to configure for those not interested in extensive manipulation of their firewall software. The installation routine is graphical and proceeds quickly with a minimum of prompts. If you are installing Storm Linux at the same time, the firewall and router software are loaded as part of the package. Naturally, you need a computer with two NICs (one internal and one to your ISP), and there’s the usual fuss of figuring out which NICs are properly supported. Installation of the Storm Linux operating system and firewall package proceeds as well as any other Debian-based Linux version.
The box for Storm Firewall contains two manuals, one for Storm Linux 2000 and one for the Firewall software itself. The Firewall document spends half its pages explaining the basics of networking, firewalls, and TCP/IP (which may or may not be of interest, depending on the reader’s knowledge level). After the installation procedure, only a few pages are devoted to the firewall software itself, yet they do the job for using the product.
Configuring the firewall software itself is made easier by the interface used. In fact, there are several ways to configure the firewall, depending on the level of expertise and granularity that you want to achieve. A firewall setup wizard takes the easy route, using default behaviors in response to a few choices. For more complicated setups, an advanced configuration routine lets you work at the chain level. Using the easy setup wizard could leave potential problems in the configuration, including susceptibility to denial-of-service attacks, although the risks are small.
There are several features about Storm Firewall we like. First, the inclusion of Storm Linux and the configuration wizard provide an almost install-and-forget approach to firewalls. There are some features that are useful, such as IP masquerading (where all the IP addresses inside a network can use the same IP address externally: not quite a proxy server but the same basic idea for hiding IP addresses). The rules available to limit the packets that are transmitted through the firewall are simple enough, although some advanced users will find they do not offer enough flexibility. There are also some features missing that would have been nice to see, such as proxying, virtual private networking, and packet type blocking.
Storm Firewall is aimed squarely at the low-cost market, and it does a very good job of providing a solid firewall product for that market. It’s not as talented and flexible as more expensive firewall products, but at its price point it is very good. The amount of protection Storm Firewall offers will suffice for home networks and many small companies, but it will be out of place in larger and more security-conscious environments.
All three firewalls did a very good job of blocking hack attempts, especially those generated by the readily available Linux or Windows based hacking tools. The testing process did show that the security of all these firewall products is very sensitive to the configuration. All three products allow quick and easy configuration of security setups based on simple questions and prompts, and the defaults these configurations create will suffice for many users. However, unless you are willing to spend the time to understand all the aspects of the firewall software, as well as the types of attempts hackers use, you will always have some vulnerability in your system. Manual configuration of the firewall is really the best way to prevent most hack attempts.
You can look at these three firewall products as a progression in both price and features. The Storm Firewall is the least expensive and a very good buy at its price. It will stop most attacks, and is the easiest to configure. NetMax ProSuite adds features and price, allowing blocking of more types of attacks, monitoring, and proxy serving. Phoenix Adaptive Firewall costs more and adds even more features. As mentioned earlier, you will find the Storm Firewall suitable for home networks and smaller commercial operations, but if you want better security you need to pay for it. The Phoenix Firewall software did the best job of stopping all the attacks we threw at it, letting our Web server continue operating when the other two firewall products could be overloaded resulting in denial-of-service. The amount of protection you need will depend on your purpose, how vulnerable you feel, and your budget. All three firewalls are suitable to the proper balance of these three factors.
Phoenix Adaptive Firewall
$895 (software only)
$2449 (software preinstalled on Qube)
Progressive Systems, Inc.
2000 W Henderson Rd.
Columbus, Ohio 43220
Summary: Excellent turnkey solution with the Qube, excellent firewall all by itself.
Storm Firewall
$99.95 (including Storm Linux)
10180 Telesis Court - Suite 165
San Diego, CA 92121
Fax: (858) 623-9140
Summary: Very good value in a firewall but missing some features larger networks may require.
NetMax Firewall ProSuite
Cybernet Systems Corporation
727 Airport Blvd.
Ann Arbor, MI 48108-1639
Summary: Good balance of features against price, very good management routines.
Sidebar: Hacking Tools
There are a wide variety of hacking tools readily available over the Internet that can be downloaded and run by anyone. The list below is a short summary of different tools and their purposes. All are Linux based. There are many more Windows and UNIX based hacking tools, as well.
Sniffers: Sniffer is a slang term for a protocol analyzer which can monitor network traffic, usually surreptitiously, and report potential holes and capture valuable information passing through.
Sniffers are a problem because they can capture login names and passwords (which many protocols of the day, such as telnet, FTP and POP, send in cleartext), as well as the data carried in the datagrams themselves. Sniffer attacks have caused more security problems than any other kind of attack (including Denial of Service).
There are several sniffers and related monitors designed specifically for Linux:
- linsniffer: captures usernames and passwords (easy to use, very good at the job)
- similar to linsniffer (easy to use, more details than linsniffer)
- similar to linsniffer but less output, easier to read; provides command tracking
- more output than linsniffer, very configurable, a complex tool to learn and use
- Angel Network Monitor (ANM): monitors all standard system services for timeouts, connection-refused messages and so on, as well as disk usage; more a system monitor than a sniffer; color-coded HTML output
- GUI-based sniffer with real-time capture or analysis of recorded data; can monitor SNMP and other protocols over Ethernet, Token Ring, FDDI, PPP and more
- watches ICMP packets
- IP Accounting Package: monitors IP and generates IP traffic reports
- gathers TCP connection packets and produces network statistics; can be used over many link types including PPP and SLIP
- KDE Network Statistics Utility: KDE-based network traffic monitor
To detect a sniffer on your own hosts, check the promiscuous-mode flag of all interfaces, or run a detector utility such as the Network Promiscuous Ethernet Detector (NEPED), which can find sniffing interfaces on a subnet. NEPED scans a subnet for interfaces in promiscuous mode, exploiting a quirk of older Linux kernels in which a promiscuous interface answered ARP requests that were not addressed to its own hardware address. NEPED can be fooled, and later Linux kernels fix that ARP behavior, which blocks this detection technique.
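The local half of that advice, checking the interface flags, is easy to script. The following is an added example, not a tool from the article: it parses the output of `ip -o link` (iproute2 on Linux) and reports every interface with the PROMISC flag set. A sniffer that puts a card into promiscuous mode sets this flag; a rootkit that hides it from userland does not, so a clean result is necessary rather than sufficient, which is why a remote check such as NEPED still has a place. The sample `ip -o link` output embedded below is constructed for offline use.

```sh
#!/bin/sh
# Added example: report interfaces whose PROMISC flag is set, from `ip -o link` output.
# Complements a remote detector (NEPED); a kernel-level rootkit can hide the flag.

# Reads `ip -o link` lines on stdin and prints one promiscuous interface name per line.
# With -o each interface is one record: "<idx>: <name>: <FLAG,FLAG,...> mtu ..."
promisc_ifaces() {
    awk -F': ' '
        # field 3 starts with the <...> flag list; field 2 is the name (may be "veth0@if5")
        $3 ~ /^<[^>]*PROMISC/ { sub(/@.*/, "", $2); print $2 }
    '
}

# Live check on this host: prints the result, exit status 1 if any interface is promiscuous.
check_host() {
    found=$(ip -o link show 2>/dev/null | promisc_ifaces)
    if [ -n "$found" ]; then
        printf 'promiscuous interface(s): %s\n' "$found"
        return 1
    fi
    printf 'no promiscuous interfaces\n'
    return 0
}

# Constructed sample of `ip -o link` output: eth0 is in promiscuous mode, eth1 is not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# Runs the parser over the constructed sample; returns "eth0".
sample_check() {
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
}

case "${1:-}" in
    live)   check_host ;;
    sample) sample_check ;;
esac
```

`sh promisc.sh live` on a real host prints the offending interfaces; because the parser anchors on the angle-bracketed flag list, a string such as PROMISC appearing elsewhere on the line (a qdisc or alias name) does not trigger a false positive.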
Scanners: a scanner is a security tool for detecting system vulnerabilities (such as empty password fields in /etc/passwd). Most scanners fall into one of two categories, system scanners or network scanners. System scanners examine the local machine for improperly set file permissions, default accounts that were never closed or deleted, and erroneous or duplicate UID entries.
The classic scanner is COPS (Computer Oracle and Password System), which looks for bad file, directory and device permissions, weak passwords, poorly applied security on the password and group files, inappropriate SUID/SGID bits on files, and suspicious changes in file checksums. Tripwire is strictly an integrity checker rather than a vulnerability scanner, but it belongs in the same toolkit: it records the permissions, checksums and modification dates of system files and directories, using more than one checksum algorithm so that an attacker cannot easily alter a file while preserving its signature, and alerts you when files have changed without your knowledge. The most commonly used scanner is crack, a widely available utility that finds easily broken passwords by running dictionary and user-ID-based guesses against the password hashes in /etc/passwd (or the shadow file).
Network scanners perform on an entire network, not just a single machine. The Internet Security Scanner (ISS) scans for obvious holes in network connections including TCP ports. There are two major releases of ISS available with different purposes, and both are often used for hacking. ISS can be set to different levels of analysis (light, medium, heavy) and there is an X-based version available (xiss) for those who like a GUI. The most famous network scanner is Security Administrator’s Tool for Analyzing Networks (SATAN) which scans IP networks for vulnerabilities. SATAN performs more tests than most network scanners and is available in character and GUI versions. An enhanced and updated version of SATAN is Security Administrator’s Integrated Network Tool (SAINT) which adds Web-oriented analysis and Denial of Service attacks to the routines.
Detecting scanners (running them against networks you do not own or administer is illegal in most jurisdictions) requires a tool that watches for typical scanner behavior. Linux-based scanner detectors include Courtney (a Perl script that detects SATAN and SAINT), icmpinfo (detects ICMP scans and ICMP bombs), Scan-detector (a generic UDP scan detector), Klaxon (detects port scans per service) and Psionic PortSentry (an advanced tool with many functions that can block scans in real time).
Spoofing: The traditional definition of spoofing is making one machine appear to another to be a host that the second one trusts, by forging packets that seem to come from that trusted host. The definition has since been expanded to cover any method of subverting address-based or hostname-based trust or authentication. There are many ways to spoof a network and we don’t have room to go into details here. Commonly available spoofing tools for Linux are: mendax (a tool for TCP sequence number prediction and IP address spoofing), ipspoof (a simple TCP and IP spoofing tool), spoofit (a C header library for adding spoofing capabilities to a program) and seq_number (a C library that adds sequence number exploitation to spoofing applications).
Denial of service: The basic definition of a Denial of Service attack is any action that incapacitates your host’s hardware, software, or both, rendering your system unreachable and therefore denying service to legitimate users. In a DoS attack the attacker’s aim is straightforward: knock your hosts off the Internet. DoS attacks are malicious (except when conducted as part of a security check) and also illegal. DoS attacks are persistent and common for two reasons: they are fast and easy to perform, and they produce an immediate, noticeable result. For these reasons DoS attacks are popular with novice hackers. They can also be difficult to trace to their origin.
Linux tools available for DoS attacks include: sesquipedalian (a C library that floods the IP fragment reassembly cache so that TCP packets can no longer be processed), nmap (a port scanner rather than a purpose-built DoS tool, but its SYN scan sends SYN packets followed by RST packets before any connection is established, and at speed the volume of requests can hang the inetd daemon) and mimeflood (a Perl script that floods Apache web servers, consuming all CPU resources and crashing the web server). Others include socket bomb (also called garbage), a C library that floods the standard UNIX/Linux garbage collection system with thousands of simultaneous entries (the default limit is 1,000), overwhelming the system and causing a kernel panic; time and daytime floods, which overwhelm the TCP time (port 37) and daytime (port 13) services; and teardrop, a C tool that sends overlapping IP fragments whose offsets yield a negative fragment length, crashing the kernel unless it has been patched to refuse them. There are about two dozen other DoS attack packages available for Linux!
There is no single cure for DoS attacks. In general, to limit them you should: disable directed-broadcast forwarding and replies to broadcast pings, use a firewall to filter (or rate-limit) incoming ICMP and UDP traffic, and validate TCP handshakes before committing resources to them (TCP intercept on routers, SYN cookies on Linux), dropping half-open connections after a short timeout. Packet filters should also drop packets carrying suspicious or impossible source addresses.
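On the firewall host itself, most of the advice above maps onto kernel settings. The following is an added example (not from the article or any of the three products) that records the desired values, applies them, and audits a host for settings that are still at unsafe values. The SYSCTL_ROOT variable is this example’s own knob: it defaults to the live /proc/sys tree but can be pointed at a scratch directory so the audit can be exercised without root.

```sh
#!/bin/sh
# Added example: kernel-side DoS hardening for a Linux firewall host, with an audit
# that reports which settings still differ from the desired values.
# Assumption: SYSCTL_ROOT is this example's own knob; it defaults to the live
# /proc/sys tree but can point at a scratch directory for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Desired values, written as proc-path=value (sysctl dots replaced by slashes):
#   icmp_echo_ignore_broadcasts  do not answer broadcast pings (smurf amplification)
#   tcp_syncookies               survive SYN floods without a backlog of half-open connections
#   tcp_max_syn_backlog          larger backlog before cookies kick in
#   rp_filter                    drop packets whose source is not reachable via the arriving interface
#   accept_source_route          refuse source-routed packets
#   log_martians                 log packets with impossible source addresses
dos_hardening_settings() {
    cat <<'EOF'
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/tcp_syncookies=1
net/ipv4/tcp_max_syn_backlog=2048
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/log_martians=1
EOF
}

# Write every desired value into the corresponding proc file (needs root on the live tree)
apply_dos_hardening() {
    dos_hardening_settings | while IFS='=' read -r key val; do
        printf '%s\n' "$val" > "$SYSCTL_ROOT/$key"
    done
}

# Compare current values with the desired ones; print each mismatch, return 1 if any differ.
# The here-document (rather than a pipe) keeps the loop in this shell so rc survives it.
audit_dos_hardening() {
    rc=0
    while IFS='=' read -r key val; do
        cur=$(cat "$SYSCTL_ROOT/$key" 2>/dev/null || echo missing)
        if [ "$cur" != "$val" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$val" "$cur"
            rc=1
        fi
    done <<EOF
$(dos_hardening_settings)
EOF
    return $rc
}

case "${1:-}" in
    apply) apply_dos_hardening ;;
    audit) audit_dos_hardening ;;
esac
```

Run `sh dos-harden.sh audit` from a cron job or a login script to catch settings that a reboot or a distribution upgrade silently reset; the values written with `apply` do not persist across reboots unless they are also placed in /etc/sysctl.conf.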
There are far more tools available to the hacker than there are tools to prevent them, and buttoning up a system requires a lot of knowledge from a system or network administrator. For this reason, security is almost always a catch-up affair.