Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas
Disclaimer Product names contained within are the copyright and trademark of their respective companies. For company names, please see the last slide of this presentation.
Agenda What is an appliance firewall? What technologies do they employ? What were we looking for? The successes we had The problems we discovered The future of network appliances Summary of information
What is an appliance firewall? Integrated hardware solution All software, including OS comes pre-loaded on the platform Network “black box” approach to security
Evolution Originated as firewall features added to routers Basic packet filtering –Source, Dest., Protocol Application specific proxies “Stateful Inspection” Appliance firewalls
What technologies do they employ? Network Address Translation (NAT) Most use packet filtering rules to determine packet access Some use “stateful inspection” to manage connections Some application proxy support –A few allow custom proxy creation *BONUS*
Some Have Other Helpful Features Built in application servers - mail, web, ftp DHCP support Built-in VPN capability - p2p and client based Strong authentication support URL/content blocking DMZ configuration alerting SNMP support
Management Functions Web based was easiest to use and allowed greatest flexibility Custom applications provided some ease, but lacked true remote management ability Direct cable solutions were poor and inflexible Worst case was a direct custom cable via SLIP
Our Mock Deployment Goal: Locate an appliance firewall that could protect our medium size business (500 users) from the Internet –Ease of deployment and management –Provide adequate security for internal systems –Allow external access to our mail and web servers –Alert us in the event of an attack
“Bonus” Features Good documentation Ease of maintenance Real time reports Content blocking SNMP alerting VPN between branches Failure recovery
Our Security Desires Extensive logging of successful connections, rejected packets and suspected attacks Immunity to Denial of Service attacks Protection against information gathering probes Initial deny all ruleset for access
The Starting Field Located 23 vendors whose products were appliances as defined by our process
Our Successes In no particular order... Phoenix Adaptive Firewall SonicWALL/DMZ PIX Firewall Firebox II Interceptor
Phoenix Adaptive Firewall Pros: –Excellent setup process using front panel –Management via web based JAVA applet –Many logging options –Alternate command interface allows access to underlying Linux OS Cons: –Crashed twice during rule application and changes –Access control ruleset management is a bit confusing
SonicWALL/DMZ Pros: –Excellent management interface –Integrated DHCP server –Predefined ruleset for most common applications –Good documentation Cons: –Cheap, lightweight feel and package design, afraid we were going to break it –Logging could be more robust, and sometimes misses events –Upgrade process is firewall replacement
Interceptor Pros: –Easy setup and management –Includes security auditing software –Excellent reliability and resistance to Denial of Service attacks Cons: –Nmap determined underlying OS –Logging failed to notice port scans –No ability to build custom application proxies
PIX Firewall Pros: –Configurable and useable logs –Great documentation –Amazing failover capability –Stable and resistant to Denial of Service attacks Cons: –Setup and configuration is very complex –Initial setup is serial cable only –Requires Windows NT to administer via GUI –No application proxies
Firebox II Pros: –Configuration and management is easy –Robust security and Denial of Service attack resistance –Adequate logging –Visual status determination is excellent Cons: –Management is via a dedicated application –Documentation was a bit unclear
Some Discoveries Several products were significantly less than what we considered a firewall –Some performed only NAT with no logging or access controls –Some were only point to point encryptors Logging, in general, was poor compared to other firewall platforms
Other Issues Most of the devices featured management that was difficult to use or “kludgy” at best Most of the devices had no automated system to manage failure Most of the devices did not notice or log attempted attacks in any format other than rejected packet information
Long Term Issues Upgrade process for most products is replacement Most appliances do not offer high speed connectivity options
The Future of Network Appliances Better management and configuration processes More configurable logging Integrated intrusion detection software Improvements in alerting methods
Summary of Findings Appliance firewalls can serve as a good resource for small and medium size businesses They can provide adequate security with ease of deployment and management They possess excellent width of product options but may lack in product depth
Companies and Products Phoenix Firewall by Progressive Systems SonicWALL/DMZ by Sonic Systems Interceptor by Technologic, Inc. PIX Firewall by Cisco Systems Firebox II by WatchGuard Technologies Please Contact Vendors Directly for Product Information
Thank You! Thank you for attending today, please contact me if you have any questions or comments at This presentation is copyright MicroSolved, Inc., All rights reserved. Complete results whitepaper will be available at