Device and Specialty Firewalls
Overview
There are two kinds of firewalls—software-based and hardware-based. The previous chapters have examined firewalls that run as applications on conventional operating systems such as Windows NT or versions of Unix. This chapter describes those firewalls that provide their own underlying operating system. With these firewalls you just turn them on, or (at most) insert a floppy disk and turn them on. Also in this chapter, we talk about a couple of firewalls that run on unusual platforms (for firewalls) such as AS/400 or NetWare.
The nicest thing about a device-based firewall is that you only worry about keeping one piece of software current—that of the firewall itself, usually in the form of a firmware update. You don't have to download operating system patches, new kernels, service packs, or security updates. This makes keeping the firewalls current considerably easier. It also gives you one vendor to point your finger at when a weakness is found.
Device-based firewalls are also often much easier to set up and get running than software-based firewalls. They arrive with the software already installed in the device, and all you have to do is give it valid IP addresses to use. Policy configuration is usually just a matter of installing and using a Windows application or web interface to manage the machine.
This chapter also covers those firewalls that run on standard computers (all PCs, actually) but do
not use a standard Unix distribution or Windows NT as their host operating system. Despite the
hype, Windows NT and Unix are not the only operating systems in existence. Firewalls for other
operating systems abound and are, in many cases, more secure.
Because these firewalls are based on unusual operating systems, hackers have not yet created a
trove of the various attacks against them, such as exploiting buffer overruns in the Unix sendmail
daemon or exploiting bugs in Internet Information Server on Windows NT platforms. Many of these
operating systems were uniquely developed by their vendors to support a specific firewall product,
so they are completely proprietary. This lends a strong measure of "security through obscurity," and
keeps the hordes of typical hackers (those who merely read and repeat known attacks rather than
developing new ones) completely at bay.
Obscurity has its price, however. Almost all firewalls of this type require unique adapter drivers and will only work with specific adapter models. Patches for these firewalls are rare, so if an exploit for one of them is developed, it usually takes until the next revision of the software before it's fixed. Some of these firewalls operate on platforms with arcane user interfaces that you may not be familiar with.
These firewalls also suffer from a lack of complete features. They are either based on generic SOCKS proxies or stateful inspection, and usually do not provide any support for the opposite type of firewall. The firewalls also suffer from a generational lag behind the firewalls developed for Unix and NT because software is much harder to develop for smaller-market operating systems.
NetWare is well entrenched in the server market, and thousands of "red" (Novell-only) networks exist. Managers in these environments rightly balk at the requirement to become an expert in a foreign operating system for the sole purpose of establishing a firewall. Novell markets a very strong firewall that runs on NetWare called BorderWare for these environments.
The mainframes of yesteryear have been converted to the application servers of today. VAX and AS/400 machines running VMS and OS/400 now serve as web servers, e-mail hosts, and e-commerce engines. They also require protection, so there are firewalls available for them.
I've rolled these smaller-market operating systems together into a chapter because of the limited fields they represent. In many cases, the firewalls I profile here are the only serious firewalls available for the platform shown.
Keep in mind that your choice of application or file server doesn't constrain your choice of firewall—you can use an NT firewall in a Novell network and a Unix firewall to protect an AS/400. Because of the high cost of small-market software, it's usually more economical to use a larger-market platform for generic services like firewalling. To run an OS/400 firewall on the AS/400 will cost you tens of thousands of dollars, compared to the few thousand for a robust PC. These costs should be balanced against the cost of training administrators on an unfamiliar operating system and the security risk of operating a firewall in an environment that may not be completely familiar.
SonicWALL
If you want the no-holds-barred easiest-to-use firewall you can buy, get a SonicWALL. You just drop it in, point a web browser at it to configure it, and then use it. There's not a whole lot to configure, just the interface addresses and what ports you want to let in and out. If you want a VPN, you set up the shared secret IKE keys and the hosts to allow, and then, again, you just use it.

Pros
• No hardware or software required
• Strong stateful inspection
• Simple configuration
• Highly reliable
• Highly compatible VPN
Cons
• No true Application-level proxying
SonicWALL devices are the closest things you'll find to a true plug-and-play, install-and-forget firewall. For environments without on-site support staff, they are the way to go since they're very easy to manage remotely and unlikely to suffer from failures that can't be corrected remotely. We routinely update the firmware on these devices remotely and have never run into any significant problems.
Major Feature Set
The SonicWALL Firewall provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Secure authentication (IPSec/IKE, certificates, RADIUS Server)
• VPN (IPSec/IKE)
• VPN Client Software (Windows 98/NT/2000/XP)
• Firewall high availability
• Logging including syslog and e-mail notification
The most obvious feature missing in the major feature set of the SonicWALL is proxy services. If
you need to strip viruses from mail attachments, then you'll have to install a separate proxy server to
do it.
The DMZ support includes a nice feature—the DMZ hosts supported can be configured to be in the same (public) IP subnet that the firewall itself resides in. The SonicWALL must of course be installed between the DMZ Ethernet and the public Internet connection, but that way it can transparently redirect and filter traffic between the DMZ and the Internet. With a SonicWALL, you do not set the IP address of the DMZ interface because it is set to be the same as the public interface, even though it is a physically separate connection.
Minor Feature Set
The SonicWALL Firewall supports the following minor features:
• Scan detection, spoofing detection, and automatic blocking
• Limited HTTP content filtering
• DHCP
• Graphical administration
• Remote administration
• SYN-flood protection
• Anti-spoofing control
• High performance
The nicest thing about the SonicWALL is its web interface. You don't have to install any special software to configure it, and you can manage it from any machine in your LAN that has a Java-capable web browser, including Unix or the Macintosh (which is an important feature for those few institutional holdouts that haven't caved to the Microsoft monopoly). Most other device-based firewalls require you to install Windows-specific software to control them. You can even manage the SonicWALL from outside your network if you have configured the VPN properly and enabled the feature.
Installation, Interface, and Documentation
The SonicWALL is pretty much plug-and-play, with minimal web configuration. Chapter 11, "Configuring a Real Firewall," covers SonicWALL in detail because it is the "real firewall" used in the chapter. In summary, the installation is easy, the interface is simple, and the documentation is straightforward, if a little shallow. Figure 19.1 shows the SonicWALL web configuration interface.
Figure 19.1: SonicWALL's web interface is the easiest to use that we've seen.
Security
A SonicWALL is a complete Layer 3 (Network-layer) firewall. It does not do Application-layer proxying or content filtering. It has a simple HTTP filter included that can strip Java, ActiveX, and cookies, but no more than that. Its packet filter, port blocking and redirection, and VPN configuration are first rate and easy to configure.
Cost and Support
SonicWALL is neither cheap nor expensive, but when you add up the hardware and software costs for anything but a free-software firewall (see Chapter 16), the SonicWALL is very competitive in price. And if you instead add up the time and effort needed to configure a free-software firewall, you'll most likely find that SonicWALL is still comparatively cheap. SonicWALL's technical support is a little anemic, but there's not much to go wrong with the device anyway.
The devices range in price from about $400 for the SOHO small 10-user devices to around $3000 for the PRO VX (which is the most useful and should be considered the baseline device for protecting a real network), all the way up to $27,000 for the top-of-the-line SonicWALL GX 650. One thing to keep in mind at the time of this writing: the Client VPN licenses for SonicWALL cost around $70 each, and the VPN upgrade for the SOHO and XPRS firewalls (to enable the VPN connectivity) is also around $500. The PRO devices and up all come with VPN enabled.
One nice thing about SonicWALL that distinguishes it from the WatchGuard Firebox (see later section in this chapter) is that the SonicWALL firewalls are essentially the same in configuration and use from the bottom of the line (the SOHO units) all the way up to the top-of-the-line GX 650. They merely add a few features and use faster hardware as you go up the product line. The interface is the same from box to box. The smallest WatchGuard (the Firebox SOHO) is really a completely different device from the excellent Firebox 1000 and is configured and interfaced to separately (via the Web instead of by a Windows client application).
WatchGuard Firebox 1000
If you want a full-featured proxying firewall that doesn't take a rocket scientist to set up, the WatchGuard Firebox may be just what you're looking for. This product vies with the SonicWALL in price, capabilities, and ease of use, and just by looking at the two firewalls it's obvious that they're fighting over the same market segment. Of the two, the SonicWALL is easier to configure (requiring only a web browser on a client inside the network), while the WatchGuard includes support for proxying and content filtering that the SonicWALL does not.

Pros
• No hardware or software required
• Strong Application-layer inspection
• Strongest device-based firewall
• Highly reliable
Cons
• Can only be managed from Windows clients
We had to scrape to come up with a negative for the above table—this device functions exactly as a theoretically perfect firewall would. It contains no significant failure components so it's reliable, yet it performs strong Application-layer filtering and is easy to administer. The interface isn't quite as easy as the SonicWALL devices, but it allows you to perform real-time monitoring that the SonicWALL can't. And when you consider that these devices cost about the same, they're the firewall of choice for higher-security environments with more experienced staff.
Major Feature Set
The Firebox 1000 provides the following major features:
• Packet filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Proxies (DCE-RPC, FTP, H.323, HTTP, RealNetworks, RTSP, SMTP, StreamWorks, VDOLive)
• Secure authentication (Proprietary, Windows NT, RADIUS, SecurID, and CRYPTOCard)
• VPN (proprietary, DES, 3DES, IPSec/IKE, PPTP)
• VPN client software (Windows 98/NT/2000/XP, Unix, Linux)
• Bandwidth control and quality of service
• Logging and e-mail notification
The most impressive aspect of the Firebox 1000 is its built-in proxy support, a feature not found in other device-based firewalls (i.e., firewalls that don't expose you to the underlying operating system). Its VPN support, network address translation, packet filtering, and DMZ support are all first rate, but the same could be said of most other firewalls of its class. VPN support, which just a couple of years ago was a novelty in a device-based firewall, is now the order of the day—certainly in the future everybody's "drop-in firewall" will have built-in proxying, but if you want it now and you want it easy to use, the Firebox 1000 is pretty much it.
Minor Feature Set
This firewall supports the following minor features:
• Network-transparent drop-in configuration
• Content filtering (Java, virus scanning, URL blocking)
• Scan detection, spoofing detection, and automatic blocking
• DHCP
• Graphical administration
• Remote administration
• Centralized administration
• SYN-flood protection
• Anti-spoofing control
• Real-time monitoring and reporting
• Policy-based configuration and management
• High performance
Proxying is only half of securing ports for Application-layer protocols like HTTP, SMTP, and FTP. Proxying is important because it makes sure that the ports are being used for the protocols they were meant for, but it does not protect interior computers from malicious content (such as devious ActiveX controls and viruses) that is sent via those protocols. Content filtering is the other half of securing the ports, and the Firebox does that as well.
The Firebox is also good at incident detection—telling you when you're under attack (and what kind of attack you're facing). The real-time graphical monitor is nice to watch—you can see traffic pattern changes as they happen. The lights on the front of the box are also helpful and intuitive: it is obvious at a glance how much traffic is flowing to or from the DMZ and the Internet, the protected LAN and the Internet, or between the DMZ and the protected LAN.
A nice feature of the WatchGuard 1000 firewall is that if you already have a publicly routed subnet that you want to protect, then you can place the firewall in "drop-in" mode—where it is given an IP address on that subnet (rather than being set up as a router for that subnet), and it transparently intercepts the traffic between that subnet and the Internet. You have to place it connection-wise between the subnet and the router, but you don't have to reconfigure the clients or the router to protect your LAN.
Installation
After installing a number of command-line-based free firewalls (see Chapter 16) and firewalls that run on top of Unix or Windows (see Chapters 17 and 18), installing and configuring the Firebox 1000 was a breath of fresh air. The graphical Windows application for administration was a breeze to install and use. After setting the IP addresses of its interfaces and giving it a range to supply for DHCP, the box was ready to use in a minimally configured state.
Security
A Firebox 1000 that is fully locked down with proxies in place is about as secure as you're going to
get with a modern firewall. Perhaps OpenBSD does a better job of obfuscating TCP sequence
numbers, perhaps Gauntlet has a better set of proxy services, but for the price and ease of use
there's no comparison. Because the Firebox is based on Linux, its TCP sequence number generator
is considerably more random than most devices.
Interface
The Windows client application that comes with the firewall for administration is easy to set up and use. The only easier way to administer a firewall is through your web browser (SonicWALL does this, as do the majority of the little home-office firewalls), because the management application limits you to configuring the machine from Windows (as opposed to, say, Solaris). See Figure 19.2 for a view of the Firebox management interface.
Figure 19.2: Firebox's rule-based interface
The Windows application does have the advantage that you can do more from it, including real-time monitoring of the status of the firewall. The policy-based rule editor is also easy to use, including allowing you to save a policy locally before uploading (so you can test out new configurations, for example, and fall back if they're too restrictive).
Documentation
The installation booklet provided with the firewall concisely and clearly walks you through the process of installing the firewall, but you'll have to look to the documentation supplied on the CD in PDF format for instructions on how to make policies to really secure your network.
The PDF documentation walks you step-by-step through using every feature of the Firebox, including establishing policies, setting up VPNs to other Fireboxes and to remote Windows clients, blocking URLs, and setting up content filters. It doesn't go into great detail explaining why you would do any of these things, but another book (such as this one) can tell you what to do to protect your network; the Firebox documentation will tell you how to do it.
Cost and Support
A WatchGuard Firebox is not cheap; at the time of this writing the Firebox 1000 will cost you about $3000. Getting the top-of-the-line model (a model 4500) can cost $7700. The support is good though, including (in addition to your regular dial-up support) online documentation, questions and answers, and a web-based forum on which customers can exchange problems and solutions.
The home unit, which is really a different device entirely but can be used to establish a VPN connection to a model 1000, costs about $300, though the VPN upgrade for it costs another $400.
Elron Firewall
Elron Firewall is available on its own proprietary operating system and was ported to Windows NT in its latest edition. I find the port to NT interesting in light of the fact that Elron considers their secure OS to be one of the primary features of their firewall.

Pros
• Fast stateful inspector firewall
• Includes VPN
• Supports IPX
• Minimal hardware
Cons
• No proxy servers
• Adapters limited to 3c905 Ethernet
• Poor user interface design
Elron employs multilayer stateful inspection rather than proxy servers for filtering in the Application layer. This is somewhat similar to Firewall-1's support for HTTP and FTP filtering. Filtering in the Application layer is capable of blocking numerous attacks, but filters may not recognize certain attacks that a proxy would never forward, because a proxy re-creates the request rather than passing the original packet on. In other words, filtering still passes the originally formed packet, so undetected malformations can still be routed through. Multilayer filtering is considerably more secure than Network-layer filtering alone, but not as secure as Application-layer proxies.
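To make that distinction concrete, here is an added example (not from the book or from Elron) contrasting the two designs on constructed HTTP requests: a signature filter that forwards any request it does not recognise byte-for-byte, and a proxy that parses the request and rebuilds it, so a malformation the signature list has never seen is forwarded by the first and refused by the second. The signature list, the allowed methods and the sample requests are all assumptions made for the demo.

```python
import re
from typing import Optional

# Constructed signature list for the inspection filter: it rejects request
# shapes it has seen before (here a single path the policy forbids).
KNOWN_BAD = [re.compile(rb"^GET /private/", re.I)]
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 header-name chars


def inspect_and_forward(raw: bytes) -> Optional[bytes]:
    """Stateful-inspection style: compare the payload to known patterns.
    Anything that matches no pattern is forwarded exactly as received."""
    for pattern in KNOWN_BAD:
        if pattern.search(raw):
            return None          # a recognised shape: dropped
    return raw                   # the original bytes pass through intact


def proxy_and_forward(raw: bytes) -> Optional[bytes]:
    """Proxy style: parse the request into fields and rebuild it. The inner
    host only ever receives bytes the proxy itself produced, so anything
    the parser cannot account for is never forwarded."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None              # no well-formed end of headers
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if method not in ALLOWED_METHODS or version != b"HTTP/1.1":
        return None
    if not target.startswith(b"/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            return None          # malformed header line: refuse, do not guess
        headers[name.lower()] = value.strip()
    try:
        declared = int(headers.get(b"content-length", b"0"))
    except ValueError:
        return None
    if b"host" not in headers or len(body) != declared:
        return None
    if target.lower().startswith(b"/private/"):
        return None              # same policy decision as the filter
    rebuilt = b"%s %s HTTP/1.1\r\n" % (method, target)
    rebuilt += b"".join(b"%s: %s\r\n" % kv for kv in sorted(headers.items()))
    return rebuilt + b"\r\n" + body


# Constructed sample traffic.
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
KNOWN_ATTACK = b"GET /private/data HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Never seen by the signature list: the Host line lacks its colon. No
# pattern fires, so the filter forwards it verbatim; the proxy refuses it.
UNKNOWN_MALFORMED = b"GET /index.html HTTP/1.1\r\nHost www.example.com\r\n\r\n"


def compare(raw: bytes) -> dict:
    """Outcome of both designs for one request: the forwarded bytes or None."""
    return {"filter": inspect_and_forward(raw), "proxy": proxy_and_forward(raw)}


if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("known", KNOWN_ATTACK),
                       ("unknown", UNKNOWN_MALFORMED)]:
        print(label, compare(req))
```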
Elron Firewall running on its own operating system is not subject to standard operating system vulnerabilities. Although a proprietary operating system is not necessarily more secure than a standard operating system, few hackers attempt hacks against operating systems that are not widely deployed, so the firewall is not vulnerable to most of the exploits developed by hackers. Since services superfluous to firewalling (like file and print sharing) are not provided, no holes exist in the operating system.
Elron Software maintains that, because 32OS source code has not been released to the public, there is virtually no possibility that hackers will be familiar with it. While this may be true to some extent, good hackers can read machine language source code through a process called disassembly, where the binary image is turned back into human-readable assembly language. While assembly language is not nearly as clear as the C programming language (relatively speaking), hackers who are familiar with the i386 microprocessor and its descendants could read it and thereby understand in detail the operation of a piece of proprietary software. I've done it, and so can any decent programmer. Though software based on a proprietary operating system will keep the masses at bay, security through obscurity should never be relied upon. Note also that 32OS uses MS-DOS as a boot loader, and could therefore be susceptible to certain types of RAM-resident viruses.
Elron's documentation describes some alarming problems that can happen when the firewall runs out of memory, including losing Network Address Translation addresses, which would cause translated connections to be lost. While neither fatal nor a security risk, these sorts of problems are the result of using proprietary operating systems that aren't completely thought out.
Hardware requirements for the Elron Firewall are (SecureOS Version):
Connections <1.5Mb/sec (T1)
• 486DX2/66
• 8MB RAM
• 200MB hard disk drive
• MS-DOS 6.22
• Two or three 3C905 10/100 NICs
• Floppy drive
Connections >T1
• Fastest possible processor
• 16MB RAM
Requirements for the management station are:
• Windows 9x or NT
• 50MB available disk space
• 16MB RAM
Major Feature Set
Elron Firewall provides the following major features:
• Stateful inspection packet filter
• Network Address Translation
• Encrypted authentication
• Virtual Private Networking
Elron Firewall's stateful inspection filter is unique in that it is capable of filtering the application (payload) portion of a packet for known content. The firewall compares packets to bit patterns of previously filtered packets before passing the packet into the protected network. This ensures that unknown deformations of packets will be filtered out.
Elron Firewall's NAT option supports IP address hiding only by using the Firewall's IP address. This
provides an upper limit of about 64,000 outbound connections, but that's generally high enough that
this limitation is not serious for most organizations.
User authentication clients are provided for Windows 9x and NT. Authentication is password-based and supports RADIUS and CHAP authentication. The user authentication software also supports periodic authentication.
The included VPN option provides IP-in-IP tunneling, which provides a measure of internal security by hiding the true source and destination addresses. IPSec is used to encrypt the encapsulated IP packet.
Elron makes two completely separate Application-layer filters called the InternetManager (HTTP) and the MessageInspector (e-mail, news, and FTP). These products run on their own Windows NT server and work with any firewall or security service. The MessageInspector filter performs powerful keyword string matching and statistical analysis (for spam filtering) to block e-mail, newsgroups, and FTP downloads.
Minor Feature Set
Elron supports the following noteworthy minor features:
• IP and IPX filtering
• VPN continuous key regeneration
Elron supports both IP and IPX filtering. IPX filtering is not usually a big concern unless you run a
large IPX network where internal security between divisions is important. For most enterprises, IPX
filtering is not a function required of bastion hosts. The firewall also supports IPX bridging
(forwarding all IPX packets transparently and irrespective of their contents), which is not a security
function and reduces the security posture of your network.
The continuous key regeneration feature provides a facility somewhat akin to Kerberos ticketing. After an established amount of VPN traffic has passed between two firewalls, the firewalls will both generate new keys and exchange them. This reduces the time for which a brute-force-decrypted key would be useful, thus moving the probability domain for a brute-force attack from highly unlikely to practically impossible.
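As an added illustration (not the book's or Elron's code), the following simulates the rekeying policy just described, a fresh key after a fixed amount of tunnel traffic, and measures how many packets a single recovered key exposes. The tunnel, its toy cipher and the traffic are constructed for the demo; the 4096-byte threshold and the way new keys are agreed are assumptions, since the exchange itself is out of scope.

```python
import hashlib
import hmac
import secrets

REKEY_AFTER = 4096    # assumed threshold: bytes of traffic per key epoch


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream for the demo only: HMAC-SHA256 over (packet sequence
    number, block counter), so no keystream block repeats under one key.
    A real VPN would use IPsec's ESP transforms, not this."""
    out = bytearray()
    block = 0
    while len(out) < length:
        nonce = seq.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class RekeyingTunnel:
    """One direction of a VPN between two firewalls. Both ends start from
    the same session key; once rekey_after bytes have been sent under it,
    a new key independent of the old one takes over. The exchange of that
    key is out of scope here, so it is simply generated at random."""

    def __init__(self, initial_key: bytes, rekey_after=REKEY_AFTER):
        self.rekey_after = rekey_after
        self.epoch = 0
        self.key = initial_key
        self.sent_in_epoch = 0
        self.seq = 0
        self.keys = {0: initial_key}   # epoch -> key, kept only for the demo

    def send(self, packet: bytes) -> tuple:
        """Encrypt one packet; returns (epoch, seq, ciphertext)."""
        if (self.rekey_after is not None and self.sent_in_epoch > 0
                and self.sent_in_epoch + len(packet) > self.rekey_after):
            self.epoch += 1
            self.key = secrets.token_bytes(32)
            self.keys[self.epoch] = self.key
            self.sent_in_epoch = 0
        ct = xor(packet, keystream(self.key, self.seq, len(packet)))
        record = (self.epoch, self.seq, ct)
        self.seq += 1
        self.sent_in_epoch += len(packet)
        return record


def decrypt(key: bytes, seq: int, ct: bytes) -> bytes:
    return xor(ct, keystream(key, seq, len(ct)))


def exposure(n_packets: int, size: int, compromised_epoch: int,
             rekey_after=REKEY_AFTER) -> tuple:
    """Send n_packets of `size` bytes, then assume an attacker has brute-
    forced the key of one epoch. Returns (packets sent, packets readable
    with that key). With rekey_after=None every packet is readable."""
    tunnel = RekeyingTunnel(secrets.token_bytes(32), rekey_after)
    plain = [secrets.token_bytes(size) for _ in range(n_packets)]
    records = [tunnel.send(p) for p in plain]
    stolen = tunnel.keys[compromised_epoch]
    readable = sum(1 for p, (_, seq, ct) in zip(plain, records)
                   if decrypt(stolen, seq, ct) == p)
    return n_packets, readable


if __name__ == "__main__":
    print("no rekeying:", exposure(10, 1000, 0, rekey_after=None))   # (10, 10)
    print("rekey every 4096 bytes:", exposure(10, 1000, 1))          # (10, 4)
```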
Interface
Elron Firewall is configured remotely through a Windows-based policy manager. The firewall itself is initially configured using the firewall management software on a Windows computer and transmitted to the firewall located on the same Ethernet collision domain.
The user interface bespeaks an amateurish attempt at design, suffering from such problems as a non-sizeable main window that takes up the entire screen and the use of purely modal dialogs throughout the software, which prevents you from seeing two content windows at the same time. There seems to be an unwritten rule in the firewall industry that user interfaces aren't worthy of programming effort. Figure 19.3 shows the clunky management interface.
Figure 19.3: The Elron Firewall Management Interface
The interface is not particularly easy to use since it doesn't conform to any specific interface methodology. In some cases, you right-click to access features, while in others you double-click. There's also no indication of which interface elements can be activated and which can't.
Security
Elron Firewall's multilayer inspection filter is the heart of the firewall. The multilayer filter is interesting because it can filter content in the Application layer to reject unrecognized information. The level to which this functionality is actually used varies from protocol to protocol, but administrators can customize it on a per-protocol basis.
Customizing the firewall is not easy and requires a solid knowledge of TCP/IP and firewalling. If
you've read through this book so far, you'll have no problems.
Elron Firewall running on 32OS should be considered hardened, since no OS-specific exploits are known for the operating system. This makes it equivalent at least to a Windows NT installation with no extra services running, no extra user accounts, and in a state of complete lockdown where additional software (like Trojan horses) cannot be installed.
Hardened operating systems are operating systems in which no extraneous services or exploitable
mechanisms exist because the operating system simply doesn't support them, or in which all
software functions not directly related to supporting the firewall have been disabled. Hardening an
OS reduces considerably the number of vectors a hacker can attempt to exploit, and thereby
dramatically improves the security posture of the firewall system.
Documentation, Cost, and Support
Documentation is provided in PDF format and is very strong. It is highly task-oriented, containing detailed procedures for performing most firewall administrative tasks, yet adequately covers the theory behind the features used. Most administrators will have no trouble getting the firewall up
