Unix Firewalls
A version of Unix exists for every microprocessor being mass-produced today and for nearly every type of computer. Unix is the closest thing to a universal operating system that has ever existed. You can load many kinds of Unix (Solaris, Linux, BSD, etc.) on your PC; you can get OS X, Linux, or BSD for your Macintosh; you can run Unix on your IBM mainframe, your Cray supercomputer, or your VAX, if you still have a VAX. You can even get Unix for your iPAQ pocket computer.
Most commercial versions of Unix (and all the versions discussed in this chapter) are based on the original AT&T Unix, whereas most open-source Unixes are based either on the Unix derivative developed somewhat independently by the University of California at Berkeley, or on Linux, a completely independent version of the Unix operating system that was designed to be compatible with both AT&T's Unix and Berkeley's Unix. A program written for one version of Unix will probably compile and run on another version of Unix with just a little porting effort, so if you're looking for a firewall for your specific brand of high-performance workstation, you might find it in this chapter.
Computer Associates eTrust Firewall
In really big networks containing hundreds or thousands of computers, the task of administering all those clients and servers can be overwhelming. Computer Associates developed the Unicenter TNG suite of tools to help network administrators centrally administer a large number of network devices, including client workstations, file servers, messaging servers, network devices, routers, and firewalls. The portion that implements a firewall for Unicenter-managed networks is the eTrust firewall, formerly designated the Network Security Option for Unicenter TNG, or GuardIT.
The eTrust firewall runs on various versions of Unix and on Windows NT. Unicenter provides for centralized management of multiple eTrust firewalls distributed throughout your enterprise, providing ease of configuration and use as well as a consistent security policy for your network. Because eTrust ties into the rest of the Unicenter resource management tools, you can combine user authentication and resource access rules with the typical address and port restrictions of packet filtering.
The eTrust firewall provides stateful packet inspection, Network Address Translation, packet inspection and rewriting for supported protocols, generic proxying for redirectable protocols, and centralized authentication. The sophisticated security event monitoring, logging, and response features of this firewall even allow for automatic reconfiguration of the security policy when suspicious or threatening activity is detected, which allows the system to lock itself down and gives you time to respond to the problem.
Pros:
• Runs on Unix and NT
• Integrates with Unicenter
• Centralized management
• Strong remote management
• Fast and flexible
Cons:
• Cost
• Requires Unicenter TNG
• Long learning curve
The platform requirements are as follows:
• Intel Pentium microprocessor or Unix workstation of equivalent power
• 64MB RAM (128MB recommended)
• 500MB hard disk drive, additional for caching
• Unix or NT
• At least two network interfaces
Major Feature Set
The major features of eTrust include the following:
• Packet Filter (stateful)
• Network Address Translator (dynamic, static)
• DMZ support
• Port redirection
• Proxies (HTTP, FTP, RealAudio, etc.)
• Transparent proxies
• Reverse proxies (HTTP, SMTP, FTP, etc.)
• Secure authentication (NT Server, RADIUS Server)
• Logging to databases and e-mail notification
The included stateful inspection filter is very strong and comparable to the stateful inspection services provided by Checkpoint Firewall-1. Network Address Translation is built into the stateful inspector.
The proxy functionality of eTrust doesn't really occur at the Application layer; protocol payloads are rewritten directly by the stateful inspector rather than being handed off to a separate Application-layer service that regenerates the connection in its entirety. Rewriting provides much the same benefit: portions of the protocol that the firewall doesn't know about can't be rewritten, and parameters such as proper buffer length can be checked to prevent buffer overrun conditions.
Minor Feature Set
Some of the minor features of eTrust include the following:
• Content filtering (Java, Virus Scanning, URL blocking) through the additional eTrust Content
Inspection and eTrust AntiVirus packages
• Scan detection, spoofing detection, and automatic blocking through the additional eTrust
Intrusion Detection package
• Graphical administration
• Remote administration
• Centralized administration
• Integration with overall enterprise management tools
• Transparent ARP support
• SYN flood protection
• Anti-spoofing control
• Real-time monitoring and reporting
• Policy-based configuration and management
• Calendar support
A central policy-based management application (Unicenter TNG) provides strong centralized management for the firewall. Policies can easily be created and applied across the enterprise from the Unicenter control application. Unicenter TNG also provides a platform for strong integration with the other IT management options available for the system and provides the foundation for the log, alert, event detection, and response features.
The calendar support of the eTrust firewall is a useful feature that allows you to change the firewall policy based on the time. For example, you could significantly restrict outbound communications from your protected LAN after working hours, when users are not expected to be using the network. Violations can be logged and investigated as potentially compromised computers opening a back channel to outside hosts.
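The after-hours rule just described, worked through as an added example (not CA's code or configuration): a constructed calendar policy is evaluated over constructed connection records, and the function returns the records a defender would log and investigate as a possible back channel.

```python
"""Calendar-based outbound policy of the kind eTrust's calendar support
provides. Added example, not CA code; the log format below is constructed:
  <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>
"""
from datetime import datetime, time

# Constructed policy: outbound traffic to the Internet is allowed only
# 08:00-18:00 Monday to Friday; internal destinations and DNS are exempt.
WORK_START, WORK_END = time(8, 0), time(18, 0)
WORK_DAYS = {0, 1, 2, 3, 4}          # Monday=0 ... Friday=4
ALWAYS_ALLOWED_PORTS = {53}          # DNS is needed around the clock
INTERNAL_PREFIX = "10.0.0."

# Constructed connection records (2001-03-05 is a Monday, 03-10 a Saturday).
SAMPLE_LOG = """\
2001-03-05T10:15:00 10.0.0.21 -> 192.0.2.10:80
2001-03-05T22:40:12 10.0.0.21 -> 192.0.2.10:80
2001-03-10T14:02:33 10.0.0.7 -> 198.51.100.5:25
2001-03-06T02:11:09 10.0.0.7 -> 10.0.0.8:53
2001-03-06T02:11:10 10.0.0.7 -> 203.0.113.9:6667
"""

def in_work_hours(ts: datetime) -> bool:
    return ts.weekday() in WORK_DAYS and WORK_START <= ts.time() < WORK_END

def parse_line(line: str):
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def evaluate(line: str) -> str:
    """Return 'allow' or 'deny' for one outbound connection record."""
    ts, _src, dst_ip, port = parse_line(line)
    if dst_ip.startswith(INTERNAL_PREFIX) or port in ALWAYS_ALLOWED_PORTS:
        return "allow"
    return "allow" if in_work_hours(ts) else "deny"

def after_hours_violations(log: str) -> list:
    """Records the calendar rule denies: the ones to investigate as a
    possible back channel from a compromised internal host."""
    return [rec for rec in log.splitlines() if rec and evaluate(rec) == "deny"]

if __name__ == "__main__":
    for rec in after_hours_violations(SAMPLE_LOG):
        print("DENY/LOG", rec)
```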
Interface
With eTrust, there is a graphical interface for both Windows NT and Unix. Firewalls appear as resources to be administered from the Unicenter administration suite. Because eTrust uses the same framework as all of the other Unicenter options, administrators in a Unicenter shop will find the interface friendly and comfortable.
The graphical interface makes it easy to set up rules and enable or disable specific services for particular computers or users. The security objects are integrated with the other components of the Unicenter system (such as the Single Log On option), sparing you the effort of both establishing user account information and recording security restrictions in multiple locations.
Security
The eTrust firewall uses a stateful inspection packet filter, which keeps track of connection
information across multiple packets. These include UDP packets, which do not retain session
information. The packet filter checks all the typical IP packet features such as source and
destination addresses, port numbers, options set, SYN bit, ICMP messages, and so on. In addition,
the packet filter can integrate into its rule set additional information obtained from the rest of the
Unicenter framework, including user identity, allowed access times, and network resource
restrictions. The firewall checks every packet before the IP stack processes it, thereby blocking
attacks against the firewall itself using malformed and maliciously constructed IP packets, such as
the Ping of Death, teardrop attacks, and so on.
One performance advantage of the firewall is that it can perform the equivalent of protocol proxying
for some protocols by directly manipulating the IP packets, rather than handing the packets off to a
separate proxy server application. This provides for much faster proxying and therefore increased
throughput and reduced latency between your network and the Internet. The firewall also provides
for generic port redirection and integration with the Internet Web Management option to Unicenter
TNG.
Documentation, Cost, and Support
Using eTrust requires a Unicenter TNG network infrastructure, which is designed for larger
businesses. Because pricing varies widely and depends largely upon your Unicenter infrastructure,
there's no meaningful way for us to provide pricing information. Contact a CA sales representative
directly to obtain pricing information if you use or want to use Unicenter TNG.
Tip You can get more information about Unicenter TNG from Computer Associates.
SecurIT Firewall
The SecurIT firewall from SLM (formerly MilkyWay) is available for both Unix and NT. This firewall, like the free TIS FWTK described in Chapter 16, does not perform any packet filtering. Instead it provides Application-level proxies for each of the protocols that will pass from the internal network to the Internet. Also like FWTK, the SecurIT firewall uses authentication to provide user-based as well as IP-address-based access control. Where SecurIT really shines, however, is in the wide variety of protocols it "scrubs" or provides proxy redirection for. In addition to the proxies, SecurIT has a strong VPN component that allows you to establish encrypted IP tunnels between your protected LANs over the Internet.
Pros:
• Runs on Unix and NT
• Supports a wide range of protocols
• VPN
• Centralized authentication
• High-speed application proxying
Cons:
• No packet filtering
• NT version does not harden OS
• Cost
• Difficult to acquire
Platform requirements for SecurIT Firewall include the following:
• SunSparc 5 or any Ultra-SPARC, Intel Pentium
• 2GB hard disk drive
• 32MB RAM
• PCI Quad adapter
• 2 or more network cards
• CD-ROM drive
Major Feature Set
SecurIT provides the following major features:
• Bidirectional transparent proxy services for a wide variety of protocols
• VPN between SecurIT protected networks
• DMZ Support
• Secure authentication (Unix passwords, S/Key software, SecurID, Safeword by Enigma Logic)
• Logging to databases and e-mail notification
SecurIT provides numerous security proxies for common Internet protocols, which makes its protocol security very strong.
SecurIT uses its generic TCP proxy functionality to perform client hiding, a function its documentation calls Network Address Translation. The functionality is not equivalent to true Network-layer NAT.
Secure authentication is performed via Bellcore's (now Telcordia's) S/Key one-time-password algorithm.
Conspicuously missing from the major feature set are packet filtering and Network Address Translation. Neither function is necessary in a strong security proxy as long as the base operating system is sufficiently hardened. Neither Solaris nor NT is hardened in our opinion, and this considerably weakens firewalls that do not implement their own packet filtering. SecurIT ships with a version of Solaris that has apparently been hardened, and recommends security patches as additional vulnerabilities are discovered, but the NT version is susceptible to a wide range of denial-of-service attacks.
Minor Feature Set
SecurIT provides the following minor features:
• SQL proxying
• Remote administration
• Content filtering (Java, Virus scanning, URL blocking, etc.)
As with most true firewalls, SecurIT is capable of logging to databases and transmitting e-mail to alert on security events. A SQL security proxy is provided to support SQL*Net transactions through the firewall.
Security
SecurIT does not filter packets before they are delivered to the IP stack for processing; the firewall relies on the underlying operating system to be resistant to IP-level attacks. Both Solaris and Windows, at their most current patch or service pack, have finally been made highly resistant to known attacks, but undiscovered vulnerabilities almost certainly exist in both operating systems. SecurIT for Solaris ships with a hardened version of Solaris.
Instead of filtering, SecurIT is a proxy server that examines the data portions of IP packets to ensure that the traffic traversing a particular port conforms to the protocol for that port (that only HTTP requests and replies are going over port 80, for example).
SecurIT is designed with performance in mind. This highly optimized proxy server uses threads and
shared memory to minimize the time required to filter the proxied protocols, allowing more traffic to
pass through the firewall, while still fully examining all of the data to ensure that it conforms to
protocol specifications.
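What the port-conformance check amounts to, as an added example that is not SecurIT's code: a minimal validator that passes a stream only if its head parses as an HTTP request or response, with a line-length limit of the kind that also guards the proxy against buffer overruns. The limits and sample payloads are constructed for the demonstration.

```python
"""Protocol-conformance check of the kind an application proxy applies to
port 80 traffic: forward only bytes that parse as HTTP, whatever the port.
Added example, not SecurIT code; limits and sample payloads are constructed."""
import re

MAX_LINE = 4096        # longer start/header lines are rejected outright
MAX_HEADERS = 100
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE")
REQUEST_LINE = re.compile(rb"(?:%s) \S+ HTTP/1\.[01]" % b"|".join(METHODS))
STATUS_LINE = re.compile(rb"HTTP/1\.[01] [1-5]\d\d[ -~]*")
# token ":" optional whitespace value; value limited to printable ASCII and tab
HEADER_LINE = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[ -~\t]*")

def http_head_is_valid(data: bytes) -> tuple:
    """Return (ok, reason) for the head of a stream (start line + headers).
    The body after the blank line is not part of this decision."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers (CRLF CRLF) found"
    lines = head.split(b"\r\n")
    start, headers = lines[0], lines[1:]
    if len(start) > MAX_LINE:
        return False, "start line exceeds %d bytes" % MAX_LINE
    if not (REQUEST_LINE.fullmatch(start) or STATUS_LINE.fullmatch(start)):
        return False, "start line is not an HTTP request or status line"
    if len(headers) > MAX_HEADERS:
        return False, "too many header lines"
    for h in headers:
        if len(h) > MAX_LINE:
            return False, "header line exceeds %d bytes" % MAX_LINE
        if not HEADER_LINE.fullmatch(h):
            return False, "malformed header line: %r" % h[:40]
    return True, "ok"

# Constructed payloads as they might arrive on port 80.
SAMPLES = {
    "get":      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "response": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "ssh":      b"SSH-2.0-constructed-banner\r\n",
    "long_url": b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
    "bad_hdr":  b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "ctl_hdr":  b"GET / HTTP/1.1\r\nX-Bin: \x00\x01\r\n\r\n",
}

def classify(samples=SAMPLES) -> dict:
    """Map each sample name to whether the proxy would pass it."""
    return {name: http_head_is_valid(blob)[0] for name, blob in samples.items()}
```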
SecurIT comes with a number of application-specific firewall proxies. In addition to providing content filtering for the specific protocol (guaranteeing that the port is actually used by the appropriate protocol instead of some other program), each protocol can be configured to block certain IP addresses and Internet domains. SecurIT provides proxies for the following protocols:
• FTP—A standard FTP service proxy.
• Generic SOCKS—Allows the administrator to redirect easily proxied protocols by specifying the address and port to forward TCP and UDP packets to.
• Gopher—Proxies the text-based hypertext protocol that (barely) predates the Web.
• HTTP++—Allows basic web traffic, but allows the administrator to block applets and URLs.
• HTTP—For basic port 80 proxying or for web traffic on other ports, but using the HTTP protocol.
• LDAP—Allows network clients to access directory servers exterior to your firewall.
• Mail—Stores and forwards e-mail delivered to the firewall for delivery on your local network.
• NNTP—Forwards Usenet news through the firewall.
• POP—Provides a channel for internal clients to access external e-mail servers.
• Real Media—Channels audio and video conforming to the Real Media standard through the firewall.
• RPC—Provides for secure Remote Procedure Call through the firewall.
• SSL—Forwards secure socket communication through the firewall.
• Telnet—Proxies command-line control of remote computers.
• VDO Live—Mediates VDO multimedia from internal clients to external multimedia servers.
Documentation, Cost, and Support
The SecurIT firewall is sold by the number of open simultaneous connections (sessions) rather than the number of IP addresses inside the network. This means, for example, that a 15-user network could probably get away with a 10-session version of the firewall if only 66 percent of the users were using the Internet at any one time. Prices shown are for the Solaris edition with one year of included support. The U.S. distributor would not quote pricing for the Windows version, as they considered the Windows operating system to be nonsecure. The product is sold primarily to military and government channels since SLM has no significant marketing through commercial channels. The product ships with a hardened version of Solaris so there's no need to purchase the operating system. Hardware costs for a Sun Ultra 5 run about $5,000.
• 10 sessions: $3,600
• 40 sessions: $7,200
• 100 sessions: $16,200
• Unlimited: $23,400
• VPN: +$1,200
Tip You can browse SLM's website at slmsoft.com. To purchase SecurIT, contact Neoteric at (212) 625-9300.
NetWall
Group Bull, a major European manufacturer of electronics and software, has packaged its internal IP security expertise into a firewall product called NetWall. This firewall runs on Sun's Solaris and IBM's AIX versions of Unix as well as Windows. The secure remote control software for the firewall runs on Windows platforms as well as AIX.
NetWall gives you the full range of security options to work with—from stateful packet inspection to Application-level proxies for a wide variety of protocols, NAT, VPN, authentication, load balancing, remote control, and support for third-party content inspectors thrown in as well.
Pros:
• High speed
• High reliability
• Centralized authentication
• Versatile proxying
Cons:
• Cost
NetWall suffers from a difficult setup and a lack of integration among software components.
Configuring the firewall is not particularly easy compared to the majority of firewall offerings in this
book.