WHY PROXIES MATTER: A BRIEFING FOR EXECUTIVES
July 2002
WatchGuard Technologies, 505 Fifth Avenue South, Suite 500, Seattle, WA 98104, www.watchguard.com

GLOSSARY OF TERMS

TCP/IP: Transmission Control Protocol / Internet Protocol, a suite of defined computer procedures that allows communication between groups of dissimilar computer systems. TCP/IP is the glue that enables the Internet to function.

HEADER: A unit of information that precedes a packet's payload. The header gives the packet's source address, destination address, type of packet, Time To Live, and more. The header is distinct from the useful content, or payload, of a packet, much as an envelope is distinct from the letter inside it.

PORT: In TCP/IP, a port is not a physical device but the endpoint of a logical connection. Ports are a convention programmers adopted to sort out the different kinds of traffic traveling over the Internet. For example, by convention HTTP (Web) services travel to and from port 80, and SMTP (e-mail) services are assigned to port 25.

EXECUTIVE SUMMARY

This paper provides decision makers with the background they need when choosing a firewall to protect their computer networks. Some firewall vendors include proxies as part of their security offering; some do not. Does that make enough difference to matter? This paper describes what proxies are and what they are not, presents the business case for proxies, then details specific proxies offered in WatchGuard products and the kinds of attacks they block.

WHAT IS A PROXY?

In the world of network security, people use the term "proxy" to refer to many different things. Generically, a proxy is a software application that intercepts Internet data packets en route, examines that data, and takes some action to protect the system for which the traffic is destined. The kind of firewall proxy this paper discusses has variously been called a "security proxy," a "transparent proxy," an "application layer proxy," or a number of other terms.
For this discussion, we use "proxy" to mean a process that stops network traffic before it enters or leaves your network, examines all of it to see whether it conforms to your security policy, and then determines whether to allow or deny that traffic passage through the firewall. Accepted packets are forwarded to the appropriate server; denied packets are discarded.

WHAT A PROXY IS NOT

Proxies are sometimes confused with two other common methods firewalls use to assess Internet traffic: packet filters and stateful packet filters. Each method has advantages and disadvantages, since there is always a trade-off between performance and security. We explain them here.

A PROXY DIFFERS FROM A PACKET FILTER

The earliest and most primitive method of allowing and denying TCP/IP-based traffic is the packet filter. A packet filter sits between two or more network interfaces and scans the addressing information in the headers of all traffic that passes between them: the Internet Protocol (IP) header, and the TCP or UDP header that follows it (the IP header carries addresses; the port numbers live in the TCP or UDP header). The information this type of filter assesses generally includes:

- Source and destination address
- Source and destination port

GLOSSARY OF TERMS

HANDSHAKE: The procedure computers use to establish a new communication session.

CLIENT AND SERVER: When computers are networked, one style of connecting them has some computers receive help from other computers to do certain tasks. This is called a client-server architecture. For example, when you view e-mail on your desktop or laptop computer, the e-mail does not come directly to your machine from the person who sent it. It is first received, then distributed, by mail servers on either end of the correspondence. In this case, your computer is an e-mail client.

METACHARACTERS: Characters that an operating system or application might interpret not as a letter, number, or punctuation mark, but as a command or separator. Symbols such as / and # are metacharacters in certain operating systems.

The packet filter allows or denies packets depending on what port they are on, where they are going, and from whom they are sent, based on rules created by the administrator. The major advantage of the packet filter is speed, since headers are all it examines. The major disadvantage is that it never sees what is in the packet payload, so malicious content can pass through the firewall inside packets whose headers look acceptable. In addition, a packet filter treats every packet as an independent unit and does not track the "state" of the connection, which brings us to the next method of filtering.

A PROXY DIFFERS FROM A STATEFUL PACKET FILTER

A stateful packet filter does everything the regular packet filter does, and also tracks which computer is sending what traffic and what sort of traffic should come next. This data is known as state. TCP requires a set sequence of exchanges so that two computers can converse properly. In a normal TCP handshake, Computer A tries to set up communication with Computer B by sending a SYN (synchronize) packet.
Computer B sends back a SYN/ACK packet: an acknowledgement of Computer A's SYN number, plus a SYN number of Computer B's own. Computer A responds with an ACK packet acknowledging Computer B's SYN, and communication can begin. TCP uses other flags too, such as FIN (finish) to indicate that a side has no more data to send.

Hackers prepare for an attack by gathering information about your system. A common technique is to send a packet in the wrong state on purpose: for example, a packet carrying only the ACK flag (a "reply") to a system that never opened the connection. Normally the receiving computer answers with a TCP RST (reset), a message that in essence says "I don't understand." In doing so, it reveals to the hacker that it exists and that it is listening for communication. Details of the reply (for example, the values in its TCP/IP headers) can also reveal which operating system it runs, giving the hacker a solid starting point.

A stateful packet filter understands the logic of a TCP session and can block an ACK that is not replying to a request it has seen, something an ordinary packet filter does not track and cannot do. Stateful packet filters write accept-or-deny rules on the fly, based on what the next expected packet should look like in a normal session. The benefit is tighter security. This extra security comes at the cost of some performance: maintaining a dynamic rule list for each session and inspecting the extra fields adds processor overhead.
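The difference described above is easiest to see when both filter types are run over the same packets. The following is an added example written for this page, not WatchGuard code: it models a stateless rule ("allow traffic to and from the web server's port 80") beside a stateful tracker for the same rule, and feeds both a normal three-way handshake followed by the ACK probe the text describes. The addresses, ports and the simplified session states are constructed for the example.

```python
"""Toy model of a stateless packet filter next to a stateful one.

Added example, not WatchGuard code. It models only the fields the two
filter types actually consult: addresses, ports and the TCP flag set.
"""
from dataclasses import dataclass

# Constructed addresses: an internal web server and two outside hosts.
SERVER = "10.0.0.5"
CLIENT = "198.51.100.7"
SCANNER = "203.0.113.9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_filter(pkt):
    """Administrator rule: allow traffic to the web server's port 80 and
    traffic from it. Each packet is judged alone, so a probe that arrives
    with only ACK set, for a connection that never existed, is accepted."""
    if pkt.dst == SERVER and pkt.dport == 80:
        return "ACCEPT"
    if pkt.src == SERVER and pkt.sport == 80:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Same rule, but it remembers each session's progress through the
    three-way handshake and only accepts what should come next."""

    def __init__(self):
        self.sessions = {}  # (client address, client port) -> handshake state

    def decide(self, pkt):
        if pkt.dst == SERVER and pkt.dport == 80:      # client -> server
            key, inbound = (pkt.src, pkt.sport), True
        elif pkt.src == SERVER and pkt.sport == 80:    # server -> client
            key, inbound = (pkt.dst, pkt.dport), False
        else:
            return "DROP"
        state = self.sessions.get(key)
        if inbound and state is None and pkt.flags == {"SYN"}:
            self.sessions[key] = "SYN_RCVD"
            return "ACCEPT"
        if not inbound and state == "SYN_RCVD" and pkt.flags == {"SYN", "ACK"}:
            self.sessions[key] = "SYN_ACK_SENT"
            return "ACCEPT"
        if inbound and state == "SYN_ACK_SENT" and pkt.flags == {"ACK"}:
            self.sessions[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED" and "ACK" in pkt.flags and "SYN" not in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                del self.sessions[key]      # simplified teardown
            return "ACCEPT"
        return "DROP"                        # out-of-state packet, e.g. an ACK probe


# Constructed traffic: a legitimate handshake, then the probe the text describes.
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),
]
ACK_PROBE = Packet(SCANNER, 55555, SERVER, 80, frozenset({"ACK"}))


def compare(packets=HANDSHAKE + [ACK_PROBE]):
    """Run both filters over the same packets; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [stateful.decide(p) for p in packets])


if __name__ == "__main__":
    for label, verdicts in zip(("stateless", "stateful"), compare()):
        print(f"{label:9}: {' '.join(verdicts)}")
```

The stateless filter accepts all four packets, because the probe matches the port rule; the stateful filter accepts the handshake and drops the probe, because no session with the scanner ever reached the state in which an ACK is expected. A real stateful engine also checks sequence numbers and ages out idle sessions, which is where the extra processor overhead the text mentions comes from.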

APPLICATION GATEWAYS, OR PROXIES

Application gateways, more commonly called proxies, are the most advanced of the three methods used to control traffic through firewalls. A proxy stands between the client and server, examining all aspects of their dialog to verify compliance with the established rules. In doing so, the proxy examines the actual payload of the packets passing between server and client, and can modify or strip anything that violates security policy. Packet filters examine only headers; proxies screen the packet's content, blocking potentially malicious content such as executable files, Java applets, ActiveX controls, and more. Many people are surprised to learn that, of the three firewall technologies compared here, the proxy is the only one that examines the contents, including the data portion, of a packet en route.

Proxies also check that content matches protocol standards. Some attacks send metacharacters intended to trick the victim machine; others try to overwhelm it with too much data in a single field. Proxies can spot illegal characters or over-long fields and block them. In addition, proxies do everything a stateful packet filter does. Because of all these advantages, proxies are considered the most secure method of passing network traffic.

They are also slower than packet filters at processing traffic, because they scan the payload of every packet. However, "slower" is relative; in general, WatchGuard proxies process packets at around half the speed of packet filters on the same system. For example, on the Firebox III model 1000, the packet filter can easily keep up with a full-speed 100 Mbps connection, whereas the proxies process data at around half that rate (the product tables at the end of this paper list measured stateful packet filter and HTTP proxy throughput for each model). But is that slow? It is many times faster than most organizations' Internet connections. Usually the Internet connection itself is the speed bottleneck of any network.
Proxies can slow some traffic in lab benchmarks without slowing it enough for your users to perceive a network slowdown. In comparing firewalls, raw throughput numbers do not tell the entire story. If one firewall posts a faster throughput number than another, ask: what does the firewall do with that data before it passes it through? Packet filter systems will look faster than proxied systems on paper, but they do not provide as much security. WatchGuard products seek to maximize both speed and security, using proxies where their strengths outweigh their weaknesses. Where there is no clear benefit to using a proxy, WatchGuard uses stateful packet filtering to keep your network both fast and secure (for convenience, WatchGuard lists figures for both proxied and packet-filtered throughput). In the final analysis, you need a firewall that is well suited to your environment and able to provide the maximum security that meets your particular needs.

GLOSSARY OF TERMS

COOKIES: A packet of information sent by an HTTP server to a Web browser and then sent back by the browser each time it accesses that server. Cookies can contain any arbitrary information the server chooses. Typically the technique is used to authenticate or identify registered users of a Web site without requiring them to sign in again every visit, but cookies can also be abused and can represent a severe privacy threat to the user.

CYBER-SLACKING: The undesirable employee practice of spending excessive time browsing Web sites that have no relevance to your organization's stated mission.

THE BUSINESS CASE FOR PROXIES

We have covered the definition of "proxy" and distinguished proxies from packet filtering. With that background established, we can list the advantages that proxies provide to the security-aware organization:

- Proxies make your network harder to hack by blocking entire categories of commonly used attacks.
- Proxies make your network harder to hack by concealing details about your network servers from the public Internet.
- Proxies help you use network bandwidth more effectively by preventing unwanted or inappropriate content from entering your network.
- Proxies reduce corporate liability by preventing a hacker from using your network as a launch point for further attacks.
- Proxies can simplify the management of your network by giving your administrator tools and defaults that can be applied broadly, rather than desktop by desktop.

To distill these advantages to their essence: proxies help you run your network more safely, more effectively, and more economically. The remainder of this paper provides the details that support these assertions. If you don't have time to read further, our point is simply that in your firewall evaluation, these advantages translate into bottom-line benefits deserving serious consideration.
FIREBOX PROXIES, AND WHAT THEY DO

To this point we have discussed proxies as a generic class of technology. In fact there are different kinds of proxies, each handling a different kind of Internet traffic. The following section describes some of the proxies that come with WatchGuard Firebox products and explains what kinds of attack each proxy defends against. Each WatchGuard proxy has numerous configurable features and settings, controlled through a Windows interface. The combination of proxies and WatchGuard's other firewall management tools gives your network administrators the power to control network security down to the finest nuance. The most important Firebox proxies protect the functions most common to business use of the Internet. These proxies are discussed in detail below:

- SMTP Proxy
- HTTP Proxy
- FTP Proxy
- DNS Proxy

THE SMTP PROXY

The SMTP proxy inspects the content of incoming and outgoing e-mail to protect your network. Some of its capabilities include:

Specifying the maximum number of message recipients. This is a first level of defense against spam, which is often addressed to hundreds or even thousands of recipients.

Specifying the maximum message size. This helps prevent mail server overload and mail-bombing attacks, helping you use bandwidth and server resources judiciously.

Allowing only specific characters in e-mail addressing, as recommended in accepted Internet standards. As discussed previously, some attacks depend on sending illegal characters in the addressing. The proxy can be set to disallow all but the proper characters.

Filtering content to deny executable content types. The most popular method for spreading viruses, worms, and Trojan horses is to send them as innocuous-looking e-mail attachments. The SMTP proxy can recognize such attachments by content type and file name and strip them from the e-mail, so that they never enter your network.

Filtering address patterns for allowed/denied e-mail. Every e-mail carries a record of the Internet address where it originated. If a particular address keeps hitting your network with excessive amounts of e-mail, the proxy can block everything from that address. In many cases the proxy can also detect when a sender has spoofed the address. Since the usual reason to hide the "return address" is a hostile one, the proxy can be set to block spoofed e-mail automatically.

Filtering e-mail headers. Headers contain transport data such as whom the e-mail is from, whom it is for, and more. Hackers have found many ways to manipulate header information to attack mail servers. The proxy checks that headers fit the relevant Internet standards and denies e-mail with malformed headers. By enforcing strict adherence to normal mail standards, the proxy can block attacks that have yet to be invented.

Masquerading domain names and message IDs. Your outgoing e-mail contains header data, just as incoming e-mail does, and that data can give away more than you want others to know about the internal workings of your network (internal host names, mail software versions, and the like). The SMTP proxy can hide or rewrite this information so that your network keeps a low profile when hackers search for clues on how to get in.
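To make the SMTP checks above concrete, here is an added example (written for this page, not WatchGuard's implementation) that applies four of them to a message held as text: the recipient limit, the size limit, a strict address alphabet, the executable-attachment filter, and a header-syntax check. The limits, the address alphabet and the list of attachment extensions are assumed administrator settings, and the two messages are constructed for the example. The address alphabet is deliberately narrower than RFC 2822 permits: characters such as `|`, `!` and `%` are legal in an address, but mail software has historically given them special meaning (pipe-to-program, UUCP bang paths, percent-hack relaying), which is exactly the kind of thing a strict proxy refuses.

```python
"""Policy checks of the kind the SMTP proxy section describes, applied to a
message as text. Added example, not WatchGuard's implementation; the limits,
the address alphabet and the attachment list are assumed administrator settings."""
import re
from email import message_from_string
from email.utils import getaddresses

MAX_RECIPIENTS = 5               # assumed setting, kept small for the example
MAX_MESSAGE_BYTES = 2_000_000    # assumed setting
# Assumed conservative address alphabet. RFC 2822 permits more (for example '|', '!' and '%'),
# but mail software has historically given those characters special meaning
# (pipe-to-program, UUCP bang paths, percent-hack relaying), so a strict proxy refuses them.
ADDRESS_OK = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".pif", ".scr", ".vbs")   # assumed list
# RFC 2822 field name: printable ASCII other than ':' followed directly by ':'
HEADER_LINE = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")


def check_message(raw):
    """Return the list of policy violations; an empty list means 'let it through'."""
    problems = []
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        problems.append("message exceeds size limit")

    # Header syntax is checked on the raw text, before the parser can paper over defects.
    head = raw.partition("\n\n")[0]
    for line in head.splitlines():
        if line and not line[0].isspace() and not HEADER_LINE.match(line):
            problems.append(f"malformed header line: {line!r}")

    msg = message_from_string(raw)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > MAX_RECIPIENTS:
        problems.append(f"{len(recipients)} recipients exceeds limit of {MAX_RECIPIENTS}")

    for _name, addr in recipients + getaddresses(msg.get_all("From", [])):
        if not ADDRESS_OK.match(addr):
            problems.append(f"illegal characters in address {addr!r}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_EXT):
            problems.append(f"executable attachment {filename!r}")
    return problems


# Constructed messages (LF line endings for readability; SMTP itself uses CRLF).
GOOD_MESSAGE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Lunch\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "\n"
    "Noon?\n"
)

BAD_MESSAGE = (
    "From: |/bin/sh@example.com\n"
    "To: a@example.com, b@example.com, c@example.com\n"
    "Cc: d@example.com, e@example.com, f@example.com\n"
    "Subject: Invoice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\n"
    "X-Mailer\tTotally Legit\n"          # no colon: not a valid header line
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please open the attached invoice.\n"
    "--XYZ\n"
    "Content-Type: application/octet-stream; name=\"invoice.pdf.exe\"\n"
    "Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\n"
    "\n"
    "TVqQAAMAAAAEAAAA\n"
    "--XYZ--\n"
)

if __name__ == "__main__":
    print("good:", check_message(GOOD_MESSAGE) or "no violations")
    for problem in check_message(BAD_MESSAGE):
        print("bad: ", problem)
```

The clean message passes; the second is refused on four counts (a header line with no colon, six recipients against a limit of five, a pipe character in the sender address, and an attachment whose real extension is .exe behind a decoy .pdf). A proxy in the data path would apply the same rules to the message as it streams past, rather than to a string, but the decisions are the same.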

THE HTTP PROXY

The HTTP proxy monitors the traffic your users generate as they access the World Wide Web. It selectively filters content to protect your Web clients, and other applications that rely on Web access, from Internet- and HTML-based attacks. Some of its capabilities include:

Removing client connection information. The proxy can strip out request headers that reveal the operating system version, the browser name and version, even the last Web page visited (the User-Agent and Referer headers). In some cases this information is sensitive, so why give it out? Using the HTTP proxy, you can choose not to.

Forcing strict compliance with established standards for Web traffic. Many attacks involve purposely malformed requests or responses, creative manipulation of other elements of a Web page, or some other approach your Web browser's programmers didn't anticipate. The HTTP proxy doesn't put up with such nonsense: Web traffic must conform to the HTTP standard, or the proxy drops the connection.

Filtering MIME content types. MIME types tell a Web browser how to interpret content, so that a graphic image is treated as a graphic, a .wav file is played as sound, text is displayed as text, and so on. Many Web attacks involve responses that lie about their MIME type or don't specify a type at all. The HTTP proxy spots this suspicious activity and stops such traffic.

Filtering Java and ActiveX controls. Programmers use Java and ActiveX to create miniature programs that execute within a Web browser (for example, if an employee visits a pornographic Web page, an ActiveX control on that page could change the employee's browser home page to that site). The proxy can block such applications, sealing off innumerable attack vectors.

Removing cookies. The HTTP proxy can strip all cookies from HTTP requests, defending your users' privacy.

Removing unknown headers. The HTTP proxy strips out non-conforming HTTP headers. This means that, instead of having to recognize a particular attack by its signature, the proxy simply gets rid of any traffic playing outside the rules. This simple approach defends you against attack techniques that are not yet known.

Content filtering. The courts have ruled that employees have a right to a work environment that is not "hostile," and good business practice suggests that some things on the Web have no place on a corporate network. The HTTP proxy enforces your company's policy on what content is acceptable in your work environment, and when, reducing your liability arising from inappropriate use of the Internet at work. The HTTP proxy can also cut down on cyber-slacking: classes of Web sites that are a real distraction to workers can be rendered inaccessible.

THE FTP PROXY

Many organizations use the Internet to transfer large data files from location to location. While smaller files can travel as e-mail attachments, larger files are often sent by File Transfer Protocol, or FTP. Hackers love to break into FTP servers, because they provide a ready place to store files. WatchGuard's FTP proxy offers these kinds of protection:

Limiting incoming connections to "read only." This lets you make files available to the public without also granting the public the ability to write files to your server.

Limiting outgoing connections to "read only." This prevents users from uploading confidential company files to FTP servers outside your internal network.

Specifying the idle time-out in seconds. This lets your server disconnect more quickly from hung or idle sessions, so that it is free to move on to more productive work.

Disabling the FTP SITE command. SITE carries server-specific extensions (on some servers, for example, SITE EXEC runs a command on the host), which attackers have used to establish a beachhead on a server and then launch their next attack from your machines. Note that the FTP "bounce" attack proper abuses a different command, PORT, which can tell a server to open its data connection to an arbitrary third host; restricting PORT is a separate check from disabling SITE.
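The HTTP proxy section above describes three header-level behaviours: stripping client-identifying headers, dropping requests that do not conform to the protocol, and refusing responses whose MIME type is missing or not on the allowed list. The following is an added example written for this page, not WatchGuard's code, that implements those three rules over one request and one response header block. The method allowlist, the header lists and the allowed media types are assumed administrator settings, and the sample request is constructed.

```python
"""Header handling of the kind the HTTP proxy section describes, for one
request and one response. Added example, not WatchGuard's code; the header
lists and allowed MIME types are assumed administrator settings."""
import re

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 2616 'token' characters
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.([01])$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                                       # assumed
STRIP_HEADERS = {"user-agent", "referer", "cookie", "from", "via"}              # assumed: identify the client
KNOWN_HEADERS = {"host", "accept", "accept-language", "accept-encoding",        # assumed: anything else
                 "connection", "content-type", "content-length",                # is "unknown" and removed
                 "if-modified-since", "cache-control", "pragma"}
ALLOWED_MEDIA_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}    # assumed


def parse_headers(lines):
    """Split 'Name: value' lines. Returns None if any line is not a well-formed header,
    which also rejects folded continuation lines and injected CR/LF debris."""
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            return None
        headers.append((name, value.strip()))
    return headers


def sanitize_request(raw):
    """Return the request the proxy will forward, or None if it should drop the connection."""
    lines = raw.split("\r\n")
    if lines[-2:] != ["", ""]:                 # header block must end with an empty line
        return None
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in ALLOWED_METHODS:
        return None
    headers = parse_headers(lines[1:-2])
    if headers is None:
        return None
    kept = [(n, v) for n, v in headers
            if n.lower() not in STRIP_HEADERS and n.lower() in KNOWN_HEADERS]
    if m.group(3) == "1" and not any(n.lower() == "host" for n, _ in kept):
        return None                            # HTTP/1.1 requires Host
    return "\r\n".join([lines[0], *(f"{n}: {v}" for n, v in kept), "", ""])


def response_type_allowed(header_lines):
    """A response passes only if it declares a Content-Type on the allowed list;
    unlabeled content is refused rather than left for the browser to guess at."""
    headers = parse_headers(header_lines)
    if headers is None:
        return False
    ctype = next((v for n, v in headers if n.lower() == "content-type"), None)
    if ctype is None:
        return False
    return ctype.split(";")[0].strip().lower() in ALLOWED_MEDIA_TYPES


# Constructed request, as a browser of the period might send it.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Referer: http://intranet.example.com/budget.html\r\n"
    "Cookie: session=abc123\r\n"
    "X-Unknown-Thing: whatever\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(sanitize_request(SAMPLE_REQUEST))
```

The forwarded request keeps only the request line, Host and Accept: the browser version, the internal page the user came from, the cookie and the unrecognized header never leave the network. A request whose header line lacks a colon, or that uses a method outside the allowlist, is dropped rather than repaired, which is the "conform or be dropped" behaviour the text describes. Note the trade-off: stripping cookies from every request also breaks sites that rely on them for log-in, so in practice this rule is scoped to the sites where privacy matters more than convenience.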

THE DNS PROXY

DNS stands for Domain Name System. Though it is not as well known a service as HTTP or SMTP, Paul Albitz and Cricket Liu explain, "Think of DNS as the lingua franca of the Internet: nearly all of the Internet's network services use DNS. That includes the World Wide Web, electronic mail, remote terminal access, and telnet." [1] DNS is what lets you type a name like www.watchguard.com into your Web browser, hit "Go," and actually reach our Web page, no matter where in the world you connected from. DNS translates the domain names we can readily remember into the IP addresses computers use to locate the resources you want from the Internet. Essentially, it is a database distributed all over the Internet, indexed by domain name.

However, the fact that name servers all over the world are busily querying one another all day to answer our requests gives hackers plenty of transactions and traveling data to tamper with. DNS-based attacks are not yet well known because they generally require a level of technical sophistication most attackers cannot muster. However, when the known attack techniques succeed, the hacker gains total control. So WatchGuard offers the DNS proxy, which protects you with these functions:

Ensuring protocol conformity. One class of exploit turns the very messages that carry DNS requests and answers into a weapon: the attacker sends malformed DNS packets crafted to trigger a bug in the name server software that parses them, and so deliver malicious code. The DNS proxy checks DNS packet headers and discards packets that are incorrectly structured, categorically stopping many kinds of exploits.

Filtering header content selectively. First specified in 1983 (RFC 882 and 883), DNS has evolved in the years since, and some DNS-based attacks rely on deprecated features. The DNS proxy can monitor the header content of DNS requests and block queries whose class, type, or length is abnormal.

CONCLUSION

You now have an initial understanding of what proxies are and how they are used. A firewall is not the end of all your security concerns, but it is an excellent tool when used with other security measures, such as standard anti-virus software, server security software, and physical security, to provide "defense in depth." Similarly, proxies are not the only feature by which you should measure a firewall, but they do offer top-notch capabilities and unbeaten security features

when used with other techniques such as stateful packet inspection. So as you evaluate firewalls, evaluate proxies too. Consider how their strengths may benefit you in your unique situation. While they do impose a performance penalty, they are the only one of these tools that inspects the contents of data packets, and thus the only one that gives you the detailed, tightly controlled security you may need. If you have further questions, feel free to call your WatchGuard representative.

THE WATCHGUARD PRODUCT LINE

The WatchGuard firewall line is divided into two families: the Firebox III / Firebox SOHO family and the Firebox Vclass family. Each family is optimized for the needs of a particular class of business. For organizations that place a high priority on VPN throughput, flexible management options, and advanced network management features, we offer the Firebox Vclass line. For smaller organizations that place a high priority on ease of management and a full feature set, we offer the Firebox III / Firebox SOHO family.

As the tables below indicate, a smaller remote office or business will find enough horsepower in the Firebox 700. If VPN tunnels are a factor in your plans, look closely at the Firebox 1000 for those same offices. If the office is a little bigger, check the numbers for the Firebox V60. If you have 1,000 to 5,000 users and use the Web heavily, or run a mid-size business, we recommend the Firebox 2500. If you are firewalling a larger enterprise in the 1,000 to 5,000 user range and have heavy VPN needs, the Firebox 4500 or V80 is what you're looking for. For gigabit VPN and carrier-grade network management, choose the Firebox V100.
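Before the product tables, one more worked example, this time for the DNS proxy section above, which says the proxy discards queries that are incorrectly structured or whose class, type or length is abnormal. The code below is an added example written for this page, not WatchGuard's implementation. It parses the 12-byte DNS header and the question section of a query from raw bytes and refuses anything a legitimate resolver would not send: the QR (response) bit set in a query, an opcode other than QUERY (IQUERY, the obsolete inverse query, is one of the deprecated features the text alludes to), more than one question, answer records inside a query, over-long labels or names, compression pointers in the question name, and a class or type outside an assumed allowlist (QTYPE ANY, 255, is the classic amplification query). The allowed class and type sets are assumed administrator settings; the queries are constructed by the helper at the bottom.

```python
"""Header and question checks of the kind the DNS proxy section describes.
Added example, not WatchGuard's implementation; the permitted class and type
sets are assumed administrator settings."""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")     # id, flags, qdcount, ancount, nscount, arcount
ALLOWED_QCLASS = {1}                        # IN only (assumed)
ALLOWED_QTYPE = {1, 2, 5, 6, 12, 15, 16, 28, 33}   # A NS CNAME SOA PTR MX TXT AAAA SRV (assumed)
MAX_NAME_OCTETS = 255
MAX_LABEL_OCTETS = 63


def read_question_name(msg, offset):
    """Walk the QNAME labels. Returns (labels, offset after the name).
    Compression pointers are legal in DNS but have no business in a question
    name, and over-long labels or names are how malformed queries are built."""
    labels, total = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL_OCTETS:
            raise ValueError(f"label length {length} exceeds 63 (reserved label type)")
        total += length + 1
        if total + 1 > MAX_NAME_OCTETS:
            raise ValueError("name exceeds 255 octets")
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length


def check_query(msg):
    """Return (True, '') if the query may be forwarded, otherwise (False, reason)."""
    if len(msg) < DNS_HEADER.size:
        return False, "shorter than a DNS header"
    _ident, flags, qdcount, ancount, nscount, arcount = DNS_HEADER.unpack_from(msg)
    if flags & 0x8000:
        return False, "QR bit set: a response arriving where a query is expected"
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        return False, f"opcode {opcode} is not QUERY (IQUERY and STATUS are refused)"
    if qdcount != 1:
        return False, f"qdcount {qdcount}, expected exactly 1"
    if ancount or nscount:
        return False, "answer or authority records inside a query"
    if arcount > 1:
        return False, "more than one additional record in a query"
    try:
        _labels, offset = read_question_name(msg, DNS_HEADER.size)
    except ValueError as err:
        return False, str(err)
    if len(msg) < offset + 4:
        return False, "question section truncated"
    qtype, qclass = struct.unpack_from("!HH", msg, offset)
    if qclass not in ALLOWED_QCLASS:
        return False, f"class {qclass} not permitted"
    if qtype not in ALLOWED_QTYPE:
        return False, f"type {qtype} not permitted"
    if arcount == 0 and offset + 4 != len(msg):
        return False, "trailing bytes after the question"
    return True, ""


def build_query(name, qtype=1, qclass=1, opcode=0, qr=0, ident=0x1234):
    """Assemble a constructed query so the checker can be exercised offline."""
    flags = (qr << 15) | (opcode << 11) | 0x0100         # RD set, as a resolver would
    out = bytearray(DNS_HEADER.pack(ident, flags, 1, 0, 0, 0))
    for label in [part for part in name.rstrip(".").split(".") if part]:
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00" + struct.pack("!HH", qtype, qclass)
    return bytes(out)


if __name__ == "__main__":
    for desc, q in [("normal A query", build_query("www.watchguard.com")),
                    ("obsolete IQUERY", build_query("www.watchguard.com", opcode=1)),
                    ("QTYPE ANY", build_query("www.watchguard.com", qtype=255)),
                    ("over-long name", build_query(".".join(["a" * 63] * 5)))]:
        print(f"{desc:16} -> {check_query(q)}")
```

A single additional record is tolerated because EDNS0 resolvers carry an OPT record there; a stricter deployment would parse and validate that record too. The value of doing these checks in the proxy rather than on the name server is the one the text makes: a name server with a parsing bug never sees the message that would have triggered it.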

FIREBOX VCLASS PRODUCT LINE

Model                      | Firebox V100 | Firebox V80 | Firebox V60 | Firebox V10
Recommended for            | Large enterprises, service providers, and data centers | Large enterprises | Large/mid-size enterprise | Enterprise telecommuting
Enclosure                  | Maximum security in 1RU enclosure | Maximum security in 1RU enclosure | Maximum security in 1RU enclosure | Desktop enclosure
Connection and role        | Multiple T3 or OC-3; gigabit firewall with up to 20,000 VPN tunnels | T3, Fast Ethernet, and OC-3; wire-speed firewall with up to 8,000 VPN tunnels | T3, Fast Ethernet, and OC-3; wire-speed firewall with up to 400 VPN tunnels | DSL/Cable/ISDN firewall and VPN for the remote office
User license               | Unlimited | Unlimited | Unlimited | 10, upgradeable to 25
Firewall throughput        | 600 Mbps | 270 Mbps | 200 Mbps | 75 Mbps
3DES encryption throughput | 300 Mbps | 150 Mbps | 100 Mbps | 20 Mbps
Branch Office VPNs         | 20,000* | 8,000* | 400* | 10
Mobile User VPNs           | 20,000* | 8,000* | 400* | 0
Interfaces                 | 2 x 1000BaseSX fiber Gigabit Ethernet, 2 dedicated HA ports | 4 x RJ-45 10/100 Fast Ethernet, 2 dedicated HA ports | 4 x RJ-45 10/100 Fast Ethernet, 2 dedicated HA ports | 2 x RJ-45 10/100 Fast Ethernet
LiveSecurity Service       | | | |

TOP 5 REASONS TO CHOOSE
1. High-speed ASIC processor
2. Scalability for up to 20,000 VPN tunnels
3. Secure Java-based management
4. Gigabit fiber interfaces
5. Powerful networking features

MANAGEMENT FEATURES
- Install Wizard
- Device Discovery
- Security Policy Manager
- Policy Checker (auditing)
- Network Diagnostic Tools
- Command Line Interface
- Secure Encrypted Logging
- Active Tunnel Display
- Real-time Traffic Monitoring
- Real-time Graphs
- Notification

NETWORKING FEATURES
- Stateful Packet Filtering
- Branch Office and Mobile User VPN
- Remote Access Authentication*
- PKI Support
- PPPoE and DHCP Support
- Predefined Services
- Spoof Detection
- Port and Site Blocking
- Synflood Protection
- DDoS and DoS Prevention
- Hacker Defense
- High Availability**
- Multi-Tenant Security**
- VLAN Support**
- NAT (Static, Dynamic and Virtual IP)**
- VPN Tunnel Switching**
- Server Load Balancing**
- Dynamic Routing
- Traffic Shaping
- QoS

* The total number of Branch Office plus Mobile User VPN tunnels.
** Supported on V60, V80 and V100 models.

FIREBOX III AND FIREBOX SOHO PRODUCT LINE

Model                             | Firebox 4500 | Firebox 2500 | Firebox 1000 | Firebox 700 | Firebox SOHO / SOHO tc
Recommended for                   | Central office, VPN hub; 5,000 authenticated users; T-3/E-3 or multiple T-1/E-1; need wire-speed VPN support | Medium business, Web business; 5,000 authenticated users; T-3/E-3 or multiple T-1/E-1; high-volume Web traffic | Mid-size business or branch office; 1,000 authenticated users; ISDN or T-1 | Smaller business or remote office; 250 authenticated users; ISDN or fractional T-1 connection; DSL/Cable/ISDN | Smaller stand-alone or remote office; 10 users (upgradeable to 50 users); DSL/Cable/ISDN
User license                      | Unlimited | Unlimited | Unlimited | Unlimited | 10 (upgradeable to 50 users)
Stateful packet filter throughput | 197 Mbps | 197 Mbps | 185 Mbps | 131 Mbps | 9 Mbps
HTTP proxy throughput             | 60 Mbps | 52 Mbps | 43 Mbps | 43 Mbps | N/A
3DES encryption throughput        | 100 Mbps | 70 Mbps | 55 Mbps | 5 Mbps | 1.3 Mbps
Branch Office VPNs                | 1,000* | 1,000* | 1,000* | 150* | 5 (requires VPN Manager)
Mobile User VPNs                  | 1,000* | 1,000* | 1,000* | 150* | 5 (optional)
Interfaces                        | 3 x RJ-45 10/100 Fast Ethernet | 3 x RJ-45 10/100 Fast Ethernet | 3 x RJ-45 10/100 Fast Ethernet | 3 x RJ-45 10/100 Fast Ethernet | 5 x RJ-45 10BaseT Ethernet
LiveSecurity Service              | | | | |

* The total number of Branch Office plus Mobile User VPN tunnels.

MANAGEMENT (FIREBOX III MODELS)
- QuickSetup Wizard
- Security Policy Manager
- VPN Manager, 4-node (N/A on Firebox 700)
- Real-time Monitoring
- HostWatch
- Historical Reporting
- Secure Encrypted Logging
- Colorized Logging
- Notification

MANAGEMENT (FIREBOX SOHO MODELS)
- Easy Setup
- Remote Management
- Secure Encrypted Logging
- Internet Sharing

FEATURES (FIREBOX III MODELS)
- Stateful Packet Filtering
- Security Proxies (SMTP, HTTP, DNS, FTP)
- Mobile User VPN
- Branch Office VPN
- Static and Dynamic NAT
- One-to-one NAT
- Firewall Authentication
- PKI with internal Certificate Authority (CA)
- VPN Authentication (Windows NT, RADIUS, PKI, WG Server)
- Web Content Filtering
- Scan and Spoof Detection
- Port and Site Blocking
- Synflood Protection
- Anti-virus
- DHCP Support (client and server)**
- PPPoE Support (client)**

FEATURES (FIREBOX SOHO MODELS)
-Stateful Packet Filtering
- Mobile User VPN (optional)
- Branch Office VPN (optional with SOHO, included with SOHO tc)
- Static and Dynamic NAT
- Web Content Filtering (optional)
- Anti-virus

** Limits several features.

ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
WEB: www.watchguard.com
E-MAIL: information@watchguard.com
U.S. SALES: +1.800.734.9905
INTERNATIONAL SALES: +1.206.521.8340
FAX: +1.206.521.8342

ABOUT WATCHGUARD

WatchGuard (Nasdaq: WGRD) is a leading provider of dynamic, comprehensive Internet security solutions designed to protect enterprises that use the Internet for e-commerce and secure communications. Thousands of enterprises worldwide use WatchGuard's award-winning products and services. These products include our Firebox firewall and VPN appliances for access control and secure communications, and our ServerLock technology and anti-virus solution for content and application security for servers and desktops. Centralized point-and-click management makes it easy for even the non-security professional to install, configure, and monitor our security solutions. Our LiveSecurity Service also enables our customers, with minimal effort, to keep their security systems up to date in a continuously changing environment. For more information, please call 206-521-8340 or visit www.watchguard.com.

Copyright 2002 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, LiveSecurity and "Designing peace of mind" are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks and tradenames are the property of their respective owners. Part# 080702WGCLE64661
