Published on O'Reilly (http://oreilly.com/)


Hardware Versus Software Firewalls

by Chris Swartz and Randy Rosel
02/15/2007

According to estimates, an unprotected Windows computer system connected to the Internet could be compromised within twelve minutes. In light of this, the need for computer security has expanded in the last few years. Today, it is just as necessary for home users to secure personal computers as it is for businesses to secure office computers. To gain security benefits like those many businesses possess, home network security often follows the same models. The difference, however, has been that most home users do not have the financial resources for top-of-the-line security equipment. This has led many home users to begin using security tools such as freeware firewalls and over-the-counter hardware firewall solutions.

This raises a question. How do the freeware firewalls compare to expensive, all-in-one firewall solutions such as the Cisco PIX? The goal for this project, then, is to compare the Cisco PIX with two freeware firewalls.

Test Goals

The general testing goal for this project was to observe and compare the behavior of each firewall. More specifically, we compared how each firewall behaved when subjected to adapted, common attack methods (not attacks aimed at any specific system type).

The attack types break down into two groups: discovery and penetration. The discovery group establishes or verifies the actual location of the target device. The penetration group observes the defensive measures of each firewall. Table 1 lists each test used and its purpose.

Table 1. Tests and test groups

Test Group   | Test Type        | Test Description
-------------|------------------|------------------------------------------------------------------
Discovery    | Network sniffer  | Documents the discovery of the target IP address and any other useful information, such as protocols being used on the target network
Discovery    | Traceroute       | Attempts to locate the target device and all intermediate routers, switches, and systems
Penetration  | Synflood attack  | Used to see whether the firewall can overcome a repeated open connection request and also log the attack
Penetration  | Garbage attack   | Used to see whether the firewall can overcome random data packets on random ports
Penetration  | UDP Ping         | Used to see whether the firewall can overcome a large UDP ping packet sent to it
Penetration  | TCP Ping         | Used to see whether the firewall can overcome a large TCP ping packet sent to it
Penetration  | Ping of death    | Used to see whether the firewall can overcome a single over-sized packet sent to it

Testing Procedures

The overall testing structure for this project was developed from the perspective of an outside intruder. Because of this, the target network provided public access to itself as a means of establishing a gateway. We placed an FTP server inside the network and gave the outside world (the Internet at large) access to it. This gave the outside intruder a legitimate means of knowing the IP address of the FTP server.

Sniff Test Procedure

First, we ran the network sniff test, because it was necessary to determine the target IP address (the FTP server). The information discovered was necessary in order for many of the other attacking tools to work correctly. This test also verifies the IP addresses of the equipment being used.

  1. Open Ethereal.
  2. Select Capture -> Interface, then choose the network interface.
  3. Select Capture.
  4. Allow Ethereal to capture packets for about 30 seconds, and then select stop.
  5. To save the captured packets, select File -> Export as Plain Text File.
  6. Enter an appropriate filename, then click OK.

Traceroute Procedure

The traceroute was an attempt to determine the route used to reach the target network. This step also tries to determine whether there are any other IP addresses, from any other network devices, that lead to the target server. This test helps to establish, if possible, the IP address of the route(s) to the target server.

  1. Open Netwag and select Traceroute.
  2. Ensure the Destination IP Address checkbox is checked.
  3. Enter the appropriate target network.
  4. Select Generate It (bottom of screen).
  5. Then select Run It.

We chose these attack types to expose each system to a variety of attacks, not to test every possible progressive attack.

Synflood Attack Procedure

The synflood attack observes how each firewall behaves when it receives large numbers of SYN requests. The Netwag program's synflood attack also has the ability to spoof the source IP address.

  1. Open Netwag and select Synflood.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter the target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.

Garbage Procedure

The garbage attack, or random fragment attack, observes how each firewall behaves against an attack that sends random data to random port numbers. The Netwag program's random fragment attack also has the ability to spoof the source IP address.

  1. Open Netwag and select "Flood a host with random fragments."
  2. Check the Destination IP Address checkbox.
  3. Enter the target IP address.
  4. Select Generate It (bottom of screen).
  5. Select Run It.

UDP Ping Procedure

The UDP Ping attack observes how each firewall behaves against ping attacks using UDP. The Netwag program's UDP Ping also has the ability to spoof the source IP address.

  1. Open Netwag and select Ping UDP.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter the target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.

TCP Ping Procedure

The TCP Ping attack observes how each firewall behaves against the ping attack using TCP. The Netwag program's TCP Ping also has the ability to spoof the source IP address.

  1. Open Netwag and select Ping TCP.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter the target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.

Ping of Death Procedure

The ping of death attack observes how each firewall behaves against attacks that send over-sized packets. Our goal was not to determine how many over-sized packets are required to shut down each firewall.

  1. Open a Windows command prompt window.
  2. Enter ping -l 65000 <target_IPaddress>.

Configuration

The aim of this configuration is to simulate a condensed, real-world, corporate network layout. We placed one server on the outside router's external interface to act as the Internet, in order to demonstrate how the internal network could gain permitted access to the Internet. The server on the inside network provides the outside world with a specific target. The access list for all three firewalls permits WWW traffic to pass out on port 80 while at the same time allowing FTP to pass in on port 21. Because the PIX implicitly denies anything not on the access list, we had to create rules to allow these transmissions to pass through. We created the baseline (PIX Firewall) by modifying the Advanced Router Lab's configuration. The SmoothWall and OpenBSD layouts modified this layout even further. Neither software firewall has an inside router in its configuration. We removed the inside router due to issues it caused in allowing connections to the SmoothWall web-based administrative console.

We kept this configuration for simplicity and uniform results in the later configuration and testing of the OpenBSD firewall.

Test Results

Our test results were interesting.

Cisco PIX Results

Regardless of which port the attack used, with stateful packet inspection activated, the Cisco PIX blocked all transmissions on every test we conducted. The PIX also continued to allow the proper connections that were not considered attacks during the tests. The PIX effectively blocked the outgoing and incoming packets. One of the few issues with the PIX is finding proper documentation. The PIX was designed with a professional support team in mind, not the typical home user.

SmoothWall Express Results

Compared to the PIX, SmoothWall was simpler in design and easier to configure, but also less robust. Unlike the PIX, SmoothWall uses stateless packet inspection. Attacks on specific ports locked up the firewall system until the attack stopped. SmoothWall was designed with the home user in mind, not corporations.

The documentation provided for SmoothWall is centered on the web-based GUI, which does a good job detailing how to set up and configure the system. SmoothWall also uses the open source intrusion detection system Snort. One of SmoothWall's problems is that the GUI does not list any outbound packet inspection options. (You can activate stateful inspection by modifying the source code manually.) Another issue is that SmoothWall has a limit of three interfaces: an inside, an outside, and a DMZ.

OpenBSD Results

OpenBSD is everything one might expect from an open source firewall. It has the power and potential of the PIX without the cost. As for performance, OpenBSD performed just as well as the Cisco PIX at blocking unwanted incoming or outgoing packets with no degradation to the system. OpenBSD also kept detailed text logfiles of each attack, which were fairly easy to read. Like SmoothWall, OpenBSD does not provide any type of graphical results analysis of the logged attacks; the PIX does provide this.

The main issue with OpenBSD is that you may require professional support. But without the cost of the hardware PIX, you might consider this an even offset. OpenBSD also does stateful or stateless packet inspections, remembers sessions, and modulates the session to assist with preventing the data connections from being hijacked. Because it is an operating system, OpenBSD has the ability to add Snort or other advanced IDS options. OpenBSD also has the option of creating VPN connections.

When installed, OpenBSD is secure by default. As with SmoothWall, the documentation for BSD is very detailed. However, unlike SmoothWall, the configuration instructions direct you to perform manual command-line operations. OpenBSD is our runner-up firewall. The available interfaces are only limited by the number of possible interface cards you can install in the PC.
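As an added illustration of the layout from the Configuration section and of the stateful, logged filtering credited to OpenBSD above, the following pf.conf is example code written for this page, not the authors' configuration. Interface names and addresses are assumed placeholders; NAT and the FTP data channel (see ftp-proxy(8)) are left out.

```pf
# Added example pf.conf for the two-interface layout described in the article:
# inside hosts may browse out on TCP/80, the outside may reach the inside FTP
# server on TCP/21, everything else is denied and logged.
ext_if  = "em0"                # assumed: toward the outside router
int_if  = "em1"                # assumed: toward the inside network
int_net = "192.168.10.0/24"    # assumed inside network
ftp_srv = "192.168.10.20"      # assumed inside FTP server (the test target)

# Sources that exceed the connection-rate limit below land here and are cut off.
table <flooders> persist

set skip on lo
set block-policy drop          # drop silently; no RST/ICMP replies to probes

# Reassemble fragments before filtering, so random-fragment floods and
# oversized pings are judged as whole packets rather than slipping through
# in pieces.
match in all scrub (no-df)

# Default deny. "log" sends every blocked probe to pflog0; reading pflog0 with
# tcpdump yields the per-attack text log the article credits OpenBSD with.
block log all

# Outbound WWW from the inside network only. States are floating by default,
# so the state created here also matches the packet as it leaves on $ext_if.
# modulate state rewrites initial sequence numbers so a weak client ISN
# cannot be used to hijack the session.
pass in  on $int_if inet proto tcp from $int_net to any port 80 modulate state
pass out on $ext_if inet proto tcp from $int_net to any port 80

# Inbound FTP control channel to the published server. synproxy makes pf
# complete the TCP handshake itself, so a SYN flood never reaches the server;
# a source opening more than 15 connections in 5 s is added to <flooders> and
# its existing states are flushed.
block in quick on $ext_if from <flooders>
pass in  on $ext_if inet proto tcp from any to $ftp_srv port 21 synproxy state \
    (max-src-conn-rate 15/5, overload <flooders> flush global)
pass out on $int_if inet proto tcp from any to $ftp_srv port 21
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t flooders -T show` lists sources that tripped the rate limit.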

Conclusion

The Cisco PIX behaved as expected and is an outstanding choice if cost is not an issue. Cisco's built-in graphical results are effective quick-references for observing the firewall status. For cost effectiveness and features, OpenBSD is an excellent choice. Out of the three firewalls tested, SmoothWall Express is our least preferred because it is the least powerful. However, SmoothWall Express is a good choice for a home-based network. This version is not recommended for business or corporate use. SmoothWall Express is open source; however, it does have a corporate professional edition that we did not evaluate for this project.

Choosing a firewall depends on the needs of your business or network. If you have a large corporate network behind the firewall, it would probably suit your needs to invest in a system like Cisco; however, a small entrepreneur should consider OpenBSD or SmoothWall, depending on the required security level and the available experience level.

When should a corporation consider using one of these three firewalls? The choice depends on its needs. If it wants top-of-the-line defense that provides detailed reports (including graphs), then the Cisco PIX is the best choice. If the corporation needs a good defense but cannot afford the PIX, OpenBSD is an effective, inexpensive choice. Based on the testing results of this project, SmoothWall Express is not an effective option for a corporation.

Small business or home users are most likely unable to afford the Cisco PIX. They are just as unlikely to be able to maintain such a device, assuming they are not a technology-based business or user. Because most small business and home users do not have the money or technical experience to use a PIX or OpenBSD, the best option for them is SmoothWall.

One of the key differences between a corporation and a small business (including home users) is that a corporation stands a high risk of being a target of script kiddies and professional hackers. With a small business, this risk is low, although small business and home users are still at risk. Because of this difference, and in light of maintainability concerns, SmoothWall is a good choice for a small business or home user.

Chris Swartz is a senior at East Tennessee State University. Currently he is working on completing a Bachelor's degree in Computer Science and minors in Anthropology and Japanese.

Randy Rosel works as an Application Developer for a cellular phone repair company in Upper East Tennessee.

Copyright © 2009 O'Reilly Media, Inc.