Hardware Versus Software Firewalls

Garbage Procedure

The garbage attack, or random fragment attack, observes how each firewall behaves when flooded with random payloads, carried in random IP fragments, aimed at random port numbers. Netwag (the graphical front end to the netwox tool collection) can also spoof the source IP address of the fragments.

  1. Open Netwag and select "Flood a host with random fragments."
  2. Check the Destination IP Address checkbox.
  3. Enter the target IP address.
  4. Select Generate It (bottom of screen).
  5. Select Run It.

UDP Ping Procedure

The UDP Ping test observes how each firewall behaves against a UDP ping: an unsolicited UDP datagram sent to a chosen port, which the target answers with an ICMP port-unreachable if nothing is listening and the firewall lets the datagram through. Netwag's UDP Ping can also spoof the source IP address.

  1. Open Netwag and select Ping UDP.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter the target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.

TCP Ping Procedure

The TCP Ping test observes how each firewall behaves against a TCP ping: a lone SYN sent to a chosen port, which the target answers with a SYN/ACK or a RST if the segment reaches it. Netwag's TCP Ping can also spoof the source IP address.

  1. Open Netwag and select Ping TCP.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.

Ping of Death Procedure

The ping of death test observes how each firewall behaves against over-sized ICMP echo requests. Our goal was not to determine how many over-sized packets are required to shut down each firewall. Note that the Windows ping -l option sets the ICMP payload size, not the total IP length, and caps it at 65500 bytes, so the request leaves as a train of IP fragments that the target reassembles rather than as a datagram exceeding the 65535-byte IP maximum. What this test exercises is how the firewall handles large fragmented datagrams; the original ping-of-death reassembly bug itself was fixed in operating systems in the late 1990s.

  1. Open a Windows command prompt window.
  2. Enter ping -l 65000 <target_IPaddress>.
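The question all four procedures above are really asking is whether the permitted connections keep working while the attack runs. The following script, an added example that is not part of the article and not Netwag's code, measures that directly: it floods the target and, at the same time, repeatedly opens TCP connections to the permitted service and records how many complete and how long they take. It cannot build raw fragments or spoof sources (that needs raw sockets and root, which is what Netwag/netwox supplies), so its stand-in attack is a flood of random UDP payloads to random ports, the user-space cousin of the garbage test. The local stub service, the addresses and the timings are assumptions so that it runs offline; point TARGET_HOST and SERVICE_PORT at a real server behind the firewall under test to use it for real.

```python
"""Availability probe for the firewall tests: flood a host and, concurrently,
measure whether a permitted TCP service on it stays reachable.
Added example; stub service, addresses and timings are assumptions."""
import os
import random
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    attempts: int = 0          # TCP connections tried to the permitted service
    successes: int = 0         # ...of which completed
    latencies: list = field(default_factory=list)
    attack_packets: int = 0    # UDP datagrams sent by the flood thread

    @property
    def availability(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def worst_latency(self) -> float:
        return max(self.latencies) if self.latencies else 0.0


def start_stub_service(host="127.0.0.1"):
    """Local stand-in for the server behind the firewall (assumption: in a real
    run the permitted service already exists). Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(64)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(b"220 ok\r\n")   # FTP-style greeting
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def udp_garbage_flood(host, stop, result, ports=(1, 65535)):
    """Random-length random payloads to random UDP ports until stop is set."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while not stop.is_set():
        payload = os.urandom(random.randint(1, 1400))
        try:
            s.sendto(payload, (host, random.randint(*ports)))
            result.attack_packets += 1
        except OSError:
            pass   # an ICMP unreachable may surface as ECONNREFUSED; keep going
    s.close()


def probe_service(host, port, stop, result, interval=0.02, timeout=1.0):
    """Open a TCP connection to the permitted service over and over and record
    whether it completed and how long the connect took."""
    while not stop.is_set():
        t0 = time.monotonic()
        result.attempts += 1
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                c.recv(64)
            result.successes += 1
            result.latencies.append(time.monotonic() - t0)
        except OSError:
            pass   # refused or timed out: counted as an attempt, not a success
        time.sleep(interval)


def run_test(host, service_port, duration=2.0) -> ProbeResult:
    """Flood and probe concurrently for `duration` seconds, then report."""
    result, stop = ProbeResult(), threading.Event()
    workers = [
        threading.Thread(target=udp_garbage_flood, args=(host, stop, result)),
        threading.Thread(target=probe_service, args=(host, service_port, stop, result)),
    ]
    for w in workers:
        w.start()
    time.sleep(duration)
    stop.set()
    for w in workers:
        w.join()
    return result


if __name__ == "__main__":
    TARGET_HOST = "127.0.0.1"                        # assumption: local stub
    SERVICE_PORT, stop_stub = start_stub_service(TARGET_HOST)
    r = run_test(TARGET_HOST, SERVICE_PORT)
    stop_stub()
    print(f"attack datagrams sent: {r.attack_packets}")
    print(f"service availability: {r.availability:.1%} ({r.successes}/{r.attempts}), "
          f"worst connect {r.worst_latency * 1000:.0f} ms")
```

Run it once without the flood thread to get a baseline, then with it; a firewall that "locks up until the attack stops", as described later for SmoothWall, shows up as availability dropping toward zero and worst-case connect time climbing to the timeout.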

Configuration

The aim of this configuration is to simulate a condensed, real-world corporate network. We placed one server on the outside router's external interface to stand in for the Internet, so that we could show the internal network gaining permitted access to it. The server on the inside network gives the outside world a specific target. The access list for all three firewalls permits WWW traffic out on TCP port 80 and FTP in on TCP port 21. (Port 21 carries only the FTP control channel; the data channel is a separate connection, so a stateful firewall needs an FTP helper to pass it: the PIX has fixup protocol ftp, and OpenBSD has ftp-proxy(8).) Because the PIX implicitly denies anything not on the access list, we had to create rules to allow these transmissions to pass. We built the baseline (PIX) configuration by modifying the Advanced Router Lab's configuration, and then modified that layout further for SmoothWall and OpenBSD. Neither software firewall has an inside router in its configuration; we removed it because it interfered with connections to SmoothWall's web-based administrative console.

We kept this configuration for simplicity and uniform results in the later configuration and testing of the openBSD firewall.
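An OpenBSD pf.conf that expresses this test policy (default deny, web out from the inside network, FTP control in to the inside server), added here as an illustration. It is not the authors' configuration; the interface names, the inside network and the server address are assumptions.

```pf
# Added example: OpenBSD pf rule set for the test layout above.
# Interface names and addresses are assumptions, not the authors' values.
ext_if  = "fxp0"            # outside interface
int_if  = "fxp1"            # inside interface
ftp_srv = "192.168.10.5"    # inside server the outside world may reach

set skip on lo0
# Reassemble fragments before the rules see them, so the random-fragment and
# over-sized ping tests are judged on whole datagrams.
scrub in all

# Default deny, logged: the equivalent of the PIX's implicit deny.
# Every packet the tests throw at the firewall ends up in the pflog.
block log all

# Web browsing from the inside network out. The state entry created here
# carries the replies back without a separate rule.
pass in log on $int_if proto tcp from $int_if:network to any port 80 \
    flags S/SA modulate state

# FTP control channel in to the inside server. modulate state rewrites the
# initial sequence numbers so a weak ISN generator on the server cannot be
# exploited to hijack the session. The data channel still needs ftp-proxy(8).
pass in log on $ext_if proto tcp from any to $ftp_srv port 21 \
    flags S/SA modulate state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; the log keyword on the pass rules is what makes the permitted flows visible in the pflog alongside the blocked attack traffic.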

Test Results

Our test results were interesting.

Cisco PIX Results

With stateful packet inspection enabled, the Cisco PIX blocked the attack traffic on every test we conducted, regardless of which port the attack used, and it continued to pass the permitted connections throughout. It blocked the attack packets in both directions, incoming and outgoing. One of the few issues with the PIX is finding proper documentation: it was designed with a professional support team in mind, not the typical home user.

SmoothWall Express Results

Compared to the PIX, SmoothWall was simpler in design and easier to configure, but also less robust. Unlike the PIX, SmoothWall did not track connection state in the rule set we tested. (SmoothWall Express is built on Linux netfilter/iptables, whose connection tracking is stateful, so this is a limitation of the default rules and the GUI rather than of the underlying packet filter.) Attacks on specific ports locked up the firewall until the attack stopped. SmoothWall was designed with the home user in mind, not corporations.

The SmoothWall documentation centers on the web-based GUI and does a good job of explaining how to set up and configure the system. SmoothWall also bundles the open source intrusion detection system Snort. One of SmoothWall's problems is that the GUI offers no outbound filtering options; anything beyond what the GUI exposes requires editing the underlying rule scripts by hand. Another limitation is that SmoothWall supports at most three interfaces: inside, outside, and DMZ.

OpenBSD Results

OpenBSD is everything one might expect from an open source firewall: it has the power and potential of the PIX without the cost. In performance it matched the Cisco PIX at blocking unwanted incoming and outgoing packets, with no degradation of the system. OpenBSD also kept detailed logs of each attack that were easy to read (pf writes them to the pflog interface in pcap format; read the file with tcpdump -n -e -ttt -r /var/log/pflog). Like SmoothWall, the OpenBSD base system provides no graphical analysis of the logged attacks, which the PIX does provide; third-party tools such as pfstat in the ports tree can graph pf statistics.

The main issue with OpenBSD is that you may need to buy professional support, but without the cost of the PIX hardware you might consider that an even trade. pf can filter statefully or statelessly, and its modulate state option rewrites the initial sequence numbers of tracked TCP sessions, which protects hosts with weak ISN generation from having their connections hijacked. Because it is a full operating system, OpenBSD can also run Snort or other advanced IDS options, and it can terminate VPN connections (IPsec via isakmpd), as the PIX can.

When installed, OpenBSD is secure by default. As with SmoothWall, the OpenBSD documentation is very detailed; unlike SmoothWall's, however, its configuration instructions direct you to perform manual command-line operations. OpenBSD is our runner-up firewall. The number of available interfaces is limited only by the number of interface cards you can install in the PC.
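Reading the pflog is where the "easy to read" claim above gets tested in practice. The following parser, an added example and not part of the article or of OpenBSD, takes lines as printed by tcpdump -n -e -ttt -r /var/log/pflog and reduces them to what the test procedures care about: how much attack traffic the default-deny rule caught (per source, per destination port, and how many fragments), and whether the two permitted flows of the test policy (FTP in on the outside interface, web out from the inside interface) were passed rather than blocked. The sample lines are constructed in the shape of tcpdump's pflog output and are not a real capture; the interface names and the policy table are assumptions, and the pass lines assume the pass rules were written with the log keyword.

```python
"""Summarise pflog records (as printed by tcpdump) for a firewall test.
Added example; the sample lines below are constructed, not a real capture."""
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -e -ttt -r /var/log/pflog`:
# timestamp, rule number, action, direction, interface, then the 5-tuple.
SAMPLE_PFLOG = """\
Feb 12 10:01:02.113456 rule 0/(match) block in on fxp0: 203.0.113.7.40213 > 192.0.2.10.113: S 1:1(0) win 512
Feb 12 10:01:02.118901 rule 0/(match) block in on fxp0: 203.0.113.7.40214 > 192.0.2.10.137: udp 731
Feb 12 10:01:02.201775 rule 0/(match) block in on fxp0: 203.0.113.7 > 192.0.2.10: (frag 4711:1400@2960)
Feb 12 10:01:03.000312 rule 2/(match) pass in on fxp0: 198.51.100.20.51010 > 192.0.2.10.21: S 2:2(0) win 65535
Feb 12 10:01:03.400512 rule 1/(match) pass in on fxp1: 192.168.10.15.1029 > 93.184.216.34.80: S 3:3(0) win 16384
Feb 12 10:01:04.000001 rule 0/(match) block out on fxp0: 192.168.10.15.1030 > 203.0.113.7.6667: S 4:4(0) win 16384
"""

# Flows the test policy must pass: (direction, interface, destination port).
# Interface names are assumptions matching the constructed sample.
POLICY = {("in", "fxp0", 21), ("in", "fxp1", 80)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: ?(?P<rest>.*)$"
)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped
    (continuation lines, truncated records)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        rest = rec.pop("rest")
        if rest.startswith("(frag"):
            rec["proto"] = "frag"       # non-first fragment: no ports visible
        elif rest.startswith("udp"):
            rec["proto"] = "udp"
        elif rec["dport"] is not None:
            rec["proto"] = "tcp"
        else:
            rec["proto"] = "other"
        records.append(rec)
    return records


def summarize(records):
    """What the tests want to know: what was blocked, and did the permitted
    flows survive (a blocked permitted flow is a policy violation)."""
    blocked = [r for r in records if r["action"] == "block"]
    permitted = [r for r in records
                 if (r["dir"], r["ifname"], r["dport"]) in POLICY]
    return {
        "blocked_total": len(blocked),
        "blocked_by_src": Counter(r["src"] for r in blocked),
        "blocked_by_dport": Counter(r["dport"] for r in blocked
                                    if r["dport"] is not None),
        "fragments_blocked": sum(1 for r in blocked if r["proto"] == "frag"),
        "permitted_passed": sum(1 for r in permitted if r["action"] == "pass"),
        "policy_violations": [r for r in permitted if r["action"] == "block"],
    }


if __name__ == "__main__":
    summary = summarize(parse_pflog(SAMPLE_PFLOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real run, replace SAMPLE_PFLOG with the output of tcpdump -n -e -ttt -r /var/log/pflog and adjust POLICY to the rules under test; a non-empty policy_violations list means the firewall dropped traffic it was supposed to pass, which is the failure mode the PIX and OpenBSD avoided and SmoothWall did not.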

Conclusion

The Cisco PIX behaved as expected and is an outstanding choice if cost is not an issue. Cisco's built-in graphical results are effective quick-references for observing the firewall status. For cost effectiveness and features, OpenBSD is an excellent choice. Out of the three firewalls tested, SmoothWall Express is our least preferred because it is the least powerful. However, SmoothWall Express is a good choice for a home-based network. This version is not recommended for business or corporate use. SmoothWall Express is open source; however, it does have a corporate professional edition that we did not evaluate for this project.

Choosing a firewall depends on the needs of your business or network. A large corporate network behind the firewall probably justifies investing in a system like the Cisco PIX; a small entrepreneur should consider OpenBSD or SmoothWall, depending on the security level required and the experience available to run it.

When should a corporation consider using one of these three firewalls? The choice depends on its needs. If it wants top of the line defense that provides detailed reports (including graphs), then the Cisco PIX is the best choice. If the corporation needs a good defense but cannot afford the PIX, OpenBSD is an effective, inexpensive choice. Based on the testing results of this project, SmoothWall Express is not an effective option for a corporation.

Small business or home users are most likely unable to afford the Cisco PIX. They are just as unlikely to be able to maintain such a device, assuming they are not a technology-based business or user. Because most small business and home users do not have the money or technical experience to use a PIX or OpenBSD, the best option for them is SmoothWall.

One of the key differences between a corporation and a small business (including home users) is that a corporation stands a high risk of being a target of script kiddies and professional hackers. With a small business, this risk is low, although small business and home users are still at risk. Because of this difference, and in light of maintainability concerns, SmoothWall is a good choice for a small business or home user.

Chris Swartz is a senior at East Tennessee State University. Currently he is working on completing a Bachelor’s degree in Computer Science and minors in Anthropology and Japanese.

Randy Rosel works as an Application Developer for a cellular phone repair company in Upper East Tennessee.



  • An error in your article
    2007-02-21 14:05:09  nick haddock

    The last time I checked netfilter fully supports stateful packet inspection. As Smoothwall uses netfilter, then your comment on it not having stateful inspection is invalid. All outbound traffic from the SW is allowed by default in SWE2 but will be an option in SWE3 filtering. I also seriously doubt some of your conclusions. I have personally set up and managed sites with several hundred users behind a SW2 without issue.
  • Home Firewall Appliances
    2007-02-20 16:12:47  fs4724

    I would like to see the ZoneAlarm Z100G and the Watchguard Firebox SOHO 6 firewall appliances tested as well as the PIX. Please reprise this report.
  • Up to date?
    2007-02-19 10:26:19  Ian F. Darwin | O'Reilly Author

    The authors don't state at the beginning what version of OpenBSD they tested, but the refs at the end refer to 3.8, which is more than a year old (4.0 is out, with 4.1 in the wings).


    They also state that there is no firewall graphing software for OpenBSD, but pfstat has been in OpenBSD's ports tree since 2002/07/26. pfstat bills itself as "a small utility that collects packet filter statistics and produces graphs." To try it out just do
    cd /usr/ports/net/pfstat; make install
    with the appropriate privileges (e.g. sudo).

  • Cisco PIXs and VPNs
    2007-02-19 08:38:54  PB-User

    PIX firewalls are also very capable of terminating and creating VPN tunnels, not just OpenBSD.

  • Need a GUI for OpenBSD PF?
    2007-02-19 01:10:18  DomDom

    I think there is one great open source firewall missing... pfSense

    "pfSense is a open source firewall derived from the m0n0wall operating system platform with radically different goals such as using OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC) for excellent packet queueing and finally an integrated package management system for extending the environment with new features."

    http://pfsense.com/
  • Competence?? What does the author need a firewall for??
    2007-02-15 23:44:53  noxxi

    I think the first question one needs to ask before evaluating a firewall is the attack scenario, which differs if you need to protect Windows computers in a company, a web or ftp server, a VOIP gateway ...

    From the first sentences in the article one could assume that it is about computers inside a company, which are today mainly Windows. So it is missing all the virus and trojan scanning stuff which is essential for this environment, it's missing attacks against browsers, it's missing attacks from inside (if there is already a trojan inside)...

    In this environment you don't really care about syn-floods because it's mainly outgoing connections.

    And I really doubt the security-related competence of the authors if they recommend using wireshark to capture the traffic. Given the security record of this (otherwise really good) application I would never let it capture the traffic, because this requires root privileges. I would instead use tcpdump to capture and then run wireshark as an unprivileged user to read and display the dump.