Original is at http://www.tis.com/docs/products/gauntlet/gauntletfaq.html
Table of Contents
- Purpose of this document
- What is an Internet firewall?
- What will a firewall do for me?
- What will a firewall not do for me?
- What is a "network security perimeter?"
- What is "defense in depth?"
- What is a "perimeter defense?"
- What are the different types of firewalls?
- What are stateful multilevel inspection firewalls?
- Which is the most secure type of firewall?
- What are application gateways (proxies)?
- Aren't application gateways and proxies different things?
- Aren't application gateways, or proxies, outmoded, old technology?
- What is the Gauntlet Internet Firewall?
- What services are supported by the Gauntlet Firewall?
- Are Gauntlet proxies easy to use?
- If I use the Gauntlet Firewall, do I have to modify software on inside machines?
- What are the customer needs addressed in version 4.0 of the Gauntlet firewall?
- What new features will I find in version 4.0 of the Gauntlet firewall?
- What are some of the services supported for secure multimedia communications?
- Can I use multiple Gauntlet Firewalls at an Internet gateway?
- Do I need special software or a certain operating system to use the Gauntlet Management GUI?
- What is a Virtual Private Network?
- What's a Virtual Network Perimeter?
- What are the benefits of VPNs and VNPs?
- Are Gauntlet Firewalls with encryption available outside the USA?
- Doesn't the strong encryption require government escrowing of keys?
- Why do you say you are the only firewall vendor to export strong cryptography? Vendor XYZ is doing it.
- Can a Gauntlet Internet Firewall be used in a VPN with a different firewall?
- What is network address translation (NAT)?
- Does the Gauntlet Internet Firewall support NAT?
- Does the Gauntlet Internet Firewall support E-mail and DNS?
- What is meant by the term "strong user authentication?"
- Do Gauntlet products support strong user authentication?
- Can I use reusable passwords for outbound connections?
- What are the qualifications of a firewall administrator?
- Can you guarantee that my Gauntlet Firewall will never crash?
- What kind of logging does the Gauntlet firewall do?
- What firewall activity reports come with Gauntlet firewalls?
- If I have a Gauntlet box, do I still need a router?
- On what operating systems do Gauntlet products run?
- Why is it important to "harden" an operating system for a firewall?
- Does the Gauntlet Internet Firewall support FDDI, Token Ring, or ATM?
- Should user accounts be permitted on a firewall?
- Should general servers, such as WWW servers, be permitted on a firewall?
- Does the Gauntlet Internet Firewall allow UDP or ICMP through?
- Does the Gauntlet Internet Firewall check for viruses?
- Is the Gauntlet Internet Firewall available in my country?
- Isn't the Gauntlet Internet Firewall based on freeware?
- What are the differences between the Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit (FWTK)?
- Does TIS support the FWTK?
- Doesn't the availability of source code make a firewall more vulnerable to attacks?
- Isn't making source code available contrary to good security practices?
- What is an "intranet?"
- What is the Gauntlet Intranet Firewall?
- Isn't the Gauntlet Intranet Firewall just a Gauntlet Internet Firewall with a different name?
- What's the Gauntlet Net Extender?
- What is the Gauntlet PC Extender?
- Does Gauntlet PC Extender run on Windows 95 or Windows NT?
- With what PC network products does the PC Extender work?
- What do we have to do before we install our Gauntlet firewall?
- What is the price of the Gauntlet Internet Firewall?
- How can TIS claim that it has "The Most Secure FirewallsSM"?
- What is your design approach?
- What can you recommend for further reading?
- How is TIS different from other firewall vendors?
- How do I contact TIS for more information?
The purpose of this document is to answer questions
about the Gauntlet Internet Firewall and internetwork firewalls.
A firewall is "a system or combination of systems
that enforces a boundary between two or more networks." (All
definitions in quotes are from the National Computer Security
Association's standard Firewall Functional Summary template.)
It is a controlled gateway between one network and another. Typically,
people discuss putting a firewall between a private, trusted network
and the public Internet. It is analogous to a guard post in the
lobby of a building, or at the gatehouse of an enclosed installation.
For more detail, see what we recommend for further reading near
the end of this document.
Connecting your private, internal network to an outside,
untrusted network can be both a blessing and a curse. A blessing
in that the exchange of computerized information (the lifeblood
of modern commerce) is greatly facilitated. A curse in that you
may be exposing your valuable network resources and the reputation
of your organization to the whims of Internet hackers or industrial
spies. These problems have been extensively documented in the
technical media (see TIS's web page at www.tis.com). To minimize
the risk while maximizing the benefit requires that an organization
develop a comprehensive Network Security Plan. This should include
user security awareness training, qualified network security system
administrators, and a network architecture that promotes structured
security and the use of appropriate network security components.
The Gauntlet Internet Firewall is one of the important components
of a well-designed network security architecture.
The Gauntlet Internet Firewall is designed to be
the single point in your network through which all communications
between your internal network and all outside, untrusted networks
must pass. This is also the point at which the Network Security
Administrator may monitor and control the flow of information
between the networks. The Gauntlet Internet Firewall supports
strong authentication mechanisms to ensure that only authorized
users can enter your protected network. The Gauntlet Internet
Firewall is capable of preventing unauthorized communications
in either direction, and provides a log of all connections across
the firewall in either direction. Properly configured, the Gauntlet
firewall presents an impenetrable barrier to even the most persistent
hackers seeking to access your network.
See our further reading list for more detailed information.
An Internet firewall is a controlled gateway. It
cannot stop attacks from malicious insiders, nor can it take the
place of education and security policies and procedures. It is
part of an overall security plan.
A network security perimeter is established by the
methods and mechanisms used to secure the network against outside
Defense in depth, also called host-based security,
is "the security approach whereby each system on the network
is secured to the greatest possible degree. [It] may be used in
conjunction with firewalls."
Also known as perimeter-based security, it is "the
technique of securing a network by controlling access to all entry
and exit points of the network."
Before launching into a description of different
types of firewalls, the concept of a perimeter defense should
be understood because of its importance to the proper function
of a firewall. To a site administrator, establishing a perimeter
defense means that all communications between the internal network
and external, untrusted networks must pass through the firewall(s)
in order to monitor and control the traffic. The organization's
Network Security Plan should specify that any form of connection
to or from machines outside the internal network is strictly forbidden
without review and authorization from the security administrator.
This should include modems, leased lines to other networks, etc.
Users should be aware that connections between their secure internal
network and any outside network, including that of a trading partner
or client, may expose the internal network to attackers that have
broken into the other network. It makes little sense to have a
strong, well-protected front door (the firewall) if the back door
and all the windows are left open.
There are four types of firewalls: filtering gateways,
circuit gateways, application gateways, and hybrid or complex
Filtering firewalls use routers and packet filtering rules to
grant or deny access from one source address (host) and port (service)
to a second destination address and port. Also called a screening
router, it is "a router configured to permit or deny traffic
based on a set of permission rules installed by the administrator."
For example, the administrator can use the router rules to permit
a particular machine on the external network to FTP to a specific
machine on the internal network, but deny that same machine the
ability to TELNET to the internal machine. Similarly, one specific
address on the external network can be permitted to FTP to a specific
address on the internal network while all other addresses
are denied permission to FTP to that address on the internal network.
The advantages of a packet filtering firewall are that they are
fast, generally inexpensive, very flexible, and transparent. Also,
they can be implemented on routers, and most organizations already
have routers. Routers support static (unchanging) filtering.
Another type of filtering, dynamic filtering, tries to make sense
out of higher-level protocols and adapt filtering rules to accommodate
protocol-specific needs (e.g., simulated connections for connectionless
protocols such as NFS and RPC services).
A disadvantage of a filtering gateway is that once access has been
granted by the router to a host on the internal network, the attacker
has direct access to any exploitable weaknesses in either the
software or the configuration of that host.
Another disadvantage of a packet filter is that the source and destination
addresses and ports contained in the IP packet header are the
only information available to the router for making the decision
to grant or deny access to the internal network. Unfortunately,
source addresses and ports can be spoofed so that you cannot
be sure who is really making the request for access. This
is a critically important concept to understand. In reality
it means that if you permit anyone to come through your
router and access software on one of your internal host machines,
everyone can access that software on that host. And if
the software being accessed cannot do strong authentication, or
has a hole in it, the intruder has gained access to your network.
Also, routers do not generally provide robust (if any) logging
facilities, making it difficult to know when your network is under
attack, or how to recover from a successful attack.
Further, packet filtering firewalls do not support the concept
of strong user authentication, and access from untrusted networks
should not be granted without strong authentication (see the question
on strong user authentication).
Another problem is that both the hardware and software of routers
may contain exploitable weaknesses. Routers are generally designed
for performance, not security.
Finally, router rules are complex and are very difficult to "get
right." Even highly qualified network professionals will
occasionally add or modify a rule in the router's rule-base, and
in so doing, accidentally open a hole through the router.
A circuit level firewall is a means of handing an outgoing connection
request from a client on the internal network to a single machine
acting as a firewall, such that it will appear to the remote site
that the connection request actually came from the firewall.
The principal advantage of a circuit level firewall is that it
prevents direct connection between internal and external machines.
All incoming requests are blocked. If a user on an internal machine
writes code that listens on some non-standard port, users on external
hosts have no way to reach that port. This gives the Security
Administrator a single point at which to control incoming connection
A disadvantage, or limitation, of a circuit level gateway is that client
software on the internal network may have to be modified to do
the necessary "handshake" with the circuit level gateway
software (for example SOCKS), and source code for the client software
may be unavailable.
Application Level Gateway
An application gateway is "a firewall system in which service
is provided by processes that maintain complete TCP connection
state and sequencing. Application level firewalls often re-address
traffic so that outgoing traffic appears to have originated from
the firewall, rather than the internal host."
An application level firewall is generally considered to be the
most secure type of firewall. The Gauntlet Internet Firewall is an
application level firewall. Like the circuit level firewall, the
Gauntlet firewall is configured to be the only host address visible
to the outside network, requiring all connections to the internal
network to go through the firewall. An application level firewall
is distinguished by the use of proxies (application gateways)
for services such as FTP, TELNET, etc., which prevent direct access
to services on the internal network.
One advantage of this type of firewall is that proxies prevent
direct connection between internal hosts and external, untrusted
hosts. All incoming requests for services such as HTTP, FTP, TELNET,
RLOGIN, etc., regardless of which host on the internal network
will be the final destination, must first go through the appropriate
proxy software on the firewall.
For example, consider a host on the external network requesting
a connection to port 25 on any one of the many hosts on a network
not protected by the Gauntlet Internet Firewall. Every
host on the internal network could be running a different implementation
of Sendmail, or different versions of the same implementation,
each with known security problems. Because an attacker has direct
access to every host on your internal network, he can try port
25 on every host on the internal network until he finds one running
an implementation of Sendmail with an exploitable hole. From there
he can gain access to the machine, and then to your entire internal
To protect against this type of attack, you can either secure
every computer in your organization (usually impossible to enforce),
or require that all connections go through a control point on
which you have already made the security adjustments.
Strong user authentication (see below) should be required for
all incoming connection requests before granting access to the
requested service on the internal host when the protocol supports
it. Application gateways, or proxies, allow enforcement of user
Comprehensive logging at the application level can be performed
Since all communications between the internal and external networks
are required to go through one of the application proxies, the
proxies can restrict those communications to transactions appropriate
to the specific service being used. They are also in position
to do content-type filtering, such as blocking Java code from
coming in from the outside.
The principal limitation of application gateway firewalls is that
in some environments, there may be a requirement for data transfer
rates in excess of the capacity of the firewall. The capacity
of the Gauntlet Internet Firewall has not been determined, but
it has demonstrated throughput of 10 Megabits/second (Ethernet
speed), exceeding the capacity of a T1 link (about 1.5 Megabits/second).
Hybrid or Complex Gateways
Hybrid gateways combine two or more of the above methods. If
these methods are added in parallel, the network security perimeter
will be only as secure as the least secure of all methods used.
If they are added in series, the overall security is enhanced.
All commercial firewalls that are hybrid systems, have the mechanisms
A vendor who claims that a hybrid firewall is more secure by virtue
of being more complex does not understand security. A useful truism
of security to keep in mind is "complexity and security are
often inversely proportional."
Stateful inspection can also be called stateful filtering,
as it is basically a filtering type of firewall (see above) with
additional granularity. Stateful filters parse IP packets and
keep state about connections in the operating system kernel.
They may be faster than proxies, since filtering happens at a
lower level than the proxy mechanism, but they are also more complex.
If an interface for a particular service has protocol
specific knowledge, an SMLI firewall will have more security for
that particular service than a simpler packet filter would.
(And so, to add new services requires additional code, just like
for a proxy-based firewall.) If it does not have protocol specific
knowledge, then there is no added security - it has the same level
of security as a filtering gateway.
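To make the packet-filter discussion and the stateful (SMLI) variant above concrete, here is a toy screening router written as an added example for this FAQ; it is not Gauntlet code. The rule syntax, the flow table and the sample packets are constructed. It shows the three points the text makes: a static rule set can only judge header addresses and ports (so a packet forged with a permitted source address is indistinguishable from a legitimate one), a misplaced rule silently opens a hole, and a stateful filter admits the reply to a permitted outbound flow without a separate inbound rule.

```python
"""Toy screening router: static first-match rules, plus a stateful variant.
Added illustration, not Gauntlet code; rules, flow table and packets are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True  # connection-opening TCP segment; always True for UDP here


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # All a screening router can consult: header addresses, ports, protocol.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


class StaticFilter:
    """First matching rule wins; a packet matching no rule is denied."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StaticFilter):
    """Same rules for new flows, plus a kernel-style flow table so that replies
    to a permitted outbound flow are accepted without an inbound rule."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "permit"  # reverse direction of a flow already allowed
        if not p.syn:
            return "deny"  # mid-stream segment belonging to no known flow
        action = super().decide(p)
        if action == "permit":
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


# Constructed policy: one partner host may FTP to one internal host; inside may go out.
RULES = [
    Rule("permit", src="192.0.2.10/32", dst="10.1.1.5/32", dport=21, proto="tcp"),
    Rule("permit", src="10.0.0.0/8"),
    Rule("deny"),
]


def demo_static():
    f = StaticFilter(RULES)
    return {
        "partner_ftp": f.decide(Packet("192.0.2.10", 40000, "10.1.1.5", 21)),
        "partner_telnet": f.decide(Packet("192.0.2.10", 40001, "10.1.1.5", 23)),
        "stranger_ftp": f.decide(Packet("203.0.113.7", 40002, "10.1.1.5", 21)),
        # A packet carrying a forged partner source address is, to this filter,
        # indistinguishable from the real thing: it is permitted too.
        "forged_src_ftp": f.decide(Packet("192.0.2.10", 40003, "10.1.1.5", 21)),
    }


def demo_rule_order():
    """One hasty rule placed ahead of the others opens TELNET to everyone."""
    hasty = StaticFilter([Rule("permit", dst="10.1.1.5/32"), *RULES])
    return hasty.decide(Packet("203.0.113.7", 40004, "10.1.1.5", 23))


def demo_stateful():
    s, static = StatefulFilter(RULES), StaticFilter(RULES)
    query = Packet("10.1.1.5", 5353, "198.51.100.53", 53, proto="udp")
    reply = Packet("198.51.100.53", 53, "10.1.1.5", 5353, proto="udp")
    unsolicited = Packet("198.51.100.53", 53, "10.1.1.5", 6000, proto="udp")
    return {
        "query": s.decide(query),
        "reply_stateful": s.decide(reply),
        "reply_static": static.decide(reply),
        "unsolicited": s.decide(unsolicited),
    }
```

The stateful variant only adds security where the flow table is keyed on something the filter actually understands; as the text says, a filter without protocol knowledge for a service is no safer than the static one for that service.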
Experts agree that the most permissive, and least
secure, type of firewall is the filtering gateway, and the most
secure is the application gateway. Experts, such as Cheswick and
Bellovin -- see reference in the "further reading" area
of this document, Ted Julian in IDC's Firewall Marketing report
dated February 1996, and Rik Farrow, for example in the May 1996
issue of UniForum's "IT Solutions" magazine.
Bill Cheswick, well known firewall and Internet security
expert, pointed out (in the June 17, 1996 issue of LAN TIMES),
"Packet filters can protect your [network] quite adequately
if they are properly designed. The hard part is getting the rules
right and testing the filter to see if it is truly secure."
Winn Schwartau, president of InterPact, Inc., a security
consulting company added, in the same article, "Don't bother
[with packet filters]. They are a waste of money. ... if you are
going to have no control over user activities, why bother?"
The terms "application gateways" and "proxies"
mean the same thing. A proxy in a firewall is a software mechanism
that acts on behalf of another. It will sit between a client on
one side of the firewall and a server on the other. To the client
it looks and acts like a server; to the server it looks like client
software. It acts as a proxy for both sides.
All application data flows through the proxy. Because
of this the proxy is in a unique position to log information (time
of connection, number of bytes transferred, etc.) and enforce
access rules (who can connect to what for which service at what
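As an added example of what the proxy described above does, the following minimal application-level relay (in the style of the "plug gateway") applies an access rule before any connection reaches the internal server, relays both directions, and writes an audit entry per connection attempt. This is not Gauntlet's proxy code; the policy table, the service name, the log fields and the sample traffic are constructed for this example.

```python
"""Minimal application-level relay with an access rule and a per-connection
audit log. Added illustration, not Gauntlet's proxy code; policy, service name,
log fields and sample traffic are constructed."""
import socket
import threading
import time

AUDIT_LOG = []  # one dict per connection attempt: who, what, when, how much

def allowed(client_ip, service, policy):
    """Access rule: policy is a list of (client address prefix, service) pairs."""
    return any(client_ip.startswith(pfx) and svc == service for pfx, svc in policy)

def _listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def _pump(src, dst, entry, key):
    """Copy src -> dst until EOF, counting bytes in the audit entry."""
    try:
        while data := src.recv(4096):
            entry[key] += len(data)
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side
        except OSError:
            pass

def handle(client, addr, upstream, service, policy):
    """Apply the rule; if permitted, relay both directions; always log."""
    entry = {"client": addr[0], "service": service, "start": time.time(),
             "to_server": 0, "to_client": 0}
    if not allowed(addr[0], service, policy):
        entry["result"] = "denied"  # the internal server is never contacted
        client.close()
    else:
        server = socket.create_connection(upstream)  # server only ever sees the gateway
        entry["result"] = "permitted"
        t = threading.Thread(target=_pump, args=(server, client, entry, "to_client"))
        t.start()
        _pump(client, server, entry, "to_server")
        t.join()
        client.close()
        server.close()
    entry["end"] = time.time()
    AUDIT_LOG.append(entry)

def start_gateway(upstream, service, policy):
    """Serve exactly one connection on a free loopback port; return (port, thread)."""
    lsock = _listen()
    port = lsock.getsockname()[1]
    def run():
        client, addr = lsock.accept()
        lsock.close()
        handle(client, addr, upstream, service, policy)
    t = threading.Thread(target=run)
    t.start()
    return port, t

def start_echo_server():
    """Stand-in internal service: echoes one connection, then exits."""
    lsock = _listen()
    port = lsock.getsockname()[1]
    def run():
        conn, _ = lsock.accept()
        lsock.close()
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    threading.Thread(target=run, daemon=True).start()
    return ("127.0.0.1", port)

def run_client(port, payload):
    """Send payload through the gateway; return what comes back (b"" if refused)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while data := s.recv(4096):
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return b""

def demo():
    """A permitted client is relayed and logged; a refused one is only logged."""
    upstream = start_echo_server()
    port, t = start_gateway(upstream, "echo", [("127.", "echo")])
    got = run_client(port, b"hello through the gateway")
    t.join()
    port, t = start_gateway(upstream, "echo", [("10.", "echo")])  # loopback not in policy
    refused = run_client(port, b"should not get through")
    t.join()
    return got, refused, AUDIT_LOG[-2:]
```

The audit entry records exactly the items the text lists (time of connection, bytes each way, who asked for which service) and, because the rule is checked before the upstream connect, a refused client never touches the internal host.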
No, they are different technical terms for the same
mechanism. It is possible that some people use them to mean different
things in their marketing literature, but they are synonymous
Of course not. Application gateways have been around
only a few years. As discussed above, they are the most secure
kind of firewall mechanisms. Anyone who says otherwise disagrees
with the experts, and is probably blowing marketing smoke.
Applications gateways are much more secure than any
other kind of firewall mechanism, certainly more so than any filter-based
solution. At a CSI conference during the Meet the Enemy session,
hackers fingered a stateful inspection firewall as their "favorite
firewalls" to come up against. Hackers would rather not find
an application gateway firewall such as the Gauntlet Internet
The Gauntlet Internet Firewall is an application-based
firewall featuring the most secure firewall design in the industry.
The Gauntlet product features:
- Complete firewall transparency through the proxies
(so, without sacrificing security)
- Industry standard firewall-to-firewall encryption
(strong encryption that is exportable)
- The only "Crystal Box" firewall --
source code can be inspected
- Support for more strong user authentication devices
than any other firewall
- Secure, integrated graphical user interface (GUI)
management tools (via any web browser)
- A cryptographic system integrity checker
- Built in "smoke alarms" -- allowing
real-time notification of unauthorized activities
- Secure information gateway allowing safe deployment
of web or FTP server on firewall system
- And a set of application gateways (proxies)
The Gauntlet Internet Firewall
includes proxies for the following services:
- Terminal Services (TELNET, Rlogin)
- File Transfer (FTP)
- Electronic Mail (SMTP, POP3)
- World Wide Web (HTTP, SHTTP, AHTTP, SSL)
- X Window System (X11)
- Remote Execution (Rsh)
- Sybase SQL
- Oracle SQL*Net
- RealAudio and RealVideo
There is also a proxy that acts as a "patch
panel" for simple services in a one-to-one or one-to-many
configuration, called the "plug gateway." Through this
gateway, the Gauntlet Internet Firewall supports
- USENET News (NNTP)
- Lotus Notes
An authenticated circuit gateway allows the firewall
manager to configure certain "plug gateway" services
to be available on a per user basis after users authenticate themselves
to the firewall.
An authentication server supports the use of strong
user authentication (identification) via security tokens or one-time
Additionally, the Gauntlet Internet Firewall provides
optional support for extended content security:
- Virus scanning of file transfers, web access,
and electronic mail
- URL Screening
All proxies supplied with the Gauntlet Internet Firewall
can be installed for "transparent mode" operation. In
transparent mode, the user just issues the command to connect
to a machine on the other side of the firewall, and the connection
is made. All communication goes through the appropriate application
gateway. It just seems like a direct connection to the user.
None of the Gauntlet Internet Firewall proxies require
modification of the software on the internal network.
The Gauntlet Internet Firewall Version 4.0 addresses
the following customer needs:
- Secure Multimedia Communications
- Extended Content Security
- Support for Enterprise Network Management
- Extended DBMS Security
- Enhanced Native Management
What new features will I find in version 4.0 of the Gauntlet firewall?
- Streaming Multimedia Support For Most Popular Real-Time
- Support For Virus Scanning of Mail, FTP, and HTTP
- HP Network Management Support (OpenView)
- New JAVA-Based GUI for Local and Remote Management
- Extended DBMS Security with Oracle SQL*NET proxy
RealAudio, RealVideo, Xing, NetShow, and VDOLive are
all supported through specialized proxies.
Many of our customers install multiple Gauntlet units
in parallel at gateways for load balancing and redundancy. This
configuration works very well.
The management system can be accessed using any "Web
browser" program (e.g., Microsoft Internet Explorer, Netscape
Navigator) from any platform that supports them. No special software
A virtual private network, or VPN, through encryption,
provides privacy for all allowed network traffic between two gateways.
In a VPN, no level of trust between the networks need be assumed.
A VPN provides privacy only. A VPN is not necessarily a Virtual
This term was coined by TIS in a technical paper
(#1 in the reading list later in this document). A VNP is a Virtual
Network security Perimeter: a network that appears to be a single
protected network behind firewalls, which actually encompasses
encrypted virtual links over untrusted networks. The use of firewalls,
encryption, and standard administration, control, and policies
allows an organization to extend a network to include multiple
locations that may be connected over an untrusted network, such
as the Internet. In a VNP, all network services may be opened
up between the trusted networks, allowing even "insecure"
network services, by virtue of the protection allowed by the
network security perimeter. A VNP is also a Virtual Private Network.
For sake of example, envision a corporate headquarters
in Maryland with a branch office in California. Each site has
a private local area network protected by a Gauntlet Internet
Firewall. Without encryption, all of the traffic passing between
the two sites would go across the Internet "in the clear,"
meaning that anyone with a "sniffer" attached to one
of the many network links between Maryland and California could
read and understand the traffic. If I were sending e-mail, they
could read my e-mail. If I were sending a proposal via FTP, they
could read the proposal.
Now let's assume that we turn on encryption between
the two firewalls. As traffic leaves the site in Maryland, the
firewall uses a secret key known only to the firewall in California
to scramble the traffic in such a way that it cannot be read or
understood by anyone as it passes across the Internet. Your e-mail,
or proposal, would look like unintelligible garbage to anyone
using a sniffer.
There are two main benefits to using firewall-to-firewall
encryption. The obvious benefit is that traffic cannot be "seen"
by others (including intruders) as it passes across the Internet
between the two firewalls. This prevents sensitive information
from falling into the wrong hands, and denies intruders access
to information they might use to attack your network. The less
obvious benefit of such encryption is that traffic between the
two firewalls is no longer restricted to the services provided
by the firewall proxies. Now any application can safely be used.
Client/server database or financial applications can be used.
TELNET logins can be permitted without the need for strong authentication.
The encrypted link between the firewalls turns the two protected
networks into a single trusted environment.
Yes, Gauntlet Global Virtual Private Networks (GVPNs)
are available worldwide. Strong cryptography (56-bit DES and Triple
DES) is available. Gauntlet firewalls are the only firewalls
available worldwide with strong, standard cryptography.
No, not at all. TIS can export 56 bit DES free and
clear. Triple DES can be exported in conjunction with TIS's RecoverKey
technology. This patented technology requires no escrowing of
keys, and has been available on the Gauntlet firewall since January
We say it because it is true. If you look closely,
vendor XYZ supports DES only in the US. They cannot export
DES from their home (non-US) country. They use a proprietary encryption
algorithm that has been approved by their government for export.
They are not exporting DES worldwide. They may not export DES
from the US nor from their home country. Also, they do not support
Triple DES at all.
While we cannot understand why anyone would use any
other firewall, the answer is "yes." Gauntlet firewalls
can communicate over a VPN with any product supporting IPSEC and
Devices that support NAT allow networks to use unregistered
or "illegal" (unsupported or unassigned) IP addresses
on a network on one side of the NAT device, while being connected
on the other side to the Internet. The NAT device translates the
illegal address into a legal address for outside use.
Does the Gauntlet Internet Firewall support NAT?
Yes, because the firewall is your only connection
to the outside world, the outside network has no knowledge of
IP addresses on the inside network. The Gauntlet Internet Firewall,
by nature of its design as an application gateway-based firewall,
translates all internal addresses to the firewall's address, and
is designed to hide internal addresses from the "untrusted"
Yes, since a firewall often acts as an internetwork
gateway to an organization, the Gauntlet Internet Firewall includes
an e-mail gateway and DNS set-up. Both the e-mail gateway and
the name server hide internal addresses from the outside.
This discussion of strong user authentication is
from our paper "A Network Perimeter With Secure External
"We use 'authentication' as defined by the National
Computer Security Center's 'Red Book' as '(1) to establish
the validity of a claimed identity or (2) to provide protection
against fraudulent transactions by establishing the validity of
... the individual ....' Identification of a user is often accomplished
on computers through the use of a user name and password pair.
The password is kept secret and must be difficult to guess; only
the user knows the proper name and password pair to use. In reality,
passwords are often weak (guessable). Further, in the case of
identifying users over outside communication links, there exist
opportunities for capture of the user name and password information
(although the password is usually not echoed, it is transmitted
over the communications link 'in the clear'). Consequently, while
it would seem that a user name and password pair constitute good
identification criteria, the password is too easily guessed or
captured. [With strong user authentication], authentication of
a user is done in such a fashion that we can apply a high degree
of trust to the identification. This can be accomplished with
one-time passwords, or authentication devices ..."
The network authentication server provides a generic
authentication service for firewall proxies. Its use is optional,
required only if the firewall interactive proxies are configured
to require authentication. It acts as a piece of "middleware"
that integrates multiple forms of authentication, permitting an
administrator to associate a preferred form of authentication
with an individual user. This permits organizations that already
provide users with authentication tokens to enable the same token
for authenticating users to the firewall. Several forms of challenge/response
cards are supported, along with software-based one-time password
systems, and plaintext passwords. Use of plaintext passwords over
the Internet is strongly discouraged, due to the threat of password
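The following is an added example, not Gauntlet's authentication server code, showing why the two forms of strong authentication named above resist the password capture the quoted paper describes: a hash-chain one-time-password scheme (the idea behind S/Key, where the server stores only the last value of a chain and the user presents the one before it) and an HMAC challenge/response token, both behind a small "middleware" verifier that looks up the method registered for each user. User names, seeds, the token key and the protocol details are constructed for this example; a real deployment would use random seeds and a hardware token.

```python
"""One-time-password and challenge/response verification behind a per-user
method table. Added illustration, not Gauntlet's authsrv; names, seeds, keys
and protocol details are constructed."""
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def otp_chain(seed: bytes, n: int) -> list:
    """[h^0(seed), h^1(seed), ..., h^n(seed)]; the user keeps this (or recomputes it)."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class HashChainOTP:
    """Server side: stores only h^n(seed); the user presents h^(n-1)(seed).
    A captured value is spent after one use and cannot be turned into the next."""
    def __init__(self, last: bytes, count: int):
        self.last, self.count = last, count

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0 or not hmac.compare_digest(_h(candidate), self.last):
            return False
        self.last, self.count = candidate, self.count - 1  # step down the chain
        return True


class ChallengeResponse:
    """Server side of a challenge/response token sharing a key with the user."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge answers exactly once
        return hmac.compare_digest(expected, response)


def token_answer(key: bytes, challenge: bytes) -> bytes:
    """What the user's token computes when shown the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Middleware: each user is registered with one preferred method."""
    def __init__(self):
        self.users = {}

    def register(self, user: str, method) -> None:
        self.users[user] = method

    def authenticate(self, user: str, credential: bytes) -> bool:
        method = self.users.get(user)
        return method is not None and method.verify(credential)


def demo() -> dict:
    srv = AuthServer()
    chain = otp_chain(b"constructed-seed-for-alice", 3)  # random in practice
    srv.register("alice", HashChainOTP(chain[3], 3))
    key = b"constructed-token-key-for-bob"
    bob = ChallengeResponse(key)
    srv.register("bob", bob)
    out = {}
    out["alice_first"] = srv.authenticate("alice", chain[2])
    out["alice_replay"] = srv.authenticate("alice", chain[2])  # sniffed value is spent
    out["alice_next"] = srv.authenticate("alice", chain[1])
    out["alice_last"] = srv.authenticate("alice", chain[0])
    out["alice_exhausted"] = srv.authenticate("alice", chain[0])  # chain used up: reseed
    answer = token_answer(key, bob.challenge())
    out["bob_ok"] = srv.authenticate("bob", answer)
    out["bob_replay"] = srv.authenticate("bob", answer)  # a fresh challenge is needed
    out["unknown_user"] = srv.authenticate("mallory", b"anything")
    return out
```

Both verifiers accept a given credential once, which is the property a reusable password lacks when it crosses an untrusted link in the clear.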
The Gauntlet Internet Firewall supports many third-
party authentication devices. Please contact TIS for an up-to-date
Many sites would like to be able (usually for accounting
purposes) to have users on the internal network use a password
for outbound TELNET or FTP connections. However, since they do
not want to go to the expense of providing all of their internal
users strong authentication tokens, the question becomes "Can
I require them to use the normal username and reusable passwords
like the ones they use for logging into the internal network in
the first place?" In general, the answer is a guarded "yes."
The firewall administrator should be a qualified
TCP/IP network administrator. This is not because others cannot
easily learn to make necessary changes to the firewall using the
firewall maintenance interface, but rather because the peripheral
TCP/IP issues (such as DNS configuration, etc.) are important
to understanding how the firewall will function in a network environment.
The firewall is only one component in a complex architecture of
interdependent components, and the firewall administrator should
understand how changes to the firewall will affect the rest of
No, firewalls run on computers, and computers occasionally
fail. Since the firewall is the only link to networks outside
the private network, if the firewall fails you lose your connection
to those outside networks until the firewall machine can be repaired.
Because some sites have a critical need for continuous access
to and from the Internet or other private networks, TIS permits
clients of the Gauntlet Internet Firewall to maintain a cold backup
capability. A cold backup refers to a machine identical to the
firewall, with all of the Gauntlet Internet Firewall software,
the operating system, system files, etc., sitting on a shelf ready
to replace a failed machine. The only restriction is that the
primary firewall machine and the backup machine cannot be actively
operating as a firewall at the same time. If your organization
feels a backup unit is necessary, ask your TIS sales representative
about the current cost of a backup unit.
The Gauntlet Internet Firewall provides detailed
audit logs of sessions. All services accessed through the firewall
are logged to the security log system. This is turned "on"
by default at the highest level of logging. The following events
are logged by default:
- All operating system kernel warnings and errors
- All file system warnings and errors
- All attempted accesses to network services, whether or not
successful and whether or not a supported service, including rejected
source-routed addresses and ICMP redirects
- All successful network accesses, logging source and
destination addresses, service, time of day, disconnection time
of day, number of bytes transferred (if applicable), commands
accessed (FTP), and URLs accessed (HTTP)
- All interactions with the user authentication server
The Gauntlet Internet Firewall is supplied with two
log reduction reports. The first is a Summary Report in which
the use of each service (such as FTP) is summarized by user and
usage. For example, the firewall administrator might choose to
have the report show him who the top 20 users of TELNET were (how
many times they connected to that service, what address they connected
to, and how many bytes of data they transferred, etc.)
The second report is the Exception Report. To produce
this report, the firewall administrator specifies the information
he is not interested in seeing, and everything else is
included in the report. As a rule, administrators will quickly
develop a feel for the normal activity of the firewall usage at
their site. The exception report can then be used to examine closely
any "unusual" activity.
In addition, because the firewall logs are human-readable
UNIX syslogs, each site can have simple UNIX scripts written that
look for specific events that are of special interest, and have
the script perform such actions as send a message to the administrator's
console if the event should occur.
More extensive logging, intrusion detection, etc.
will be available through third party products in mid-1997.
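As an added example (not the FAQ's or TIS's own code), here is a small POSIX shell script that does what the Exception Report and the site-written event scripts above describe: it drops the lines an administrator has declared uninteresting, tallies sessions per host for one proxy the way the Summary Report does, and flags the events that should reach the console. The log lines are constructed to resemble firewall syslog, and the proxy names, hosts and addresses are assumptions rather than real Gauntlet output.

```shell
#!/bin/sh
# Added example, not Gauntlet/TIS code: a syslog filter in the spirit of the
# FAQ's Exception Report, Summary Report and event-alerting scripts.
# The log lines are constructed to resemble firewall syslog; proxy names,
# hosts and addresses are assumed. Needs only POSIX sh, grep, sed, sort, uniq.

# Constructed sample log: proxy sessions plus a few events worth a closer look.
SAMPLE_LOG='Mar  3 10:01:12 fw tn-gw[211]: permit host=alice.example.net/192.0.2.10 use of gateway
Mar  3 10:01:40 fw tn-gw[211]: exit host=alice.example.net/192.0.2.10 dest=203.0.113.5 in=1204 out=832 duration=28
Mar  3 10:02:07 fw ftp-gw[230]: permit host=carol.example.net/192.0.2.15 use of gateway
Mar  3 10:03:50 fw tn-gw[218]: permit host=alice.example.net/192.0.2.10 use of gateway
Mar  3 10:05:33 fw kernel: rejected source routed packet from 198.51.100.7
Mar  3 10:06:02 fw kernel: ICMP redirect from 198.51.100.9 ignored
Mar  3 10:07:15 fw authsrv[244]: BADAUTH bob (tn-gw/192.0.2.22)'

# What the administrator is NOT interested in seeing: ordinary proxy sessions
# from internal hosts. Anything that matches none of these is an exception.
EXPECTED_PATTERNS='tn-gw\[[0-9]+\]: (permit|exit) host=[a-z]+\.example\.net/
ftp-gw\[[0-9]+\]: (permit|exit) host=[a-z]+\.example\.net/'

# exception_report LOGFILE PATTERNFILE: every line matching no expected pattern.
exception_report() {
    grep -v -E -f "$2" "$1"
}

# count_exceptions LOGFILE PATTERNFILE: number of exception lines (for thresholds).
count_exceptions() {
    exception_report "$1" "$2" | wc -l | tr -d ' '
}

# top_hosts LOGFILE GATEWAY: connections per host through one proxy (tn-gw, ftp-gw),
# busiest first; the per-service tally the Summary Report gives.
top_hosts() {
    grep -E "$2\[[0-9]+\]: permit host=" "$1" \
        | sed -E 's/.*host=([^ ]+).*/\1/' | sort | uniq -c | sort -rn
}

# alert_events LOGFILE: events that should reach the administrator's console
# right away: rejected source routing, ICMP redirects, failed authentication.
alert_events() {
    grep -E 'source routed|ICMP redirect|BADAUTH' "$1"
}

# Write the constructed data to temp files so the functions run stand-alone.
LOG=$(mktemp) && PAT=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
printf '%s\n' "$EXPECTED_PATTERNS" > "$PAT"

echo "== exception report =="; exception_report "$LOG" "$PAT"
echo "== telnet sessions per host =="; top_hosts "$LOG" tn-gw
# In production this would go to the console (e.g. piped to wall) instead of stdout.
alert_events "$LOG" | while IFS= read -r line; do echo "ALERT: $line"; done
```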
The Gauntlet Internet Firewall does not require
the use of a router, but routers may be employed to enable certain
configurations and architectural options. While most customers
employ routers when connecting to a WAN, filtering rules installed
in the router are only used as a way to reduce network "noise,"
rather than protect the Gauntlet Firewall. The Gauntlet Internet
Firewall is designed to be a self-contained security system,
not relying on other network components for its own or the internal
network's security. TIS will assist Gauntlet Internet Firewall
clients in determining the need for routers.
The Gauntlet Firewall Software is available for the
following operating system platforms:
- BSD/OS operating system from Berkeley Software Design
- HP-UX from Hewlett-Packard
- Solaris from Sun Microsystems
- Windows NT from Microsoft
TIS has hardened these operating systems for use
with the Gauntlet firewall.
Additionally, Gauntlet Firewall Software for IRIX
is available from Silicon Graphics.
The operating system is the base platform for firewall
software. Most commercial operating systems are created to allow
general use and access and provide many services useful for multiuser,
server systems (services such as NFS), but too insecure to allow
on a firewall. The base operating system must be "tightened"
to disallow insecure services and to apply security patches. Unfortunately,
most firewall vendors do not bother to do this. Consequently,
their firewalls may be installed on insecure systems, devaluing
the firewall's security.
Gauntlet Firewall Software supports all network interfaces
supported by the operating systems. The turnkey version of the
Gauntlet Internet Firewall supports only Ethernet connections
at this time.
No! The only account on the firewall is that of the
Firewall Administrator, and he should either be required to use
strong authentication, or be restricted to logging in from the
Only if you are using the secure servers available
with the Gauntlet Internet Firewall, version 3.1 and later. Every
application that is in any way directly accessible to attack from
untrusted networks runs the risk of opening holes into the protected
network. Only software specifically written to be secure, and
rigorously reviewed for security relevant flaws (such as the proxies),
should be placed on the firewall.
The Gauntlet Internet Firewall does not, by default,
permit any connectionless protocols such as UDP or ICMP across
the firewall. Because their connectionless nature makes it impossible
to determine their actual source, all such applications must be
considered inherently insecure and inconsistent with conservative
firewall security. These services may be run through a VNP. Select
services - SNMP, RealAudio, and Finger, for example - are supported
securely through Gauntlet firewalls.
If anyone tries to sell you a firewall that allows
generic UDP services through, ask to see their security assessment
paper on the service, so you can understand why they think they
can secure such services.
Virus scanning software is supported by the Gauntlet
Internet Firewall. Check with your sales representative for products
and support options.
Yes. The Gauntlet Internet Firewall may be purchased
from a growing list of resellers throughout the world, including
Africa, Asia, Australia, Europe, and North and South America.
Please contact TIS for a list of resellers.
The Gauntlet Internet Firewall was originally based
on the TIS Internet Firewall Toolkit, but is no longer. The TIS
Internet Firewall Toolkit is licensed and freely available, but
it is not "freeware," "public domain," nor
"shareware." The FWTK has been downloaded by more than
The FWTK is a licensed, freely available set of tools
for building internetwork firewalls. It is made to be used by
experts. The Gauntlet Internet Firewall is a complete, fully functional,
fully supported product. This table provides a comparison:
|Gauntlet Internet Firewall|TIS Internet Firewall Toolkit|
|---|---|
|Source Code|Source Code|
|TELNET Proxy|TELNET Proxy|
|Rlogin Proxy|Rlogin Proxy|
|FTP Proxy|FTP Proxy|
|HTTP Proxy (WWW)|HTTP Proxy (WWW)|
|Gopher Proxy|Gopher Proxy|
|SMTP Proxy|SMTP Proxy|
|NNTP Proxy|NNTP Proxy|
|X11 Gateway|X11 Gateway|
|Authentication Server|Authentication Server|
|Java and ActiveX blocking|Java blocking (contributed)|
|URL Screening (to control WWW access)| |
|Secure Server (FTP and HTTP)| |
|Graphical Management Interface| |
|Hardened Operating System| |
|Smoke Alarms (intrusion probing alarms)| |
|IP Spoof Protection| |
|Routing Attack Protection| |
|Integrated Hardware Platform| |
|Fully Integrated Software Components| |
TIS engineers will monitor the FWTK mailing lists,
but no direct support is available. The fwtk-support list is used
for support questions and answers; the user community provides
its own support for the FWTK.
TIS distributes the FWTK, provides an FTP area for
contributed software, and will package a new version, containing
contributed code and bug fixes, at least every 12 months.
All firewalls are under the threat of attack. Vulnerability
is a measure of whether a weakness exists that someone can exploit.
We do not believe in security through obscurity. Our software
has been developed using strong testing methods with the knowledge
that it would be available in source code. We are depending on
our design criteria and strong methods of development and testing
rather than depending on the secrecy of our code. When ("when,"
not "if") someone's secret algorithm is reverse engineered,
if they do not know it, they end up being vulnerable to attack,
while still believing that they are safe.
On the contrary, formal security mechanisms are often
based on open (well known) mechanisms. One example is the Data
Encryption Standard (DES). A characteristic of good security is
that knowing the algorithm does not get you any closer to breaking
the security: with DES, knowing the input, the output, and
the algorithm does not get you the secret key.
According to the "Internet Marketing and Technology
Report," Volume 2, Number 3, dated March 1996, "the
term Intranet refers to an internal network that uses Internet
technology and protocols (TCP/IP) to distribute informational
resources to individuals within an organization." Think of
it as internetworking within a trusted network. Even within a
trusted network's security perimeter, an organization might want
to compartmentalize systems and networks within networks. Firewalls
within an organization's security perimeter can accomplish this.
It is a firewall meant to be deployed within an organization's
network security perimeter. It's used on the enterprise intranet.
It is an add-on to an existing Gauntlet Internet Firewall, that
allows you to place additional network strongholds within your
network security perimeter.
It has most of the features of the Gauntlet Internet
Firewall, at a lower price, but the main difference is that it
is configured in conjunction with, and managed through, an existing
Gauntlet Internet Firewall. Operating within an organization's
network security perimeter, the Gauntlet Intranet Firewall protects
an enclave within an enclave. Its general access rules come
from the controlling Gauntlet Internet Firewall. Additional access
rules may be added. All logging is done via the logging rules
defined by the master Gauntlet Internet Firewall. Encryption may
be added. Additional services, normally considered insecure through
an outer firewall, may be permitted through a Gauntlet Intranet
Firewall. Also, because it is deployed within an organization's
"trusted" network, firewall-to-firewall encryption is
The Gauntlet Net Extender is a firewall for a remote
office. It is an add-on to an existing Gauntlet Internet Firewall
and has all the functionality of the Gauntlet Internet Firewall.
Like the Gauntlet Intranet Firewall, it is managed through a master
Gauntlet Internet Firewall and logging is done through the master
firewall. The Gauntlet Net Extender must have an encrypted link
to the master Gauntlet Internet Firewall. This can be used to
set up a VPN or a VNP (see above). The Gauntlet Net Extender "extends"
the network security perimeter (see above discussion) to include
other, remote offices.
The Gauntlet PC Extender is an add-on to an existing
Gauntlet Internet Firewall, extending the network security perimeter
to include remote or mobile users. It allows for private and secure
connections from home, hotel room, or remote Internet site, through
your firewall into your private network. This means that a traveling
user can use his or her PC in the same way and for the same services
available when in the office, even services normally considered
insecure (such as PC-NFS). Strong authentication and encryption
provide the security needed.
The Gauntlet PC Extender runs on Windows 3.1.
Contact your Gauntlet sales representative for the
latest list of tested products, which includes Chameleon, Beame
& Whiteside TCP, and Trumpet Winsock.
TIS will send you a document explaining the questions
that need answering and all preparations you need to make. This
is a summary of key preparations:
- If the installation is intended to connect the site to the Internet, an Internet connection should be available, configured with the address of the Internet side of the firewall, to permit testing of the installed firewall.
- A properly implemented firewall should be consistent with the goals of the site's Network Security Plan. The Network Security Plan should be made available to the firewall installer prior to installation.
- The site should have a UNIX system administrator who is familiar with the site's various system files and network configuration available to work with the TIS installation personnel.
- Prior to installation, a questionnaire is sent to the client's system administrator eliciting information concerning internal address schemes, DNS requirements, E-mail configuration requirements, etc. This questionnaire should be returned at least one week prior to installation.
Contact TIS or your Authorized Gauntlet Reseller
for current pricing and configurations.
TIS bases its claim on the years of experience we
have in formal computer, communications, and network security,
and on building our firewall products using the most secure design
approach in the industry.
Since an application gateway is the most secure type
of internetwork firewall, TIS has designed the Gauntlet Internet
Firewall to rely on proxies to provide services. Firewalls that
combine application, circuit, and filtering gateway technology
are only as secure as the weakest link of the three. In the Gauntlet
Internet Firewall, all communication between one network and another
is turned off. Network services are individually enabled through
the application data bridges, called proxy software or proxies.
Network packets are never passed between the networks, only application
data. No direct connection is ever made between machines on opposite
sides of the firewall.
The design approach, expanded in our functional summary
document, combines the following seven tenets:
- Simplicity in services provided and mechanisms
- Simplicity in software design, development, and implementation
- A "Crystal Box" approach, in which source code is distributed to allow for assurance reviews by our customers, our resellers, and other experts
- No users are allowed on the firewall system itself
- Anything that can be logged, should be logged, for a complete security audit trail
- Strong user authentication methods and mechanisms must be supported and encouraged
- A firewall should enforce an organization's network security policy, not impose one of its own
- Frederick M. Avolio and Marcus J. Ranum, "A
Network Perimeter with Secure External Access", TIS Report.
- Frederick M. Avolio, "Building Internetwork
Firewalls," Business Communications Review, January, 1994.
- William Cheswick and Stephen M. Bellovin, Firewalls
and Internet Security: Repelling the Wily Hacker, Addison-Wesley,
- Steven B. Lipner, "Barbarians at the Gateway,"
Business Communications Review, January, 1995.
- Marcus J. Ranum, "Thinking About Firewalls,"
Proceedings of Second International Conference on Systems and
Network Security and Management (SANS-II), April, 1993.
- http://www.tis.com/ has white papers on firewalls
and network security.
- http://www.gocsi.com/firewall.htm has information
TIS is not a new, one-product company. Since its
founding in 1983, TIS's business has been computer, communications,
and network security associated with today's local and wide area
networking environment. The TIS staff has experience in computer
and communication security evaluation; development of computer
security systems; development and use of formal security methodologies
and tools; and security evaluation, certification, and accreditation
of systems and networks. The focus of TIS's corporate organization
is in providing systems security engineering support.
Trusted Information Systems, Inc. (TIS) specializes
in advancing the state of information security technology and
in reconciling system security requirements with the functional
and mission requirements of operational systems. TIS is internationally
known and respected for its research and applications solutions.
TIS provides security products, such as the Gauntlet Firewall
Family of products. TIS's consulting services are well known for
excellence, completeness, and integrity.
TIS is publicly traded on the NASDAQ, symbol TISX.
TIS has offices located in the Washington, DC area,
with its headquarters in Glenwood, Maryland, and the headquarters
of its Commercial Division in Rockville, MD. TIS also has offices
in McLean, Virginia, Los Angeles, San Francisco, London, and Munich.
For further information please send electronic mail to
firstname.lastname@example.org, call us toll-free at 888-FIREWALL
or (301) 527-9500, send a fax to (301) 527-0482, or write to us at:
Trusted Information Systems, Inc.
Gauntlet Sales Department
15204 Omega Drive
Rockville, MD 20850