Features
While the primary function of a firewall is to filter packets that enter or leave a network based on a predefined set of rules, complementary features such as NAT, High Availability and VPN are generally added to provide in-depth protection of the network boundaries. Depending on the vendor, these additional features may require the purchase of an additional licence or module. This part describes the many features that can be part of a firewall.
Basic Firewall Features
Basic features are the minimal features required to build a firewall: one or several filtering techniques implemented on a specific support, either hardware or software. Any firewall will have this base.
Filtering Techniques
The primary function of a firewall is to filter the traffic that enters and leaves the private network. Different techniques exist, from the most basic one operating at the network layer to the most powerful one at the application layer. Most firewalls nowadays integrate a combination of these techniques rather than a single filtering technique.
Static Filtering
Packet filter that blocks packets based on their source IP address, destination IP address and TCP/UDP ports. This filter operates only at the Network Layer of the OSI model and does not maintain the state of sessions.
Static packet filtering is the most basic feature of a firewall. It gives the ability to analyse IP traffic packet by packet based on the source IP address, destination IP address and TCP/UDP ports contained in the IP packet. Packet filtering technology makes it possible to define simple rules (e.g. deny any external address access to an internal server; allow incoming traffic on port 80 so that external users can reach the internal web server). Those rules are then applied each time a packet matches them.
Dynamic Filtering
Packet filter that blocks packets on the same basis as static filters, with the additional advantage of tracking the state of network connections.
Dynamic packet filtering, also referred to as stateful filtering, makes it possible to inspect packets as part of an established session. The filter examines the header of each packet entering or leaving the network and checks whether it matches an existing session.
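The practical difference between the two techniques is easiest to see in a small simulation. The Python code below is an added example written for this page, not code from the original article or from any firewall product; the packet and rule classes, the addresses and the policy are constructed for illustration. It runs the same packets through a static filter and a stateful filter built on the same rule list: the static filter denies the reply to an outbound connection because no rule covers return traffic, while the stateful filter allows it because it recorded the session when the connection was opened, yet still drops an unsolicited packet from the same external host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed packet and rule models for the simulation (not a real firewall API).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP connection

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR prefix or "any"
    dst: str                  # CIDR prefix or "any"
    dst_port: Optional[int]   # None means any destination port

def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def static_filter(rules, pkt: Packet) -> str:
    """Static filtering: each packet is judged on its own header, nothing is remembered.
    First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (_in_net(pkt.src_ip, r.src) and _in_net(pkt.dst_ip, r.dst)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action
    return "deny"

class StatefulFilter:
    """Dynamic (stateful) filtering: the same rules, plus a session table.
    A packet that belongs to a session already accepted is allowed without
    consulting the rules again, which is what lets return traffic back in."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # 5-tuples of accepted connections

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.sessions or reverse in self.sessions:
            return "allow"          # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"           # mid-stream packet with no known session
        verdict = static_filter(self.rules, pkt)
        if verdict == "allow":
            self.sessions.add(key)  # remember the new session
        return verdict

# Constructed policy: internal hosts may go out anywhere; only the published
# web server (10.0.0.80) may be reached from outside, and only on port 80.
RULES = [
    Rule("allow", "10.0.0.0/8", "any", None),
    Rule("allow", "any", "10.0.0.80/32", 80),
]

def run_scenario() -> dict:
    """Same packets through both filters; returns the verdict of each step."""
    outbound = Packet("10.0.0.5", 40000, "93.184.216.34", 443, syn=True)
    reply = Packet("93.184.216.34", 443, "10.0.0.5", 40000)        # answer to outbound
    unsolicited = Packet("93.184.216.34", 443, "10.0.0.6", 40000)  # nobody asked for this
    web = Packet("198.51.100.7", 51000, "10.0.0.80", 80, syn=True)
    sf = StatefulFilter(RULES)
    return {
        "static_outbound": static_filter(RULES, outbound),
        "static_reply": static_filter(RULES, reply),   # denied: no rule covers return traffic
        "stateful_outbound": sf.inspect(outbound),     # allowed and recorded as a session
        "stateful_reply": sf.inspect(reply),           # allowed because the session exists
        "stateful_unsolicited": sf.inspect(unsolicited),
        "stateful_web": sf.inspect(web),
    }

if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:22s} {verdict}")
```

To make the reply pass a static filter, an administrator would have to add a rule allowing inbound traffic from any address to the whole internal range on high ports, which is exactly the kind of permanent hole a stateful filter avoids by remembering which connections the inside opened.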
Proxy
Filter Agent that inspects specific application traffic.
Proxies, also referred to as application gateways, allow tight access rules to be defined for applications. Able to inspect the content of packets at the highest layer, they provide one of the most secure solutions.
Deep Inspection
Filter that inspects application traffic and employs a signature-based approach to detect malicious code.
Deep Inspection gives the ability to inspect packets on a multi-layer basis, from the packet layer up to the application layer. This technique uses protocol conformance verification to prevent the use of malformed messages, which are treated as anomalies and potential attacks. Furthermore, it integrates a database of signatures (attack patterns) to detect malicious code in the content of packets.
DeMilitarized Zones [DMZ]
DeMilitarized Zones are highly secured domains connected to the firewall which provide services to both the trusted internal network and the untrusted external internet.
This zone only holds resources that require external access and typically contains servers such as web servers, DNS servers and SMTP servers. More than just a public access zone, a DMZ creates a security perimeter where direct communication between the trusted and untrusted zones is prohibited. Since the outside world is only permitted access to the DMZ, the DMZ becomes the main target of attackers. As a result, this part of the network needs to be highly secured in addition to the security provided by the firewall architecture itself.
Firewall Architecture
Three firewall architectures can be found on the market:
- Software firewalls, which are meant to be installed on a computer. Easily configurable and expandable, but slow.
- Hardware firewalls, which are devices built on an ASIC (Application Specific Integrated Circuit) architecture. Fast and more reliable (no hard disk that could be a potential point of failure), but less configurable and less adaptable to new protocols.
- Hardware-assisted firewalls, which are devices whose architecture is similar to a dedicated PC (with a hard disk, by contrast with hardware firewalls). Of moderate speed, they have the advantage of being more flexible than hardware alone.
Firewall Category
This feature specifies the type of firewall relative to its level of security and management functionality.
Three categories of firewall exist:
- Personal firewalls (or host-based firewalls): simple and low-cost, they are aimed at protecting a single computer.
- SOHO firewalls (Small Office/Home Office): designed to protect up to 50 users.
- Enterprise firewalls: designed for organisations with hundreds of people to protect. They provide advanced features such as monitoring and logging facilities as well as the possibility of managing several firewalls through centralised management.
The firewall category is closely related to the target market the product is aimed at.
Target Market
This feature specifies the "public" the product is aimed at.
Four target markets are usually defined:
- individual: 0 to 10 employees
- small: 11 to 150
- medium: 151 to 999
- large: >1000
Advanced Firewall Features
Advanced features are not necessarily implemented in the base product. Although some of them are nearly part of the basic feature set of firewalls (like NAT), others are optional, require a licence or are not implemented at all depending on the targeted market. These features are not essential for the firewall to work; however, they provide additional security or greatly improve the performance of the firewall.
Network Address Translation [NAT]
Protocol that converts IP addresses from one range to another.
NAT is a network layer protocol which converts the IP addresses in the packet header from one range to another. Implemented on servers, routers and firewalls, this functionality is useful in many scenarios: allowing a non-routable IP address (or private address) to be transformed into a public address routable on the internet, merging private networks with duplicate IP addresses, migrating from one ISP to another without changing the initial addressing, spreading the load on servers, creating virtual servers (Lammle 2007).
From the border firewall standpoint, NAT is the ability to transform a private address into a public address. As an aside, NAT achieves IP masquerading, which has the great advantage of hiding the topology of the private network. Since NAT replaces the source IP address of outgoing packets with a public address, the outside is not able to discover the range of IP addresses used within the private network. In order to answer back or reach a host from the outside, NAT maintains loopback tables (statically or dynamically) to rewrite incoming packets with the appropriate destination address. If an incoming packet does not correspond to any mapping in the loopback table, the packet is dropped.
NAT has two modes, static and dynamic. Both can be used independently or jointly depending on the objectives.
Static NAT allows a fixed one-to-one mapping between a private address and a public address: a private address is always associated with the same public address. This mapping is bidirectional, giving both the possibility for a private user to access the internet and the possibility for an external user to access the private machine. Static NAT is generally used with one unique goal in mind: permitting permanent external access to a private resource (web server, FTP server). Static NAT is never used with the objective of providing internet access to internal users, because it would not be worth buying as many public addresses as there are private addresses while better alternatives exist.
Dynamic NAT maps a private address to the next available public address picked from a pool of possible addresses. Public addresses are automatically allocated to private hosts needing the internet and are reusable once the connection terminates. Thanks to this reusability, the number of public addresses can be lower than the number of private addresses as long as the internal machines don't all use the internet simultaneously. Indeed, the mapping is still on a one-to-one basis, which limits the number of simultaneous connections to the number of public addresses. Contrary to static NAT, a private machine cannot be reached from the internet since the public-private address mapping always changes; this must be seen as an additional layer of security.

NAT has deliberately been restricted above to its basic and simplest definition, which says that NAT only translates IP addresses on a one-to-one basis. Although two modes (static and dynamic) match this definition, multiple variants complete the definition in such a way that NAT becomes a more general term:
NAT Overloading
NAT Overloading refers to the ability to map multiple private addresses onto a unique public address. It is accomplished by combining Network Address Translation with Port Translation, more commonly called by the shorter name Network Port Address Translation [NAPT] or simply Port Address Translation [PAT]. NAPT gives the ability to map multiple private addresses onto a single public address. Every host wishing to access the internet is assigned the same public address but a different source port, so that the public address/port pair is unique in the loopback table. A single public address is theoretically enough to connect up to 65000 users, which saves public addresses and money (Lammle 2007).

NAT Load Balancing
NAT Load Balancing refers to the ability to spread traffic bound for the same destination across several identical destinations. This is particularly useful if you host identical web servers.

Port Forwarding and Port Mapping
Port Forwarding and Port Mapping are not, properly speaking, NAT variants, but can be considered translation protocols. Port Forwarding consists in redirecting a packet to a specific destination depending on its destination port. It makes an internal server available from the internet without allocating it a dedicated public address. Port Mapping consists in redirecting a packet to a different port. This is useful when internal servers run on non-standard ports. If port 8080 is used on the internal web server, Port Mapping redirects every port 80 request to port 8080 (Lalitte 2002).
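The NAT overloading, port forwarding and port mapping variants described above all come down to the same translation table. The Python gateway below is an added example written for this page, not code from the original article or from any vendor; the addresses (198.51.100.1 as the single public address, 192.168.1.0/24 as the private network, 203.0.113.0/24 as the outside) and the forwarding entry are constructed for illustration. Two private hosts that happen to use the same source port are given distinct public ports, a reply to one of those ports is routed back to the right host, an inbound request on port 80 is forwarded and remapped to the web server's port 8080, and an inbound packet with no mapping is dropped.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    """One public address shared by many private hosts (NAT overloading / NAPT),
    plus administrator-defined port forwarding and port mapping entries."""

    def __init__(self, public_ip: str, forwards=None, first_port: int = 1024):
        self.public_ip = public_ip
        # Static entries: public port -> (private ip, private port). Forwarding and
        # mapping differ only in whether the private port equals the public one.
        self.forwards = dict(forwards or {})
        self._next_port = first_port
        self.outbound = {}  # (priv ip, priv port, dst ip, dst port) -> public port
        self.inbound = {}   # public port -> (priv ip, priv port)

    def _allocate_port(self) -> int:
        # Skip ports reserved by static entries or already used by a session.
        while self._next_port in self.forwards or self._next_port in self.inbound:
            self._next_port += 1
        if self._next_port > 65535:
            raise RuntimeError("public port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, pkt: Pkt) -> Pkt:
        """Rewrite a private source address/port to the public address and a unique port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self._allocate_port()
            self.outbound[key] = pub_port
            self.inbound[pub_port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def translate_inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Rewrite the destination of a packet arriving on the public address.
        Returns None when no mapping exists, i.e. the packet is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        # Static forwarding entries are consulted first, then dynamic session entries.
        target = self.forwards.get(pkt.dst_port) or self.inbound.get(pkt.dst_port)
        if target is None:
            return None
        priv_ip, priv_port = target
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

def run_scenario() -> dict:
    # Constructed: public port 80 is forwarded to the web server and mapped to 8080.
    gw = NaptGateway("198.51.100.1", forwards={80: ("192.168.1.10", 8080)})
    a = gw.translate_outbound(Pkt("192.168.1.20", 50000, "203.0.113.9", 443))
    b = gw.translate_outbound(Pkt("192.168.1.21", 50000, "203.0.113.9", 443))
    reply_to_b = gw.translate_inbound(Pkt("203.0.113.9", 443, "198.51.100.1", b.src_port))
    web_request = gw.translate_inbound(Pkt("203.0.113.50", 41000, "198.51.100.1", 80))
    probe = gw.translate_inbound(Pkt("203.0.113.50", 41001, "198.51.100.1", 2222))
    return {
        "a_public": (a.src_ip, a.src_port),
        "b_public": (b.src_ip, b.src_port),
        "reply_to_b": (reply_to_b.dst_ip, reply_to_b.dst_port),
        "web_request": (web_request.dst_ip, web_request.dst_port),
        "probe_dropped": probe is None,
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:14s} {value}")
```

The drop of the unmatched inbound packet is the behaviour the text describes as an additional layer of security: without a static entry or a session the inside opened, the gateway has no private destination to send the packet to.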
NAT Constraints
NAT can cause problems when used with protocols such as IPSec or VoIP applications. NAT Traversal (NAT-T) nevertheless makes it possible to work around this problem.
Commercial Specification | Definition                                          | Application
1:1                      | One public address to one private address at a time |
1:Many                   | One public address to many private addresses        |
Many:Many                | Many public addresses to many private addresses     |
Many:1                   | Many public addresses to one private address        |
High Availability [HA]
High Availability is a general concept describing the ability to maintain a system's uptime and thus ensure the continuity of a service during a given period of time.
No one can fully rely on hardware or software components; they are subject to failures that can drastically affect the business. If the firewall goes down, your internet connectivity will most likely be cut off as a result. If your business relies heavily on the internet (for instance, you run an e-commerce website), High Availability is a solution to mitigate the risk of such failures. Its objective is to reduce or eliminate the downtime of a critical service in order to recover more quickly. There are many ways to achieve High Availability (HA), notably by implementing the Seven R's principles of HA: Redundancy, Reputation, Reliability, Repairability, Recoverability, Responsiveness and Robustness (Schiesser 2002).
Hardware Failover (/ Device Redundancy)
Hardware Failover is the ability to detect the failure of a firewall device and then activate a backup firewall to ensure the continuity of services. Hardware Failover is implemented through an additional, identical firewall.
The pair of firewalls can operate in two distinct modes, known as active-passive and active-active. Active-passive mode (or hot standby) consists of one active firewall ensuring the security of the network and a standby unit ready to take over in case the active one fails. Active-active mode (or always-on) relies on two active firewalls sharing the traffic load between them. If one of them fails, the other one continues; only efficiency is affected. The advantage of this configuration over hot standby is that it takes advantage of both firewalls for load balancing and at the same time reduces the transition time of the failover (Edholm 2007).
Link Failover (or WAN/ISP Link Redundancy)
Link Failover is the mechanism used to detect internet interruptions and move the traffic to another ISP/WAN link, configured either in hot-standby mode (passive mode) or always-on mode (active mode). For obvious reasons, both internet links will be from different ISPs.
Firewalls implementing ISP link redundancy integrate failover mechanisms able to detect failures such as inoperable physical links, Virtual Private Network [VPN] failures and unavailable IP addresses. In the event that the WAN or ISP link goes down, the firewall automatically detects the failure and activates the backup line (hot-standby mode) or moves the traffic to the other active link (always-on mode).
Virtual Private Network [VPN]
The Virtual Private Network feature gives you the ability to initiate, terminate or manage secure tunnels over the internet.
VPN technologies create a secure, private tunnel between two distant sites or between a remote client and the network. These tunnels employ strong encryption algorithms as well as authentication mechanisms to ensure the integrity and confidentiality of the information going through them. Several standards-based protocols can be used for this purpose:
PPTP (Point-to-Point Tunneling Protocol), a layer 2 protocol developed by Microsoft, 3Com, Ascend, US Robotics and ECI Telematics. It is generally referred to as a Microsoft protocol since it is widely implemented on Windows systems.
L2F (Layer Two Forwarding), a layer 2 protocol developed by Cisco, Northern Telecom and Shiva. It is almost obsolete.
L2TP (Layer Two Tunneling Protocol) is the outcome of IETF work (RFC 2661) to combine the advantages of both PPTP and L2F. It is a layer 2 protocol that relies on PPP (Point-to-Point Protocol).
IPSec is a collection of layer 3 protocols that can be used as a complete VPN protocol solution, or simply as the encryption scheme within L2TP or PPTP.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are layer 4 tunnel protocols generally used to secure web browsing (HTTPS), but they are more and more used to create VPN tunnels.
Virtualisation
Virtualisation is the ability to define multiple logical firewalls running on a single physical device.
The interest can be to replace several physical firewalls with one physical firewall hosting multiple logical firewalls, which reduces the expense and complexity of the system. It can also be used to replace a physical firewall running complex rules with a physical firewall running simpler rules on each virtual firewall. Doing so reduces the risk of mistakes and facilitates the audit and maintenance of the security. In addition, it virtually segments the network into zones with more possibilities to define tight rules between zones (default deny between each zone), thus implementing a defence-in-depth security architecture, which can help reduce the risk of malware propagation. Despite all the benefits of virtualisation, several considerations need to be taken into account before opting for it. Virtualisation in itself can be a complex feature to implement, with possible performance issues. Furthermore, it is an expensive feature.
Network Features
Interface Bridging
Interface Bridging means that the firewall can operate at the data link layer and monitor the traffic from upper layers. This allows total transparency, that is, the firewall appears invisible to the end user.
Transparent interface bridging is beneficial for three main reasons:
Zero configuration: in layer 2 operation mode, the device acts as a simple bridge, which means that there is no need to make any changes to the existing network (just plug it in-line with the network it protects). No IP changes are required, and there is no subnetting or configuration update to perform.
Performance: working at layer 2 has the further advantage of less processing overhead. The firewall does not have to work with packets with all the processing involved (inspection, modification, routing decisions). This saves processing power or permits deeper examination of the data.
Stealth: since the device has no IP address assigned, it is unreachable and invisible to the outside world. This protects the device against many types of attack such as network probes, denial-of-service floods or firewalking. Transparent for the user, it is also transparent for the attacker, who won't even know it's in place.
References:
Useful Article on securityfocus.
Routing Protocols
As a layer 3 device, a firewall can support various routing protocols such as RIP, OSPF, BGP...
VLAN Tagging
VLAN Tagging is the ability for the firewall to support VLAN trunking and thus recognise which VLAN packets are destined for.
VLAN stands for Virtual LAN. Also known as the IEEE 802.1Q standard, it provides the possibility of creating virtual networks independently of location. This means that several users physically belonging to different networks can belong to the same VLAN and thus be associated with the same group. VLANs work with special tags that identify the VLAN each frame is destined for. This technology is a cost-effective and high-performing way to segment the network. Firewalls supporting this standard offer advanced inspection possibilities.
References:
Using Virtual LANs to Get More from Your Firewall by Lisa Phifer, Vice President, Core Competence, Inc. (2002)
Multi-WAN Load Balancing
WAN Load Balancing is the ability to spread the traffic evenly and dynamically among multiple internet lines in order to achieve higher performance and throughput. This removes the need for external load balancers.
Load balancing helps avoid link congestion and saturation. This can be done on a packet-by-packet basis or per destination in a round-robin fashion.
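The two round-robin strategies named above behave differently for a single session. The Python code below is an added example written for this page, not code from the original article or from any product; the link names and the destination addresses are constructed. Per-packet round robin alternates links for every packet, so the four packets of one session leave through both lines; per-destination round robin chooses a line the first time a destination is seen and keeps every later packet to that destination on it, which matters when each line has its own public address and a stateful firewall or NAT at the far end expects the whole session to come from one of them.

```python
import itertools

class PerPacketBalancer:
    """Round-robin over the links for every packet, regardless of destination."""
    def __init__(self, links):
        self._cycle = itertools.cycle(links)

    def choose(self, dst_ip: str) -> str:
        return next(self._cycle)

class PerDestinationBalancer:
    """Round-robin only for destinations seen for the first time; later packets to
    the same destination stay on the link chosen for it, so a session always
    leaves through one link (and therefore one public address)."""
    def __init__(self, links):
        self._cycle = itertools.cycle(links)
        self.table = {}  # destination ip -> link

    def choose(self, dst_ip: str) -> str:
        if dst_ip not in self.table:
            self.table[dst_ip] = next(self._cycle)
        return self.table[dst_ip]

LINKS = ["isp-a", "isp-b"]  # constructed names for two internet lines

def run_scenario() -> dict:
    session = ["203.0.113.9"] * 4  # four packets of one session to one server (constructed)
    per_packet = PerPacketBalancer(LINKS)
    per_dest = PerDestinationBalancer(LINKS)
    return {
        "per_packet": [per_packet.choose(ip) for ip in session],
        "per_destination": [per_dest.choose(ip) for ip in session],
        # A new destination takes the next link, so load is still spread across lines.
        "per_destination_next_host": per_dest.choose("198.51.100.7"),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:26s} {value}")
```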
Multi-WAN Load Sharing
WAN Load Sharing is the ability to split the traffic among multiple internet lines based on static rules.
Server Load Balancing
Server Load Balancing is the ability to spread the traffic among several copies of the same server in order to achieve higher performance and throughput. This removes the need for external load balancers.
UTM Features
URL & Content Filtering
URL filtering is the ability to control internet access based on the URL or internet address. It gives the possibility of preventing users from accessing inappropriate websites that are prejudicial to the company's business. Content filtering gives the possibility of filtering outgoing URLs based on their content. It is useful for improving employee productivity and reducing bandwidth utilisation.
While URL filtering is the ability to filter websites based on their URLs, content filtering solutions provide a deeper inspection of websites based on their page contents. Content filters give the possibility of filtering on predefined keywords considered out of the scope of the company's business. Some advanced solutions provide content filtering based on the time of day, the profile of the user, or file types such as cookies, Java and ActiveX. Depending on the vendor, content filtering features can provide screening and logging capabilities.
Technical characteristics:
URL Blocking is a process by which access to a website is controlled by its URL. The method consists in maintaining exempt lists, known as blacklists or whitelists.
Whitelist (or inclusive list): defines all the appropriate websites that are authorised by the system; any other website is blocked. This method provides the best means of security, but is somewhat over-restrictive, with the difficulty of defining what kind of website must be authorised and how many.
Blacklist (or exclusive list): keeps a list of forbidden websites; any other website is allowed. Less restrictive than the whitelist, it has serious limitations, such as the impossibility of keeping the blacklist up to date while thousands of new websites are created every day, or websites moving IP addresses to avoid being blocked.
Keyword Blocking: if the webpage content contains one of the defined keywords, it is automatically blocked. This method nevertheless has some limitations because it works only on text and without any regard to context (e.g. it will block access to a form page that asks for the "sex" of a user, or any medical information). Moreover, websites tend to be more image-based, which limits the effectiveness of text-based scanning methods.
Image Blocking can resolve many of these problems. The method consists of examining the image itself for patterns, detecting objectionable material and blocking the offending site.
Active Content Blocking: some solutions give the possibility of blocking active content such as ActiveX, Java applets, Flash, VBScript and cookies.
Profile-based: this feature permits different rules to be defined depending on the user profile or group.
Logging/Reporting: keeps track of the websites visited and provides useful information about those that have been blocked.
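The whitelist, blacklist and keyword blocking methods above, and the limitations the text attributes to them, can be reproduced with a few lines of code. The Python filter below is an added example written for this page, not code from the original article or from any filtering product; the domain lists, keywords, URLs and page bodies are constructed. It shows the whitelist blocking an unlisted site while the blacklist lets it through, the keyword filter blocking a medical intake form because of the word "sex", and an image-only page passing the keyword filter untouched, with every block recorded in a log as the Logging/Reporting characteristic describes.

```python
import re
from urllib.parse import urlsplit

class UrlContentFilter:
    """Constructed URL/content filter: a domain list used either as a whitelist
    (only listed sites allowed) or a blacklist (listed sites blocked), plus
    keyword blocking on page text and a log of every blocked request."""

    def __init__(self, mode: str, domains, keywords):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        if not keywords:
            raise ValueError("at least one keyword is required")
        self.mode = mode
        self.domains = [d.lower() for d in domains]
        # Whole-word, case-insensitive match: "sex" must not match "Sussex".
        pattern = r"\b(" + "|".join(map(re.escape, keywords)) + r")\b"
        self.keyword_re = re.compile(pattern, re.IGNORECASE)
        self.log = []  # (url, reason) for every blocked request

    def _listed(self, host: str) -> bool:
        # A listed domain covers itself and all its subdomains.
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def _block(self, url: str, reason: str) -> str:
        self.log.append((url, reason))
        return "block"

    def check_url(self, url: str) -> str:
        """URL blocking: decided from the host name alone, before any content is fetched."""
        host = (urlsplit(url).hostname or "").lower()
        listed = self._listed(host)
        if self.mode == "whitelist" and not listed:
            return self._block(url, "not on whitelist")
        if self.mode == "blacklist" and listed:
            return self._block(url, "on blacklist")
        return "allow"

    def check_content(self, url: str, body: str) -> str:
        """Keyword blocking: scans the text of a page that passed the URL check.
        Tags are stripped so markup never triggers a match; images are invisible to it."""
        text = re.sub(r"<[^>]+>", " ", body)
        match = self.keyword_re.search(text)
        if match:
            return self._block(url, f"keyword '{match.group(0)}'")
        return "allow"

def run_scenario() -> dict:
    # Constructed lists: corporate sites for the whitelist, one known-bad domain for the blacklist.
    keywords = ["gambling", "sex"]
    wl = UrlContentFilter("whitelist", ["example.com", "intranet.example.net"], keywords)
    bl = UrlContentFilter("blacklist", ["casino.example"], keywords)
    medical_form = "<form><label>Sex:</label><input name='sex'></form>"
    image_only = "<html><body><img src='page1.png'><img src='page2.png'></body></html>"
    return {
        "whitelist_known": wl.check_url("https://www.example.com/policies"),
        "whitelist_unknown": wl.check_url("https://news.example.org/"),
        "blacklist_listed": bl.check_url("http://casino.example/play"),
        "blacklist_unknown": bl.check_url("https://news.example.org/"),
        # The context-free limitation: a legitimate medical form is blocked.
        "keyword_false_positive": bl.check_content("https://clinic.example.org/intake", medical_form),
        # The image limitation: nothing for a text scanner to look at.
        "image_only_page": bl.check_content("https://gallery.example.org/", image_only),
        "blocked_log_entries": len(wl.log) + len(bl.log),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:24s} {value}")
```

The log is what a reporting feature would be built on: each entry carries the URL and the reason, so an administrator can tell a whitelist miss (a site that simply needs to be added) from a keyword hit that may be a false positive worth reviewing.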
Anti-Virus
Anti-virus capabilities incorporated into firewalls give the ability to scan traffic against known viruses and block any suspicious traffic before it enters the network.
As a single point of control, it makes it easier for the administrator to keep anti-virus updates and patches up to date directly on the firewall gateway. Although effective, this embedded solution does not remove the need to implement desktop anti-virus on each station of the private network. Since it only scans the traffic that goes through the firewall, it won't protect internal machines against viruses transmitted by USB sticks, PDAs and other mobile devices. This feature must be seen as an additional layer of protection and not as bulletproof.
Technical characteristics:
Scanning technique: the scanning technique is the way the AV engine performs the scan. Batch-based scanning waits for the file to be received entirely before starting its scan, which leads to some additional latency. Streaming-based scanning uses a real-time approach and starts its scan as the stream enters the network, which reduces the latency (Develcon 2007).
Protocols scanned: AV gateways are designed to scan objects transferred by specific protocols, a list which can include HTTP, FTP, SMTP, POP3, IMAP4, IM and encrypted VPN tunnels.
AV Database: the antivirus database gives the number of virus patterns detected by the AV gateway.
Signature Updates: updating the AV database is the one thing not to forget in order to stay safe on the internet. These updates can be either the responsibility of the administrator or done automatically by the device itself.
File Size Limitation: this indicates the maximum file size that can be scanned by the AV gateway.
Exempt List: this is the way to filter files based on their reputation. Two approaches are employed: blacklisting and, more recently, whitelisting. Blacklists maintain known bad files while authorising any others; whitelists maintain known good files and deny any others (About.com 2007).
Authority/Certification: the name of the AV partner that has been chosen to test or implement this function (Kaspersky, Symantec, ICSA Labs Certified (Gateway Antivirus)).
Anti-Spyware
The Anti-Spyware feature detects and discards spyware downloads.
Anti-SPAM
The Anti-SPAM feature inspects mail and drops junk mail.
Anti-Phishing
The Anti-Phishing feature detects phishing attacks.
Instant message/Peer-to-Peer Access Control
IM and P2P features control access to Instant Messaging and Peer-to-Peer applications.
Performance
Maximum Throughput
The maximum forwarding speed in Mbps that the firewall/UTM can achieve while functioning without any encryption or Deep Inspection features.
Maximum Throughput with encryption
The maximum forwarding speed in Mbps that the firewall/UTM can achieve while functioning with encryption.
Maximum Throughput with Deep Inspection
The maximum forwarding speed in Mbps that the firewall/UTM can achieve while functioning with Deep Inspection features.
Concurrent Firewall connections/sessions
The maximum number of simultaneous connections the firewall can support (generally limited by the CPU and memory of the system).
Firewall connections per second
The maximum number of new sessions per second that the firewall can handle.
Policy Capacity
The maximum number of policies that can be defined within the firewall.
Users supported
The maximum number of internal users supported by the platform.
Memory
Memory refers to the amount of volatile memory available on the firewall (if hardware-based).
Flash Memory
Flash memory is the amount of non-volatile memory available on the firewall (if hardware-based).
Management
WebUI (HTTP & HTTPS)
Management of the firewall via web interface.
Command Line Interface
Management of the firewall via a command line interface.
Centralized Management
The firewall platform offers the possibility of managing several firewalls and helps reduce the administrative burden.
SNMP Management
Management via the Simple Network Management Protocol.
Bandwidth Monitoring
Possibility to follow the bandwidth consumption of the traffic.
Syslog
Possibility to send the firewall's logs to a remote syslog server.
Email Alert
Possibility to configure email alert depending on the type of attack/intrusion detected.
Graphical & Statistical reports
Possibility to view statistics of the attacks detected.
OS Support
OS support refers to the operating system that the remote management software will operate under.
Object-based Management
Provides easy point-and-click configuration of tiered user groups, servers or network resources using ‘Objects’ instead of traditional IP addresses. This visual approach ensures easy manageability.
Hardware
Interface (Types & quantity)
List of all the physical interfaces available on the product.
Redundant power supplies
Additional power supply to replace the first one in the case of a power failure.
Rack Mountable
Gives the possibility to add extension cards.
Hardware Upgrades
Indicates whether the device can be upgraded.
NEBS Compliance
Quality assurance label that ensures the product meets the applicable Network Equipment-Building System (NEBS) requirements.
Product Warranty
Specify how long the product is guaranteed against hardware defects.
Certifications & rewards
Some firewalls may have obtained known certifications or awards. They may also have been tested by independent websites. This information must not be seen as a decisive criterion, but it can decide between two similar devices.
Pricing
Hardware Price
Cost of the hardware alone in its default package.
Add-on Hardware Price
Cost of additional hardware components: extension cards, hardware accelerators.
Software License Price
Cost of the software licences per year (per user if applicable).
Customer & Technical Support
Information to contact the customer & technical support and related cost.
Support & Maintenance
Cost of 24/7 service support and maintenance. Terms of the contract.
Installation Price
Cost of the installation if carried out by one of the vendor's technicians.
Training Price
Cost of the training, if available.