Solstice FireWall-1 Version 3.0b
Release Notes
Overview
Thank you for using Solstice FireWall-1 Version 3.0b.
This document contains important information not included in the FireWall-1 User Guide. Please review this information before installing or using FireWall-1.
Product Description
Solstice FireWall-1 Version 3.0b is a comprehensive security tool that allows an organization to access the Internet's vast worldwide resources without compromising internal network security.
Documentation
This documentation assumes that you have already purchased Solstice FireWall-1 Version 3.0 CD-ROM. FireWall-1 Version 3.0 CD-ROM includes a copy of the FireWall-1 User Guide in Adobe Acrobat Portable Document Format (PDF), as well as Acrobat readers for most supported platforms. Updated versions of these readers can be downloaded from Adobe (www.adobe.com). The CD-ROM does not contain an Acrobat reader for Solaris2-x86.
New Features
- 1. FireWall-1 for IBM/AIX 4.1.5 & 4.2.1
- 2. FireWall-1 support for Solaris 2.6
- 3. SecuRemote Version 3.0 including:
- 4. Support for Cisco 11.2 routers management
- 5. New Services Support: Connected OnLine Backup, AOL, OnTime
- 6. Session Authentication Agent for Windows 3.11
Known Bugs and Restrictions
Solaris 2.6
- 1. FireWall-1 3.0b supports Solaris 2.6. Since previous FireWall-1 versions cannot be installed on Solaris 2.6, you must upgrade your FireWall-1 software to 3.0b before upgrading the Operating System to Solaris 2.6.
- 2. The X/Motif Log Viewer cannot run on Solaris 2.6. Contact your FireWall-1 re-seller to get a patch for supporting it when it is available.
- 3. If there is no dumb terminal installed, the FireWall-1 installation may fail.
- 4. When setting the boot security on Solaris 2.6, the file /etc/rcS.d/S30rootusr.sh gets corrupted, and the system fails to reboot. Before installing the software, please contact your FireWall-1 reseller for a patch that solves this problem.
Solaris 2.x
When using encryption on Solaris 2.x machines, you must create certificate keys when defining network objects (you are not prompted to do so during installation).
IBM/AIX
The IBM/AIX version does not support multiprocessor machines. Please contact your re-seller for a special patch that supports them.
Windows NT 4.0
FireWall-1 on Windows NT 4.0 with Service Pack 3 does not work properly with RAS.
Windows 95
SecuRemote installation fails on some portable machines.
All Platforms
The SMTP Security Server terminates each line with a bare LF rather than the CR-LF pair the SMTP protocol requires. This causes compatibility problems with some SMTP servers. Contact your re-seller for a patch that solves this problem.
FireWall-1 3.0b Management station cannot properly manage 3.0 FireWall Modules. You need to upgrade the FireWall Module to 3.0b as well.
Using FireWall-1 Synchronization under a heavy load may crash the machine. Contact your re-seller for a patch that solves this problem.
User Guide Clarifications
The following material clarifies subjects discussed in the FireWall-1 User Guide.
Getting Started
Installing FireWall-1
Operating Systems
In Table 3-8 on page 87, the list of Solaris versions under Operating Systems should read "Solaris 2.3, 2.4, 2.5 and 2.6".
Licenses
On page 105, any references to "serial number" should read "Certificate Key."
Architecture and Administration
Security Servers
FTP Resources
When an FTP connection is mediated by the FireWall-1 FTP Security Server, then the user's requested FTP commands and file names are matched against the FTP Resource defined in the relevant rule.
The FTP Security Server is invoked when a rule specifies an FTP Resource in the Service field and/or User Authentication in the Action field. If no FTP Resource is specified in the rule (that is, if the Security Server is invoked because the Action is User Authentication), then an FTP Resource of GET and PUT allowed for all files is applied.
FTP Resource Matching
FTP Resource matching consists of matching methods and file names.
Methods
Table 1-1 on page 7 lists the FTP commands that correspond to the methods specified in the FTP Resource definition.
The FireWall-1 FTP Security Server passes all other FTP commands to the FTP server for execution.
File Names
File name matching is based on the concatenation of the file name in the command and the current working directory (unless the file name is already a full path name) and comparing the result to the path specified in the FTP Resource definition.
When specifying the path name in the FTP Resource definition, only lower case characters and a directory separator character / can be used.
The Security Server modifies the file name in the command as follows:
In some cases, the Security Server is unable to resolve the file name, that is, it is unable to determine whether the file name in the command matches the file name in the resource.
Example - DOS
Suppose the current directory is d:\temp and the file name in the command is c:x. Then the Security Server is unable to determine the absolute path of the file name in the command, because the current directory known to the Security Server is on disk D: while the file is on disk C:, which may have a different current directory.
Example - Unix
If the file name in the command contains .. references which refer to symbolic links, then it's possible that the file name in the command matches the resource's path, but that the two in fact refer to different files.
When the Security Server cannot resolve a file name, the action it takes depends on the Action specified in the rule being applied:
- If the resource path is * or there is no resource, the rule is applied.
- Otherwise, the rule is not applied. Instead, FireWall-1 scans the Rule Base and applies the next matching rule (which may be the default rule that drops everything). In this case, a potential problem is that the rules may specify different entries in their Track fields. For example, it may happen that the original rule specifies Accounting in the Track field while the rule that is applied does not.
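The following Python program is an added illustration of the matching and fall-through behaviour described above; it is not FireWall-1 code. It assumes that the GET and PUT methods correspond to the RETR and STOR commands (Table 1-1 is not reproduced here), that the resource path is a shell-style pattern in which "*" means any file, that the command's path is compared case-insensitively after normalisation, and that the default rule at the end of the Rule Base drops everything. The rule names, Track values and sample paths are constructed for the example.

```python
"""Model of FireWall-1 FTP Resource matching (illustration, not product code)."""
import fnmatch
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

METHOD_FOR_COMMAND = {"RETR": "GET", "STOR": "PUT"}   # assumed mapping of Table 1-1


@dataclass(frozen=True)
class FtpResource:
    methods: frozenset      # subset of {"GET", "PUT"}
    path: str               # lower case, '/' separators; "*" means any file


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept", "drop" or "user auth"
    resource: Optional[FtpResource]    # None: Security Server invoked without a resource
    track: str                         # e.g. "long", "accounting", "none"


# A rule without an FTP Resource behaves as GET and PUT allowed for all files.
ANY_FILE = FtpResource(frozenset({"GET", "PUT"}), "*")
_DRIVE = re.compile(r"^([A-Za-z]):(.*)$")


def resolve(cwd: str, name: str) -> Optional[str]:
    """Absolute path the Security Server compares, or None when it cannot resolve it."""
    cwd, name = cwd.replace("\\", "/"), name.replace("\\", "/")
    cwd_m, name_m = _DRIVE.match(cwd), _DRIVE.match(name)
    if cwd_m or name_m:                                   # DOS-style paths
        cwd_drive = cwd_m.group(1).lower() if cwd_m else None
        cwd_dir = (cwd_m.group(2) or "/") if cwd_m else cwd
        if name_m:
            drive, rest = name_m.group(1).lower(), name_m.group(2)
            if not rest.startswith("/"):
                if drive != cwd_drive:
                    return None   # relative to another drive's unknown current directory
                rest = posixpath.join(cwd_dir, rest)
        else:
            drive = cwd_drive
            rest = name if name.startswith("/") else posixpath.join(cwd_dir, name)
        prefix = f"{drive}:"
    else:                                                 # Unix-style paths
        prefix = ""
        rest = name if name.startswith("/") else posixpath.join(cwd, name)
    if ".." in rest.split("/"):
        return None   # ".." may pass through a symbolic link; not verifiable from the path
    return (prefix + posixpath.normpath(rest)).lower()


def apply_rule_base(rules: List[Rule], cwd: str, command: str, arg: str) -> Tuple[str, Optional[Rule]]:
    """Return (action, rule) for one FTP command, following the clarification above."""
    method = METHOD_FOR_COMMAND.get(command.upper())
    if method is None:
        return "pass-through", None        # other commands go straight to the FTP server
    full = resolve(cwd, arg)
    for rule in rules:
        res = rule.resource or ANY_FILE
        if method not in res.methods:
            continue
        if full is None:
            if res.path != "*":
                continue                   # unresolvable name: rule skipped, scan continues
        elif not fnmatch.fnmatchcase(full, res.path):
            continue
        return rule.action, rule
    return "drop", None                    # implicit default rule drops everything


def sample_rule_base() -> List[Rule]:
    """Constructed Rule Base: GET from /pub is accepted with Accounting, all else dropped."""
    return [
        Rule("pub-get", "accept", FtpResource(frozenset({"GET"}), "/pub/*"), "accounting"),
        Rule("cleanup", "drop", None, "long"),
    ]


if __name__ == "__main__":
    rules = sample_rule_base()
    for cwd, cmd, arg in [("/pub", "RETR", "readme.txt"),
                          ("/pub", "STOR", "upload.bin"),
                          ("/pub/incoming", "RETR", "../../etc/passwd"),
                          ("d:\\temp", "RETR", "c:x"),
                          ("/pub", "CWD", "/")]:
        action, rule = apply_rule_base(rules, cwd, cmd, arg)
        print(f"{cmd} {arg!r} in {cwd!r}: {action}, rule={rule.name if rule else None}, "
              f"track={rule.track if rule else None}")
```

The third case shows the Track problem mentioned above: the unresolvable ".." path skips the Accounting rule and lands on the cleanup rule, so the connection is logged with that rule's Track field instead.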
Outgoing Connections
User Authentication and Resource rules are applied only to connections incoming to a FireWalled machine. An outgoing connection originating on a FireWalled machine will not be folded into a Security Server on that machine, but will be dropped.
Authentication
ACE (SecurID)
On Windows NT, the sdconf.rec file is in the SYSTEM32 directory under the directory in which Windows NT is installed.
Miscellaneous Security Issues
Verifying the Default Policy
You can verify that the default Security Policy is indeed loaded as follows:
- 1. Boot the system.
- 2. Before installing another Security Policy, type the following command:
- The command's output should show that defaultfilter is installed.
SYNDefender
The following text should be added at the end of the "The TCP SYN Flooding Attack" section.
Choosing an Appropriate SYNDefender Method
As a first step, you should consider whether you need SYNDefender at all. Since the SYN flooding attack is a "denial of service" attack rather than a security breach, it may be more effective to deploy SYNDefender only after a SYN attack actually occurs.
Another "low cost" alternative is to deploy SYNDefender Gateway, and if a SYN attack occurs, to deploy SYNDefender Relay.
SYNDefender Gateway vs. SYNDefender Relay
SYNDefender Gateway is an effective defense method which divides the cost of the defense between the FireWalled gateway and the server under attack. The overhead for the server is similar to that of an established non-active connection, of which a server can typically handle thousands. This non-active connection only exists for the short timeout period (configured with the GUI).
In SYNDefender Relay, the FireWalled gateway completely isolates the server from SYN flooding attacks, that is, the connection is not passed to the server until after its validity is verified. The cost is that the FireWalled gateway must relay (with some overhead) every single TCP packet for the lifetime of the connection. In contrast, with SYNDefender Gateway, the gateway "forgets" about the connection after a short timeout period or after the connection has been established.
In addition, problems may arise when a FireWall's Security Policy is uninstalled, or when a FireWall is rebooted. Since every connection was relayed by the FireWall, these connections become "confused," and the network may be overloaded by the servers' futile attempts to resolve this confusion.
In summary, if SYNDefender is required, start with SYNDefender Gateway. If you find that your servers are coming under frequent SYN flooding attacks (as apparent from the Log Files), and that your server performance deteriorates as a result of the non-active (short timeout) connections created for each attack attempt, then you should consider the SYNDefender Relay method.
Passive SYNDefender Gateway is an inferior method to both SYNDefender Gateway and SYNDefender Relay. The guidelines above refer to SYNDefender Gateway rather than to Passive SYNDefender Gateway.
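The following Python simulation is an added illustration of the cost trade-off between the two methods; it is not FireWall-1 code. It assumes the usual mechanics of each mode, which the text above only summarises: in Gateway mode the SYN is passed to the server, the gateway acknowledges the server's SYN/ACK at once so the server holds an established but idle connection, and the gateway sends the server an RST if the client's own ACK does not arrive within the timeout; in Relay mode the gateway answers the SYN itself, opens the server-side connection only after the client's ACK, and then relays every packet of the connection. The timeout values, the packet trace and the counters are constructed for the example, and only client-to-server packets are modelled.

```python
"""Simulation of SYNDefender Gateway and Relay under a SYN flood (illustration only)."""
from dataclasses import dataclass
from typing import Iterable, List

TIMEOUT = 10                    # SYNDefender timeout in seconds (assumed value)
SERVER_HALF_OPEN_TIMEOUT = 75   # a typical server's own SYN timeout (assumed value)


@dataclass(frozen=True)
class Packet:
    t: float
    kind: str    # "SYN", "ACK", "DATA" or "FIN", client -> server direction only
    conn: int    # identifies the client address/port pair


@dataclass
class Stats:
    server_half_open_peak: int = 0
    server_idle_established_peak: int = 0
    server_rsts_received: int = 0
    server_completed: int = 0
    gateway_state_peak: int = 0
    gateway_relayed_packets: int = 0


def simulate(mode: str, packets: Iterable[Packet]) -> Stats:
    """mode is 'none' (no SYNDefender), 'gateway' or 'relay'."""
    st = Stats()
    gw_pending = {}        # conn -> time of SYN; held by the gateway until the client's ACK
    gw_relayed = set()     # Relay mode: connections the gateway keeps relaying after setup
    srv_half_open = {}     # conn -> time of SYN; server waiting for the final ACK
    srv_idle = set()       # Gateway mode: established on the server, not yet confirmed
    for p in sorted(packets, key=lambda p: p.t):
        # expire state whose timer ran out before this packet arrived
        for c, t0 in list(gw_pending.items()):
            if p.t - t0 >= TIMEOUT:
                del gw_pending[c]
                if mode == "gateway":           # gateway resets the idle server connection
                    srv_idle.discard(c)
                    st.server_rsts_received += 1
        for c, t0 in list(srv_half_open.items()):
            if p.t - t0 >= SERVER_HALF_OPEN_TIMEOUT:
                del srv_half_open[c]
        if p.kind == "SYN":
            if mode == "none":
                srv_half_open[p.conn] = p.t      # server holds a half-open connection
            else:
                gw_pending[p.conn] = p.t
                if mode == "gateway":
                    srv_idle.add(p.conn)         # SYN forwarded; gateway ACKs the SYN/ACK
                # relay: gateway sends its own SYN/ACK, the server sees nothing yet
        elif p.kind == "ACK":
            if p.conn in srv_half_open:
                del srv_half_open[p.conn]
                st.server_completed += 1
            elif p.conn in gw_pending:
                del gw_pending[p.conn]
                st.server_completed += 1
                if mode == "gateway":
                    srv_idle.discard(p.conn)     # gateway forgets; packets flow directly
                else:
                    gw_relayed.add(p.conn)       # gateway opens the server side and relays
        elif p.conn in gw_relayed:               # DATA or FIN on a relayed connection
            st.gateway_relayed_packets += 1
            if p.kind == "FIN":
                gw_relayed.discard(p.conn)
        st.server_half_open_peak = max(st.server_half_open_peak, len(srv_half_open))
        st.server_idle_established_peak = max(st.server_idle_established_peak, len(srv_idle))
        st.gateway_state_peak = max(st.gateway_state_peak, len(gw_pending) + len(gw_relayed))
    return st


def flood_scenario(n_spoofed: int = 1000) -> List[Packet]:
    """Constructed trace: n_spoofed SYNs that are never ACKed, then one real client."""
    pkts = [Packet(i / n_spoofed, "SYN", 1000 + i) for i in range(n_spoofed)]
    pkts += [Packet(2.0, "SYN", 1), Packet(2.1, "ACK", 1)]
    pkts += [Packet(3.0 + i, "DATA", 1) for i in range(20)]
    pkts.append(Packet(23.0, "FIN", 1))
    return pkts


if __name__ == "__main__":
    for mode in ("none", "gateway", "relay"):
        print(mode, simulate(mode, flood_scenario()))
```

With no SYNDefender the server carries all the spoofed half-open connections until its own timeout. In Gateway mode it carries the same number as idle established connections, but only until the short SYNDefender timeout, after which each is reset, and the gateway keeps no per-packet work for the real connection. In Relay mode the server never sees the spoofed SYNs, at the price of the gateway relaying every packet of the real connection for its whole lifetime.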
Getting Help
If you have problems installing or using this product, call the appropriate number listed in Table 3-13 on page 110 of Getting Started with FireWall-1. If you cannot locate the number for your location, call 1-800-SUNSOFT (1-800-786-7638) from anywhere in North America. From other countries, call your Authorized SunSoft Distributor or Reseller.
Please have the following information ready when you call:
Copyright © 1997, Sun Microsystems, Inc. All rights reserved.