The information disclosed in this document, including all designs and related materials, is the valuable property of NEC Technologies, Inc. (NEC) and/or its licensors. NEC and/or its licensors, as appropriate, reserve all patent, copyright, and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights thereto, except to the extent said rights are expressly granted to others. This document does not constitute a warranty of any kind, express or implied, with respect to the NEC product(s) discussed in this document. Unless expressly provided for in a separate limited warranty statement obtained at the time of sale of the NEC product(s), NEC makes no warranties of any kind or nature concerning the NEC product(s) including (but not limited to) any warranties (express or implied) of merchantability, performance, fitness for a particular purpose or against infringement of intellectual property rights.
As to information on limited warranties or lack thereof concerning all
other product(s) discussed in this document, please contact the
manufacturers of the respective product(s). To allow for design and
specification improvements, the information in this document is subject to
change at any time, without notice. Reproduction of this document or
portions thereof without prior written approval of NEC is prohibited. NEC
is a registered trademark of NEC Corporation. The PrivateNet Server and
SocksPlus are trademarks of NEC Technologies, Inc. Other brands, logos,
and product names are trademarks or registered trademarks of their
respective holders.
GENERAL FIREWALL QUESTIONS
1. What is a firewall?
6. What is a proxy?
THE PRIVATENET SECURE FIREWALL SERVER
12. What is PrivateNet?
22. What commercial client applications currently support the SOCKS 4.2/SocksPlus proxy?
23. Can the PrivateNet server be connected to any network?
24. What hardware makes up the PrivateNet server?
25. What software makes up the PrivateNet server?
26. Has the PrivateNet server been thoroughly tested?
SERVER CONFIGURATION
27. How do I configure the PrivateNet server?
PRIVATENET SERVER PURCHASE AND SUPPORT
33. How do I buy the PrivateNet server and what does it cost?
OTHER PRIVATENET QUESTIONS
37. Does SocksPlus support UDP?
GENERAL FIREWALL QUESTIONS

Q1. What is a firewall?
A. A firewall is a defense mechanism for a network that creates a single narrow security choke point (or gate) through which all traffic must pass, both to and from your network. Firewalls enforce a site's security access policies for its network based on access rules or access control lists. There are a number of ways to control access, but in general the firewall can be thought of as a mechanism to filter and control traffic. Traditional firewalls are implemented through a combination of hosts and routers. A router can control (or filter) network traffic at the packet level; packets are allowed or denied based on their source/destination addresses or port numbers. This control technique is called packet filtering. State-of-the-art firewalls are more than just generalized packet filters and often perform their functions from the circuit level up through the application layer of the Open Systems Interconnection (OSI) model. These high-level firewalls typically do not allow a direct connection between hosts and clients on separate networks (such as your network and the Internet). Instead they use a mechanism called a "proxy" process to prevent traffic from passing directly between networks. These modern firewalls also log all access for tighter security audits.

Q2. Why does my network need a firewall?
A. Being connected to the Internet is like living in a rough neighborhood. Having a firewall can greatly reduce the risk that an Internet connection will compromise the safety of internal networks. A firewall supplements your existing security mechanisms and protects your network from unauthorized intruders, both external and internal to your organization. Firewalls limit your exposure. Many organizations use the Internet, or are planning to use it, as a tool for business. Unfortunately, an increasing number of people on the Internet are unscrupulous and may attack vulnerable servers and networks. This presents a major security risk to your network and organization. A firewall can greatly reduce the risk of network break-in and the destruction or theft of data by creating a security choke point. A firewall allows you to easily manage and control access. The most secure firewalls use proxies to eliminate direct connections between networks.

Q3. What things can a firewall protect?
A. Firewalls can protect a network for both incoming and outgoing network traffic by enforcing your security policies, such as:
Q4. What things can't a firewall protect against?
A. Firewalls can't protect against attacks that don't go through the firewall. An example might be a malicious employee who copies sensitive information to a diskette, removes the diskette from the office, and then releases it to someone outside your organization. Another example might be that of a trusted employee who sets up a "back door" entrance into your network, perhaps by attaching a dial-up modem to his desktop or laptop computer. Unauthorized people may also succeed in extracting information from employees who are trying to be helpful. Firewalls also cannot easily protect against viruses, and are unlikely to do so in the foreseeable future. Virus protection should be implemented as part of a virus protection plan, since viruses can be introduced by many means.

Q5. What is a virtual private network?
A. Recently, there has been a great deal of discussion about virtual private networks. A virtual private network is just another name for an encrypted IP tunnel, typically crossing the Internet. Encryption ensures a high level of privacy for the data that is exchanged, providing a secure and cost-effective alternative to privately leased lines. Most connections across the Internet are not encrypted and most data is exchanged in clear text, making the data vulnerable to snoopers. The use of encrypted tunnels prevents third parties from listening in on these connections.
PROXIES AND OPERATING SYSTEMS

Q6. What is a proxy?
A. A proxy is a software mechanism that eliminates direct communication between client applications and their servers across separate networks or subnets. The proxies communicate between themselves. Typically, proxies:
Q7. Why do I need proxies? A. You need proxies to:
Q8. Are all proxy technologies equal? A. No. Different levels of security require different types of proxies. Two proxy technologies are used in modern firewalls:
Q9. Is there a good alternative to SOCKS 4.2?
A. The SocksPlus(TM) proxy is a great alternative to SOCKS 4.2. The SocksPlus proxy is an advanced and secure circuit-level technology. It was written from scratch by NEC to provide a commercial circuit-level proxy for the PrivateNet Secure Firewall Server and to avoid any intellectual property issues attached to SOCKS 4.2. The SocksPlus proxy is more secure and commercially robust than the original SOCKS 4.2 protocol and has been improved over the original SOCKS 4.2 implementation in many ways. The SocksPlus proxy:
The SocksPlus proxy uses its own improved protocol when communicating with SocksPlus proxy clients and other SocksPlus proxy servers, but it is fully backward-compatible with existing SOCKS 4.2 servers and clients. If a site is already using SOCKS 4.2, deploying the SocksPlus proxy will not pose major problems. However, such sites are encouraged to convert to the SocksPlus proxy over time to take full advantage of NEC's improvements.

Q10. Why is BSD/OS a good choice for a firewall operating system?
A. The BSD operating system developed by Berkeley Software Design Inc. is based on the original system developed at the University of California at Berkeley. It has been carefully scrutinized for security holes by many people from various organizations. This is not true of proprietary operating systems. The base code for BSD has been running on thousands of computer systems for many years, proving the code is stable, reliable, and effective for network access. This may not be the case for more recently developed operating systems.
A. A "C2" rating refers only to the system's security when it is evaluated as a standalone system, not connected to a network. The rating says nothing about how secure the system is on a network. Also, C2 is a relatively low level in that rating scale (the US Trusted Computer System Evaluation Criteria, or "Orange Book").
THE PRIVATENET SECURE FIREWALL SERVER

Q12. What is PrivateNet?
A. The PrivateNet Secure Firewall Server is a network firewall product developed by NEC Technologies' Internet Business Unit and comes complete as an off-the-shelf server including hardware and CD-ROM software. The PrivateNet server is scalable, user-transparent, highly secure and easily configurable. It provides a high level of security for both internal networks (including subnets) and external network connections using a proxy server architecture. The PrivateNet server also logs all transactions, providing detailed audit trails for corporate security analysts. The PrivateNet server solves several crucial problems for corporate and departmental TCP/IP networks:
Q13. Could you explain the PrivateNet server's architecture? A. The PrivateNet server is designed around a proxy server architecture consisting of a hybrid of two technologies (see Question 8):
Q14. Do my client applications have to be changed if I decide to use the PrivateNet server?
A. Sites already using SOCKS 4.2 will be able to switch to PrivateNet without any change. Over the longer term, they may choose to use SocksPlus clients to take full advantage of the improvements in the SocksPlus protocol. At new sites, it depends on what is currently being used. In many cases, the SOCKS 4.2 or SocksPlus proxy is already part of the client application and can communicate with the PrivateNet server without any modifications. Examples of vendors providing such clients are Netscape, FTP Software, Inc., NetManage, Hummingbird, and Spry/CompuServe. For UNIX client applications that do not contain SOCKS 4.2 or SocksPlus, it is necessary to recompile and relink the client with NEC's SocksPlus proxy library. This library contains the necessary wrappers for network-related system calls, so that the client can use SocksPlus to connect. NEC, through its Client Applications Program (CAP), continues to work with TCP/IP software vendors to further increase the availability of client applications that support SocksPlus.

Q15. What additional security features are provided?
A. Unlike packet filtering routers, which authorize (permit or deny) each packet, the PrivateNet server uses a "connection filtering" authorization mechanism to determine whether a connection should be made. Connection filtering determines authorization only when the connection is initially established and provides a more thorough connection authorization process than traditional packet filtering. When a request for a connection is received by the application-level proxy, the connection is verified based on the traditional source/destination address and port number. In addition, the arrival of every connection on the expected interface is verified. If a connection request claims to originate from the internal network but arrives on the interface connected to the outside network, it is recognized as a spoofing attempt and rejected. Once the PrivateNet server makes the decision to connect, it forwards all packets for that connection. For even greater security, the PrivateNet server comes with all its software, including the security-hardened BSDI UNIX operating system, on CD-ROM. Because the contents of a CD-ROM cannot be changed or erased, an intruder who gains access to the running system cannot permanently alter the operating system or the proxies. The CD-ROM is used for initial installation as well as for normal operations. Initial installation is simple: you connect the PrivateNet server to your network, insert the CD-ROM into the CD drive, turn on the machine, and answer some initial configuration questions about your network. The CD-ROM is used for normal operations and server boot-up thereafter.

Q16. What kind of user authentication is provided?
A. The PrivateNet server provides security authentication for remote users who need incoming access to your internal network. Authentication is currently accomplished by a method known as secure network key (SNK) from Digital Pathways, Inc. SNK uses a calculator-based challenge/response mechanism for user authentication. A calculator must be provided to each authorized user. The PrivateNet server issues an SNK password "challenge" and the user enters this challenge into the calculator. The calculator then produces a one-time-only password "response", which the user types back to the PrivateNet server. If the one-time response is correct, the user gains access to your internal network. NEC is also looking at other authentication schemes.

Q17. Can PrivateNet provide a VPN facility?
A. The PrivateNet server provides a "Virtual Private Network" (VPN) facility by encrypting data with DES or Triple-DES and using the SocksPlus proxy protocol as the transport. This enables a highly secure connection between multiple PrivateNet servers and allows public networks, such as the Internet, to be used for secure communications. Performance is very good because encryption and decryption occur only at the first and last network hops. Each communications session is encrypted and decrypted under a DES key. Users should be cautioned to protect any random key(s) created, and any floppy disks used to store these keys, since anyone holding a key can decrypt the traffic it protects.
A. Yes. The PrivateNet server can be configured to filter out unauthorized network traffic between subnets. Via the "listen" instruction in the PrivateNet server configuration file, a subnet IP address may be defined to specify on which interface and subnet client requests are expected to arrive. Requests arriving on other network interfaces are not served.
A. The PrivateNet server's proxies perform the same way for a subnet as they do for an internal network protected from the outside world. The PrivateNet server's proxies hide subnet IP addresses from other subnets just as they hide addresses from the Internet, and they authenticate connections via the "connection filtering" architecture previously described. The proxies disarm all dangerous commands for the protected subnet.
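The following Python program is an added illustration of the connection-filtering and interface-verification rules described in Q15, Q18 and Q19; it is not NEC code and does not use the SocksPlus.conf syntax. The addresses (10.1.0.0/16 as the protected network, 192.0.2.1 as the firewall's outside address), the interface names, the rule table and the sample requests are all assumptions constructed for the example.

```python
"""Connection filtering with interface verification (added example, not NEC's code).

Models the authorisation described in Q15, Q18 and Q19: a connection is
permitted or denied once, when it is set up, using source/destination
address and port AND the interface the request arrived on. Interface
names, addresses, the rule table and the sample requests are constructed
for this illustration; this is not the SocksPlus.conf syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.1.0.0/16")   # assumed protected network
INSIDE, OUTSIDE = "inside", "outside"      # assumed interface names


@dataclass(frozen=True)
class ConnRequest:
    iface: str   # interface the connection request arrived on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str   # interface on which a matching request must arrive (the "listen" idea)
    src: str
    dst: str
    ports: frozenset
    action: str  # "permit" or "deny"


# First match wins; anything unmatched is refused (default deny).
RULES = (
    # One internal client is barred from Telnet (a per-client restriction as in Q20).
    Rule(INSIDE, "10.1.9.9/32", "0.0.0.0/0", frozenset({23}), "deny"),
    # Internal clients may open outbound FTP/Telnet/HTTP circuits through SOCKS.
    Rule(INSIDE, "10.1.0.0/16", "0.0.0.0/0", frozenset({21, 23, 80}), "permit"),
    # Outside users may reach only the authenticated Telnet proxy on the firewall.
    Rule(OUTSIDE, "0.0.0.0/0", "192.0.2.1/32", frozenset({23}), "permit"),
)


def decide(req, rules=RULES):
    """Return (verdict, reason) for one connection request."""
    src, dst = ip_address(req.src), ip_address(req.dst)
    # Anti-spoofing (Q15): an internal address must arrive on the inside
    # interface, and only internal addresses may arrive on it.
    if (src in INTERNAL_NET) != (req.iface == INSIDE):
        return "deny", f"spoof: source {req.src} arrived on {req.iface}"
    for r in rules:
        if (r.iface == req.iface and src in ip_network(r.src)
                and dst in ip_network(r.dst) and req.dport in r.ports):
            return r.action, f"rule {r.src} -> {r.dst} ports {sorted(r.ports)} on {r.iface}"
    return "deny", "no matching rule (default deny)"


def audit_line(req, verdict, reason):
    """One log line per decision: the FAQ says every transaction is logged."""
    return f"{verdict.upper():6} {req.iface:7} {req.src} -> {req.dst}:{req.dport}  {reason}"


# Constructed sample requests.
SAMPLES = (
    ConnRequest(INSIDE, "10.1.5.7", "198.51.100.9", 80),      # ordinary web access
    ConnRequest(INSIDE, "10.1.9.9", "198.51.100.9", 23),      # client barred from Telnet
    ConnRequest(OUTSIDE, "10.1.5.7", "192.0.2.1", 23),        # internal source on outside interface
    ConnRequest(OUTSIDE, "203.0.113.4", "192.0.2.1", 23),     # remote user to the Telnet proxy
    ConnRequest(OUTSIDE, "203.0.113.4", "10.1.0.10", 23),     # direct attempt at an internal host
    ConnRequest(INSIDE, "10.1.5.7", "198.51.100.9", 25),      # SMTP is not allowed through SOCKS
)


def run(samples=SAMPLES):
    """Decide every sample, print the audit log, and return the verdicts in order."""
    verdicts = []
    for req in samples:
        verdict, reason = decide(req)
        print(audit_line(req, verdict, reason))
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    run()
```

The spoof check runs before the rule table is consulted, so no permit rule can be reached by a request whose source address is inconsistent with the interface it arrived on, and the third sample is refused even though its destination and port would otherwise match the Telnet-proxy rule.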
A. The PrivateNet Server can be configured to allow or disallow network services for specific client users on your network. This is accomplished via "client" instructions in the PrivateNet server configuration file. These client instructions can be set to allow or disallow services for single or multiple client IP addresses.

Q21. Do my client applications have to be changed if I decide to use the PrivateNet server?
A. No. In many cases, the SOCKS 4.2 or SocksPlus proxy is already part of your client application and can communicate with the PrivateNet server. These are clients provided by such vendors as Netscape, NetManage, FTP, SPRY, etc. For those MS Windows client applications which do not utilize the SOCKS 4.2 or SocksPlus proxy, you will need to install NEC's dynamic link library and executable(s); e.g. for Microsoft Windows, SOCKSpls.dll and SOCKSpls.exe. For UNIX client applications which do not utilize the SOCKS 4.2 or SocksPlus proxy, you will need to link NEC's SocksPlus proxy libraries into your UNIX client applications.

Q22. What commercial client applications currently support the SOCKS 4.2/SocksPlus proxy?
A. Netscape provides SOCKS 4.2 support on all of its platforms, and will therefore work with PrivateNet. In addition, SOCKS 4.2 is supported by FTP Software, Inc., NetManage and Mosaic from the Spry/CompuServe Internet Division.

Q23. Can the PrivateNet server be connected to any network?
A. Yes. The PrivateNet Server can be configured to work with any TCP/IP network. However, the PrivateNet server currently supports only Ethernet 10Base-T physical connections. NEC is in discussion with BSDI, DEC and other vendors to provide support for FDDI as well as other major network communications technologies. NEC plans to support other communications media such as Token Ring, Fast Ethernet, and T1.

Q24. What hardware makes up the PrivateNet server?
A. The PrivateNet server includes:
Q25. What software makes up the PrivateNet server? A. The PrivateNet server includes the following software, all on CD-ROM:
Q26. Has the PrivateNet server been thoroughly tested? A. Yes. In addition to normal development testing, the PrivateNet server has been tested at a number of Beta sites for several months. Beta sites include clients both internal and external to NEC.
SERVER CONFIGURATION

Q27. How do I configure the PrivateNet server?
A. Provide the TCP/IP information (IP addresses, domain name, etc.) requested by the PrivateNet server's automatic "Configure" script. Configure runs automatically just after boot time during installation. If necessary, Configure can be run again to reinitialize all configuration data by removing the Configure file and rebooting. A security administrator can completely reload and reconfigure the PrivateNet server in a matter of minutes using this procedure, thus ensuring that the server maintains its planned security functions with authorized configuration data and NEC-provided proxies.

Q28. How do I administer the PrivateNet server?
A. Update the PrivateNet server configuration data found in the SocksPlus.conf and authorize.conf files. The SocksPlus.conf file contains all rules necessary for access control and server-to-server connections. The rules are fairly traditional, using source and destination addresses and port numbers to determine whether a given client should be allowed to connect through the server. The SocksPlus.conf file also determines the behavior of server-to-server connections: configuration statements determine which PrivateNet servers are allowed to connect to other PrivateNet servers, and they allow departmental servers to be administered separately from the PrivateNet servers at the corporate firewall level. The SocksPlus.conf file also provides for time-outs and for limits on connection types. The authorize.conf file contains the rules for how users can connect through a PrivateNet server. These rules determine which users can Telnet in from the Internet, what type of authentication should be used, and the kind of access each user will be allowed.
PRIVATENET SERVER INSTALLATION

Q29. Who installs the PrivateNet server?
A. Typically, an NEC-authorized VAR will install the server, thus assuring a customer of a turnkey installation. Customers with a high level of networking and security expertise may choose to install the server themselves. NEC trains its VARs in basic installation and in various networking configurations with the PrivateNet server. NEC will assist with installation as needed. When the server is installed at complex sites, or sites with general security issues, the NEC Security Expert Referral Program (S.E.R.P.) will provide a source of security expertise. This network is made up of independent consultants who can assist the VAR and customers as needed.

Q30. Will NEC provide me with documentation and an installation plan?
A. In addition to technical, user, and installation manuals, NEC provides a configuration questionnaire with several example network configurations for each PrivateNet server. The VAR will give the questionnaire and network configurations to you before your installation. You should complete the questionnaire and work with the VAR to create a network design for the PrivateNet server. The server can then be installed in either new or existing networks. NEC will assist as needed with planning and installation.

Q31. How long does it take to install a PrivateNet server?
A. It takes 45 minutes to a few hours, depending on the network hardware and software configuration and on the availability of the network for reconfiguration and physical cabling.

Q32. What must I have to install a PrivateNet server?
A. The following are needed. You must complete the Software License Agreement and send it back to the Internet Business Unit before installation; typically the VAR will ensure that this is complete before installation. NEC will then provide a license key for activation of the CD-ROM-based software being installed on the PrivateNet server. The license number must be typed into the PrivateNet server during initial installation to activate the software. You need an ASCII terminal, PC or laptop computer capable of an industry-standard emulation such as VT-100, as well as a serial RS-232C cable (and possibly a null modem adapter). This is attached to the COM-1 console port on the PrivateNet server and is used to configure the server initially. You will need one or two 10Base-T (RJ45) cables for attachment to your Ethernet network. You will also need a revised network design for your new PrivateNet server(s). Specific information needed: new host name(s); internal IP address(es) and internal network mask for your PrivateNet server(s); a physical network interface to the PrivateNet server (10Base-T); new external network IP address(es) and external network mask; a fully qualified Internet domain name; the IP address(es) of your internal name server(s); a fully qualified upstream DNS authoritative host name for your Internet domain; the IP address of the default route; and the fully qualified host name of the internal mail hub. Your VAR will help you.

PRIVATENET SERVER PURCHASE AND SUPPORT

Q33. How do I buy the PrivateNet server and what does it cost?
A. You can buy the PrivateNet server from any VAR authorized by the Internet Business Unit. The list price is approximately $14,950, including hardware and CD-ROM software.

Q34. How do I get PrivateNet server upgrades?
A. The PrivateNet server software is upgraded by simply removing the old CD-ROM, replacing it with the new upgrade CD-ROM, which is a complete package, and then rebooting the PrivateNet server. Upgrades will be announced by NEC and provided to our distributor, Ingram Micro, which will provide all upgrade replacement CDs to its NEC-approved VARs. The VARs will provide the upgrade to their customers.

Q35. What are your warranty and service options?
A. Warranty, service, and support requests are handled via a toll-free number (800-325-5500) on a seven-day, 24-hour basis. Maintenance is performed during normal business hours unless a customer purchases the 7 x 24 option, under which server maintenance is performed within an eight-hour period in most major metropolitan areas. Hardware and software support include:
Q36. How are upgrades handled? A. The PrivateNet server software is upgraded by simply replacing the old CD-ROM with a new one. Upgrades will be announced by NEC and provided automatically to authorized VARs. The VARs will supply the upgrade to their customers.
OTHER PRIVATENET QUESTIONS

Q37. Does SocksPlus support UDP?
A. Yes. SocksPlus supports UDP, but for security reasons it is implemented as UDP over TCP. While filtering TCP circuits is difficult at best, securely filtering UDP connections is almost impossible. The difficulty lies in the difference between the two types of connections. The TCP protocol implements a virtual circuit and keeps a context for the connection, whereas UDP is a datagram protocol in which each packet is an independent message. Providing UDP over TCP simplifies the implementation of the UDP relays significantly and removes most of the problems normally experienced in providing UDP support through a firewall. While this strategy may be less efficient than a native UDP implementation, its simplicity and ease of security management by far justify the additional overhead. NEC believes the difference in performance compared with a reliable and safe native UDP solution would be negligible.

Q38. Will SocksPlus clients connect from the Internet?
A. The server provides a simple and very secure method to determine which interfaces will accept client connections, and this is one of the many places where a "belt and suspenders" design philosophy has been used for the PrivateNet server. In its recommended configuration the server will allow client connections only from the internal network, while outside connections will be rejected. The configuration provides a simple mechanism that allows the server administrator to specify which interfaces should accept SOCKS 4.2 and SocksPlus client connections. If a client attempts to connect to an interface that is not configured to accept client connections, the server will reject the connection and log the connection attempt.

Q39. What is the Telnet proxy?
A. The Telnet proxy provides a secure means to allow users to log into internal hosts from the Internet. When a user Telnets to the PrivateNet server, he is required to authenticate before being allowed to connect to an internal host. The Telnet proxy has been designed to ensure strong user authentication, based on a challenge/response server. SNK from Digital Pathways is available in PrivateNet Server Release 1.0, and other mechanisms will be added in future releases.

Q40. What is the HTTP proxy?
A. The HTTP proxy is primarily intended to export internal servers to the outside network. User access to external HTTP servers is better provided through the SocksPlus proxy.

Q41. What is the NNTP proxy?
A. The NNTP proxy allows an internal Usenet News server to be connected to outside servers.

Q42. How does the SMTP (e-mail) proxy work?
A. The PrivateNet server provides a simple SMTP mail exchanger for e-mail connectivity between internal and external hosts. All mail passes through the PrivateNet server in three steps:
The advantage of this strategy is that it isolates Sendmail, a common source of security problems, from the network while still using it as a mail delivery agent. It keeps the SMTP proxy mechanism simple and does not require reimplementation of the address rewrite and delivery mechanisms. This implementation has the following advantages:
Q43. How does the domain name server work?
A. The domain name server on the PrivateNet firewall is configured as a split name server. In this configuration, two tightly coupled primary name servers are used with an appropriate number of secondaries. The software for both name servers is the unmodified standard UNIX name server. The PrivateNet server uses BIND version 4.9.3, which has many security improvements over older versions of the software. The name server on the PrivateNet server is configured as a traditional name server, with the exception that it has information only about the servers connected to the public networks (typically the PrivateNet server alone). This allows sites on the Internet to obtain the information necessary to connect to the services offered by your site. Resolution of host names and addresses for the internal hosts is handled by an internal name server, which has all information about the internal hosts. Because the PrivateNet server does not perform any kind of packet forwarding, there is no way for the internal name server to connect to any name server on the outside. Instead, such inquiries are handled through the name server's "forwarder" mechanism, whereby the inquiry is forwarded to the external name server for resolution. Because the external name server can connect to other name servers across the Internet, it can resolve the inquiry in its usual manner and return the result to the internal name server. Special consideration should be given to the PrivateNet server itself, since it needs to resolve internal host names and addresses while keeping the public name server's cache uncontaminated with this information. The mechanism for this already exists in the resolver library. Because the PrivateNet server has a local resolver configuration file pointing to the internal name servers, all inquiries originating on the PrivateNet server are resolved by those name servers instead of by the name server running on the PrivateNet server.

Q44. Is running a split name server required?
A. If you do not want to use a split name server, the name server on the PrivateNet server can be configured as a traditional primary or secondary name server with complete information about all internal hosts. However, if configured in that manner, information on all internal hosts would be readily available on the Internet even though these hosts could not be reached directly. This would provide crackers with a great source of information on the internal networks, which they could use to attack the hosts on those networks.
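The split-name-server arrangement of Q43 and Q44, written out as BIND 4.9.3 boot-file and resolver fragments. These are added example configurations, not files shipped with the PrivateNet server; the domain example.com, the firewall addresses 192.0.2.1 (outside) and 10.1.0.1 (inside), the internal name servers 10.1.0.2 and 10.1.0.3, and the zone file names are all assumptions.

```text
; ---- /etc/namedb/named.boot on the PrivateNet server: the PUBLIC view ----
; Assumed: domain example.com; firewall is 192.0.2.1 outside, 10.1.0.1 inside.
directory   /etc/namedb
primary     example.com             db.example.com.public   ; only public hosts, i.e. the firewall
primary     2.0.192.in-addr.arpa    db.192.0.2              ; reverse zone for the public address
primary     0.0.127.in-addr.arpa    db.127.0.0
cache       .                       db.cache                ; root hints: this server does talk to the Internet

; ---- /etc/resolv.conf on the PrivateNet server itself ----
; The firewall's own lookups (proxies, mail, logging) go to the INTERNAL servers,
; so internal names never pass through, or get cached by, the public named above.
domain      example.com
nameserver  10.1.0.2
nameserver  10.1.0.3

; ---- /etc/namedb/named.boot on an INTERNAL name server (10.1.0.2): the FULL view ----
directory   /etc/namedb
primary     example.com             db.example.com.internal ; every internal host
primary     1.10.in-addr.arpa       db.10.1                 ; reverse zone for 10.1.0.0/16
primary     0.0.127.in-addr.arpa    db.127.0.0
cache       .                       db.cache                ; root hints, not consulted while forward-only
forwarders  10.1.0.1                                        ; the firewall's inside address
options     forward-only            ; no packet forwarding exists, so never try the Internet directly
```

A quick check from a host on the Internet: a query for an internal host name sent to 192.0.2.1 must fail, while the same query from an internal host to 10.1.0.2 must succeed. If the public server answers for internal names, either the wrong zone file was loaded on the firewall or its resolv.conf points at itself, and its cache has been contaminated with internal data. On BIND 4 releases that predate options forward-only, the older slave directive gives the same forward-only behaviour.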
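Q37 above explains why SocksPlus carries UDP inside a TCP circuit: TCP gives the relay a connection context, whereas raw datagrams have none. The Python below is an added example, not NEC's code and not the SocksPlus wire format (which the FAQ does not document). It shows the one piece of work such a relay must do, recovering datagram boundaries from a TCP byte stream that arrives in arbitrary chunks. The header layout and the sample datagrams are constructed for the illustration.

```python
"""UDP datagrams relayed over one TCP circuit (added example, not NEC's code).

Per Q37, SocksPlus carries UDP inside a TCP connection so that the firewall
authorises and tracks one circuit rather than independent datagrams. The
framing here is constructed for illustration and is NOT the SocksPlus wire
format: each datagram is sent as a header (destination IPv4 address, port,
payload length) followed by the payload. The receiving relay keeps a
per-circuit buffer (the "context" the FAQ mentions) so that it recovers
datagram boundaries no matter how TCP chunks the byte stream.
"""
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!4sHH")     # dst address, dst port, payload length (network byte order)
MAX_PAYLOAD = 65535 - 20 - 8     # largest UDP payload that fits one IPv4 datagram


def frame(dst_ip, dst_port, payload):
    """Encapsulate one datagram for transmission on the TCP circuit."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("datagram too large for UDP")
    return HDR.pack(IPv4Address(dst_ip).packed, dst_port, len(payload)) + payload


class Deframer:
    """Per-circuit receive state: turns an arbitrarily chunked stream back into datagrams."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Append received bytes; return every complete (dst_ip, dst_port, payload) now available."""
        self.buf += chunk
        out = []
        while len(self.buf) >= HDR.size:
            addr, port, length = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + length:
                break  # the rest of this datagram has not arrived yet
            payload = bytes(self.buf[HDR.size:HDR.size + length])
            del self.buf[:HDR.size + length]
            out.append((str(IPv4Address(addr)), port, payload))
        return out


# Constructed sample traffic: two DNS-sized datagrams and one NTP-sized one.
SAMPLE = [
    ("198.51.100.53", 53, b"\x12\x34\x01\x00" + b"query-one"),
    ("198.51.100.53", 53, b"\x12\x35\x81\x80" + b"x" * 700),
    ("203.0.113.7", 123, b"ntp-request"),
]


def roundtrip(datagrams=SAMPLE, chunk=5):
    """Frame all datagrams, deliver the stream in `chunk`-byte pieces, return what the relay recovers."""
    stream = b"".join(frame(*d) for d in datagrams)
    relay = Deframer()
    recovered = []
    for i in range(0, len(stream), chunk):
        recovered.extend(relay.feed(stream[i:i + chunk]))
    return recovered


if __name__ == "__main__":
    assert roundtrip() == SAMPLE
    print("all datagrams recovered intact from the 5-byte-chunked stream")
```

Five-byte chunks are smaller than the eight-byte header, so every header and every payload is split across several reads; the relay still reassembles each datagram exactly once because the buffer carries state between reads, which is precisely what a native UDP relay lacks.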