

Hardware Versus Software Firewalls

by Chris Swartz and Randy Rosel

According to estimates, an unprotected Windows computer system connected to the Internet could be compromised within twelve minutes. In light of this, the need for computer security has expanded in the last few years. Today, it is just as necessary for home users to secure personal computers as it is for businesses to secure office computers. To gain security benefits like those many businesses possess, home network security often uses the same models. The difference, however, has been that most home users do not have the financial resources for top-of-the-line security equipment. This has led many home users to begin using security tools such as freeware firewalls and over-the-counter hardware firewall solutions.

This raises a question: how do freeware firewalls compare to expensive, all-in-one firewall solutions such as the Cisco PIX? The goal of this project, then, is to compare the Cisco PIX with two freeware firewalls.

Test Goals

The general testing goal for this project was to observe and compare the behavior of each firewall. More specifically, the aim was to compare the behavior each firewall exhibited under a set of adapted, commonly used attack methods (not attacks aimed at any specific system type).

The attack types break down into two groups: discovery and penetration. The discovery group establishes or verifies the actual location of the target device. The penetration group observes the defensive measures of each firewall. Table 1 lists each test used and its purpose.

Table 1. Tests and test groups

Test Group   | Test Type        | Test Description
-------------+------------------+----------------------------------------------------------------
Discovery    | Network sniffer  | Documents the discovery of the target IP address and any other useful information, such as protocols being used on the target network
Discovery    | Traceroute       | Attempts to locate the target device and all intermediate routers, switches, and systems
Penetration  | Synflood attack  | Used to see whether the firewall can overcome a repeated open connection request and also log the attack
Penetration  | Garbage attack   | Used to see whether the firewall can overcome random data packets on random ports
Penetration  | UDP Ping         | Used to see whether the firewall can overcome a large UDP ping packet sent to it
Penetration  | TCP Ping         | Used to see whether the firewall can overcome a large TCP ping packet sent to it
Penetration  | Ping of death    | Used to see whether the firewall can overcome a single over-sized packet sent to it

Testing Procedures

The overall testing structure for this project was developed from the perspective of an outside intruder. Because of this, the target network provided public access to itself as a means of establishing a gateway. We placed an FTP server inside the network and gave the outside world (the Internet at large) access to it. This gave the outside intruder a legitimate means of knowing the IP address of the FTP server.

Sniff Test Procedure

First, we ran the network sniff test, because it was necessary to determine the target IP address (the FTP server). The information discovered was necessary in order for many of the other attacking tools to work correctly. This test also verifies the IP addresses of the equipment being used.

  1. Open Ethereal.
  2. Select Capture -> Interface, then choose the network interface.
  3. Select Capture.
  4. Allow Ethereal to capture packets for about 30 seconds, and then select Stop.
  5. To save the captured packets, select File -> Export as Plain Text File.
  6. Enter an appropriate filename, then click OK.

Traceroute Procedure

The traceroute was an attempt to determine the route used to reach the target network. This step also tries to determine whether there are any other IP addresses, from any other network devices, that lead to the target server. This test helps to establish, if possible, the IP address of the route(s) to the target server.

  1. Open Netwag and select Traceroute.
  2. Ensure the Destination IP Address checkbox is checked.
  3. Enter the appropriate target network.
  4. Select Generate It (bottom of screen).
  5. Select Run It.

We chose these attacks to test each system against a variety of attack types, not to test every possible form of progressively escalating attack.

Synflood Attack Procedure

The synflood attack observes how each firewall behaves when it receives large amounts of SYN requests. The Netwag program's synflood attack also has the ability to spoof the source IP address.

  1. Open Netwag and select Synflood.
  2. Check the Destination IP Address checkbox.
  3. Check the Destination Port Number checkboxes.
  4. Enter the target IP address.
  5. Enter the target port number.
  6. Select Generate It (bottom of screen).
  7. Select Run It.
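Two of the procedures above, the sniff test and the synflood test, are judged from the capture side: the sniff test yields the hosts and protocols visible on the wire, and the synflood test asks whether the firewall can both withstand the flood and log it. The following Python script is an added example, not code from the article or its authors, showing what a defender would look for in such a capture. It parses a constructed packet listing (the line layout only approximates a one-line-per-packet summary export and is not a real Ethereal file), summarizes hosts, protocols and the most-contacted address, and flags a SYN flood as a burst of half-open connection attempts from many distinct sources against one port. All addresses, ports and timings are constructed; the window and threshold values are assumptions you would tune to your own traffic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of capture summary lines. This is NOT a real Ethereal
# export; the layout approximates "No. Time Source -> Destination Protocol Info",
# with TCP flags shown in brackets. Addresses are documentation ranges.
SAMPLE_CAPTURE = """\
1   0.000000  203.0.113.7 -> 192.0.2.10  TCP  1025 > 21 [SYN] Seq=0 Len=0
2   0.000410  192.0.2.10 -> 203.0.113.7  TCP  21 > 1025 [SYN, ACK] Seq=0 Ack=1 Len=0
3   0.000900  203.0.113.7 -> 192.0.2.10  TCP  1025 > 21 [ACK] Seq=1 Ack=1 Len=0
4   0.002100  203.0.113.7 -> 192.0.2.10  FTP  Request: USER anonymous
5   0.002500  192.0.2.10 -> 203.0.113.7  FTP  Response: 331 Please specify the password.
6   0.100000  198.51.100.21 -> 192.0.2.10  TCP  4000 > 21 [SYN] Seq=0 Len=0
7   0.100200  198.51.100.22 -> 192.0.2.10  TCP  4001 > 21 [SYN] Seq=0 Len=0
8   0.100400  198.51.100.23 -> 192.0.2.10  TCP  4002 > 21 [SYN] Seq=0 Len=0
9   0.100600  198.51.100.24 -> 192.0.2.10  TCP  4003 > 21 [SYN] Seq=0 Len=0
10  0.100800  198.51.100.25 -> 192.0.2.10  TCP  4004 > 21 [SYN] Seq=0 Len=0
11  0.101000  198.51.100.26 -> 192.0.2.10  TCP  4005 > 21 [SYN] Seq=0 Len=0
12  0.900000  192.0.2.10 -> 203.0.113.7  TCP  21 > 1025 [FIN, ACK] Seq=20 Ack=15 Len=0
"""

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$"
)
PORTS_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\d+)")
FLAGS_RE = re.compile(r"\[([^\]]*)\]")


@dataclass
class Packet:
    time: float
    src: str
    dst: str
    proto: str
    info: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()


def parse_capture(text: str) -> List[Packet]:
    """Turn the summary lines into Packet records; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = Packet(float(m["time"]), m["src"], m["dst"], m["proto"], m["info"])
        if pkt.proto == "TCP":
            pm = PORTS_RE.match(pkt.info)
            fm = FLAGS_RE.search(pkt.info)
            if pm:
                pkt.sport, pkt.dport = int(pm["sport"]), int(pm["dport"])
            if fm:
                pkt.flags = frozenset(f.strip() for f in fm.group(1).split(","))
        packets.append(pkt)
    return packets


def sniff_summary(packets: List[Packet]) -> dict:
    """What the sniff test is after: hosts on the wire, protocols in use, and the
    address that draws the most traffic (the likely server)."""
    dst_count = Counter(p.dst for p in packets)
    hosts = {p.src for p in packets} | {p.dst for p in packets}
    return {
        "hosts": sorted(hosts),
        "protocols": dict(Counter(p.proto for p in packets)),
        "likely_target": dst_count.most_common(1)[0][0] if dst_count else None,
    }


def detect_syn_flood(packets: List[Packet], target: str, port: int,
                     window: float = 1.0, threshold: int = 5) -> dict:
    """Flag a SYN flood against target:port. A SYN is 'half-open' if no bare ACK
    from the same source address/port follows it; the flood signature is many
    half-open SYNs inside one time window, typically from many distinct sources
    (a spoofed flood spreads its source addresses). Window and threshold are
    assumed tuning values, not figures from the article."""
    syn_times, sources, completed = [], set(), set()
    for p in packets:
        if p.proto != "TCP" or p.dst != target or p.dport != port:
            continue
        key = (p.src, p.sport)
        if "SYN" in p.flags and "ACK" not in p.flags:
            syn_times.append((p.time, key))
            sources.add(p.src)
        elif "ACK" in p.flags:
            completed.add(key)
    half_open = [(t, k) for t, k in syn_times if k not in completed]
    # Peak number of half-open SYNs seen inside any sliding window.
    peak = 0
    for i, (t0, _) in enumerate(half_open):
        peak = max(peak, sum(1 for t, _ in half_open[i:] if t - t0 <= window))
    return {
        "syn_total": len(syn_times),
        "half_open": len(half_open),
        "distinct_sources": len(sources),
        "peak_half_open_per_window": peak,
        "flagged": peak >= threshold,
    }


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    summary = sniff_summary(pkts)
    print(summary)
    print(detect_syn_flood(pkts, summary["likely_target"], 21))
```

On the sample, the legitimate FTP session (one SYN, completed by a bare ACK) contributes nothing to the half-open count, while the six unanswered SYNs from six different sources within two milliseconds push the windowed count past the threshold. A firewall that "overcomes" the flood but cannot log it leaves the defender with only this kind of capture-side evidence, which is why the table's synflood criterion asks for both.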
