Sleep at Night with the AltaVista Firewall
A firewall is a computer placed between your network and the outside world that inspects everything
crossing that boundary. It runs special firewall software that examines each packet or connection against
a security policy and lets through only the traffic, and the users, that the policy authorizes. This keeps
unwanted visitors and dangerous files from passing through into the internal network.

Why do I need a firewall?
A firewall protects the systems and data on your network - while still letting you get your job done. In a
case where a company's security policies dictate how data must be protected, a firewall is very important
since it embodies corporate policy. A firewall can act as your corporate "ambassador" to the Internet. Many
corporations use their firewall systems as a place to store public information about corporate products and
services, files to download, bug-fixes, and more.

What can a firewall protect against?
Generally, firewalls are configured to protect against unauthenticated interactive log-ins from the "outside"
world. More than any other function, firewalls help prevent vandals from logging into machines on your
network. Some firewalls permit only e-mail traffic through them. Others provide less strict protection and
block only the services that are known to be problems. More elaborate firewalls block all traffic from the
outside to the inside while permitting users on the inside to communicate freely with the outside.

Firewalls are also important since they can provide a single point where security and audits can be imposed.

What can't a firewall protect against?
Firewalls cannot protect against attacks that don't go through the firewall. For example, a magnetic tape can
be used to export data just as effectively as the network can. Allowing physical access to the firewall
console is also extremely risky. Although separate virus-detection software can be run on the firewall,
firewalls cannot offer complete protection against viruses entering via the desktop, on diskettes or inside
files fetched over connections the firewall does permit. Nor can a firewall protect against a data-driven
attack, in which something is mailed or copied to an internal host and then executed there: the firewall
sees an authorized transfer, not the attack.

Why use an internal firewall?
A firewall can be used to secure a connection to a public network, or a connection to another private
network within your organization (an intranet connection). The firewall performs the same functions in both
cases. You may wish to deploy a firewall within a firewall, in which one firewall controls the connection to
the Internet, and a second firewall controls connections between internal networks.

Any network connection involves a balance between security and availability of services. A firewall lets you
control your network connection in three ways:
- Secure the internal network by preventing or restricting access to it
- Enforce security policies for your site
- Manage the services that are available to internal users, by controlling which hosts can reach each service
and which individuals may use it through the firewall

Does AltaVista Firewall install in a secure or unsecured state?
AltaVista Firewall is automatically installed in a secure state. That means during initial configuration,
the firewall blocks all traffic and logs all events. All Internet services are switched off - the
administrator must explicitly turn on any required service. When the service is first switched on, the most
restrictive security policy for the service is set by default. The administrator must explicitly set a less
restrictive policy. This ensures maximum security and minimizes the room for error. With AltaVista's
predefined policies and secure installation mode, the firewall can be up and running in hours rather than days.

On what hardware and operating system platforms does AltaVista Firewall run?
AltaVista Firewall runs on Windows NT on Intel and Alpha, Digital UNIX on Alpha hardware, and BSD/OS on Intel.

Has AltaVista Firewall been independently tested or certified?
Yes. AltaVista Firewall has received NCSA certification (see http://www.ncsa.com). It has also been
independently tested by a variety of groups.

Digital has tested AltaVista Firewall with SATAN (the Security Administrator Tool for Analyzing Networks) and
found no security vulnerabilities. SATAN is a collection of tests that probe networked systems for security
holes that are generally known to industry security experts. A properly configured firewall should therefore
repel SATAN's probes, and AltaVista Firewall does so. Note what such a scan does and does not show: a clean
SATAN run means none of the probes it knows about succeeded against the configuration tested, not that the
firewall is free of vulnerabilities, so the result is only as good as that configuration and the date of the test.

What makes AltaVista Firewall different from other firewalls?
AltaVista Firewall deploys a unique combination of technologies that lets you place a highly secure yet
flexible barrier between your private networks, the Internet and other private networks. It combines trusted
application gateways for popular Internet services with real-time reporting, comprehensive logging, custom
reporting, evasive action, anti-spoofing, strong user authentication and an industry-leading GUI, which
together provide an unparalleled level of protection.
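Anti-spoofing is named above as one of the firewall's protections, but the page never says what the check is. The following Python is an added illustration, not code from the AltaVista Firewall: it models the ingress rule a dual- or triple-homed firewall applies, dropping any packet whose source address could not legitimately have arrived on the interface it came in on, in both directions. The interface names, address ranges and firewall addresses are assumptions chosen for the example.

```python
import ipaddress

# Constructed topology for this example (not taken from the product page):
# "ext" faces the ISP, "dmz" holds the public servers, "int" is the intranet.
IFACE_NETS = {
    "int": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}
# Addresses of the firewall's own interfaces (assumed values).
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in ("203.0.113.1", "192.0.2.1", "10.0.0.1")}
# Sources that are never legitimate on the wire, whichever interface they arrive on.
NEVER_SOURCE = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("255.255.255.255/32"),
]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def check_ingress(iface, src, dst):
    """Return ("accept", "") or ("drop", reason) for a packet arriving on iface.

    dst is parsed only to reject malformed packets; the anti-spoofing decision
    depends on the source address and the interface it arrived on.
    """
    s, _ = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(s, NEVER_SOURCE):
        return "drop", "impossible source address"
    if s in FIREWALL_ADDRS:
        return "drop", "packet claims to come from the firewall itself"
    if iface == "ext":
        # Nothing claiming an internal or DMZ source can legitimately arrive from the ISP.
        for name, nets in IFACE_NETS.items():
            if _in_any(s, nets):
                return "drop", f"{name} source address arrived on external interface"
        return "accept", ""
    if iface in IFACE_NETS:
        # Reverse check (egress filtering): inside hosts may only use their own
        # address space, so a compromised inside host cannot spoof outward either.
        if not _in_any(s, IFACE_NETS[iface]):
            return "drop", f"non-{iface} source address arrived on {iface} interface"
        return "accept", ""
    return "drop", f"unknown interface {iface}"


if __name__ == "__main__":
    # Constructed sample packets: (interface, source, destination).
    for pkt in [("ext", "10.1.2.3", "192.0.2.5"), ("ext", "198.51.100.7", "192.0.2.5"),
                ("int", "198.51.100.7", "203.0.113.9"), ("int", "10.5.5.5", "203.0.113.9")]:
        print(pkt, "->", check_ingress(*pkt))
```

The external-interface rule is the one people mean by anti-spoofing; the reverse rule on the inside interfaces costs nothing extra and stops the firewall's own site from being the source of spoofed attacks.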

What is the source of AltaVista Firewall technology?
AltaVista Firewall is based on proven and tested application-level firewall technology that Digital developed
over a decade ago to protect its own Internet connections. These connections are among the busiest in the
world, with over two million mail messages passing through them each day. AltaVista Firewall and its
predecessors, Digital Firewall for UNIX and Digital SEAL, have been installed at the highest levels of US and
foreign government sites, at countless Fortune 500 sites and at many smaller businesses around the world.

Can AltaVista Firewall be expanded to handle larger, more complex environments?
Yes. AltaVista Firewall is available on your choice of platforms, Windows NT, BSD/OS and Digital UNIX, which
lets it scale from small businesses to enterprise environments.

| AltaVista Firewall                 | Price (US$) |
| For 25 nodes                       | $2,495      |
| For 50 nodes                       | $3,995      |
| For 200 nodes                      | $7,995      |
| For an unlimited number of nodes   | $14,995     |

AltaVista Firewall 97: Focus on OnSite Protection.
AltaVista Firewall deploys a combination of technologies that enable you to place highly-secure yet
flexible barriers among your private networks, the Internet and other private networks.
Today, the AltaVista Firewall keeps constant watch on the network day and night, actively deploying evasive-action technology to detect and stop network attacks. The active firewall offers maximum security based on a unique four-tiered alarm system. This alarm mechanism chooses its response not only from the attack itself but also from its context, which gives AltaVista Firewall better tools to fight repetitive or multi-proxy threats, such as the same source probing several proxies in turn.
AltaVista Firewall 97 also provides a wide spectrum of responses for every attack level, including mail or paging to system administrators, custom scripts, and even shutting down individual services or the whole firewall to protect your assets.
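As an added example of what a context-sensitive, four-tier alarm can look like (this is illustrative Python, not AltaVista Firewall code; the log format, log lines and tier thresholds are all constructed for the example), the following escalates per source address on two kinds of context: how many refusals it has collected inside a time window (repetition) and how many different proxies have refused it (multi-proxy).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "<time> <proxy> key=value" format.
# This is NOT AltaVista Firewall's real log format; it only carries the fields
# the escalation logic needs (time, proxy, source address, user, result).
SAMPLE_LOG = """\
1997-02-03T02:14:05 telnet-gw src=192.0.2.10 user=alice result=denied reason=badpass
1997-02-03T02:14:09 telnet-gw src=192.0.2.10 user=alice result=denied reason=badpass
1997-02-03T02:14:12 telnet-gw src=192.0.2.10 user=root result=denied reason=badpass
1997-02-03T02:14:20 ftp-gw src=192.0.2.10 user=anonymous result=denied reason=policy
1997-02-03T02:14:25 ftp-gw src=192.0.2.10 user=root result=denied reason=badpass
1997-02-03T02:14:31 finger-gw src=192.0.2.10 user=- result=denied reason=policy
1997-02-03T02:15:02 http-gw src=10.1.1.7 user=bob result=allowed url=http://www.digital.com/
1997-02-03T03:40:00 telnet-gw src=198.51.100.5 user=carol result=denied reason=badpass
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proxy>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)
WINDOW = timedelta(minutes=5)  # how far back "repetitive" looks

# The four tiers and the response each one triggers (assumed mapping).
ACTIONS = {
    1: "log only",
    2: "log and mail the administrator",
    3: "log and page the administrator",
    4: "log, page, shut down the targeted proxies and blacklist the source",
}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def tier(recent, proxies):
    """Pick a tier from context: denials inside WINDOW from this source
    (repetition) and distinct proxies it has been refused by (multi-proxy)."""
    n = len(recent)
    if n >= 6 or len(proxies) >= 3:
        return 4
    if n >= 4 or len(proxies) >= 2:
        return 3
    if n >= 2:
        return 2
    return 1


def evaluate(log_text):
    """Return one (time, src, proxy, tier, action) alarm per denied event."""
    recent = defaultdict(deque)   # src -> timestamps of denials inside WINDOW
    proxies = defaultdict(set)    # src -> proxies that refused it; deliberately not
                                  # windowed so a slow scan across services still escalates
    alarms = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "denied":
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        proxies[src].add(ev["proxy"])
        level = tier(q, proxies[src])
        alarms.append((ts.isoformat(), src, ev["proxy"], level, ACTIONS[level]))
    return alarms


def highest_tier(alarms, src):
    return max((a[3] for a in alarms if a[1] == src), default=0)


if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_LOG):
        print(*alarm)
```

Run over the constructed lines, the source 192.0.2.10 climbs from tier 1 to tier 4 in under half a minute because it both repeats and moves between telnet, ftp and finger, while a single failed telnet login from another source stays at tier 1. The thresholds are the part a site tunes; the shape (window plus distinct-target count) is what makes the response depend on context rather than on one event.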
| AltaVista Firewall 97 Features              | Digital UNIX | Windows NT (Alpha/Intel) |
| Best-in-class management                    | X            | X (note 1)               |
| URL and Java blocking                       | X            | X (note 2)               |
| Proxies                                     |              |                          |
|   Enhanced WWW proxy                        | X            |                          |
|   RealAudio proxy                           | X            | X                        |
|   Generic UDP proxy                         | X            |                          |
|   SQL*Net proxy                             | X            | X                        |
|   One-to-one and many-to-one generic proxy  | X            | X (note 3)               |
| Authentication                              |              |                          |
|   NT domain login                           |              | X                        |
|   Web user or group of users                | X            |                          |
| Dual DNS                                    | X            |                          |
| Single server for firewall and VPN          | X (note 4)   | X                        |
| DMZ support                                 | X            |                          |

Note 1: Some restrictions apply; see the feature description.
Note 2: Only URL blocking is supported on NT.
Note 3: Already supported on NT.
Note 4: Already supported on UNIX.

Excelling in all aspects of management: This is a key ingredient in the AltaVista Firewall design center. AltaVista not only delivers leading security features but also offers best-in-class management capabilities that significantly raise the level of security achieved in practice: good firewall management greatly reduces the risk of mis-configuration when implementing policies. It also decreases system managers' time and reduces overall MIS costs.
According to Network-World (2/3/97) "AltaVista Firewall is the easiest to configure and control of all the firewalls we looked at." This security report continues by stating that "AltaVista Firewall... has one of the most sophisticated features in this (reporting and accounting) area." AltaVista Firewall 97 maintains its leadership in this active management arena by including the best-in-class enhanced management in its offering.
Managing heterogeneous configurations: Because system administrators may have to manage several platforms, remote firewall management is consistent and compatible across all supported platforms. It implements an HTML-based user interface for the same look and feel everywhere, and it is written in Java for portability.
Centralized management: AltaVista Firewall 97 offers remote management of firewalls in networks of any size from a centralized console running either Windows 95 or Windows NT. This saves both cost and time by letting system administrators monitor their UNIX- or NT-based firewalls, and take quick action, from one place.
Remote management without compromising security: Unlike competing offerings that reach the firewall over a weak link such as a serial port or a telnet session on a high port, AltaVista Firewall remote management includes, at no cost, the best-in-class features of the AltaVista Tunnel. The tunnel product provides RSA 512-bit authentication, MD5 integrity and encryption with 128-bit keys (U.S.) or 56/40-bit keys (international). Two caveats for the practitioner: the 128/56/40-bit figures describe the session cipher, not RSA (a 128-bit RSA modulus would be factored in moments), and 40-bit keys had already been brute-forced publicly before this product shipped, so the international build protects the management session against casual eavesdropping rather than against a determined, well-funded adversary.
Efficiently managing firewalls from anywhere: The new remote management lets system administrators view firewall activity and quickly take appropriate action. Consistent with AltaVista's OnSite Computing vision, network managers can manage the firewall from anywhere within the intranet or from an untrusted network.
On all supported platforms, the remote management displays the state of every service, together with other status information and alarms. It also lets the administrator change the firewall status and start or stop specific services such as FTP. Additionally, on Digital UNIX, network administrators can maintain and manage security policies, user authentication, DNS, mail, the new SNMP alarms and active traffic monitoring. Furthermore, different levels of control can be assigned on UNIX: for example, one firewall administrator can monitor the status of the firewall while another can change some security policies.
URL and Java blocking: This is both a performance and a security feature. According to easily definable policies, AltaVista Firewall 97 can block URLs, both to preserve network bandwidth and to restrict access to specific Web sites for productivity reasons. Security managers define the URL access policies. AltaVista Firewall 97 can also detect Java applets and either filter them selectively through the firewall or block them entirely, to protect against one of the most common network attacks.
Enhanced WWW proxy: This updated proxy contains significant performance improvements based on code optimization and a caching implementation. It supports HTTP, HTTPS/SSL, gopher and FTP. It writes the CERN/NCSA Common Log Format for better reporting and integration with third-party analysis tools. As with the other proxies, per-user access-restriction policies can be combined with time-of-day limitations.
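The per-user, time-limited URL policy and the applet filtering described for the WWW proxy can be modelled in a few dozen lines. The Python below is an added example and not the product's policy syntax or code; the groups, rules, hostnames and the lunch-hour window are assumptions chosen for the example, and the applet filter shows the "block entirely" case by stripping <applet> elements from a response body.

```python
import fnmatch
import re
from datetime import datetime, time
from urllib.parse import urlsplit

# Assumed user/group directory (the real product would take this from its
# authentication database).
GROUPS = {"engineering": {"alice", "bob"}, "sales": {"carol"}}

# Assumed policy: (action, group or "*", host pattern, (start, end) window or None).
# Rules are evaluated in order and the first match wins; no match means deny.
RULES = [
    ("deny",  "*",           "*.games.example.net", None),
    ("allow", "engineering", "*",                   None),
    ("allow", "sales",       "*.example.com",       None),
    ("allow", "sales",       "*",                   (time(12, 0), time(13, 0))),
]


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def in_window(now, window):
    """True if now falls inside the window; windows may wrap past midnight."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def check_request(user, url, now):
    """Decide whether an authenticated user may fetch url at time now."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False, "malformed URL"
    ugroups = groups_of(user)
    if not ugroups:
        return False, "unauthenticated or unknown user"
    for action, group, pattern, window in RULES:
        if group != "*" and group not in ugroups:
            continue
        if not fnmatch.fnmatch(host, pattern):
            continue
        if not in_window(now, window):
            continue
        return action == "allow", f"rule ({action}, {group}, {pattern})"
    return False, "no matching rule (default deny)"


# Applet blocking on the response path: remove <applet ...>...</applet> elements.
# This catches the common HTML case only; fetches of .class files by URL should be
# refused by a URL rule as well, because the tag is not the only way to load code.
APPLET_RE = re.compile(r"<applet\b.*?</applet\s*>", re.IGNORECASE | re.DOTALL)


def strip_applets(html):
    return APPLET_RE.sub("<!-- applet removed by proxy policy -->", html)


if __name__ == "__main__":
    noon = datetime(1997, 2, 3, 12, 30)
    print(check_request("carol", "http://www.digital.com/", noon))
    print(strip_applets('<p>hi</p><APPLET code="Evil.class"></APPLET>'))
```

The ordering matters: the site-wide deny for the games host is first so that a later, broader allow cannot override it, and the default at the end of the list is deny, matching the secure-install behaviour described earlier on this page.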
Support for the RealAudio proxy: RealAudio is an application that plays audio in real time over Internet connections. Through the RealAudio proxy, managers can allow or prevent users with Web browsers on internal systems from reaching RealAudio services on the external network. For this proxy, system administrators can specify security policy details, time restrictions and blacklists of hosts that are forbidden access, as with the FTP, telnet and finger proxies.
New Generic UDP proxy: A new generic UDP proxy allows UDP-based applications, such as Internet Chat, to pass through the firewall securely.
New SQL*Net proxy: With AltaVista Firewall 97, system architects are free to build sophisticated, distributed networks of Oracle7 or third-party data repositories across the Internet. SQL*Net establishes a connection to a database when a client or another database server process requests a database session. The proxy is based on the Oracle Multi-Protocol Interchange (MPI), so it inherits many of the Multi-Protocol Interchange's features. The SQL*Net proxy controls access using the information in the SQL*Net connect packet: the client machine name, the destination name and the database service. The firewall also integrates administration of this authorization list with its various authentication methods, such as smartcards.
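The connect-packet fields the proxy checks (client machine name, destination, database service) travel in the SQL*Net connect descriptor, a nested keyword-value string. The following is an added Python example and not the AltaVista proxy's code: it parses a constructed descriptor of that form and applies an authorization list of the kind the paragraph describes. The descriptor text, host names, networks and rules are assumptions. One caveat the example handles: the client host name inside CONNECT_DATA is supplied by the client, so each rule also binds it to the network the TCP connection actually arrived from.

```python
import fnmatch
import ipaddress


def parse_tns(text):
    """Parse a TNS keyword-value string such as (A=(B=1)(C=2)) into nested dicts.
    Repeated keys (for example several ADDRESS entries) become lists."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        eq, close = text.find("=", pos), text.find(")", pos)
        if eq == -1 or (close != -1 and close < eq):
            raise ValueError(f"expected '=' after {pos}")
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if pos < len(text) and text[pos] == "(":
            value = {}
            while True:
                skip_ws()
                if pos < len(text) and text[pos] == "(":
                    k, v = node()
                    if k in value:
                        value[k] = (value[k] if isinstance(value[k], list) else [value[k]]) + [v]
                    else:
                        value[k] = v
                else:
                    break
        else:
            end = text.find(")", pos)
            if end == -1:
                raise ValueError("unterminated value")
            value = text[pos:end].strip()
            pos = end
        skip_ws()
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return key, value

    k, v = node()
    return {k: v}


def _d(x):
    return x if isinstance(x, dict) else {}


def _s(x):
    return x if isinstance(x, str) else ""


def connect_fields(desc):
    """Pull client host, destination host and service out of a parsed descriptor.
    Assumes ADDRESS sits directly under DESCRIPTION; with several, the first is used."""
    d = _d(desc.get("DESCRIPTION"))
    addr = d.get("ADDRESS")
    addr = _d(addr[0] if isinstance(addr, list) else addr)
    cd = _d(d.get("CONNECT_DATA"))
    cid = _d(cd.get("CID"))
    return {
        "client_host": _s(cid.get("HOST")).lower(),
        "dest_host": _s(addr.get("HOST")).lower(),
        "service": (_s(cd.get("SERVICE_NAME")) or _s(cd.get("SID"))).upper(),
    }


# Constructed authorization list: (client host glob, network the TCP peer must
# belong to, destination host, database service).
AUTHORIZED = [
    ("*.corp.example.com", "10.0.0.0/8", "dbhost.example.com", "ORCL"),
    ("report1.partner.example.net", "198.51.100.0/24", "dbhost.example.com", "REPORTS"),
]


def authorize(connect_string, peer_ip):
    """Decide whether to relay a SQL*Net session; peer_ip is the real TCP source."""
    try:
        f = connect_fields(parse_tns(connect_string))
    except ValueError as e:
        return False, f"unparseable connect packet: {e}"
    if not all(f.values()):
        return False, "connect packet missing client host, destination or service"
    peer = ipaddress.ip_address(peer_ip)
    for host_glob, net, dest, service in AUTHORIZED:
        if (fnmatch.fnmatch(f["client_host"], host_glob) and peer in ipaddress.ip_network(net)
                and f["dest_host"] == dest and f["service"] == service):
            return True, f"matched rule for {host_glob} -> {dest}/{service}"
    return False, "no authorization rule matches"


# Constructed sample connect descriptor (SQL*Net v2 style).
SAMPLE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost.example.com)(PORT=1521))"
          "(CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=ws17.corp.example.com)(USER=scott))))")

if __name__ == "__main__":
    print(authorize(SAMPLE, "10.3.4.5"))
    print(authorize(SAMPLE, "198.51.100.9"))
```

Without the peer-address binding, any host able to reach the proxy could claim an authorized client name in CID and pass; with it, a spoofed name from the wrong network is refused even though every descriptor field matches a rule.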
Generic TCP relay enhancements: AltaVista Firewall 97 broadens security policies by offering a generic TCP relay for one-to-many and many-to-one connections. Consequently, an instance of the generic relay such as news can have one server on the inside of the firewall getting feeds from multiple news servers on the outside. This generic relay is also fully transparent outbound so there will be no need to reconfigure internal systems. The management GUI supports both one-to-many and many-to-one configurations.
Authentication for WWW users or groups of users: The enhanced WWW proxy can require authentication of specific users or groups of users by any authentication scheme currently supported by the UNIX firewall, such as CRYPTOCard or reusable passwords. This gives system administrators great flexibility to implement their policies at finer granularity. The authentication is integrated with the existing system management GUI on UNIX.
Windows NT domain authentication support: This feature integrates the Windows NT domain authentication scheme. Users authenticated by the domain can be granted access to Internet services (e.g. FTP, telnet), giving finer-grained control over firewall traversal. This is a clear win for both end users and MIS managers: MIS managers can build the NT domain concept into their policies, and users get a simpler login. AltaVista Firewall 97 authenticates in both directions across the firewall.
Dual DNS: Before AltaVista Firewall 97, the recommended name server configuration was the hidden-DNS setup, which hides the internal address space from the untrusted network. That recommendation, however, required setting up a second name server inside the intranet, which created management problems of its own.
With AltaVista Firewall 97, the firewall itself can be configured as a Dual-DNS server that knows which names are internal and which are external, and answers each side accordingly. The Dual-DNS server is fully configurable through the GUI-based management.
Single server for firewall and VPN: Fortune 500 companies are mostly interested in dedicated boxes, for security, performance and management reasons. AltaVista has already offered the capability of running the AltaVista Tunnel (VPN) server on the same UNIX box as the firewall, keeping the security impact small through close integration of the two products. With Firewall 97, AltaVista extends this integrated solution to Windows NT servers.
Note that the Windows NT server must be connected to the ISP through a router. Support for a direct connection over an ISDN or dial-up line will follow in a later release.
DMZ support: With DMZ (demilitarized zone) support, AltaVista Firewall 97 on UNIX offers more than the simple trusted/untrusted implementation that supports only two LAN connections. While two interfaces are often enough for an Internet-oriented firewall, many organizations need three: one for the Internet, one for public servers such as WWW, news and FTP, and one for the intranet. DMZ support gives security managers great flexibility when configuring their security implementations. While DMZ is fully supported, it still has to be configured outside the GUI; an application note in the GUI describes the configuration process.
| Type of firewall                    | Digital UNIX                                                | Windows NT                                    |
| Hardware                            | Alpha                                                       | Intel and Alpha                               |
| Software                            | Only                                                        | Only                                          |
| Packet filtering                    | Yes                                                         | Future                                        |
| Application-level                   | Yes                                                         | Yes                                           |
| Circuit-level                       | Yes                                                         | Yes                                           |
| Dual-homed                          | Yes                                                         | Yes                                           |
| Fast networking connections         | Yes                                                         | Yes                                           |
| DMZ support                         | Yes                                                         | No (future)                                   |

| Proxies                             | Digital UNIX                                                | Windows NT                                    |
| Proxy server                        | Yes                                                         | Yes                                           |
| Transparent proxy                   | Yes (FTP, Telnet, generic TCP, SMTP)                        | Future                                        |
| Telnet                              | Yes                                                         | Yes                                           |
| FTP                                 | Yes                                                         | Yes                                           |
| SMTP                                | Yes                                                         | Yes                                           |
| NNTP                                | Yes                                                         | Yes                                           |
| HTTP                                | Yes                                                         | Yes                                           |
| Gopher                              | Yes                                                         | Yes                                           |
| S-HTTP                              | Yes (with SSL)                                              | Yes (with SSL)                                |
| POP                                 | Yes (via generic TCP relay)                                 | Yes (via generic TCP relay)                   |
| RPC                                 | No (large security risk)                                    | No (large security risk)                      |
| ICMP                                | No (no pings through the firewall)                          | No (no pings through the firewall)            |

| Authentication and encryption       | Digital UNIX                                                | Windows NT                                    |
| Reusable passwords                  | Yes                                                         | Supported through NT domain authentication    |
| One-time passwords                  | Yes                                                         | No                                            |
| Token-based                         | Yes (Security Dynamics, CRYPTOCard, S/Key, Racal Watchword) | Yes (Security Dynamics)                       |
| Encryption                          | Yes, via AltaVista Tunnel (40/56/128-bit)                   | Yes, via AltaVista Tunnel (40/56/128-bit)     |
| Tunneling / virtual private network | Yes, via AltaVista Tunnel                                   | Yes, via AltaVista Tunnel                     |

| Additional security                 | Digital UNIX                                                | Windows NT                                    |
| Anti-spoofing                       | Yes                                                         | Yes                                           |
| Internal address hiding             | Yes                                                         | Yes                                           |
| Trusted operating system            | Yes                                                         | Yes                                           |
| Virus scanning                      | Yes (via third parties, e.g. Finjan, McAfee)                | Yes (via third parties, e.g. Finjan, McAfee)  |
| Java blocking                       | Yes                                                         | No                                            |
| URL blocking                        | Yes                                                         | Yes                                           |
| ActiveX blocking                    | Future                                                      | Future                                        |

| Certification                       | Digital UNIX                                                | Windows NT                                    |
| NCSA                                | Yes                                                         | Yes (first vendor to obtain NT certification) |
| ITSEC                               | Future                                                      | Future                                        |

| Management                          | Digital UNIX                                                | Windows NT                                    |
| Graphical interface                 | Yes (HTML)                                                  | Yes (HTML and Windows)                        |
| Real-time monitoring                | Yes                                                         | Yes                                           |
| Real-time reporting                 | Yes                                                         | Yes                                           |
| Service-user logging                | Yes                                                         | Yes                                           |
| Failed-usage attempt logging        | Yes                                                         | Yes                                           |
| Statistical analysis                | Yes                                                         | Yes                                           |
| Alarm analysis                      | Yes                                                         | Yes                                           |
| Evasive action                      | Yes                                                         | Yes                                           |
| Paging                              | Yes (SNPP and script)                                       | Yes (script only)                             |
| Remote administration               | Yes                                                         | Yes                                           |
| Central admin of multiple firewalls | Yes                                                         | Yes                                           |