Raptor Firewall 6.5

The last time I looked at the Raptor firewall product, in 1998, it was called Raptor EagleNT. Today, Axent Technologies owns the product and has simplified its name to Raptor Firewall 6.5. Raptor Firewall 6.5 is packed full of features and functionality. It fits well into any size network and has enough flexibility that most companies won't need additional add-ons and security services.

Raptor Firewall 6.5 runs on Windows NT 4.0, and the product will soon be available for Windows 2000, Sun Solaris, HP-UX, and Tru64 UNIX. Diverse networks can benefit from the product's support of a wide range of authentication technologies, including TACACS+, RADIUS, NT authentication, Defender, SecurID, CryptoCard, Lightweight Directory Access Protocol (LDAP), S/Key, Entrust, and gateway passwords. LDAP support is new for Raptor Firewall 6.5, and so is the product's bidirectional Network Address Translation (NAT) support. Bidirectional NAT helps you obscure a system's true internal network address by letting you predefine address mappings so that the source IP address of data packets is different from the firewall's IP address.

For firewall management, Raptor Firewall 6.5 includes a new management interface that uses the Microsoft Management Console (MMC). I found the Raptor Management Console (RMC) plug-in well designed and easy to use, with one caveat: the RMC lets you view and manage only one firewall at a time.

Raptor is an application-level firewall driven by proxies, which is a bit safer than stateful-inspection or packet-filtering firewalls because a proxy acts as a more intelligent agent on behalf of the user. The product comes with out-of-the-box support for numerous common protocols. Raptor supports proxies for NetBIOS, Common Internet File System (CIFS), H.323, streaming multimedia, and commonly used services such as SMTP mail, Network News Transfer Protocol (NNTP) news, Web, Secure Sockets Layer (SSL), and more. Using the Generic Service Passes (GSP), you can define custom proxies—even if you must use nonstandard ports. With GSP, the product is well suited to support future applications. A slick feature of the SMTP proxy is that it can help block mail server attacks and spam by screening mail session content as it passes through the firewall.

For added protection, the firewall supports add-ons such as WebNot and NewsNot, products that can help companies block access to unwanted Web and Usenet newsgroup content. In addition, the product supports MIMESweeper, which screens out malicious content in email and Web downloads.

Raptor supports other protective measures that can, for example, detect too many connection attempts in a given period of time—evidence of several common Denial of Service (DoS) attacks. Another nice feature is the product's antispoofing protection, which lets you associate IP addresses with specific network interfaces so that the firewall will drop all packets when the two identifiers don't match. Raptor also guards against network flooding, such as with a SYN attack.
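The two checks described above, sketched as an added example (not Raptor's code and not part of the original review): a source address is validated against the interface it arrived on, and a sliding window flags a source that makes too many connection attempts. The interface names, address ranges, thresholds, verdict strings and the treatment of an unbound interface as external are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed interface bindings; names and ranges are assumptions.
INTERFACE_NETWORKS = {
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.168.50.0/24")],
}

def is_spoofed(interface, src_ip):
    """True when src_ip does not match the interface it arrived on."""
    addr = ipaddress.ip_address(src_ip)
    if interface in INTERFACE_NETWORKS:
        # Bound interface: source must lie in one of its networks.
        return not any(addr in net for net in INTERFACE_NETWORKS[interface])
    # Unbound (external) interface: a source claiming a bound range is spoofed.
    return any(addr in net for nets in INTERFACE_NETWORKS.values() for net in nets)

class ConnectionRateMonitor:
    """Flags a source that exceeds max_attempts within window seconds."""

    def __init__(self, max_attempts, window):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # src_ip -> recent timestamps

    def record(self, src_ip, timestamp):
        recent = self.attempts[src_ip]
        recent.append(timestamp)
        while recent and recent[0] <= timestamp - self.window:  # expire old
            recent.popleft()
        return len(recent) > self.max_attempts

def filter_attempts(attempts, monitor):
    """Return one verdict per (timestamp, interface, src_ip) record."""
    verdicts = []
    for timestamp, interface, src_ip in attempts:
        if is_spoofed(interface, src_ip):
            verdicts.append("drop-spoofed")
        elif monitor.record(src_ip, timestamp):
            verdicts.append("alert-rate")
        else:
            verdicts.append("pass")
    return verdicts

# Constructed connection attempts: (seconds, arriving interface, source IP).
SAMPLE_ATTEMPTS = [(0, "inside", "10.1.2.3"), (1, "outside", "10.9.9.9"),
                   (2, "outside", "203.0.113.7"), (3, "outside", "203.0.113.7"),
                   (4, "outside", "203.0.113.7"), (70, "outside", "203.0.113.7")]
```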

For networks that need to protect data as it travels over networks, Axent offers its PowerVPN as an add-on or standalone product. You can apply Raptor Firewall rules to VPN to restrict traffic within a tunneled connection. You can purchase the firewall with no VPN support, with site-to-site VPN support, or with the PowerVPN integrated into the firewall to protect the internal network traffic, connections to other firewalls, and IKE-compliant mobile users.

I tested the basic Raptor Firewall without VPN support on an NT Server 4.0 system with Service Pack 6a (SP6a). The installation process was intuitive, and dialog boxes helped me throughout the process. For example, Raptor documentation comes as Adobe Portable Document Format (PDF) files, but my test system didn't have the Adobe Acrobat reader installed. The setup program recognized this problem and prompted me to install the reader. The same held true for the MMC—it wasn't installed on my test system, so the setup program prompted me to install it as part of the setup process.

A great feature of the firewall is OS hardening. The firewall runs on top of NT, which has its share of inherent security risks. To help protect the OS, Raptor inserts a shim into the TCP/IP stack that helps protect the network layer and disables numerous risky system services. For example, before I installed the firewall, we had 15 default services running on the server. After the firewall installation completed, I found only five services running: Event log, Plug and Play (PnP), remote procedure call (RPC) Service, Spooler, and the Raptor Security Gateway service (the firewall itself). Once installed and running, the firewall checks the available system services every 60 seconds to ensure that no unwanted services have become available. If an unauthorized service is running, the firewall shuts it down.

With the product installed, I opened the RMC and connected to the firewall to begin the configuration. The first thing I noticed was that the icons in the left pane appeared as solid black characters. After some quick trial and error, I discovered that the icons are designed with 256 colors, so they turn up black on displays set to a higher color scale. My display was set to 65K colors, so I readjusted it to 256 colors, and the icons displayed correctly.

To complete the basic configuration, I defined a few test users, groups, and network entities (e.g., subnet addresses, host addresses, domain, and workgroup). The work went smoothly using the RMC, with no major hurdles or misunderstandings on my part. Next, I defined traffic rules. For users' definitions, I had to provide usernames and authentication methods. In my tests, I used the integrated NT domain authentication, which saves time on networks with many users—you don't have to enter the users' passwords because the NT Server the firewall authenticates against already has the password information. To use NT authentication, the firewall must be a member of the PDC's domain. Keep in mind that NT authentication isn't the most secure user authentication method—the challenge and response information travels as clear text. If your networks require a high level of security, you might prefer to use one of the other supported authentication schemes, such as LDAP.

A shortcoming I discovered is that no rule templates ship with the product—I had to create all my rules from scratch. Another deficit is that unlike Network-1's FirewallPLUS, Raptor can't save rule sets for reloading later. So you can't easily apply a different set of rules or export the rules to use on another firewall.

Raptor's rule filters are granular. For example, within the NNTP Rules Profiles, I could create a rule that prevents all users from reading or posting on a certain newsgroup. I found that I could establish time-based rules, which help restrict traffic. The time-based rule logic is very flexible, so I could specify time periods by time of day, day of week, and ranges of time, such as Monday through Wednesday or November 1, 2000, through December 31, 2000. I could also mix the parameters to choose more diverse time periods.

In addition, I could define rules with user and group inclusion or exclusion. For example, if I want to grant all but a few users access to NetMeeting, I could select "All Users Except" on the Rule dialog box and then select which users to exclude. I could also define rules that allow specific groups access and add select users that don't belong to the specified groups. To further secure access to resources, I could specify a particular authentication type for a given rule.
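A model of the rule logic described in the two paragraphs above, as an added example (not Raptor's rule engine or file format, and not part of the original review): time windows that mix weekdays, time of day and date ranges, combined with group membership, extra users, "All Users Except" exclusion and a required authentication type. All class, field, user, group and service names are hypothetical, and default deny is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time

@dataclass
class TimeWindow:
    """Weekdays, time of day and date range; unset parts match anything."""
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday
    start: time = time.min
    end: time = time.max
    first_day: date = date.min
    last_day: date = date.max

    def contains(self, when: datetime) -> bool:
        return (when.weekday() in self.weekdays
                and self.start <= when.time() <= self.end
                and self.first_day <= when.date() <= self.last_day)

@dataclass
class Rule:
    service: str
    window: TimeWindow = field(default_factory=TimeWindow)
    groups: frozenset = frozenset()        # groups granted access
    extra_users: frozenset = frozenset()   # users added outside the groups
    all_users_except: frozenset = None     # set => "All Users Except" mode
    required_auth: str = None              # authentication type the rule demands

    def user_matches(self, user, user_groups):
        if self.all_users_except is not None:
            return user not in self.all_users_except
        return user in self.extra_users or bool(self.groups & set(user_groups))

    def allows(self, service, user, user_groups, auth, when):
        return (service == self.service
                and self.window.contains(when)
                and self.user_matches(user, user_groups)
                and self.required_auth in (None, auth))

def evaluate(rules, service, user, user_groups, auth, when):
    """Default deny (an assumption): permit only if some rule allows."""
    return any(r.allows(service, user, user_groups, auth, when) for r in rules)

# Constructed sample rules; user, group and service names are hypothetical.
SAMPLE_RULES = [
    Rule("netmeeting", all_users_except=frozenset({"temp1", "temp2"})),
    Rule("nntp", groups=frozenset({"staff"}), extra_users=frozenset({"contractor1"}),
         required_auth="ldap",
         window=TimeWindow(weekdays=frozenset({0, 1, 2}),  # Monday through Wednesday
                           first_day=date(2000, 11, 1), last_day=date(2000, 12, 31))),
]
```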

Another slick feature of the product is that it can redirect services to other hosts behind the firewall. For example, if a user outside the firewall attempts to access a particular host address on a particular port, Raptor can transparently redirect that request to a different machine on a different port without the user's knowledge. This redirection helps protect the true identity of internal systems and offers a way to load balance traffic across multiple hosts. In addition, the feature lets you publish one address to grant access to different systems. So, for example, FTP and Web requests could use the same published IP address, and the firewall could redirect FTP traffic to one internal machine while channeling Web traffic to another internal machine.

Firewall administrators want to know about security issues as soon as possible, and Raptor helps make that possible through its supported notification methods. The firewall supports audible, email, pager, SNMP, and external program alerts. I could define alerts based on an incident's severity level, where I could selectively specify which severity level would trigger an alert notification.

Overall, I found Raptor Firewall 6.5 to be a great product because of its flexibility and well-rounded feature set. Administrators familiar with firewalls will find the product well documented. During my tests, I found no need to call Axent's technical support for assistance. If you're looking for an enterprise-level firewall that can fit into diverse environments and scale in step with your network, be sure to place Raptor on your short list.



Raptor Firewall 6.5
Contact: AXENT Technologies, Inc.; 301-258-5043
Web: http://www.axent.com
Price: Starts at $1995
Decision Summary:
Pros: VPN support; Proxy rules can apply to VPNs; easy-to-use management interface; continual OS hardening; malicious traffic filters; definable custom proxies
Cons: Can't view multiple firewalls in the management interface; no import feature for rule templates or saved configurations.