Useful Tips

Overview of Software Firewalls for ISPD Security

Pin
Send
Share
Send
Send


Like many other advanced products for remote management, RMS Remote Access has a special built-in technology that makes it easy to overcome firewalls and NAT. In our product, this technology is called “Internet-ID”. RMS also supports other advanced tools for working in complex networks, such as proxy server support, “connection through the host”, and so on. "Reverse connection".

Internet id

Thanks to the Internet-ID technology, special configuration of firewalls or port forwarding via NAT is no longer required. Establishing connections is coordinated by the servers of our company, i.e. just specify the ID (unique identifier) ​​of the remote computer. You do not even need to know its IP address or DNS name. To establish a connection, just enter the ID and password.

Proxy support

Sometimes, inside the organization, all Internet traffic is redirected through the so-called proxy server. Currently, this technology is considered obsolete, however, it is still quite widespread. The main disadvantage of this technology is that software that requires access to the Internet must be able, in a special way, to interact with a proxy server. A fully transparent connection is not possible.

Proxy server support is available both on the Client side and on the Host side. On the Client side, you can specify separate proxy server settings for each connection.

It is also possible to import proxy settings directly from Internet Explorer. There is support for HTTP, HTTPS and SOCKS4 / 5 proxies. There is NTLM authorization.

Connection via Host

The computer on which the RMS Host is installed can act as an intermediate link to connect to another Host. This is possible thanks to the “Connect via Host” function, it can be enabled in the connection properties, on the “Network and operating mode” tab.

Below is a small usage example. Suppose you have a network of 10 computers. Only one has direct internet access. It is necessary through the Internet, from the outside, to access one of the computers that do not have direct access to the Internet. Thanks to the “Connect via Host” function, a computer with the Internet can act as a “bridge” between the remote administrator and computers within the local network. To do this, you will first need to log in to the first (gateway) computer, and then to the computer within the network.

Reverse connection

This function is the parent of Internet->

If you do not have a clear understanding of how the TCP / IP connection is made, the Internet-ID rather than a “reverse connection” is the best choice.

Choosing a firewall for a certain level of personal data security

In this review, we will consider the firewalls presented in Table 1. This table shows the name of the firewall and its class. This table will be especially useful when selecting software to protect personal data.

Table 1. List of FSTEC Certified Firewalls

SoftwareME class
ME “Block Post-Screen 2000 / XP”4
Special software “Z-2” firewall, version 22
TrustAccess Information Security Tool2
TrustAccess-S Information Security Tool2
StoneGate Firewall2
Security Studio Endpoint Protection Personal Firewall4
The software package "Security Server CSP VPN Server. Version 3.1"3
The software package "Security Gateway CSP VPN Gate.Version 3.1"3
The software package “Security Client CSP VPN Client. Version 3.1 "3
Firewall software package Ideco ICS 34
The software package "Traffic Inspector 3.0"3
Means of cryptographic information protection "Continent-AP". Version 3.73
Firewall "Cybersafe: Firewall"3
The software package "Internet Gateway Ideco ICS 6"3
VipNet Office Firewall4

All these software products, according to the FSTEC registry, are certified as firewalls.
According to the order of the FSTEC of Russia No. 21 dated February 18, 2013, to ensure the 1st and 2nd levels of protection of personal data (hereinafter referred to as PD), firewalls of at least 3 classes are used in case of urgency of threats of the 1st or 2nd type or interaction of the information system (IS ) with networks of international information exchange and firewalls of at least class 4 in case of relevance of threats of the 3rd type and lack of interaction between IP and the Internet.

To provide 3 levels of security for PDs, firewalls of at least class 3 (or class 4, in case of relevance of type 3 threats and the lack of interaction between IP and the Internet) are suitable. And to provide 4 levels of security, the simplest firewalls are suitable - at least grade 5. Those, however, are not currently registered in the FSTEC registry. In fact, each of the firewalls presented in Table 1 can be used to provide 1-3 security levels, provided that there are no threats of the 3rd type and there is no interaction with the Internet. If you have an Internet connection, you need a firewall of at least 3 classes.

Firewall Comparison

Firewalls have a specific set of features. So let's see what functions this or that firewall provides (or does not provide). The main function of any firewall is filtering packets based on a specific set of rules. Not surprisingly, all firewalls support this feature.

Also, all the firewalls in question support NAT. But there are quite specific (but no less useful) functions, for example, port masking, load control, multi-user mode of operation, integrity control, program deployment in ActiveDirectory and remote administration from the outside. Quite conveniently, you must admit when the program supports deployment to ActiveDirectory - you do not need to manually install it on each computer on the network. It is also convenient if the firewall supports remote administration from outside - you can administer the network without leaving your home, which will be relevant for administrators who are used to performing their functions remotely.

The reader will probably be surprised, but the deployment of ActiveDirectory does not support many of the firewalls shown in Table 1, the same can be said about other functions, such as load balancing and port masking. In order not to describe which of the firewalls supports this or that function, we systematized their characteristics in table 2.

Table 2. Firewall Features

How will we compare firewalls?

The main task of firewalls in protecting personal is the protection of ISPDn. Therefore, the administrator often does not care what additional functions the firewall will have. The following factors are important to him:

  1. Protection time. It is clear here, the faster the better.
  2. The convenience of use. Not all firewalls are equally convenient, as will be shown in the review.
  3. Cost. Often the financial side is crucial.
  4. Delivery time. Often, the delivery time is poor, and you need to protect the data now.

The security of all firewalls is about the same, otherwise they would not have a certificate.

Firewalls in Review

Next, we will compare three firewalls - VipNet Office Firewall, Cybersafe Firewall and TrustAccess.
TrustAccess Firewall - This is a distributed firewall with centralized management, designed to protect servers and workstations from unauthorized access, delimiting network access to the enterprise IP.
Cybersafe firewall - A powerful firewall designed to protect computer systems and the local network from external malicious influences.
ViPNet Office Firewall 4.1 - a software firewall designed to control and manage traffic and traffic conversion (NAT) between segments of local networks during their interaction, as well as in the interaction of local network nodes with resources of public networks.

ISPD protection time

What is ISPD protection time? In fact, this is the time it takes to deploy the program to all computers on the network and the time it takes to configure the rules. The latter depends on the ease of use of the firewall, but the first on the adaptability of its installation package to a centralized installation.

All three firewalls are distributed as MSI packages, which means that you can use ActiveDirectory deployment tools to install them centrally. It would seem simple. But in practice it turns out that no.

An enterprise typically uses centralized firewall management. This means that a firewall management server is installed on some computer, and client programs are installed on the rest, or as they are also called agents. The whole problem is that when installing the agent, you need to set certain parameters - at least the IP address of the management server, and maybe also a password, etc.
Therefore, even if you deploy the .msi files to all computers on the network, you still need to configure them manually. And this would not be very desirable, given that the network is large. Even if you have only 50 computers, just think about it - go to each PC and configure it.

How to solve a problem? And the problem can be solved by creating a transformation file (MST file), which is also an answer file for an MSI file. But neither VipNet Office Firewall nor TrustAccess can do this. That is why, by the way, Table 2 indicates that there is no support for deploying Active Directory. You can deploy these programs in the domain, but manual work of the administrator is required.

Of course, an administrator can use editors like Orca to create an MST file.


Fig. 1. Orca editor. Attempt to create .msst file for TrustAccess.Agent.1.3.msi

But do you really think it's that simple? Opened the .msi file in Orca, corrected a couple of parameters and got a ready answer file? There it was! Firstly, Orca itself is simply not installed. You need to download the Windows Installer SDK, from it using 7-Zip extract orca.msi and install it. Did you know about this? If not, then consider that you spent 15 minutes searching for the necessary information, downloading software and installing the editor. But this does not end all torment. An MSI file has many options. Look at the pic. 1 - these are only the parameters of the Property group. Which one to change to indicate the IP address of the server? You know? If not, then you have two options: either manually configure each computer or contact the developer, wait for an answer, etc. Considering that developers sometimes respond quite a while, the actual deployment time of a program depends only on the speed of your movement between computers. Well, if you installed the remote control tool in advance, then the deployment will be faster.

Cybersafe The firewall creates an MST file on its own, you just need to install it on one computer, get the treasured MST file and specify it in Group Policy. You can read about how to do this in the article “Differentiation of information systems in the protection of personal data”. For some creep (or even less), you can deploy a firewall to all computers on the network.

That is why the Cybersafe Firewall receives a rating of 5, and its competitors - 3 (thanks to at least the installers are in MSI format, not .exe).

ProductRating
VipNet Office Firewall
Cybersafe firewall
TrustAccess

The convenience of use

A firewall is not a word processor. This is a rather specific software product, the use of which is reduced to the principle of “installed, configured, forgot”. On the one hand, usability is a secondary factor. For example, iptables on Linux cannot be called convenient, but you use it? On the other hand, the more convenient the firewall is, the faster it will be possible to protect ISPDn and perform some functions for its administration.

Well, let's see how convenient the considered firewalls are in the process of creating and protecting ISDN.

We will start with the VipNet Office Firewall, which, in our opinion, is not very convenient. You can select computers in groups only by IP addresses. In other words, there is a binding to IP addresses and you need to either select different ISDN in different subnets, or split one subnet into ranges of IP addresses. For example, there are three ISPDn: Management, Accounting, IT. You need to configure the DHCP server so that computers from the Management group “get” IP addresses from the range 192.168.1.10 - 192.168.1.20, Accounting 192.168.1.21 - 192.168.1.31, etc. This is not very convenient. That’s exactly why VipNet Office Firewall will earn one point.


Fig. 2. When creating computer groups, there is an explicit binding to the IP address

In the cybersafe firewall, on the contrary, there is no binding to the IP address. Computers that are part of a group can be on different subnets, in different ranges of the same subnet, and even be located outside the network. Look at the pic. 3. The company’s branches are located in different cities (Rostov, Novorossiysk, etc.). Creating groups is very simple - just drag the computer names into the desired group and click the button To apply. After that, you can press the button Set rules to form specific rules for each group.


Fig. 3. Group Management in Cybersafe Firewall

As for TrustAccess, it should be noted close integration with the system itself. Already created system groups of users and computers are imported into the firewall configuration, which facilitates the management of the firewall in the ActiveDirectory environment. You can not create ISDN in the firewall itself, but use the existing computer groups in the Active Directory domain.


Fig. 4. User and computer groups (TrustAccess)

All three firewalls allow you to create so-called schedules, thanks to which the administrator can configure the passage of packets on a schedule, for example, restrict access to the Internet after hours. In VipNet Office Firewall, schedules are created in the section Timetables , and in the Cybersafe Firewall, the rule runtime is set when defining the rule itself.


Fig. 5. Schedules in the VipNet Office Firewall


Fig. 6. Runtime Rules in Cybersafe Firewall


Fig. 7. Schedule in TrustAccess

All three firewalls provide very convenient means for creating the rules themselves. And TrustAccess also provides a convenient rule creation wizard.


Fig. 8. Creating a rule in TrustAccess

Let's take a look at another feature - tools for receiving reports (magazines, logs). In TrustAccess, to collect reports and information about events, you need to install an event server (EventServer) and a report server (ReportServer). Not that this is a flaw, but rather a feature (“feature”, as Bill Gates said) of this firewall. As for the Cybersafe and VipNet Office firewalls, both firewalls provide convenient means of viewing the IP packet log. The only difference is that at Cybersafe Firewall all packets are displayed first, and you can filter the necessary ones using the capabilities of the filter built into the table header. And in VipNet Office Firewall you first need to install filters, and then view the result.


Fig. 9. Managing the IP Packet Log in Cybersafe Firewall


Fig. 10. Manage IP packet logs in VipNet Office Firewall

I had to remove 0.5 points from the firewall of Cybersafe for the lack of the function to export the log to Excel or HTML. The function is far from critical, but it is sometimes useful to simply and quickly export several lines from the log, for example, for “debriefing”.

So, the results of this section:

ProductRating
VipNet Office Firewall
Cybersafe firewall
TrustAccess

It is simply impossible to get around the financial side of the issue, because often it becomes decisive when choosing a product. So, the cost of one ViPNet Office Firewall 4.1 license (license for 1 year for 1 computer) is 15 710 rubles. And the cost of a license for 1 server and 5 TrustAccess workstations will cost 23 925 rubles. You can find the cost of these software products at the links at the end of the article.

Remember these two numbers are 15710 p. for one PC (per year) and 23 925 p. for 1 server and 5 PCs (per year). And now attention: for this money you can buy a license for 25 nodes Cybersafe Firewall (15178 p.) Or add a little and it will be enough for a license for 50 nodes (24025 p.). But the most important thing in this product is not the cost. The most important thing is the duration of the license and technical support. License for Cybersafe Firewall - no expiration date, as well as technical support. That is, you pay once and get a software product with a lifetime license and technical support.

ProductRating
VipNet Office Firewall
Cybersafe firewall
TrustAccess

Firewall

What is a firewall?

4 minutes reading

A thorough understanding of the principles of work firewalls (firewalls) and related technologies is absolutely necessary for any person who wants to develop in the field of information security. It also helps to configure and manage the information security system correctly and with a minimum of errors.

The word "firewall" usually refers to a system or device that is located on the border between the internal (trusted) network and the external.

Several different firewalls offer users and applications specific security management policies for various threats. They also often have the ability to record events, to provide the system administrator with the ability to identify, examine, verify and get rid of the threat.

Кроме того, несколько программных продуктов могут запускаться на рабочей станции только для защиты конкретной машины.

Сетевые брандмауэры обладают несколькими ключевыми особенностями, для того что бы обеспечивать защиту сети по ее периметру. Основной задачей сетевого брандмауэры является запрет или разрешение на пропуск траффика, который попадает в сеть, основываясь на предварительно настроенных политиках. The following are processes that allow you to grant or block access to traffic:

  • Single criteria (simple) packet filtering techniques
  • Multi-criteria packet filtering techniques
  • Proxies-servers
  • Status check packages
  • Network Address Translation

Package Filtering Methods

The main goal of packet filters is simply to control access to individual network segments by determining the allowed traffic. Filters typically examine incoming traffic at model level 2 OSI (transport). For example, packet filters are able to analyze TCP and UDP packets and evaluate them according to a number of criteria called access control sheets. They check the following items inside the package:

  • Outgoing network address
  • Destination Address
  • Outgoing port
  • Port of destination
  • Protocol

Various firewalls based on the packet filtering technique can also check the packet headers to determine the source of the packet — that is, from which session it appeared: new or existing.

Simple packet filtering techniques, unfortunately, have certain disadvantages:

Access Control Sheets can be extremely large and difficult to manage

They can be circumvented by packet substitution, an attacker can send a packet whose header will be the network address allowed by the access control list.

So many applications can constantly build multiple connections to randomly used ports. Because of this, it becomes really difficult to determine which ports will be used after the connection is established. For example, such an application are various multimedia programs - RealAudio, QuickTime and others. Packet filters do not perceive protocols above the transport protocol and their specificity associated with each specific application and providing such access using access control sheets is a very time-consuming task.

Delivery time

In our experience, the delivery time for VipNet Office Firewall is about 2-3 weeks after contacting Infotex. Honestly, this is quite a long time, considering that a software product is bought, not a PAK.
TrustAccess delivery time, if ordered through Softline, is from 1 day. A more realistic period is 3 days, given some delay of Softline. Although they can be delivered in 1 day, it all depends on the workload of Softline. Again - this is personal experience, the actual term for a particular customer may vary. But in any case, the delivery time is quite low, which cannot be noted.

As for the CyberSafe Firewall software product, the manufacturer guarantees the delivery of the electronic version within 15 minutes after payment.

ProductRating
VipNet Office Firewall
Cybersafe firewall
TrustAccess

Proxies

Proxies are devices that are intermediaries that act on behalf of clients that are on a secure or private network. Clients on the protected side send requests to establish a connection to the proxy server to transfer information to an insecure network or to the Internet. Accordingly, a proxy server or application makes a request on behalf of an internal user. Most proxy firewalls operate at the very top, seventh level of the OSI model (application) and can store information in cache memory to increase their performance. Proxy technologies can protect the network from specific web attacks, but in general they are not a panacea, and, in addition, they do not scale well.

What to choose?

If you focus only on the cost of the product and technical support, then the choice is obvious - Cybersafe Firewall. Cybersafe Firewall has the optimal ratio of functionality / price. On the other hand, if you need Secret Net support, then you need to look towards TrustAccess. But VipNet Office Firewall can only be recommended as a good personal firewall, but for these purposes there are many other and also free solutions.

Network Address Translation

Some devices operating at the third level (network) can translate network addresses, or NAT (Network Address Translation). A third-level device translates the internal network address of a host into a public one, which can be routed on the Internet. Due to the small number of network addresses in the IP protocol, this technology is used everywhere.

Packet health firewalls

Such firewalls have additional advantages over single-filter packet filtering firewalls. They check every packet passing through their interfaces for correctness. They examine not only the package header, but also information from the application layer and the payload of the package. Thus, it is possible to create different rules based on different types of traffic. Such firewalls also allow you to monitor the status of the connection and have a database with this information, which is also called the "state database". It describes the status of connections, that is, such as “installed”, “closed”, “restart”, “in the process of negotiation”. Such firewalls protect the network well from various network attacks.

The number of different firewalls is large, and currently they combine different techniques to prevent attacks. The main thing is that the network should always be protected. However, one should not forget that one should not get carried away and spend more money on protecting information than the information itself is worth.

Please tell me why?

We are sorry that the article was not useful for you :( Please, if it does not complicate, indicate for what reason? We will be very grateful for the detailed answer. Thank you for helping us to become better!

Subscribe to our weekly newsletter and we will send the most interesting publications :) Just leave your details in the form below.

Pin
Send
Share
Send
Send