Solstice FireWall-1 Version 3.0b
New Features

      1. FireWall-1 for IBM/AIX 4.1.5 & 4.2.1 
      2. FireWall-1 support for Solaris 2.6 
      3. SecuRemote Version 3.0 including: 
            Client Encapsulation 
            Support for all FireWall-1 authentication schemes 
            Support for Windows 95B 
            Support for Windows 95 Power Management suspend/hibernation 
      4. Support for Cisco 11.2 routers management 
      5. New Services Support: Connected OnLine Backup, AOL, OnTime 
      6. Session Authentication Agent for Windows 3.11 

Known Bugs and Restrictions

Solaris 2.6

      1. FireWall-1 3.0b supports Solaris 2.6. Since previous FireWall-1 versions cannot be installed on Solaris 2.6, you must upgrade your FireWall-1 software to 3.0b before upgrading the
      Operating System to Solaris 2.6. 
      2. The X/Motif Log Viewer cannot run on Solaris 2.6. Contact your FireWall-1 re-seller to get a patch for supporting it when it is available. 
      3. If there is no dumb terminal installed, the FireWall-1 installation may fail. 
      4. When setting the boot security on Solaris 2.6, the file /etc/rcS.d/S30rootusr.sh gets corrupted, and the system fails to reboot. Before installing the software, please contact
      your FireWall-1 re-seller for a patch that solves this problem. 

Solaris 2.x

When using encryption on Solaris 2.x machines, you must create certificate keys when defining network objects (you are not prompted to do so during installation).

IBM/AIX

The IBM/AIX version does not support multiprocessor machines. Please contact your re-seller for a special patch for supporting it. 

Windows NT 4.0

FireWall-1 on Windows NT 4.0 with Service Pack 3 does not work properly with RAS. 

Windows 95

SecuRemote installation fails on some portable machines.

All Platforms

The SMTP Security Server sends an LF symbol rather than a CR-LF for each line. This causes compatibility problems with some SMTP Servers. Contact your re-seller for a patch that solves
this problem. 

FireWall-1 3.0b Management station cannot properly manage 3.0 FireWall Modules. You need to upgrade the FireWall Module to 3.0b as well. 

Using FireWall-1 Synchronization under a heavy load may crash the machine. Contact your re-seller for a patch that solves this problem.

User Guide Clarifications

The following material clarifies subjects discussed in the FireWall-1 User Guide.

Getting Started

Installing FireWall-1

Operating Systems

In Table 3-8 on page 87, the list of Solaris versions under Operating Systems should read "Solaris 2.3, 2.4, 2.5 and 2.6".

Licenses

On page 105, any references to "serial number" should read "Certificate Key."

Architecture and Administration

Security Servers

FTP Resources

When an FTP connection is mediated by the FireWall-1 FTP Security Server, then the user's requested FTP commands and file names are matched against the FTP Resource defined in the
relevant rule.

      The FTP Security Server is invoked when a rule specifies an FTP Resource in the Service field and/or User Authentication in the Action field. If no FTP Resource is specified in
      the rule (that is, if the Security Server is invoked because the Action is User Authentication), then an FTP Resource of GET and PUT allowed for all files is applied.

FTP Resource Matching

FTP Resource matching consists of matching methods and file names. 

Methods

Table 1-1 on page 7 lists the FTP commands that correspond to the methods specified in the FTP Resource definition. 
                          FTP actions and commands 

 method (defined in the FTP Resource)   applies to these FTP commands   meaning
 -------------------------------------  ------------------------------  ------------------
 GET                                    RETR                            retrieve
                                        RNFR                            rename from
                                        XMD5                            MD5 signature
 PUT                                    STOR                            store
                                        STOU                            store unique
                                        APPE                            append
                                        RNFR                            rename from
                                        RNTO                            rename to
                                        DELE                            delete
                                        MKD                             make directory
                                        RMD                             remove directory



The FireWall-1 FTP Security Server passes all other FTP commands to the FTP server for execution.

File Names

File name matching is based on concatenating the current working directory and the file name in the command (unless the file name is already a full path name) and comparing the result to
the path specified in the FTP Resource definition. 

      When specifying the path name in the FTP Resource definition, only lower case characters and a directory separator character / can be used.

The Security Server modifies the file name in the command as follows:

      for DOS, the drive letter and the colon (:) are stripped for relative paths 
      the directory separator character (/ or \) is replaced, if necessary, with the one appropriate to the FTP server's OS 

In some cases, the Security Server is unable to resolve the file name, that is, it is unable to determine whether the file name in the command matches the file name in the resource.

Example - DOS

Suppose the current directory is d:\temp and the file name in the resource is c:x. Then the Security Server is unable to determine the absolute path of the file name in the command because the
current directory known to the Security Server is on disk D: and the file is on disk c:, which may have a different current directory.

Example - Unix

If the file name in the command contains .. references which refer to symbolic links, then it's possible that the file name in the command matches the resource's path, but that the two in fact refer
to different files.

When the Security Server cannot resolve a file name, the action it takes depends on the Action specified in the rule being applied:

      If the rule's Action is Reject or Drop, then the rule is applied and its Action taken. 
      If the rule's Action is Accept, Encrypt or Authenticate, then: 

      If the resource path is * or there is no resource, the rule is applied. 
      Otherwise, the rule is not applied. Instead, FireWall-1 scans the Rule Base and applies the next matching rule (which may be the default rule that drops everything). In this case, a
      potential problem is that the rules may specify different entries in their Track fields. For example, it may happen that the original rule specifies Accounting in the Track field while the rule
      that is applied does not. 
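The following is an added illustration of the matching and fallback logic described in the Methods, File Names and resolution paragraphs above; it is not FireWall-1 code. It assumes that a resource path is a lower-case, '/'-separated glob (so that "*" means all files), that a '..' component in a Unix file name is treated as unresolvable, and that a resolved name which does not match the resource simply falls through to the next rule.

```python
import fnmatch
import ntpath
import posixpath

# Method table from the Methods section (RNFR is listed under both GET and PUT).
METHODS_FOR_COMMAND = {
    "RETR": {"GET"}, "XMD5": {"GET"}, "RNFR": {"GET", "PUT"},
    "STOR": {"PUT"}, "STOU": {"PUT"}, "APPE": {"PUT"}, "RNTO": {"PUT"},
    "DELE": {"PUT"}, "MKD": {"PUT"}, "RMD": {"PUT"},
}

def resolve_name(cwd, name, dos=False):
    """Absolute, lower-case, '/'-separated form of NAME, or None if unresolvable."""
    if dos:
        drive, rest = ntpath.splitdrive(name)
        cwd_drive, _ = ntpath.splitdrive(cwd)
        if drive and rest[:1] not in ("\\", "/"):
            # Drive-relative name such as c:x: the other drive's current directory
            # is unknown to the Security Server, so it only resolves on cwd's drive.
            if drive.lower() != cwd_drive.lower():
                return None
            name = rest                         # strip the drive letter and colon
        path = ntpath.normpath(ntpath.join(cwd, name))
        return path.replace("\\", "/").lower()  # resource paths use '/' and lower case
    if ".." in name.split("/"):
        return None  # assumption: '..' may cross symbolic links, so treat as unresolvable
    return posixpath.normpath(name if name.startswith("/") else posixpath.join(cwd, name))

def ftp_decision(rule, command, cwd, name, dos=False):
    """RULE: {'action': ..., 'resource': glob or None, 'methods': subset of {GET, PUT}}.
    Returns 'pass-through', 'apply' (rule matches, take its Action) or 'next-rule'."""
    methods = METHODS_FOR_COMMAND.get(command.upper())
    if methods is None:
        return "pass-through"                   # all other commands go to the FTP server
    has_resource = rule["resource"] is not None
    resource = rule["resource"] if has_resource else "*"
    allowed = rule["methods"] if has_resource else {"GET", "PUT"}  # no resource: GET+PUT, all files
    path = resolve_name(cwd, name, dos)
    if path is None:                            # Security Server could not resolve the name
        if rule["action"] in ("Reject", "Drop") or resource == "*":
            return "apply"
        return "next-rule"                      # Rule Base is scanned for the next match
    if methods & allowed and fnmatch.fnmatchcase(path, resource):
        return "apply"
    return "next-rule"                          # assumption: a non-matching name falls through
```

The DOS example from the text (current directory d:\temp, resource c:x) yields "next-rule" for an Accept rule but "apply" for a Drop rule.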

Outgoing Connections

User Authentication and Resource rules are applied only to connections incoming to a FireWalled machine. An outgoing connection originating on a FireWalled machine will not be folded into a
Security Server on that machine, but will be dropped.

Authentication

ACE (SecurID)

On Windows NT, the sdconf.rec file is in the SYSTEM32 directory under the directory in which Windows NT is installed.

Miscellaneous Security Issues

Verifying the Default Policy

You can verify that the default Security Policy is indeed loaded as follows:

      1. Boot the system. 
      2. Before installing another Security Policy, type the following command: 
       $FWDIR/bin/fw stat


      The command's output should show that defaultfilter is installed. 

SYNDefender

The following text should be added at the end of the "The TCP SYN Flooding Attack" section.

Choosing an Appropriate SYNDefender Method

As a first step, you should consider whether you need SYNDefender at all. Since the SYN flooding attack is a "denial of service" attack rather than a security breach, it may be more effective to
deploy SYNDefender only after a SYN attack actually occurs. 

Another "low cost" alternative is to deploy SYNDefender Gateway, and if a SYN attack occurs, to deploy SYNDefender Relay. 

SYNDefender Gateway vs. SYNDefender Relay 

SYNDefender Gateway is an effective defense method which divides the cost of the defense between the FireWalled gateway and the server under attack. The overhead for the server is similar
to that of an established non-active connection, of which a server can typically handle thousands. This non-active connection only exists for the short timeout period (configured with the GUI).

In SYNDefender Relay, the FireWalled gateway completely isolates the server from SYN flooding attacks, that is, the connection is not passed to the server until after its validity is verified.
The cost is that the FireWalled gateway must relay (with some overhead) every single TCP packet for the lifetime of the connection. In contrast, with SYNDefender Gateway, the gateway
"forgets" about the connection after a short timeout period or after the connection has been established. 

In addition, problems may arise when a FireWall's Security Policy is uninstalled, or when a FireWall is rebooted. Since every connection was relayed by the FireWall, these connections become
"confused," and the network may be overloaded by the servers' futile attempts to resolve this confusion.

In summary, if SYNDefender is required, start with SYNDefender Gateway. If you find that your servers are coming under frequent SYN flooding attacks (as apparent from the Log Files), and
that your server performance deteriorates as a result of the non-active (short timeout) connections created for each attack attempt, then you should consider the SYNDefender Relay method.

Passive SYNDefender Gateway is an inferior method to both SYNDefender Gateway and SYNDefender Relay. The guidelines above refer to SYNDefender Gateway rather than to Passive
SYNDefender Gateway.

Getting Help

If you have problems installing or using this product, call the appropriate number listed in Table 3-13 on page 110 of Getting Started with FireWall-1. If you cannot locate the number for your
location, call 1-800-SUNSOFT (1-800-786-7638) from anywhere in North America. From other countries, call your Authorized SunSoft Distributor or Reseller.

Please have the following information ready when you call:

      model number of the system 
      serial number of the system 



Copyright 1997, Sun Microsystems, Inc. All rights reserved. 
