A machine needs other tools to secure it, including, but hardly limited to, tools to check files (tripwire), audit tools (tiger/cops), secure access methods (kerberos/ssh), something to watch logs and machine states (swatch/watcher come to mind), and filtering and routing tools such as screend/ipfilterd/ipacl. Again, I would recommend that you do not proceed to build a production FWTK firewall unless you are familiar with UNIX security.
#########################
Brian Reid and a couple of folks at DEC had a corporate gateway, called gatekeeper.dec.com. Paul Vixie took over operating it and was providing services to a growing list of folks inside the company - they'd telnet in and FTP out, or whatever. I worked in one of DEC's sales support units, for Fred Avolio, and we had an Internet connection (9600 baud!!) via an aging MicroVAX II, and Fred told me to clean it up some and "make it look like what Paul has in gatekeeper." I think I have Fred's original napkin drawing in my archives someplace. I keep meaning to look for it so I can frame it for him. :) Gatekeeper in those days was what we'd now call a gateway host, and there was a screening router built on another MicroVAX running an early Mogul screend. So I built something like that. But I didn't want to give people accounts on it, so one Xmas break I wrote an FTP proxy in a fit of hacking. And it worked pretty well. So instead of giving out accounts like Paul did, I started giving people access via proxies. That worked real well. Then one of our sales guys, in a fit of enthusiasm, sold "a firewall like decuac" to a REALLY huge customer and I wound up cloning the system onto a couple of DECstations, and that was, I believe, the first commercial Internet firewall. Then I had to write the documentation for the bloody thing, and so it needed a name, so we stole "SEAL" which the guys in Palo Alto had been talking about for a firewall product, but what the heck, we'd already sold something. :) The next best bet for the name was "PIG" for "Packaged Internet Gateway" but that, as it were, didn't fly. From that one customer, once the documentation had been written, sales took over and we got a little busy with firewalls from then on. :) Fred went to TIS, and Marcus was looking to leave DEC and [was going to go to a big place that recently IPO'd and would have made him a millionaire, but he didn't go there] he interviewed at TIS and got a job there instead. :) And fate had it that about a month afterwards, ARPA called up and asked "do you guys know anything about these firewall things?" and it turned out that the White House was going online, and so proposals happened and then funding happened, and so we were officially researching Internet firewalls, and part of that effort included setting up whitehouse.gov, and part of that effort included writing tools for whitehouse.gov, which evolved into a chance to sit down and rethink firewalls and maybe write a better one... I [Marcus Ranum] wrote all the code for the bloody thing, and all of the documentation, up until almost a year later when we hired Peter Churchyard, who brought us the http proxy, and Wei Xu, who wrote the X proxy. While they were doing that, I kitted the whole thing up on an Intel box and that was Gauntlet V1.0. Pete and Wei and Char and Dave subsequently took over the hard work of actually making things work, and I became a useless suit at that point, yakking on the phone all day and generally being a pain in the neck. :) Though I no longer work at TIS, I am still a pain in the neck. :) Our purposes for releasing the FWTK were:
We think all would agree that we achieved our goals.
###########################
Yes, the FWTK is fabulous if you are willing to do a lot of extra work yourself. 50,000 downloads later, we still see about 5,000 a month. It seems to be successful enough on its own. No, TIS doesn't add enough features to it to make you decide not to buy a commercial firewall from us or anyone else. We're crazy, but we're not stupid. (Well, okay, so maybe sometimes... :-)) There is a side-by-side comparison in the Gauntlet FAQ at:

What's a "crystal box"? Since those words were first uttered by our first customer, and since we got his permission to use it, I'll expand on it: "Crystal Box Design. A Crystal Box approach is the opposite of "black box." With a crystal box approach, the source code and algorithms that implement security are examinable. In the case of the Gauntlet Internet Firewall, the code is examinable by any Gauntlet customer. The core functionality of the FWTK is examinable by anyone with FTP access to the Internet. We do not depend on the secrecy of our algorithms, methods, or source code for security. A Crystal Box design means the Gauntlet Internet Firewall has benefited from experts in the firewall field who have examined it, used it, and commented on it."

The Gauntlet Internet Firewall and the TIS Internet Firewall Toolkit do not share the same code base for anything, typically, and haven't since version 1.0. (There may be a proxy or two that is identical in cases where TIS decided to just give the code away to the FWTK users. No user-supplied code is used without permission and attribution.)

Gauntlet source code is available. We've just unbundled it from some of the kits. Why? Fewer than 10% of our customers used it. It is still available. All we ask is that a license agreement be signed to protect our intellectual rights. Why else? UNIX systems are starting to ship without C compilers. Solaris is an example. If you've asked for source and been waiting for months and not received it, and you are a TIS customer, drop me e-mail please. No, it's not the proper channel, but mistakes do get made.

Fred
The filename is "fwtk-doc-only.tar.Z".