Positioning BorderWare

A reseller’s guide to the strengths and benefits of the BorderWare Firewall Server

Peter Cox Vice President October 1998

© 1998 BorderWare Technologies Inc. BorderWare and Border are registered trademarks of BorderWare Technologies Inc.

Contents

1. Background
2. Firewall Market Development
2.1 First Firewalls
2.2 Evolving Requirements
3. BorderWare Firewall Server
3.1 BorderWare Architecture
3.2 BorderWare Strengths
3.3 Lowering Cost of Ownership
3.4 BorderWare Development Plans
4. Competitive Positioning
4.1 Complete Solution
4.2 BorderWare Firewall Server vs the Packet Filtering Firewall
4.3 BorderWare Firewall Server vs the Proxy Server
4.4 BorderWare Firewall Server vs the Enterprise Firewall

1. Background

The BorderWare Firewall Server was introduced in 1994 and has enjoyed considerable and continued success. This success is largely due to BorderWare’s architecture and product positioning. The BorderWare Firewall Server is a complete and easy to manage security solution. At the end of June 1998, the rights to the Firewall Server were acquired by BorderWare Technologies Inc (BTI). BTI is a new company formed by some of the original BorderWare architects and developers. BTI are committed to the continued success of the BorderWare Firewall Server and have embarked on a development plan to ensure that the BorderWare Firewall Server will remain one of the leading Firewall products in a rapidly changing market.

This white paper examines the likely changes in the Firewall Market, shows how BorderWare is already well-placed to take advantage of those changes and outlines BTI’s development plans which will ensure continued success for the BorderWare Firewall Server.

2. Firewall Market Development

Since the launch of the BorderWare Firewall Server back in 1994, the Firewall Market has seen considerable development. Firstly, today’s market is considerably more crowded. One regularly updated list contains just under 100 products claiming to be Firewalls [1]; this is a significant increase from 1994, when there were only 10-12 products. Secondly, Firewall users have become far more demanding, expecting their Firewall to offer a lot more flexibility and to allow their users to run many more applications.

This market development is set to continue and if anything the pace of change will accelerate, as a secure Internet connection becomes one of the basic requirements for all businesses. The evidence for this is clear; the typical Firewall customer today is likely to be a small to medium sized company needing a secure Internet connection to support a corporate e-mail service, an Intranet or Extranet service or an electronic commerce server. Much of the early Firewall demand was generated by larger companies, the first to connect to the Internet. Now that secure Internet connections are a requirement for small to mid-sized companies the demand is larger but the requirements have changed.

To succeed in this evolving market a Firewall must meet the needs of the new generation of users. The Firewall must provide the resilience required of a mission-critical system and must support the range of applications needed to drive the organisation’s business. The Firewall must also be as simple as possible to configure and manage without sacrificing security.

2.1 First Firewalls

At its launch, the BorderWare Firewall Server was a radical departure from the conventional idea of a Firewall. Until then many Firewalls were supplied as “tool-kits”. These tool-kits offered flexibility, allowing users to support most network applications. This flexibility had a price: the tool-kits were very difficult to configure, and indeed one leading product was typically sold with 3 or 4 days of high-level consultancy simply to complete the system planning and installation.

The BorderWare Firewall Server changed all that. It was the first true turn-key Firewall server, coupling a high level of security with ease of management and a comprehensive set of application services. This was obviously a winning combination, as the BorderWare Firewall Server has consistently been listed as a market leader every year since its introduction.

2.2 Evolving Requirements

Of the market leading Firewalls, the BorderWare Firewall Server is uniquely placed to serve the needs of the Firewall market sector showing the most rapid growth. This sector is the new category of user, the small to medium sized organisation. Of the top 5 products, the BorderWare Firewall Server is the only one to provide a true turn-key solution. It is interesting to note that 4 of the top 5 Firewall Products, including the BorderWare Firewall Server, have been available for more than 4 years. These products are successful, as each has found its market niche and has been unaffected by the introduction of some 95 other products into the market. The niche claimed by the BorderWare Firewall Server, the turn-key solution for small to medium organisations, with the resilience and capacity to support those organisations as they grow, is the fastest growing market sector. IDC characterise the small business market as being “hungry for a low support security solution” [2]. BorderWare is very well positioned to take advantage of that growth.

3. BorderWare Firewall Server

The BorderWare Firewall Server was the first commercial product to provide a complete packaged solution for Internet security, offering all the components needed to provide a fully functional firewall as a single product. BorderWare was also the first Firewall Server to include application servers (e-mail, WWW, news etc) and to provide an integrated user interface for easy configuration and management. Until that time most Firewall solutions were provided as toolkits requiring specialised knowledge to configure and maintain. The majority of these toolkits concentrated on providing the security components of a Firewall system. Servers for processing and routing e-mail, Domain Name Servers and Web servers had to be installed and configured separately. This reinforced the need for specialist knowledge and increased the cost of the solution.

The BorderWare Firewall Server brought the highest level of Internet security within the reach of every corporate IT department. With a BorderWare Firewall Server the definition of a company’s Internet security policy, the installation and configuration of a Firewall to implement that policy and the subsequent management of the system is well within the capability of all network managers. This obviates the need to place one of the most important aspects of an organisation’s IT strategy, network security, in the hands of an external consultant. BorderWare remains one of the few products that can make that claim.

3.1 BorderWare Architecture

The BorderWare Firewall server is designed as a black box, a closed system that includes all the components needed for a complete firewall solution. The Firewall Server is built on a hardened Unix kernel. Hardened means that changes are made to the operating system to optimise it for use in a Firewall and to secure it. Most operating systems (including Unix and NT) were not designed specifically to run Firewalls; they are too open. Nearly all Firewalls are run on systems with two or more network interfaces. Faced with this hardware configuration, most operating systems will readily forward data arriving on one interface to another. While this behaviour is useful and welcome on application servers it is not desirable on a Firewall. The operating system used on BorderWare is modified so that uncontrolled forwarding of data from one network interface to another is simply not possible. In its default configuration a BorderWare server will not and cannot relay data between networks. This configuration forms a very secure base for building a Firewall as it effectively provides an impenetrable barrier between an internal and external network, exactly what a Firewall should do.

The BorderWare operating system is further hardened by blocking all user access. There are no user logins and there is no way to run applications on a BorderWare Firewall Server. All administration and configuration on a BorderWare system is carried out via secure graphical user interfaces. Interfaces are available on the system console or on a remote workstation. The use of a secure GUI has two important benefits; it reinforces the security of the server by obviating the need for operating system access and removes the need for any specialist knowledge of the underlying operating system. BorderWare can be configured and maintained by anyone with a basic knowledge of network applications.

Building on the secure operating system base, the BorderWare Firewall Server provides a comprehensive set of secure application level proxy servers, including user configurable proxies. Proxy servers provide the most controlled and hence the most secure method of relaying data between protected and unprotected networks.

Uniquely, the BorderWare Firewall Server includes a number of application servers fully integrated with the security components and with the management interface. These application servers include dual Domain Name Servers (DNS), e-mail, FTP and WWW. BorderWare’s dual DNS relieves the system administrator of one of the most complex tasks, planning and maintaining the domain name structure. A properly configured DNS is essential but defining that configuration can be a complex task. Unfortunately installing a Firewall inevitably complicates this task still further. BorderWare’s integrated dual DNS removes the complexity.

BorderWare’s integrated mail server is unique in the Firewall market. It is designed so that it can fulfil a number of different roles depending on requirements. For an organisation without an existing e-mail system, BorderWare offers a simple to configure mail server compatible with all popular e-mail clients (Microsoft Exchange, Outlook, Netscape Messenger, Eudora etc). If an organisation already has an e-mail server then BorderWare is easily configured as an e-mail relay passing messages between the protected network and the Internet. Using a mail relay for this purpose offers a much better solution, and an additional level of protection, compared with the alternatives of passing mail through a proxy or packet filter, as the relay never allows a direct connection from the Internet to your mail server. Larger organisations with multiple e-mail servers will find BorderWare’s mail routing capabilities powerful and simple to use.

The BorderWare Firewall server also includes a Web server. This is designed to provide a fast-start for companies connecting to the Internet for the first time. A BorderWare Firewall Server provides everything needed to establish and secure that Internet connection including a server ready for the first set of web pages.

It is recognised that not every user will need or wish to use all of the built-in servers provided with BorderWare. Indeed for security reasons, the Web server included with BorderWare does not provide all functionality found in stand-alone servers. To provide a secure connection for these stand-alone servers, BorderWare includes a special third network connection. This is known as the Secure Server Network (SSN). As its name suggests it is designed specifically to connect third party servers to which public access is needed, but provides a far more secure option than simply connecting these servers to the untrusted network. BorderWare’s SSN is equivalent to the De-Militarised Zone (DMZ) provided by some other Firewalls.

3.2 BorderWare Strengths

BorderWare’s architecture gives the Firewall Server a number of important strengths and benefits over other firewall products. The key strength is BorderWare’s inclusion of application servers differentiating BorderWare from other products and qualifying it as a complete Internet Gateway. Other Firewalls provide security but require that key services such as DNS, E-mail, and Web are provided separately. This means that additional server systems must be purchased and leads to additional configuration and administration effort.

The BorderWare Firewall Server is designed so that setting up and running the application services is made as simple as possible. As an example BorderWare’s dual DNS can be set up in minutes, simplifying a complex task that would normally require specialised knowledge.

The BorderWare Firewall Server’s management system provides a simple user interface to configure and administer the security policy of the Firewall and to control all of the built-in servers. This means that server administration is simplified and integrated with the system’s security policy. Integrating administration of application servers with the security policy administration has significant benefits; it is much easier to establish and control the security policy than if the Firewall components were purchased, installed, configured and managed separately from the application servers.

3.3 Lowering Cost of Ownership

The BorderWare Firewall Server’s integrated approach to securing Internet connections brings one important benefit to the end-user, lower cost of ownership. The purchase price of a Firewall system represents only a fraction of the total cost of that system. You must include the costs of planning, installing and configuring the system and the costs of on-going administration and maintenance. If the chosen Firewall does not include services like DNS, E-mail and web, then these must be separately configured and may need additional hardware, all of which adds to the total cost.

The BorderWare Firewall Server reduces all of those costs. BorderWare’s user interface means that installation, configuration and maintenance are simplified and BorderWare’s integrated application servers mean that there is no need to install additional systems.

3.4 BorderWare Development Plans

BorderWare Technologies Inc is committed to retaining the competitive advantage that the BorderWare Firewall Server enjoys. To meet this commitment, BTI’s development plans include new features and feature enhancements that will maintain the Firewall Server’s key competitive advantage: a lower cost of ownership deriving from an integrated and easy to manage solution.

BTI’s development plans are detailed on our web site [3]. The key new features designed specifically to maintain and improve BorderWare’s competitive advantage are:

1. Enhanced management interface, simplifying centralised management of multiple Firewalls and including configuration Wizards to simplify the more complex tasks.

2. Enhanced application servers, including flexible and secure remote access to e-mail and enhancements to the Web server.

3. Improved hardware support, enabling the Firewall Server to run on a wider range of low cost hardware.

4. Competitive Positioning

The Firewall market is a maturing and highly competitive market. To succeed in the market the BorderWare Firewall Server must demonstrate some benefits over other Firewall products. BorderWare achieves this very successfully by providing a much greater range of features and services than other products in this market sector.

Most commercial Firewall products fall into one of two categories:

1. The Firewall appliance, a communications server or router with added Firewall features. Products in this category tend to implement security through packet filtering.

2. The Firewall system, Firewall features implemented as a set of applications to run on a standard operating system, invariably Unix or NT. Most products in this category implement security through application proxies. There is one notable exception to this rule: Checkpoint’s Firewall-1 is a system product which relies mostly on packet filtering.

BorderWare defines a new product category. It is a complete Firewall Server. BorderWare is equivalent to a Firewall system with the addition of a number of essential application servers such as E-mail, DNS, Web and many others. BorderWare combines the highest level of security with the services needed to provide a complete and secure Internet Gateway.

4.1 Complete Solution

The rationale behind positioning BorderWare as an Internet Gateway is simple. All Firewall users purchase a Firewall for fundamentally the same reason. They need to connect a trusted network (normally the company’s LAN) with an untrusted network (normally the Internet) and require a device to safeguard the security of the trusted network. This connection is made to satisfy a business need. To meet that need, a number of components over and above the Firewall will be required. These components will include one or more Domain Name Servers, E-mail servers or relays and possibly FTP or web servers. If the Firewall does not provide these facilities they must be installed, configured and maintained as separate systems.

BorderWare’s design philosophy is simple: all the components required to implement a secure network connection are supplied in a single, easy-to-install package with a unified user interface. The logic behind this approach is compelling and has certainly contributed to BorderWare’s success in the last four years. However, the profile of the average Internet user is changing, and the need for a complete solution, as provided by BorderWare, is growing. This growth is driven by the fact that the costs and benefits of an Internet connection now make Internet communication attractive to smaller organisations, organisations without the resources to own and manage a complex Firewall installation with many discrete components. Firewall purchasers have a simple choice: to select BorderWare and get all the required components for a complete Internet connection, or to select a “traditional” Firewall product and be forced to purchase, install, configure and maintain the Firewall plus a range of other systems offering other essential services.

In addressing this new market segment of small to mid-sized organisations, BorderWare does not ignore the established Firewall market of larger organisations. BorderWare’s packaged solution is sufficiently flexible to integrate with existing systems. For example, if a company has an existing e-mail system, BorderWare’s e-mail service, which would be configured to meet the complete e-mail needs of a smaller company, is readily re-configurable as a relay which can receive and route messages to multiple e-mail systems. BorderWare’s price positioning and performance capabilities make it an ideal solution for all sizes of network.

4.2 BorderWare Firewall Server vs the Packet Filtering Firewall

Packet Filtering Firewalls achieve their security by examining every packet of data that passes through from one network to another. Although effective security can be implemented with packet filtering, it is not the simplest or most obvious approach. Implementing security through packet filtering is rather like screening printed documents by examining each line of text in isolation rather than considering the document as a whole. It is generally accepted that packet filtering is less effective than application level proxies. To extend the analogy, application level proxies are equivalent to screening printed documents by considering the document as a whole. Many packet filtering based systems recognise this and enhance their packet filtering through techniques such as stateful filtering, equivalent to remembering previous lines when scanning a printed document, but still not qualifying as application level proxies.

BorderWare offers many advantages over packet filtering firewalls.

1. BorderWare employs application level proxies as the main security component. BorderWare also includes packet filtering, but to supplement the proxies; it does not rely on packet filtering for security.

2. The use of proxies makes BorderWare much simpler to configure than a packet filtering Firewall. BorderWare is configured by deciding which services to enable. This means that a default configuration of no access is modified by turning on proxies for the services needed. BorderWare’s approach contrasts with packet filtering firewalls which must be configured by deciding which services to block. This is a more complex task and far more error prone (although the packet filtering firewall’s interface may hide some of this complexity). The increased complexity of the packet filtering firewall adds to the cost of ownership.

3. Packet filtering tends to be used by Firewall Appliances, although there are some exceptions to this. A Firewall Appliance cannot offer application services offered by BorderWare. These services then have to be implemented on other systems, adding to the cost of ownership.

Products falling under the packet filtering firewall include Cisco PIX.
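
The two configuration models contrasted in point 2, as an added example (not BorderWare code or its configuration format): the names `Service`, `EnableList`, `BlockList` and `audit`, and the sample services, are constructed for illustration. It shows what a single omission costs under each model: a forgotten entry in an enable list leaves an intended service refused, while a forgotten entry in a block list leaves an unintended service reachable.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Service:
    direction: str  # "inbound" or "outbound", relative to the protected network
    proto: str      # "tcp" or "udp"
    port: int


class EnableList:
    """Start from no access; pass only services that were switched on."""

    def __init__(self, enabled):
        self.enabled = frozenset(enabled)

    def permits(self, svc):
        return svc in self.enabled


class BlockList:
    """Start from open access; refuse only services that were listed."""

    def __init__(self, blocked):
        self.blocked = frozenset(blocked)

    def permits(self, svc):
        return svc not in self.blocked


def audit(policy, intended, observed):
    """Compare what a policy passes with what the administrator intended.

    Returns (exposed, broken):
      exposed - services passed although never intended (omission fails open)
      broken  - intended services that are refused (omission fails closed)
    """
    exposed = sorted(s for s in observed if policy.permits(s) and s not in intended)
    broken = sorted(s for s in intended if not policy.permits(s))
    return exposed, broken


# Constructed sample data: the services the organisation actually wants.
WEB_OUT = Service("outbound", "tcp", 80)
SMTP_OUT = Service("outbound", "tcp", 25)
SMTP_IN = Service("inbound", "tcp", 25)
DNS_OUT = Service("outbound", "udp", 53)
INTENDED = {WEB_OUT, SMTP_OUT, SMTP_IN, DNS_OUT}

# Constructed sample data: other services seen at the network boundary.
TELNET_IN = Service("inbound", "tcp", 23)
FTP_IN = Service("inbound", "tcp", 21)
TFTP_IN = Service("inbound", "udp", 69)
RPC_IN = Service("inbound", "tcp", 111)
OBSERVED = INTENDED | {TELNET_IN, FTP_IN, TFTP_IN, RPC_IN}

# Each administrator makes one kind of mistake: an omission.
ENABLE = EnableList({WEB_OUT, SMTP_OUT, SMTP_IN})  # forgot to enable DNS_OUT
BLOCK = BlockList({TELNET_IN, FTP_IN})             # forgot TFTP_IN and RPC_IN

if __name__ == "__main__":
    for name, policy in (("enable list", ENABLE), ("block list", BLOCK)):
        exposed, broken = audit(policy, INTENDED, OBSERVED)
        print(f"{name}: exposed={exposed} broken={broken}")
```

The enable-list omission shows up immediately as a service that does not work; the block-list omission is silent until someone audits what is reachable.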

4.3 BorderWare Firewall Server vs the Proxy Server

The BorderWare Firewall server is itself a proxy server; however, very few other proxy based firewalls offer the same range of application services as BorderWare. Proxy server products actually cover a very wide range of functionality; not all proxy servers are Firewalls. The primary use of some of these products is to cache frequently accessed information, reducing network bandwidth. Caching proxies are most commonly used for Web traffic, although other applications can benefit. While caching proxies may have some limited access control features, they should not be considered Firewalls.

When comparing BorderWare with fully featured Firewall proxies, BorderWare invariably offers a more complete solution than other products. As we have seen in the discussion on BorderWare architecture, BorderWare is unique in combining the highest level of security with a full set of application servers controlled by a single management system. BorderWare is the only package Firewall server qualifying for the description Complete Internet Gateway.

Products in the Proxy Server category include Microsoft Proxy Server (not strictly a Firewall) and TIS Gauntlet.

4.4 BorderWare Firewall Server vs the Enterprise Firewall

Enterprise Firewalls are specialist systems. They are designed for networks where the standard Firewall model (internal trusted network and external untrusted network) does not suit the network topology. Enterprise Firewalls are designed to support multiple network interfaces to support more complex configurations. Recognising that these more complex configurations are less likely to need built-in application servers, enterprise Firewalls generally do not include such servers. This makes them less suitable for simpler network topologies.

Enterprise Firewalls are directed at the top-end of the market, a restricted market segment. BorderWare is not designed to compete in this market sector. BorderWare does compete very effectively with the enterprise Firewall where the network topology is simpler and fits more readily to BorderWare’s three interface (internal, external and SSN) architecture. Here BorderWare wins over the enterprise Firewall by providing a complete solution, the Secure Internet Gateway lowering the cost of ownership.

Examples of Enterprise Firewalls include Checkpoint’s Firewall-1 and Secure Computing’s SecureZone.

[1] Firewall Product Overview, http://www.waterw.com/~manowar/vendor.html

[2] The Worldwide Firewall Market, 1997. IDC#`6557R.

[3] BorderWare Development Road Map, http://www.borderware.com/update.html