Firewall Server Road Map

Development plan summary for the BorderWare Firewall Server
Version 1.6
March 2003
Confidential – BorderWare Technologies Inc.
1 Introduction

This document describes the BorderWare Firewall Server development plans for calendar year 2003. Although every effort will be made to follow these plans closely, BorderWare reserves the right to modify development plans without notice.

2 Review of previous developments

This section briefly summarizes recent releases of the Firewall software. These releases have delivered most of the features documented in the last Firewall Road Map (August 2001) and have added many additional features not included in that road map.

Release Date     Version          New Features
September 2001   V6.5             • Additional Network Interfaces
                                  • Remote Management Enhancements
                                  • Graphical Console Support
February 2002    Feature Pack A   • HALO, High Availability Option
                                  • Access Rules for SMTP Server
                                  • Oracle Proxy Enhancements
                                  • Security Connection
                                  • Patch Management
                                  • SMTP Server Access Rules
July 2002        IPSec V3.0       • New Encryption Algorithms
                                  • PKI Authentication
                                  • Access Control Rules on VPN connections
                                  • NAT Traversal Support

In addition to the above, BorderWare has also delivered a new IPSec client (SSH Sentinel), a firewall reporting package (InsideOut), and a new URL filtering package in partnership with SurfControl.

© BorderWare Technologies Inc 2003
3 Development Plans

Development plans in 2003 will focus on delivering a blend of new features and updates to some of the existing facilities included in the Firewall Server. These will be delivered in two new versions of the Firewall:
• V7.0 planned for Q2 2003
• V7.1 planned for Q3/Q4 2003

This plan represents a change to the previously published road map, which included a plan for the release of a second feature pack (Feature Pack B) for V6.5 of the Firewall Server. Feature Pack B will now not be released. This decision has been made for the following reasons:
• some of the planned changes involve modifications to the installed kernel and cannot be implemented using the software update mechanism
• the number of existing updates and options for 6.5 makes installation time consuming

These two new releases are described in more detail below.
4 V7.0 Description

4.1 Enhanced hardware support

The Version 7.0 kernel will include support for the Promise IDE RAID controller, adding redundancy and resilience to the Firewall. The Promise IDE RAID controller supports disk mirroring and disk striping with full redundancy.

4.2 SMP Support

Version 7.0 will include support for certain Symmetric Multi-Processor (SMP) systems, notably the Sun LX50 server. Other systems may be supported subject to BorderWare testing. SMP provides additional performance benefits, particularly for high-traffic environments and for CPU-intensive tasks such as URL filtering. Switching between SMP and non-SMP mode will be possible, but will require a system reboot.

4.3 Updated Firewall Appliances

To take advantage of the enhanced hardware support, particularly RAID support, BorderWare's security server appliance range will be extended and upgraded to produce a new range of integrated Firewall appliances. These appliances will include the existing R-2500 as well as larger and smaller systems. The R-2500 and larger systems will include a front-panel LCD display and keypad providing access to basic functions such as shutdown without the need to attach a keyboard and console, simplifying the management of rack-mounted systems.
Briefly, the firewall appliance range will consist of the following models:

Model    Target Market                        Features
R-1200   Low-end departmental firewall        Lowest cost EAL4 firewall available on the market.
R-2500   Mid-range general purpose firewall   Excellent performance. Front panel configuration keypad and display.
R-4000   High-end enterprise firewall         Very high performance, mirrored RAID drives, dual hot-swap power supplies. 6 interfaces standard, including 4 Gigabit Ethernet.

A separate announcement on the details of the extended appliance range, including full specifications and pricing, will be made nearer the release date.

4.4 SurfControl

The SurfControl option provides URL filtering using the Control List produced by SurfControl. The SurfControl URL Filtering option includes granular policy management, enabling differential access rights to be defined by user and by group. The SurfControl option is currently available only as a patch. Effective with V7.0, it will be fully integrated into the Firewall Server, and will be available in “demonstration mode” on all systems. When the evaluation period expires, SurfControl will be disabled until a license key is entered. SurfControl may be configured from either the Firewall console or via BWClient. The control list updates are fully automated and run daily. The updates are incremental, avoiding the overhead of downloading a complete new control list. SurfControl requires a system with a minimum of 512MB of main memory.
4.5 PPPoE

Support for PPPoE will be added. This will complement the existing DHCP support and enable the Firewall to work seamlessly with ISPs running PPPoE rather than DHCP.

4.6 Stateful Inspection / Direct Packet Option

Effective with V7.0, BorderWare will be adding a stateful inspection capability to the firewall. This feature will greatly increase the firewall's flexibility, and will allow it to be used in situations which previously required a packet filtering firewall. We are currently referring to this new feature as the “Direct Packet Option”; however, a more descriptive name may be chosen prior to launch.

The Direct Packet Option provides Extended Stateful Inspection. Direct Packet enables packet-level routing and filtering and supports connections between any pair of interfaces. Direct Packet provides flexible filtering options and is fully protected by the S-Core operating system to ensure that security is maintained. It supports “Configurable NAT”, i.e. Network Address Translation may be selectively disabled for specified traffic flows, and allows for both dynamic and static Network Address Translation. Traffic that is flowing through a Direct Packet connection is routed and filtered entirely within the operating system kernel, maximizing performance.

Direct Packet can co-exist with the standard application proxy features of the firewall. If a Direct Packet connection and a proxy are both configured on the same port, the Direct Packet connection will take precedence.
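The behaviour the Direct Packet description relies on can be made concrete with a toy stateful filter. The following is an added example written for this page; it is not BorderWare's S-Core or Direct Packet code, and the rule set, addresses and port-allocation scheme are hypothetical. It shows the three properties the text describes: a new connection is admitted only if a first-match rule permits it and it begins with a SYN; later packets and replies are matched against tracked state rather than re-evaluated against rules; and NAT is decided per rule, so it can be selectively disabled for a given flow (here, traffic to a partner subnet) while dynamic NAT applies elsewhere.

```python
"""Toy stateful packet filter with per-rule ("configurable") NAT.

Added example for this page; it is not BorderWare's Direct Packet code.
Addresses, rules and the port-allocation scheme are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first segment of a TCP connection


@dataclass(frozen=True)
class Rule:
    """First-match rule: who may open a connection, and whether the flow is NATed."""
    src_net: str
    dst_net: str
    dport: Optional[int]  # None = any destination port
    nat: bool             # False = NAT selectively disabled for flows matching this rule

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)
Verdict = Tuple                      # ("forward", src, sport, dst, dport) or ("drop", reason)


class StatefulFilter:
    def __init__(self, rules: List[Rule], external_ip: str) -> None:
        self.rules = rules
        self.external_ip = external_ip            # address used for dynamic NAT
        self.flows: Dict[FlowKey, FlowKey] = {}   # original 4-tuple -> 4-tuple as seen on the wire
        self._next_port = 40000                   # naive dynamic-NAT port allocator

    def _open_flow(self, pkt: Packet) -> Verdict:
        """Rules are consulted only for a brand-new connection."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.nat:
                    wire = (self.external_ip, self._next_port, pkt.dst, pkt.dport)
                    self._next_port += 1
                else:  # NAT disabled: the flow is routed with its original source
                    wire = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = wire
                return ("forward",) + wire
        return ("drop", "no rule permits a new connection")

    def process(self, pkt: Packet) -> Verdict:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:  # later packet of a tracked flow: no rule lookup
            return ("forward",) + self.flows[key]
        for orig, wire in self.flows.items():  # reply direction: swap ends and undo NAT
            if key == (wire[2], wire[3], wire[0], wire[1]):
                return ("forward", pkt.src, pkt.sport, orig[0], orig[1])
        if not pkt.syn:  # stateful check: a mid-stream packet with no state is rejected
            return ("drop", "non-SYN packet with no matching state")
        return self._open_flow(pkt)


if __name__ == "__main__":
    fw = StatefulFilter(
        [Rule("10.0.0.0/8", "0.0.0.0/0", 80, nat=True),             # web out, NATed
         Rule("10.0.0.0/8", "192.168.50.0/24", None, nat=False)],   # partner subnet, NAT off
        external_ip="203.0.113.1")
    for p in (Packet("10.1.1.5", 51000, "198.51.100.7", 80, syn=True),   # new web connection
              Packet("198.51.100.7", 80, "203.0.113.1", 40000),          # its reply
              Packet("198.51.100.9", 4444, "203.0.113.1", 40000, syn=True),  # unsolicited inbound
              Packet("10.1.1.6", 52000, "198.51.100.7", 80),             # no SYN, no state
              Packet("10.1.1.5", 53000, "192.168.50.10", 22, syn=True)):  # NAT-exempt flow
        print(p, "->", fw.process(p))
```

The reverse lookup walks all tracked flows, which is fine for a demonstration; a kernel implementation keeps a second hash keyed on the wire tuple. Note also that a packet arriving at the external address on an allocated NAT port is accepted only if it comes from the peer the flow was opened to, so the NAT table does not by itself open an inbound hole.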
The Direct Packet Option is intended for the following types of applications:
• as a proxy replacement when very high performance is required
• for protocols where no proxy is available
• for applications where IP addresses are embedded within packet data
• for any other situations where the Firewall's built-in NAT feature needs to be bypassed

4.7 Web site redirection

This new feature will enable the Firewall Server's integrated web server to redirect connections to an alternate site. This will provide a simple and convenient method of directing connections to the web site associated with the Firewall's organizational domain to a hosting service or a web site in a different domain.
4.8 Bug fixes

V7.0 will include fixes for a number of minor bugs, including:
• Problem restoring XML configuration where the configured link speed of the target system differs from the link speed defined in the XML configuration.
• Problem preventing the security log from rolling over in certain circumstances.
• Mailer problem when processing mail for sites with no DNS A record.
• Numerous other minor bug fixes and enhancements.
5 V7.1 Description

5.1 Upgrade to underlying operating system

The S-Core operating system will be upgraded and migrated to a FreeBSD 4.7 code base. This upgrade extends the range of hardware supported by the Firewall Server. New hardware supported includes the PERC SCSI and Promise IDE RAID controllers plus a number of new fibre and copper Gigabit Ethernet cards.

5.2 Additional controls on DNS Zone Transfers

DNS zone transfers are used to synchronize DNS data between primary and secondary name servers. The Firewall's zone transfer servers must be enabled on a primary name server to provide DNS data to any secondary name servers. By default the zone transfer servers (if enabled) will allow a connection from any IP address. The additional controls will place restrictions on the zone transfer servers so that connections will be accepted only from IP addresses listed as domain name servers in the primary name server's data.

5.3 Updated Mailer

The BorderWare Firewall Server currently uses ZMailer as the basis of its store-and-forward mail relay. ZMailer was chosen because of its modular architecture and simplicity when compared with sendmail. ZMailer conforms strictly to the SMTP protocol standard and to the rules for formatting e-mail messages. This strict conformance is beginning to cause problems as the number of incorrectly formatted messages sent by other systems increases. To address these problems, ZMailer will be replaced with Postfix. Postfix is a newer mailer that has all the benefits of ZMailer (modular architecture and simplicity) but is better able to handle the increasing number of incorrectly formatted messages. The new mailer will be functionally compatible with ZMailer.

5.4 Alarms generate SNMP Traps

As an enhancement to the SNMP support introduced in V6.1.2 Feature Pack B, Alarms will now be able to trigger SNMP traps in addition to the current alerting mechanism of logging, generating a console alert and sending an e-mail.
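The zone-transfer restriction described in 5.2 above, accepting AXFR only from addresses that the primary's own data lists as name servers, can be derived mechanically from the zone. The following added example (written for this page, not BorderWare's implementation) parses a constructed sample zone, collects the NS names for the zone apex, looks up their A records in the same data, and checks a connecting client address against that set. The sample data also shows the caveat a practitioner should expect: a name server whose name lies outside the zone has no A record in the primary's data, so the derived allowlist cannot cover it and its address must be configured explicitly; the helper returns such names separately so they are not silently missed.

```python
"""Derive a zone-transfer allowlist from a primary name server's own zone data.

Added example for this page (not BorderWare's code). The zone below is
constructed sample data using documentation address ranges.
"""
from ipaddress import ip_address
from typing import List, Set, Tuple

ZONE_NAME = "example.com."

# Constructed sample zone: two in-zone name servers with A records, and one
# out-of-zone name server whose address is not held in this zone's data.
SAMPLE_ZONE = """
; zone file for example.com (constructed for illustration)
example.com.      IN SOA ns1.example.com. hostmaster.example.com. 2003030101 3600 900 604800 86400
example.com.      IN NS  ns1.example.com.
example.com.      IN NS  ns2.example.com.
example.com.      IN NS  ns.partner.net.
ns1.example.com.  IN A   192.0.2.53
ns2.example.com.  IN A   192.0.2.54
www.example.com.  IN A   192.0.2.80
"""

Record = Tuple[str, str, List[str]]  # (owner, type, rdata fields)


def parse_zone(text: str) -> List[Record]:
    """Parse the simple 'owner IN TYPE rdata...' lines used above (no $ directives, no TTL column)."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, _cls, rtype, *rdata = fields
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def transfer_allowlist(records: List[Record], zone: str) -> Tuple[Set[str], Set[str]]:
    """Return (addresses allowed to AXFR, NS names with no A record in this zone's data)."""
    zone = zone.lower()
    ns_names = {rdata[0].lower() for owner, rtype, rdata in records
                if owner == zone and rtype == "NS"}
    allowed: Set[str] = set()
    resolved: Set[str] = set()
    for owner, rtype, rdata in records:
        if rtype == "A" and owner in ns_names:
            allowed.add(str(ip_address(rdata[0])))  # normalise the textual address
            resolved.add(owner)
    return allowed, ns_names - resolved


def axfr_permitted(client_ip: str, allowed: Set[str]) -> bool:
    """The check a zone-transfer server applies to the connecting client's source address."""
    return str(ip_address(client_ip)) in allowed


if __name__ == "__main__":
    allowed, unresolved = transfer_allowlist(parse_zone(SAMPLE_ZONE), ZONE_NAME)
    print("AXFR allowed from:", sorted(allowed))
    print("NS names without an A record in the zone (need explicit entries):", sorted(unresolved))
    for client in ("192.0.2.54", "192.0.2.80", "198.51.100.53"):
        print(client, "->", "accept" if axfr_permitted(client, allowed) else "refuse")
```

Because AXFR runs over TCP, a source-address check of this kind is not defeated by simple spoofing, but it only covers secondaries the zone itself names; any additional (unlisted) secondary has to be added to the allowlist by hand.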
5.5 Squid Updates

The Firewall's Web proxy server is based on Squid V2.4. This will be updated to V2.6. This update will address a number of minor bugs. This update is being made to bring the proxy server up to date and to improve performance. At the same time the proxy server's logging sub-system will be updated to use syslog so that proxy server logs may be redirected to external logging and reporting systems. There are no other changes in functionality.

5.6 Proxy Server available via Client and Server VPN

Use of the proxy server is currently restricted to web browsers on systems connected to the SSN or Internal networks (or to routed subnets). This enhancement will allow the configuration to be modified to permit use of the proxy server for systems connected via IPSec client-server and server-server VPNs. This, combined with appropriate configuration of IPSec ACLs and the IPSec client personal firewall, will enable remote users' Internet access to be routed through the Firewall so that their access may be logged and subject to the same controls as local users.
6 IPSec Enhancements

A series of updates and enhancements for the IPSec server option will be released with V7.1.

6.1 Extended IPSec Client Authentication

The optional extended IPSec client authentication will be enhanced to enable client authentication to use a RADIUS/LDAP back-end database as an alternative to the local user database hosted on the Firewall. The RADIUS authentication options will also support additional authentication types, including challenge/response and one-time password tokens.

6.2 Support for IPSec Templates

VPN connection templates will be added to the IPSec server. A connection template will simplify the management of VPN connections by defining parameters that will be common to multiple connections. Once a series of templates has been defined, new server-server or client-server VPN connections can be created simply by defining the VPN peer's identification and authentication data and assigning it to a template.
7 Future Development

Development on the Firewall Server will continue after the releases of V7.0 and V7.1. The exact development plans have not yet been finalised, but these plans will include the following:
• Centralized management of multiple firewalls
• IPv6 support
• Enhancements to the current alarm system to provide a fully functional Intrusion Detection System
8 Common Criteria Certification

BorderWare was the first firewall in the world to achieve Common Criteria EAL4 certification, in January 2000, and the only firewall to have achieved a second certification, in January 2002. The most recent certification included EAL5 vulnerability analysis. BorderWare intends to continue its leadership in this area as follows:
• Obtaining certification of the V7 series firewall software (most likely V7.1)
• Enrolling in the CC certificate maintenance program effective with the above certification