January 2001
Reviewing the InstaGate EX Firewall
by Adam Olson
For anyone who wants to increase the security of
their business or home network, a firewall is a must
have. It is a necessity for any network that is
reachable over an external or publicly accessible
connection. A wide range of tools exist that enable
otherwise harmless script kiddies to scan, probe, and
exploit well-known vulnerabilities in any reachable
network. Firewalls fulfill a key requirement for such a
network: they keep potentially harmful traffic at bay
and help maintain the integrity and confidentiality of
the data behind them.
If you’re in the market for a firewall, my review of
the InstaGate EX by eSoft will provide you with helpful
information on a specific product and on firewalls in
general. The InstaGate EX is targeted at a small to
medium size enterprise with 10 to 250 users. I will
examine various aspects of the InstaGate EX that are
important when choosing any firewall product, such as
management, performance, virtual private network (VPN)
support, security, and resiliency.
First Impressions
As soon as the firewall was delivered, I was anxious
to play with it. When I finally found time to open up
the box, I was pleased by the device's simplicity and
unimposing presence.
The device measures roughly 12" x 12" x 3" high. On
the front of the box, there is simply an On/Off button
and three LEDs for Power, Disk, and WAN activity. That's
always spiffy looking in a server room! No screws, no
covers, nothing else but an air vent. I did notice that
there aren't any holes for attaching mounting brackets.
Based on its physical size, however, it can fit just
about anywhere.
The back of the device sports three card slots, a VGA
port, two DB9 serial ports, a printer port, an RJ-45
port labeled WAN, and two USB ports. The USB ports are
non-functional in the InstaGate EX.
Under the Hood
What exactly makes up the InstaGate firewall? You're
looking at Red Hat 6.1 on a 500 MHz processor with
anywhere between 64 and 512 MB of RAM, a 10.2 GB hard
drive, and two 10/100 Mbps auto-sensing Ethernet ports.
An internal modem and a EuroISDN card are available
options.
I found that a lot of the internals are actually
versions of open-source software. For example, the Web
server is Apache, the proxy/cache server is Squid, the
packet filter is ipchains, and the POP3 daemon is
qpopper. Overall, this firewall comprises both well-known
software packages and custom code. I get the feeling
that most of the services provided by the firewall run
on open-source code, while the management front end
contains most of the custom code. That is not a weakness
in itself, but it means the appliance inherits whatever
security advisories affect those packages, so how
quickly eSoft ships updates for them matters as much as
the quality of the custom code.
Initial Setup
The InstaGate can accommodate various network
configurations. It has one 100 Mbps Ethernet interface
for the private internal network and one 100 Mbps
Ethernet interface for the public or external network.
This allows for easy deployment behind a border frame
relay, ISDN, DSL, or cable router, meaning firewall
protection between any two IP networks. It also supports
direct connection to an ISP via EuroISDN or an
internal/external modem.
The network configuration I tested, and probably the
one most often used, featured the InstaGate EX between
two Ethernet segments, one external and the other
internal. This is a very common network configuration
because the firewall doesn't require any special WAN
interface; it simply passes IP traffic between two
networks. It's much easier to do this, for example, than
to have an integrated CSU/DSU Serial interface right on
your firewall. However, as mentioned, the InstaGate does
offer the ability to connect directly to an ISP via
dialup or EuroISDN if needed.
The physical setup was a breeze. Plug in the power,
connect the two Ethernet ports to their respective
locations, and flip the power switch. After about two
minutes, the firewall was up.
Basic Configuration
The firewall's entire configuration is done through a
GUI served on port 8000 of the Web server. By default,
the IP address on the internal interface is 192.168.1.1,
so to reach the GUI I placed a machine on the internal
network, pointed my browser at http://192.168.1.1:8000,
and logged in with the default administrative account.
Then the Setup Wizard began. Note that this is plain
HTTP: until the switch to SSL described under SoftPaks
below, the administrative password crosses the internal
network in the clear, which is one more reason to change
the default account's password in the wizard.
The Setup Wizard consists of a series of forms that
gather basic system information, such as connectivity
options, ISP information, user accounts, administrator
password, etc. It was easy to use, and the firewall was
operational in a very short time. Once I pointed the
default routes on my internal boxes at the InstaGate, I
could immediately see the outside world. Web browsing
required pointing the browser at the Squid proxy on
port 8080; applications like telnet and ftp worked
right away without any proxy configuration.
Additional Features
The InstaGate EX can also act as your mail server, or
can relay your mail as it comes into an internal email
system, which would be of use if you didn't want your
email hosted by your ISP. This feature was extremely
easy to configure through the Web based GUI. After
enabling the mail server and creating a few accounts, I
could send and receive email via POP3 and IMAP without a
problem.
One feature everyone wants in a firewall is the
ability to permit traffic from specific external IP
addresses to certain internal hosts. This is easily
accomplished on the InstaGate EX by creating
"passthrough" rules or by modifying the firewall policy
table.
Other features include a Web server for Intranet and
Internet access, a file and print server for local
Windows and Macintosh boxes, and a DHCP server. The Web
server configuration is very straightforward and can be
used to serve up not only a company site, but individual
Web pages as well. A new SoftPak (SoftPak details below)
will be out in the near future, and is supposed to bring
increased functionality to the Web server as well.
The InstaGate EX also has an easy-to-use Backup and
Restore function. With this, you can customize what gets
backed up and to where (a Windows share or
ftp directory), as well as a schedule with
retention values. The backups are stored in a compressed
tar file.
SoftPaks
eSoft has developed a system for end users to request
certain features to be downloaded into their firewall.
Each group of software is called a SoftPak. The eSoft Web
page currently lists four SoftPaks available for
download:
- Anti Virus -- Virus protection.
- Firewall Policy Manager -- Firewall enhancement.
- SiteFilter -- Web content filtering.
- SmartReports -- Extended reporting capabilities.
Downloadable SoftPaks are a good idea, because
maintenance of the firewall becomes easier as new
features are added. I downloaded all of the SoftPaks to
give them each a whirl; I found that they provided
useful functions in their designated areas, and they
were all easy to use. Each SoftPak comes with a
subscription charge that is based on either a monthly or
yearly time period. The process for obtaining a SoftPak
is quite easy. Choose the one you want, click download,
click install, and you've got it! The billing is tracked
by the unit's serial number and registration
information.
After installing all of the SoftPaks, I noticed that
all the Web administration had switched over to Secure
Sockets Layer (SSL), that is, to encrypted HTTPS. So,
not only was I administering the firewall via my VPN
connection, but SSL was thrown into the mix as well.
The Anti-Virus SoftPak is great. It seamlessly adds
the ability to scan emails and attachments for known
viruses and will add a header detailing the scan results
to each received email. It will also strip the
attachments out of the message, if desired.
Alerts and Reporting
With any firewall, the administrator needs to know
when something fishy is going on, or when a given
threshold is crossed. The InstaGate EX meets these needs
with a number of options under its Alerts and Reports
section. The options include:
- System Alert Settings -- Alerts for user quotas,
transfer quotas, and failed connection attempts.
- Internet Connection -- Hours of connect time,
megabytes sent and received.
- Web Access -- Per-user Internet use report.
- Email Usage -- Per-user report on amount of email
sent and received.
- File Sharing -- Shared files, including size.
- User Quotas -- Per-user report on disk usage.
- System Security -- Report of failed login
attempts.
These reports are easy to generate, and the alerts
are sent to the list of administrators via email. After
installing the firewall enhancement SoftPak, my reports
began to include stats on denied traffic in general.
These stats are vital; failed logins are nice to know
about, but what about when someone port scans your box
and that's the end of it? Reports with this kind of
information are a must-have on any firewall.
VPN
The InstaGate EX comes with a very smooth
implementation of the Point-to-Point Tunneling Protocol
(PPTP) that allowed me to establish a VPN from a Windows
98 box, dial into Earthlink, to the InstaGate with
extreme ease. It took only a few mouse clicks to enable
the PPTP instance on the firewall, which is much better
than the time it took me to configure the Windows side.
Here’s how it works: After enabling PPTP on the
InstaGate and creating a user account, you’re finished
with the firewall configuration. On the Windows box,
create a new dial-up networking connection, but use the
Microsoft VPN Adapter as the device. Once you are dialed
up to your ISP, you can open the VPN connection, put in
your login information, and click connect. About five
seconds later, you should have a VPN connection to the
firewall! On my Windows box, the default route was
modified to point over my VPN interface automatically,
which allowed me to point my local browser at the
InstaGate Web proxy. This is cool for people who want
easy access to a proxy server. The end result will be an
encrypted session to your office, and proxy support all
in one.
I also noticed an option to create IPSec VPNs, which
is primarily used to build encrypted tunnels between
InstaGate firewalls at separate sites. I was unable to
test this because I only had one unit. When choosing
between the two, keep in mind that the MS-CHAP
authentication and MPPE encryption PPTP relies on had
been publicly analysed and found weak well before this
review; treat PPTP as a convenient remote-access option
rather than strong cryptography, and prefer IPSec where
both ends support it.
Security and Resiliency
I performed a number of port scans against the
firewall and found an extremely low number of services
running on the external interface, which is exactly
what you want to see. After I had enabled the mail
server and the PPTP server for VPN usage, the only ports
answering were 110 (POP3), 143 (IMAP), and 1723 (PPTP).
I found a much larger number on the internal interface,
but they all corresponded to services I had enabled,
such as file sharing, printing, a Web server, and an ftp
server. Two caveats apply to that picture. A TCP port
scan says nothing about UDP, nor about the GRE traffic
(IP protocol 47) over which PPTP carries its tunnel, so
it is not a complete inventory of what the external
interface accepts. And POP3 on 110 and IMAP on 143 are
cleartext protocols: the mailbox passwords of users who
read mail from outside cross the Internet unencrypted
unless they do so through the VPN.
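A way to reproduce the external-interface check above offline, as an added example (not the review author's tooling): a TCP connect scan run against listeners the script itself opens on loopback. The host, helper names and port selection are the example's own; the OS picks the port numbers, so they will not be 110, 143 and 1723.

```python
"""TCP connect scan of the kind used above to enumerate listening services, run
here against listeners opened on loopback so it works offline. Added example, not
the review's tooling: the listeners stand in for the firewall's external
interface, and the port numbers are whatever the OS hands out."""
import socket
from typing import List


def tcp_connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on `host` that complete a TCP three-way handshake.

    A full connect() is the least stealthy probe there is: the target sees a
    complete connection and, on a firewall that logs denies, one log line per
    port. It also only covers TCP; UDP services and PPTP's GRE data channel
    (IP protocol 47) are invisible to it.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:        # refused, filtered (timeout) or unreachable
                continue
            open_ports.append(port)
    return open_ports


def service_name(port: int) -> str:
    """Label a port the way the review does, e.g. 110 (pop3); 'unknown' if unlisted."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def open_listeners(n: int, host: str = "127.0.0.1") -> List[socket.socket]:
    """Bind n listening sockets on OS-chosen ports. The kernel completes the
    handshake from the backlog, so no accept() loop is needed for a connect scan."""
    socks = []
    for _ in range(n):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))
        s.listen(5)
        socks.append(s)
    return socks


def reserve_closed_ports(n: int, host: str = "127.0.0.1") -> List[int]:
    """Ports that were free a moment ago, used as known-closed probes."""
    ports = []
    for _ in range(n):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((host, 0))
            ports.append(s.getsockname()[1])
    return ports


def run_demo():
    """Scan three open and three closed loopback ports; returns (expected, found)."""
    listeners = open_listeners(3)
    expected = sorted(s.getsockname()[1] for s in listeners)
    closed = reserve_closed_ports(3)
    try:
        found = tcp_connect_scan("127.0.0.1", sorted(set(expected + closed)))
    finally:
        for s in listeners:
            s.close()
    return expected, found


if __name__ == "__main__":
    expected, found = run_demo()
    for port in found:
        print(f"{port} ({service_name(port)}) open")
```

Run it as a script and only the three listener ports are reported open; point `tcp_connect_scan` at a real external interface with a list such as `range(1, 1025)` to reproduce the review's check, and pair it with a separate UDP probe and a GRE test if PPTP is in play.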
I attempted to connect to a passthrough port several
times, from a host not authorized to do so, and was
unsuccessful each time. The attempt was also logged and
displayed in the System Security report.
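The passthrough rule described under Additional Features, the logged denial just tested, and the denied-traffic statistics the Alerts and Reporting section asks for all rest on one mechanism: an ordered packet-filter chain with a default DENY. The Python model below is an added example, not eSoft's code or the InstaGate's actual rule set. The addresses, rules and sample packets are constructed, and `as_ipchains` only renders the shape of the equivalent ipchains command; ipchains is stateless, so a real rule set also needs rules admitting return traffic, which this model omits.

```python
"""Ordered first-match packet filter modelled on an ipchains chain, with a default
DENY policy, one "passthrough" rule admitting a single external host to an internal
service, and a logged catch-all DENY whose hits feed a per-source report.
Added example, not eSoft's code; addresses, packets and log format are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


class Rule(NamedTuple):
    action: str                    # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"         # source network, CIDR
    dst: str = "0.0.0.0/0"         # destination network, CIDR
    proto: str = "tcp"
    dport: Optional[int] = None    # None matches any destination port
    log: bool = False              # ipchains "-l": log the match

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))

    def as_ipchains(self, chain: str = "input") -> str:
        """Render the rule as the ipchains command that would install it."""
        parts = ["ipchains", "-A", chain, "-p", self.proto, "-s", self.src, "-d", self.dst]
        if self.dport is not None:
            parts.append(str(self.dport))
        if self.log:
            parts.append("-l")
        parts += ["-j", self.action]
        return " ".join(parts)


class Firewall:
    """Evaluates rules top to bottom; the first match wins, else the default policy."""

    def __init__(self, rules: List[Rule], default: str = "DENY"):
        self.rules, self.default = rules, default
        self.log: List[str] = []          # what the System Security report would show
        self.denied: List[Packet] = []

    def filter(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                if rule.log:
                    self.log.append(f"{verdict} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                break
        else:
            verdict = self.default
        if verdict == "DENY":
            self.denied.append(pkt)
        return verdict

    def denied_report(self):
        """Per-source summary of denied attempts: who probed, how often, which ports."""
        by_src = {}
        for pkt in self.denied:
            entry = by_src.setdefault(pkt.src, {"attempts": 0, "ports": set()})
            entry["attempts"] += 1
            entry["ports"].add(pkt.dport)
        return sorted(by_src.items(), key=lambda kv: -kv[1]["attempts"])


def render_ipchains(fw: Firewall, chain: str = "input") -> List[str]:
    """Policy line first, then the chain's rules in order."""
    return [f"ipchains -P {chain} {fw.default}"] + [r.as_ipchains(chain) for r in fw.rules]


def build_policy() -> Firewall:
    return Firewall([
        # passthrough: partner host 203.0.113.10 may reach the internal ssh server only
        Rule("ACCEPT", src="203.0.113.10/32", dst="192.168.1.20/32", dport=22),
        # the LAN itself may talk to the firewall's internal-side services
        Rule("ACCEPT", src="192.168.1.0/24"),
        # logged catch-all so every other attempt lands in the security report
        Rule("DENY", log=True),
    ])


# Constructed traffic: one authorised passthrough, an unauthorised hit on the same
# port, an outside attempt at the admin GUI, a LAN admin session, a three-port probe.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.168.1.20", "tcp", 22),
    Packet("198.51.100.7", "192.168.1.20", "tcp", 22),
    Packet("198.51.100.7", "192.168.1.1", "tcp", 8000),
    Packet("192.168.1.55", "192.168.1.1", "tcp", 8000),
    Packet("198.51.100.9", "192.168.1.1", "tcp", 21),
    Packet("198.51.100.9", "192.168.1.1", "tcp", 23),
    Packet("198.51.100.9", "192.168.1.1", "tcp", 25),
]


def run_demo():
    fw = build_policy()
    verdicts = [fw.filter(p) for p in SAMPLE_PACKETS]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_demo()
    for line in render_ipchains(fw):
        print(line)
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(v, pkt)
    for src, info in fw.denied_report():
        print(f"{src}: {info['attempts']} denied, ports {sorted(info['ports'])}")
```

The order of the rules is the policy: the passthrough sits above the catch-all, so the partner host gets in on port 22 and nothing else, and the catch-all's `-l` is what turns a silent port scan into the per-source report the review asks for.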
Performance
To test the performance of the InstaGate EX, I used
two separate methods. The first consisted of several
82-MB file downloads via ftp, and the second was a
user-perception test: how quickly my SSH or telnet
sessions were reacting. I conducted both tests on two
separate machines, one behind the InstaGate EX and one
with a clear path out of the network. Comparing the
results gave me a better idea of the latency the
InstaGate EX injects into a session.
I found that when downloading a large file offsite
via ftp, the difference in download time was negligible
between a host behind the firewall and one that was
not. However, when the file was on a local machine, the
time difference was huge: roughly 240 seconds when
behind the firewall, and 10 seconds when not. For an
82-MB file that works out to about 3 Mbit/s through the
firewall against roughly 65 Mbit/s direct. I'd have to
attribute this to the overhead that is added to a
session when a proxy is involved. The overhead really
becomes apparent as the throughput increases, because
the firewall just can't sustain those high transfer
rates; an offsite download is capped by the Internet
link long before the firewall becomes the bottleneck,
which is why the first test showed no difference.
Moving, or mirroring, your ftp server behind the
firewall avoids this delay.
When running the user perception test, I didn't
notice a difference between SSH or telnet
through the firewall versus not having a firewall. Both
performed at normal levels.
Documentation
The InstaGate EX shipped with very little paper
documentation: basically what I'd consider a "getting
started" guide. The rest of the documentation was in PDF
format on the accompanying CD, which also holds a little
utility for setting up clients. Even though the need to
consult the documentation is next to none, I would have
liked a paper version of the PDF document. I prefer to
reach for the book instead of searching for the digital
formats.
Overall Likes, Dislikes, and Rating
One of the best aspects of the InstaGate EX is the
ease of administration. Because it is designed for a 10-
to 250-user network, it is really meant for a small to
medium-size company, in which a fairly small IT support
staff would appreciate a box like this. Additionally,
the InstaGate EX provides a lot of functionality in one
device. A medium-size company can use it for its Web
server, ftp server, mail server, VPN
server, and firewall. It's nice when a firewall is just
a firewall, but when a smaller company is looking for an
economical and secure solution, this device can fit that
role.
I don't have a lot of complaints about this firewall,
because it really fits the audience it was designed for.
A small improvement I would like to see is a paper
version of the documentation.
Conclusion
The InstaGate EX is a solid and very functional
firewall. It can provide a large number of services that
would otherwise require additional hardware expenditures
and increase the total cost of ownership. It is
extremely easy to manage, quick, and functional, and the
SoftPak system will make it easy to maintain.
Pricing and Contact Information
Category                   | 25 users | 50 users | 100 users | 250 users
InstaGate EX               | $795     | $995     | $1,495    | $2,195
Enhanced Firewall Module   | $500     | $750     | $1,195    | $1,695
Premier Care Agreement 1yr | $199     | $249     | $399      | $499
Premier Care Agreement 2yr | $299     | $374     | $599      | $749
Add V.90 modem             | $150     | $150     | $150      | $150
Add EuroISDN               | $165     | $165     | $165      | $165

Monthly Subscription Price | 25 users | 50 users | 100 users | 250 users
InstaGate EX               | $49      | $75      | $129      | $209
Enhanced Firewall Module   | $25      | $39      | $75       | $110
Anti-Virus Screening       | $65      | $100     | $150      | $315
Anti-Virus Screening (1yr) | $741     | $1,140   | $1,710    | $3,591
Site Filter                | $45      | $89      | $145      | $200
Site Filter (1yr)          | $513     | $1,015   | $1,653    | $2,280
Reporting                  | $25      | $49      | $89       | $199
Reporting (1yr)            | $285     | $559     | $962      | $2,269
Firewall Monitoring        | $85      | $85      | $85       | $85
Firewall Monitoring (1yr)  | $969     | $969     | $969      | $969
Basic Firewall Mgmt        | $120     | $120     | $120      | $120
Basic Firewall Mgmt (1yr)  | $1,368   | $1,368   | $1,368    | $1,368
Firewall Setup (one time)  | $250     | $250     | $250      | $250
eSoft, Inc.
295 Interlocken Blvd., Suite 500
Broomfield, CO 80021 USA
Phone: 888-903-7638
Fax: 303-444-1640
[email protected]
http://www.esoft.com/
Adam Olson lives in the Bay Area, but will soon be
moving to Tahoe. He has helped build a successful
ISP (http://www.humboldt1.com/), designed
and configured portions of the California Power Network
while working at MCI WorldCom, and is currently working
for a startup in Santa Clara (http://www.quaartz.com/). Adam is
looking forward to moving to the mountains. He can be
reached at [email protected].