Kernel-level protection against intruders

[Editor's Note: At press time, Network-1 Security Solutions had released CyberwallPLUS-SV 5.2, which includes several updates and enhancements (e.g., a new central management utility, new network intrusion signatures, QuickStart guide) to the 5.1.1 version. For more information about this release, visit the company's Web site.]

User access controls provide an incomplete OS defense against network-based attacks. Windows NT provides some TCP/IP network security features, but these features merely limit access to specific TCP ports, UDP ports, and IP protocols. Traditional routing-technique-based firewalls provide network inspection points that actively control access to a trusted network. Such firewalls add some security to NT but have shortcomings: they offer only one line of defense, at the network perimeter; they are difficult to deploy; they have a fixed packet-per-second performance limit; and they carry a high purchase price. Network-1 Security Solutions' CyberwallPLUS-SV 5.1.1 protects NT servers at the kernel level. CyberwallPLUS-SV comes on a CD-ROM with CyberwallPLUS-AP, which protects your network from internal attacks, and CyberwallPLUS-IP, which protects your network perimeter from outside attacks.

Managing Cyberwall
CyberwallPLUS-SV is a software-based embedded firewall that resides at the kernel level on an NT server, between the host's Ethernet NICs and the network protocol stacks. During installation, the program bonds its proprietary virtual Network Driver Interface Specification (NDIS) driver to the server's NIC drivers and inspects all incoming and outgoing packets. The product includes high-speed packet filtering, highly granular rules-based access control, stateful packet inspection, and extensive logging. In addition, Cyberwall's intrusion-protection feature recognizes, defeats, and logs known network attack signatures in real time.

The software has nine control areas. The Main tab includes buttons to start the Cyberwall filter, manage remote Cyberwall systems, back up Cyberwall policies and sets, save Cyberwall sets, schedule policies, and update license information. The System tab shows the NIC that manages traffic. Nodes are servers and the clients that access the servers. The Nodes tab lets you manage three types of nodes: broadcast, local machine, and untrusted. Cyberwall uses broadcast nodes to broadcast and multicast packets to network users and systems. The firewall software considers the machine on which it resides as the local machine node and anything that sits above the kernel level (including other nodes and application servers that the program manages) as untrusted nodes. This architecture protects the entire system from intrusions.

CyberwallPLUS-SV uses a rule set to filter incoming and outgoing traffic to the local machine. You can set these rules in the Rules tab. Choose from user-friendly, prebuilt security policy templates (e.g., allow incoming connections only, allow VPN access), or create a custom rule set. The Protocols tab includes various protocols, such as HTTP, TCP, and UDP. You can use granular settings to customize the protocols, and you can add new protocols. The Statistics tab displays the time that the filter engine started, incoming and outgoing connections, the number of configured rules and filters, and current connections. In this tab, you can quickly kill a connection.

The Logs tab has color-coded logs for events, connections, intrusions, and applications. The event-log information is granular; the information includes all the protocols you're tracking for the event, destination media access control (MAC) address, and destination manufacturer. The Reports tab lets you create comma-delimited reports for each event log. The comma-delimited files are cumbersome, so I was disappointed that the reports didn't include HTML-based reports and graphs. The Intrusion Setup tab contains detection options for 15 common attacks, including Smurf, TCP/UDP port scans, SYN Flood, Fraggle, and WinNuke. By default, CyberwallPLUS-SV enables all 15 detection options and logs intrusions for these attacks. You also can modify the properties for each intrusion entry to enable email alerts, or you can click Add and edit the entry to add custom intrusion-detection events.

Entering Cyberwall
I followed the software's easy installation wizard to install CyberwallPLUS-SV. Then, I restarted the system and opened CyberwallPLUS-SV from the Start menu. The program prompted me to choose a local host, remote host, or local system files. I selected Local Host, which opened the main task screen.

I clicked the Start Filter option, which looks like a stoplight, and waited for the light to turn green. I went to the System tab to see the NIC that managed traffic. To add a node for a test client system that I named kayak, I went to the Nodes tab, right-clicked Any Node under the Untrusted Nodes tree, clicked Add Node, and entered kayak and my system's IP address. (You can add a range of IP addresses, which speeds up processing large numbers of systems.) I clicked OK, and my system appeared under the Untrusted Nodes tree, as Screen 1 shows.

I tested the system by pinging to and from my test server, without success. Next, I went to the Rules tab and changed the policy to Allow IP connections in and out. I saved the policy and attempted the pings again, this time successfully. To test the default settings, I used AG Group's AGNetTools to run a port scan on my test server. I went to the Logs tab, clicked Intrusion Log, and noted multiple entries for a TCP port scan from my test client.
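
As an added illustration (not code from this review or from Network-1), the sketch below shows one common way a host-based filter can turn a burst of connection attempts, like the port scan in the test above, into intrusion-log entries: it counts distinct destination ports per source inside a sliding time window. The thresholds, record layout, and addresses are assumptions constructed for the example; the review does not describe how CyberwallPLUS-SV's signatures work internally.

```python
from collections import defaultdict, deque

# Assumed thresholds for this sketch; the product's real values are not on the page.
WINDOW_SECONDS = 5.0
PORT_THRESHOLD = 10


def detect_port_scans(packets, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return intrusion-log style entries for sources that send initial TCP SYNs
    to `threshold` or more distinct ports on one host within `window` seconds.

    `packets` is an iterable of (timestamp, src_ip, dst_ip, dst_port, tcp_flags)
    tuples sorted by timestamp.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    alerted = set()               # (src, dst) pairs already reported once
    alerts = []
    for ts, src, dst, port, flags in packets:
        if "S" not in flags or "A" in flags:
            continue              # only connection attempts count, not replies
        key = (src, dst)
        seen = recent[key]
        seen.append((ts, port))
        while seen and ts - seen[0][0] > window:
            seen.popleft()        # drop attempts that fell out of the window
        distinct = {p for _, p in seen}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"time": ts, "source": src, "target": dst,
                           "event": "TCP port scan", "ports_seen": len(distinct)})
    return alerts


def sample_traffic():
    """Constructed sample: one scanning client plus ordinary web and mail clients."""
    server = "192.0.2.1"          # documentation-range addresses, not real hosts
    pkts = [(0.1 * i, "192.0.2.10", server, 20 + i, "S") for i in range(20)]
    pkts += [(0.5 * i, "192.0.2.20", server, 80, "S") for i in range(20)]
    pkts += [(1.0 * i, "192.0.2.30", server, p, "S")
             for i, p in enumerate((25, 110, 25, 110))]
    return sorted(pkts)


if __name__ == "__main__":
    for alert in detect_port_scans(sample_traffic()):
        print(alert)
```

Only the scanning client is reported; the web client that reconnects to port 80 many times and the mail client that uses two ports stay below the distinct-port threshold.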

Getting Behind Cyberwall
You can use CyberwallPLUS-SV to protect Web servers outside your perimeter firewall or to protect servers within the perimeter firewall from both internal and external threats. Also, Cyberwall might be a better solution to protect servers connected to high-speed communications links, because a Cyberwall-protected server must process a rule set only for itself, whereas a perimeter firewall must process rule sets for all the servers that the firewall protects.

Prebuilt security templates contribute to the product's easy installation and configuration. Systems administrators with firewall experience will find CyberwallPLUS-SV to be a great addition to their arsenals, although initially the software might confuse new firewall users. Depending on the number of servers you want to protect, the product might cost much less than traditional firewalls. If you want to provide superior strength to your application servers and network, Cyberwall is a must-have tool.

CyberwallPLUS-SV 5.1.1
Contact: Network-1 Security Solutions * 781-522-3400 or 800-638-9751
Price: $995 for 1 CD-ROM; $6995 for a package of 10 CD-ROMs; $14,995 for a package of 25 CD-ROMs
Pros: Easy to install and configure; can cost less than perimeter firewalls (depending on the number of servers you want to protect); protects servers from internal and external attacks at the kernel level; application-specific security templates get users up and running quickly; tabbed interface lets you move quickly between product features
Cons: Help file is disorganized; software lacks QuickStart menu and tutorials