
T.REX Firewall: protection by proxy

Written by Todd Underwood, Contributor
Touted as "the open source firewall," you'd expect T.REX Firewall to be completely open source. But for the latest release of the product (version 2), no source is available. The firewall itself is a patchwork of closed and open source products that offer proxy support for a variety of protocols. Although T.REX Firewall offers a wide array of features, the difficulty of implementing and managing those features makes the product most appropriate for IT departments that have a high level of technical expertise.

Functions
T.REX is an ambitious product. It includes software used to proxy a huge variety of protocols (HTTP, FTP, NTP, RealAudio, RTSP), provides full-featured system-monitoring tools, and can balance load and proxy for inbound connections. Such functionality sounds great until you realize that each proxy must be configured separately.

T.REX can perform load balancing for inbound HTTP requests, strip Java, JavaScript, and cookies out of internal users' Web traffic (to protect those users), and block Web sites from a list. Additionally, it can filter inbound mail through a secure mail server and can proxy Telnet and FTP sessions. T.REX also features hardware acceleration support for VPN connections and supports various secure hardware token devices for increased security.

Not your everyday packet filter
Most firewalls (commercial and open source) are packet filters that watch traffic going through the firewall and block packets according to a rule set. Sophisticated packet filters, such as ipfilter and netfilter/iptables, use stateful packet filtering to remember outbound traffic and allow the responses to that traffic back in. T.REX, on the other hand, is an application layer gateway (ALG) that sits in the middle of every network conversation. Instead of connecting directly to a server, a client connects to T.REX and, if T.REX decides that the connection is acceptable, T.REX connects to the server on behalf of the client. T.REX then passes the traffic for that connection back and forth between the client and the server.

Although generally considered more secure than packet filters (stateful or otherwise), ALGs suffer from two disadvantages. First, they tend to be a lot slower than packet filters. And second, in order to support a network protocol, new software must be written for the ALG to understand that protocol. This is exactly why T.REX includes so many different programs.

Security by proxy
Network-based firewalls (packet filters and stateful packet filters) cannot properly protect servers accessed by the public: once a port is open, whatever arrives on it is forwarded unread. For example, if a firewall is configured to allow Web traffic and your Web server is a vulnerable version of Microsoft's IIS Web server, attackers will still be able to attack the Web server. In the case of a proxy (or ALG), however, the HTTP proxy parses each request and performs specific checks on the requests it allows through, so that many attacks on the server may fail to get through the firewall at all. In this way, even vulnerable Web servers can be protected.
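The difference between the two models in the last two sections (a packet filter that merely opens TCP/80 versus an ALG that parses each request, applies policy, and only then connects onward), plus the cookie stripping mentioned under Functions, is illustrated by the following added example. It is constructed for this review and is not T.REX code; the policy limits, header names and sample requests are assumptions made up for the demonstration.

```python
"""Minimal HTTP application-layer gateway (ALG) checks, constructed example.

A packet filter that permits TCP/80 forwards any bytes; an ALG parses each
request and only forwards the ones that pass policy. Nothing here is T.REX
code; the policy values and sample requests are assumptions for illustration.
"""
import re
from typing import Callable, List, Optional, Tuple

# Policy knobs: assumed values for this example, not T.REX settings.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_REQUEST_LINE = 2048
MAX_HEADERS = 50
CLIENT_HEADERS_TO_STRIP = {b"cookie"}   # hidden from the server, per Functions

REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (/[^ \x00-\x1f]*) (HTTP/1\.[01])$")
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc\r\n\r\n"
TRAVERSAL_REQUEST = b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0\r\nHost: srv\r\n\r\n"
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: srv\r\n\r\n"
LONG_REQUEST = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: srv\r\n\r\n"
NUL_REQUEST = b"GET /a%00.html HTTP/1.1\r\nHost: srv\r\n\r\n"


def packet_filter_allows(dst_port: int) -> bool:
    """What a plain packet filter decides: port 80 is open, so every request above passes."""
    return dst_port == 80


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes, List[Tuple[bytes, bytes]], bytes]]:
    """Parse an HTTP/1.x request; return None when the head is not well-formed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    headers = []
    for line in lines[1:]:
        hm = HEADER_RE.match(line)
        if not hm:
            return None            # folded, empty or colon-less header line
        headers.append((hm.group(1), hm.group(2)))
    return m.group(1), m.group(2), m.group(3), headers, body


def inspect_request(raw: bytes) -> Tuple[bool, str]:
    """ALG policy: decide whether a client request may be forwarded to the server."""
    if len(raw.split(b"\r\n", 1)[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parsed = parse_request(raw)
    if parsed is None:
        return False, "malformed request"
    method, target, _version, headers, _body = parsed
    if method not in ALLOWED_METHODS:
        return False, "method not allowed: " + method.decode()
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    path = target.split(b"?", 1)[0]
    # Decode %xx once (a server that decodes twice would need this repeated),
    # then reject NULs, control characters and ".." segments on either slash.
    decoded = re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), path)
    if any(c < 0x20 for c in decoded):
        return False, "control character in path"
    if any(seg == b".." for seg in re.split(rb"[/\\]", decoded)):
        return False, "path traversal"
    if not any(n.lower() == b"host" for n, _ in headers):
        return False, "missing Host header"
    return True, "ok"


def strip_client_headers(raw: bytes) -> bytes:
    """Rebuild the request without headers the policy says the server must not see."""
    parsed = parse_request(raw)
    if parsed is None:
        raise ValueError("refusing to rewrite a malformed request")
    method, target, version, headers, body = parsed
    kept = [n + b": " + v for n, v in headers if n.lower() not in CLIENT_HEADERS_TO_STRIP]
    return b"\r\n".join([method + b" " + target + b" " + version] + kept) + b"\r\n\r\n" + body


def gateway(raw: bytes, backend: Callable[[bytes], bytes]) -> Tuple[bytes, str]:
    """The ALG in the middle: refuse, or forward a rewritten request to the server."""
    ok, reason = inspect_request(raw)
    if not ok:
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n", reason
    return backend(strip_client_headers(raw)), reason


if __name__ == "__main__":
    echo_server = lambda req: b"HTTP/1.1 200 OK\r\n\r\n" + req   # stands in for the Web server
    for name, req in [("good", GOOD_REQUEST), ("traversal", TRAVERSAL_REQUEST),
                      ("trace", TRACE_REQUEST), ("long", LONG_REQUEST), ("nul", NUL_REQUEST)]:
        _resp, why = gateway(req, echo_server)
        print(f"{name:10s} packet filter: pass   ALG: {why}")
```

Every sample request reaches the server under the packet-filter model, while the ALG forwards only the well-formed GET, and forwards it with the Cookie header removed. Real proxies also bound header and body sizes and normalise the path more carefully; the checks above are the shape of the idea, not a complete policy.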

Installation and configuration

Running a simple shell script from the T.REX CD installs binaries and configuration files to the proper locations. The script also makes an attempt to secure the existing operating system by removing many standard services already running on the system.

The installation script ends with a few instructions on how to configure the system--in fact, no fewer than 30 tasks are necessary to configure T.REX. Although you don't have to complete every task to get a minimal firewall running, most administrators will need to perform most of the tasks to provide reasonable support for their users. The T.REX Web site does offer a 400-page manual that covers installation and configuration in depth.

The T.REX system will not work at all unless BIND (a DNS server) is installed on the system. Also, you must edit more than 15 text files, specifying everything from network topology to the kind of Web application blocking that's desired. Configuring the Web proxy (Apache) involves editing Apache's httpd.conf file. Several of the other included proxies have their own configuration environments, and no clear direction is provided regarding how they all interact. Finally, you must set up users on the firewall (or configure the firewall to find them elsewhere on a RADIUS or LDAP server), and this process is poorly documented. Once installed, the proxies can be administered either locally on the server or through a Java-based program called "Hoplite," which requires the use of a CryptoCard hardware device.

Bottom line
Ultimately, due to its complexity, T.REX Firewall is most appropriate for companies staffed by Unix experts who know the ALG firewall model inside and out. T.REX pricing starts at $300 for 15 concurrent connections, up to $31,500 for unlimited connections on a 6-processor server.
