Unix Review

January 2001

Reviewing the InstaGate EX Firewall

by Adam Olson

For anyone who wants to increase the security of their business or home network, a firewall is a must-have; it's a necessity for any network that is reachable over any kind of external or publicly accessible connection. A wide range of tools exist that enable otherwise harmless script kiddies to scan, probe, and exploit well-known vulnerabilities in any reachable network. Firewalls fulfill a key requirement for such a network: they keep possibly harmful traffic at bay and maintain data integrity and security.

If you're in the market for a firewall, my review of the InstaGate EX by eSoft will provide you with helpful information on a specific product and on firewalls in general. The InstaGate EX is targeted at a small to medium-size enterprise with 10 to 250 users. I will examine various aspects of the InstaGate EX that are important when choosing any firewall product, such as management, performance, virtual private network (VPN) support, security, and resiliency.

First Impressions

As soon as the firewall was delivered, I was anxious to play with it. When I finally found time to open up the box, I was pleased by the device's simplicity and unimposing presence.

The device measures roughly 12" x 12" x 3" high. On the front of the box, there is simply an On/Off button and three LEDs for Power, Disk, and WAN activity. That's always spiffy looking in a server room! No screws, no covers, nothing else but an air vent. I did notice that there aren't any holes for attaching mounting brackets. Based on its physical size, however, it can fit just about anywhere.

The back of the device sports three card slots, a VGA port, two DB9 serial ports, a printer port, an RJ-45 port labeled WAN, and two USB ports. The USB ports are non-functional in the InstaGate EX.

Under the Hood

What exactly makes up the InstaGate firewall? You're looking at Red Hat 6.1 on a 500 MHz processor with anywhere between 64 and 512 MB of RAM, a 10.2 GB hard drive, and two 10/100 Mbps auto-sensing Ethernet ports. An internal modem and EuroISDN card are available options.

I found that a lot of the internals are actually versions of public domain software. For example, the Web server runs on Apache, the proxy/cache server runs on Squid, the packet filter is ipchains, and the POP3 daemon used is qpopper. Overall, this firewall comprises both well known software packages and custom code. I get the feeling that most of the services provided by the firewall are running on public domain code, while the management front end contains most of the custom code.

Initial Setup

The InstaGate can accommodate various network configurations. It has one 100 Mbps Ethernet interface for the private internal network and one 100 Mbps Ethernet interface for the public or external network. This allows for easy deployment behind a border frame relay, ISDN, DSL, or cable router, meaning firewall protection between any two IP networks. It also supports direct connection to an ISP via EuroISDN or an internal/external modem.

The network configuration I tested, and probably the one most often used, featured the InstaGate EX between two Ethernet segments, one external and the other internal. This is a very common network configuration because the firewall doesn't require any special WAN interface; it simply passes IP traffic between two networks. It's much easier to do this, for example, than to have an integrated CSU/DSU Serial interface right on your firewall. However, as mentioned, the InstaGate does offer the ability to connect directly to an ISP via dialup or EuroISDN if needed.

The physical setup was a breeze. Plug in the power, connect the two Ethernet ports to their respective locations, and flip the power switch. After about two minutes, the firewall was up.

Basic Configuration

The firewall's entire configuration is done through a GUI running on port 8000 of the Web server. By default, the IP address on the internal interface is 192.168.1.1. So to access the GUI, I placed a machine on the internal network and pointed my browser at: http://192.168.1.1:8000, and logged in with the default administrative account. Then, the Setup Wizard began.

The Setup Wizard consists of a series of forms that gather basic system information, such as connectivity options, ISP information, user accounts, administrator password, etc. The Setup Wizard was easy to use, and the firewall was operational in a very short amount of time. Once I pointed the default routes on my internal boxes at the InstaGate, I could immediately see the outside world. I did have to point my browser at the Squid Web proxy, running on port 8080, before Web browsing would work. Applications like telnet and ftp worked right away.

Additional Features

The InstaGate EX can also act as your mail server, or can relay your mail as it comes into an internal email system, which would be of use if you didn't want your email hosted by your ISP. This feature was extremely easy to configure through the Web based GUI. After enabling the mail server and creating a few accounts, I could send and receive email via POP3 and IMAP without a problem.

One feature everyone wants in a firewall is the ability to permit traffic from specific external IP addresses to certain internal hosts. This is easily accomplished on the InstaGate EX by creating "passthrough" rules or by modifying the firewall policy table.

Other features include a Web server for Intranet and Internet access, a file and print server for local Windows and Macintosh boxes, and a DHCP server. The Web server configuration is very straightforward and can be used to serve up not only a company site, but individual Web pages as well. A new SoftPak (SoftPak details below) will be out in the near future, and is supposed to bring increased functionality to the Web server as well.

The InstaGate EX also has an easy-to-use Backup and Restore function. With this, you can customize what gets backed up and to where (a Windows share or ftp directory), as well as a schedule with retention values. The backups are stored in a compressed tar file.

SoftPaks

eSoft has developed a system for end users to request certain features to be downloaded into their firewall. Each group of software is called a SoftPak. The eSoft Web page currently lists four SoftPaks available for download:

  • Anti Virus -- Virus protection.
  • Firewall Policy Manager -- Firewall enhancement.
  • SiteFilter -- Web content filtering.
  • SmartReports -- Extended reporting capabilities.

Downloadable SoftPaks are a good idea, because maintenance of the firewall becomes easier as new features are added. I downloaded all of the SoftPaks to give them each a whirl; I found that they provided useful functions in their designated areas, and they were all easy to use. Each SoftPak comes with a subscription charge that is based on either a monthly or yearly time period. The process for obtaining a SoftPak is quite easy. Choose the one you want, click download, click install, and you've got it! The billing is tracked by the unit's serial number and registration information.

After installing all of the SoftPaks, I noticed that all the Web administration had switched over to Secure Sockets Layer (SSL) communication, meaning encryption. So, not only was I administering the firewall via my VPN connection, but SSL was thrown in the mix as well.

The Anti-Virus SoftPak is great. It seamlessly adds the ability to scan emails and attachments for known viruses and will add a header detailing the scan results to each received email. It will also strip the attachments out of the message, if desired.

Alerts and Reporting

With any firewall, the administrator needs to know when something fishy is going on, or when a given threshold is crossed. The InstaGate EX meets these needs with a number of options under its Alerts and Reports section. The options include:

  • System Alert Settings -- Alerts for user quotas, transfer quotas, and failed connection attempts.
  • Internet Connection -- Hours of connect time, megabytes sent and received.
  • Web Access -- Per-user Internet use report.
  • Email Usage -- Per-user report on amount of email sent and received.
  • File Sharing -- Shared files, including size.
  • User Quotas -- Per-user report on disk usage.
  • System Security -- Report of failed login attempts.

These reports are easy to generate, and the alerts are sent to the list of administrators via email. After installing the firewall enhancement SoftPak, my reports began to include stats on denied traffic in general. These stats are vital; failed logins are nice to know about, but what about when someone port scans your box and that's the end of it? Reports with this kind of information are a must-have on any firewall.
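The review notes earlier that the InstaGate's packet filter is ipchains, and the point of this section is that denied-traffic statistics, not just failed logins, are what reveal a port scan. The script below is an added example, not the review's or eSoft's code: it parses kernel log lines in the ipchains "Packet log:" format, groups DENY entries by source address, and flags any source that probed many distinct destination ports. The log lines are constructed for illustration, the hostname "instagate" and the interface names are made up, and the five-port threshold is an assumption a real report would tune.

```python
"""Summarise denied packets from ipchains-style kernel log lines.

Added example, not part of the review or of eSoft's software. The sample
log lines are constructed in the ipchains "Packet log:" format; the
hostname, interface names, addresses and scan threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = """\
Jan 15 10:32:01 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4021 198.51.100.2:21 L=60 S=0x00 I=1001 F=0x4000 T=51 SYN (#12)
Jan 15 10:32:01 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4022 198.51.100.2:22 L=60 S=0x00 I=1002 F=0x4000 T=51 SYN (#12)
Jan 15 10:32:01 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4023 198.51.100.2:23 L=60 S=0x00 I=1003 F=0x4000 T=51 SYN (#12)
Jan 15 10:32:02 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4024 198.51.100.2:25 L=60 S=0x00 I=1004 F=0x4000 T=51 SYN (#12)
Jan 15 10:32:02 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4025 198.51.100.2:80 L=60 S=0x00 I=1005 F=0x4000 T=51 SYN (#12)
Jan 15 10:32:02 instagate kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4026 198.51.100.2:8000 L=60 S=0x00 I=1006 F=0x4000 T=51 SYN (#12)
Jan 15 10:40:13 instagate kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.77:1034 198.51.100.2:8000 L=60 S=0x00 I=2001 F=0x4000 T=64 SYN (#14)
Jan 15 10:40:15 instagate kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.77:1035 198.51.100.2:8000 L=60 S=0x00 I=2002 F=0x4000 T=64 SYN (#14)
Jan 15 10:41:00 instagate kernel: Packet log: input ACCEPT eth1 PROTO=6 192.0.2.9:3055 198.51.100.2:110 L=60 S=0x00 I=3001 F=0x4000 T=60 SYN (#3)
Jan 15 10:41:30 instagate kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.9:53 198.51.100.2:53 L=80 S=0x00 I=4001 F=0x0000 T=60 (#15)
"""

# Fields of interest: chain, target, interface, protocol, src:sport, dst:dport.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarise_denied(log_text, scan_threshold=5):
    """Group DENY entries by source and flag sources touching many ports.

    scan_threshold (assumed value) is the number of distinct destination
    ports from one source above which the pattern is reported as scan-like.
    """
    by_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["target"] != "DENY":
            continue  # accepted traffic is not part of the denied report
        entry = by_src[rec["src"]]
        entry["packets"] += 1
        entry["ports"].add((rec["proto_name"], rec["dport"]))
    return {
        src: {
            "packets": e["packets"],
            "distinct_ports": len(e["ports"]),
            "scan_like": len(e["ports"]) >= scan_threshold,
        }
        for src, e in by_src.items()
    }


def format_report(summary):
    """Render the summary as the kind of text a daily e-mail report would carry."""
    lines = ["Denied traffic by source:"]
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        flag = "  <-- port-scan pattern" if e["scan_like"] else ""
        lines.append(f"  {src:<16} {e['packets']:>4} packets  "
                     f"{e['distinct_ports']:>3} ports{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise_denied(SAMPLE_LOG)))
```

Run against the sample, the report lists three sources and marks only 203.0.113.7 as scan-like: six denied packets to six different ports within two seconds, which is the pattern a failed-login report alone would never surface.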

VPN

The InstaGate EX comes with a very smooth implementation of the Point-to-Point Tunneling Protocol (PPTP) that allowed me to establish a VPN from a Windows 98 box, dial into Earthlink, to the InstaGate with extreme ease. It took only a few mouse clicks to enable the PPTP instance on the firewall, which is much better than the time it took me to configure the Windows side.

Here's how it works: After enabling PPTP on the InstaGate and creating a user account, you're finished with the firewall configuration. On the Windows box, create a new dial-up networking connection, but use the Microsoft VPN Adapter as the device. Once you are dialed up to your ISP, you can open the VPN connection, put in your login information, and click connect. About five seconds later, you should have a VPN connection to the firewall! On my Windows box, the default route was modified to point over my VPN interface automatically, which allowed me to point my local browser at the InstaGate Web proxy. This is cool for people who want easy access to a proxy server. The end result will be an encrypted session to your office, and proxy support all in one.

I also noticed an option to create IPSec VPNs, which is primarily used to build encrypted tunnels between InstaGate firewalls at separate sites. I was unable to test this because I only had one unit.

Security and Resiliency

I performed a number of port scans against the firewall and found an extremely low number of services running on the external interface. This is exactly what you want to see. After I had enabled the mail server and the PPTP server for VPN usage, the only ports answering were 110 (POP3), 143 (IMAP), and 1723 (PPTP). I found a much larger number on the internal interface, but they all corresponded to services I had enabled, such as file sharing, printing, a Web server, and an ftp server.

I attempted to connect to a passthrough port several times, from a host not authorized to do so, and was unsuccessful each time. The attempt was also logged and displayed in the System Security report.
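The port scans above are the right check to repeat after every change to the firewall's services: the external interface should answer only on the ports you have deliberately enabled. The script below is an added example, not the review's or eSoft's code. It parses nmap grepable (-oG) output for both interfaces and compares the open ports against an expected baseline; the scan lines, the interface addresses, and the baseline are constructed for illustration, and the sample deliberately shows port 8000 (the administration GUI) answering on the outside, which the baseline does not allow, so that the check has something to report.

```python
"""Compare open ports per firewall interface against an expected baseline.

Added example, not part of the review or of eSoft's software. The nmap
-oG lines, interface addresses and baseline are constructed assumptions
chosen to mirror the review's findings (110, 143 and 1723 on the outside).
"""
import re

# Constructed nmap -oG style output for the two interfaces (not a real scan).
SAMPLE_SCAN = """\
# Nmap (constructed sample) scan of firewall interfaces
Host: 198.51.100.2 ()\tPorts: 110/open/tcp//pop3///, 143/open/tcp//imap///, 1723/open/tcp//pptp///, 8000/open/tcp//http-alt///\tIgnored State: closed (996)
Host: 192.168.1.1 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 515/open/tcp//printer///, 8000/open/tcp//http-alt///, 8080/open/tcp//http-proxy///\tIgnored State: closed (994)
"""

# Assumed baseline: what each interface is expected to answer on.
BASELINE = {
    "198.51.100.2": {("tcp", 110), ("tcp", 143), ("tcp", 1723)},
    "192.168.1.1": {("tcp", 21), ("tcp", 80), ("tcp", 139), ("tcp", 515),
                    ("tcp", 8000), ("tcp", 8080)},
}

# One -oG host line: "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>..."
HOST_RE = re.compile(r"^Host: (?P<ip>[\d.]+) \(.*?\)\tPorts: (?P<ports>.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {(proto, port), ...}} for every port reported as open."""
    open_ports = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and other record types are ignored
        found = set()
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/...
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                found.add((proto, port))
        open_ports[m.group("ip")] = found
    return open_ports


def compare_to_baseline(observed, baseline):
    """Per interface, list ports open but not allowed, and allowed but not seen."""
    report = {}
    for ip, expected in baseline.items():
        seen = observed.get(ip, set())
        report[ip] = {
            "unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen),
        }
    return report


def format_findings(report):
    """Render the comparison as short lines suitable for a change-control note."""
    lines = []
    for ip, r in report.items():
        status = "OK" if not r["unexpected"] and not r["missing"] else "CHECK"
        lines.append(f"{ip}: {status}")
        for proto, port in r["unexpected"]:
            lines.append(f"  unexpected open: {port}/{proto}")
        for proto, port in r["missing"]:
            lines.append(f"  expected but not open: {port}/{proto}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(compare_to_baseline(parse_grepable(SAMPLE_SCAN), BASELINE)))
```

Keeping the baseline in version control and running the comparison after each SoftPak install or service change turns the one-off scan in the review into a repeatable regression check; the "missing" list also catches a service that silently stopped answering.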

Performance

To test the performance of the InstaGate EX, I used two separate methods. The first method consisted of several 82-MB file downloads via ftp, and the second method was a user perception test of how quickly my SSH or telnet sessions were reacting. I conducted both of these tests on two separate machines, one behind the InstaGate EX, and one with a clear path out of the network. After comparing the results of these tests, I got a better idea of the level of latency injected into the session by the InstaGate EX.

I found that when downloading a large file offsite via ftp, the difference in download time was negligible between a host behind the firewall and one that was not. However, when the file was on a local machine, the time difference was huge: roughly 240 seconds when behind the firewall, and 10 seconds when not. I'd have to attribute this to the overhead that is added to a session when a proxy is involved. The overhead really becomes apparent as the throughput is increased, because the firewall just can't sustain those high transfer rates. Moving, or mirroring, your ftp server behind the firewall can avoid this delay.

When running the user perception test, I didn't notice a difference between SSH or telnet through the firewall versus not having a firewall. Both performed at normal levels.

Documentation

The InstaGate EX shipped with very little paper documentation, basically what I'd consider a "getting started" guide. The rest of the documentation was in PDF format on the accompanying CD, which also holds a little utility for setting up clients. Even though the need to consult the documentation is next to none, I would have liked a paper version of the PDF document. I prefer to reach for the book instead of searching for the digital formats.

Overall Likes, Dislikes, and Rating

One of the best aspects of the InstaGate EX is the ease of administration. Because it is designed for a 10- to 250-user network, it is really meant for a small to medium-size company, in which a fairly small IT support staff would appreciate a box like this. Additionally, the InstaGate EX provides a lot of functionality in one device. A medium-size company can use it for its Web server, ftp server, mail server, VPN server, and firewall. It's nice when a firewall is just a firewall, but when a smaller company is looking for an economical and secure solution, this device can fit that role.

I don't have a lot of complaints about this firewall, because it really fits the audience it was designed for. A small improvement I would like to see is a paper version of the documentation.

Conclusion

The InstaGate EX is a solid and very functional firewall. It can provide a large number of services that would otherwise require additional hardware expenditures and increase the total cost of ownership. It is extremely easy to manage, quick, and functional, and the SoftPak system will make it easy to maintain.

Pricing and Contact Information

Category                      25 users   50 users   100 users   250 users
InstaGate EX                  $795       $995       $1,495      $2,195
Enhanced Firewall Module      $500       $750       $1,195      $1,695
Premier Care Agreement 1yr    $199       $249       $399        $499
Premier Care Agreement 2yr    $299       $374       $599        $749
Add V.90 modem                $150       $150       $150        $150
Add EuroISDN                  $165       $165       $165        $165


Monthly Subscription Price    25 users   50 users   100 users   250 users
InstaGate EX                  $49        $75        $129        $209
Enhanced Firewall Module      $25        $39        $75         $110
Anti-Virus Screening          $65        $100       $150        $315
Anti-Virus Screening (1yr)    $741       $1,140     $1,710      $3,591
Site Filter                   $45        $89        $145        $200
Site Filter (1yr)             $513       $1,015     $1,653      $2,280
Reporting                     $25        $49        $89         $199
Reporting (1yr)               $285       $559       $962        $2,269
Firewall Monitoring           $85        $85        $85         $85
Firewall Monitoring (1yr)     $969       $969       $969        $969
Basic Firewall Mgmt           $120       $120       $120        $120
Basic Firewall Mgmt (1yr)     $1,368     $1,368     $1,368      $1,368
Firewall Setup (one time)     $250       $250       $250        $250

eSoft, Inc.

295 Interlocken Blvd.
Suite 500
Broomfield, CO 80021
USA
888-903-7638
303-444-1640 (fax)
[email protected]
http://www.esoft.com/


Adam Olson lives in the Bay Area, but will soon be moving to Tahoe. He has helped build a successful ISP (http://www.humboldt1.com/), designed and configured portions of the California Power Network while working at MCI WorldCom, and is currently working for a startup in Santa Clara (http://www.quaartz.com/). Adam is looking forward to moving to the mountains. He can be reached at [email protected].
