PORTUS 4.0 is a full-function application proxy firewall. PORTUS supports the following software, hardware and applications.
Operating System Support
AIX 4.x
PORTUS is supported on AIX 4.2 and AIX 4.3 (64-bit AIX).
Linux
PORTUS is supported on Red Hat Linux 6.1 (IA and SPARC) and Caldera 2.3.
Solaris
PORTUS is supported on Solaris 2.6 on SPARC and INTEL architectures. Solaris 2.6 Desktop Intel Platform Edition is required for Intel X86 compatible systems. Solaris 7 support will soon follow.
LAN Interfaces
PORTUS works with any LAN Card supported by the Operating System. This includes:
Ethernet, Fast Ethernet, Gigabit Ethernet, FDDI, Token Ring, ATM (155 Mb/s, 622 Mb/s)
VPN
PORTUS supports the IPSec standards for VPN, including the Internet Security Association and Key Management Protocol (ISAKMP). The IPSec card (see Hardware Based Encryption below) uses the Digital Signature Standard (DSS) and the Secure Hash Algorithm (SHA) together with X.509 v3 certificates to verify the identity of the sender and to provide proof of origin for the signed data.
Processor-intensive tasks such as encryption are offloaded to specialized hardware, leaving the firewall's own CPU free for proxy work.
VPN Encryption Standards
DES, DES-56, DES-128, Triple DES
Of these, only Triple DES offers a key length that is still considered adequate: single DES uses a 56-bit key and has been broken by exhaustive key search.
Hardware Based Encryption
PORTUS supports hardware based VPN using the RedCreek Communications IPSec Card. The support is currently available only on Linux.
Other Uses of Encryption
PORTUS provides secure remote administration using DES encryption along with strong user authentication.
Authentication Supported
RADIUS, SecurID, CRYPTOCard, ActivCard
Advanced Application Proxy
The advanced application proxy (aproxy) is a third-generation proxy that can support nearly all TCP/IP connection-oriented client-server applications. It also provides an Application Program Interface (API) and workload balancing.
API
Aproxy provides an Application Program Interface (API) to permit customization for any number of applications. The API provides each application with three exits:
Authentication exit: permits customized access controls per application.
Client exit: provides access to the buffer after data is received from the client.
Server exit: provides access to the buffer after data is read from the server.
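The three exits described above, shown as an added example rather than PORTUS or aproxy code: a minimal TCP relay in Python in which an authentication exit is consulted when a client connects and the client and server exits are applied to every buffer before it is forwarded. The ProxyApp class, the exit signatures and the sample exits (a LAN-only check, a NUL-byte filter, a banner scrub) are assumptions made for the illustration, not the aproxy API.

```python
"""Application-proxy exits in the style of aproxy (added example, not PORTUS code)."""
import select
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A buffer exit returns the bytes to forward, or None to tear the session down.
BufferExit = Callable[[bytes], Optional[bytes]]
# The authentication exit sees the client address and decides per connection.
AuthExit = Callable[[str, int], bool]


@dataclass
class ProxyApp:
    """One proxied application and its three exits (assumed API)."""
    name: str
    auth_exit: AuthExit       # (client_ip, client_port) -> allowed?
    client_exit: BufferExit   # buffer read from the client, bound for the server
    server_exit: BufferExit   # buffer read from the server, bound for the client


def run_exit(app: ProxyApp, direction: str, data: bytes) -> Optional[bytes]:
    """Pass one buffer through the exit for its direction ("client" or "server")."""
    exit_fn = app.client_exit if direction == "client" else app.server_exit
    return exit_fn(data)


def handle_connection(app: ProxyApp, client: socket.socket, server: socket.socket) -> None:
    """Relay in both directions until a side closes or an exit vetoes the session."""
    peers = {client: (server, "client"), server: (client, "server")}
    try:
        while True:
            readable, _, _ = select.select([client, server], [], [])
            for sock in readable:
                dest, direction = peers[sock]
                data = sock.recv(65536)
                if not data:
                    return                       # peer closed
                out = run_exit(app, direction, data)
                if out is None:
                    return                       # exit vetoed: drop both sides
                dest.sendall(out)
    finally:
        client.close()
        server.close()


def serve(app: ProxyApp, listen_port: int, server_addr: Tuple[str, int]) -> None:
    """Accept loop: authentication exit first, then connect to the real server and relay."""
    with socket.socket() as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind(("", listen_port))
        lsock.listen(16)
        while True:
            client, (ip, port) = lsock.accept()
            if not app.auth_exit(ip, port):
                client.close()                   # denied by the authentication exit
                continue
            server = socket.create_connection(server_addr)
            handle_connection(app, client, server)


# --- Constructed sample exits for a hypothetical line-oriented service -------

def lan_only(ip: str, port: int) -> bool:
    """Authentication exit: admit only clients on the 10.0.0.0/8 side (assumed inside)."""
    return ip.startswith("10.")


def drop_binary(buf: bytes) -> Optional[bytes]:
    """Client exit: a text protocol never carries NUL bytes; drop the session if one appears."""
    return None if b"\x00" in buf else buf


def scrub_banner(buf: bytes) -> Optional[bytes]:
    """Server exit: replace a version-revealing 220 greeting with a neutral one."""
    if buf.startswith(b"220 ") and b"\r\n" in buf:
        return b"220 ready\r\n" + buf.split(b"\r\n", 1)[1]
    return buf


SAMPLE_APP = ProxyApp("demo", lan_only, drop_binary, scrub_banner)
```

The exits operate on whole buffers as read from the socket, exactly as the page describes; an exit that needs message boundaries (for example, to inspect a command that was split across two reads) has to buffer the partial line itself.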
Workload Balancing
Aproxy also supports workload balancing between multiple servers on an application by application basis.
High Performance
Aproxy is a standalone proxy that does not run under inetd, which makes it simpler to configure. It also performs well because it pre-forks processes, reducing system overhead by up to 90%. The number of processes is adjusted automatically to match the workload.
Printer Support
The Ignore RST parameter has been added to the permit statement to improve printer support.
DNS lookup can be suppressed for peer hosts that do not have a DNS server.
FTP Proxy
Ftproxy can control FTP commands by user and group as well as by time of day and day of week.
All file transfers are logged by file name. Ftproxy provides transparent support for inbound anonymous FTP users.
Ftproxy blocks retrieval of files whose names begin with the pipe symbol "|": some FTP clients treat such a local file name as a command to execute, with potentially disastrous results.
FTP access controls can be used to restrict access to FTP sites and/or to require user authentication.
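The control-channel policy described in this section, as an added example that is not ftproxy's code: a Python checker applied to each FTP command line, with per-group command sets, time-of-day and day-of-week windows, the "|" file-name check and a transfer log by file name. The policy tables, the user-to-group mapping and the reply texts are constructed for the illustration.

```python
"""FTP control-channel policy in the style of ftproxy (added example, not PORTUS code)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class FtpPolicy:
    """What one group may do and when (hours are [start, end) local time, Monday = 0)."""
    commands: Set[str]
    days: Set[int] = field(default_factory=lambda: set(range(7)))
    hours: Tuple[int, int] = (0, 24)


BROWSE = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "CDUP",
          "PASV", "PORT", "LIST", "NLST", "QUIT"}

# Constructed policy tables standing in for the ftproxy configuration (assumptions).
GROUP_POLICY: Dict[str, FtpPolicy] = {
    "staff": FtpPolicy(BROWSE | {"RETR", "STOR", "DELE", "MKD"},
                       days=set(range(5)), hours=(8, 18)),   # weekdays, office hours
    "anonymous": FtpPolicy(BROWSE | {"RETR"}),               # download only, any time
}
USER_GROUP: Dict[str, str] = {"alice": "staff", "anonymous": "anonymous", "ftp": "anonymous"}
TRANSFER = {"RETR", "STOR", "APPE", "STOU"}


def parse_command(line: bytes) -> Tuple[str, str]:
    """Split one control-channel line into an upper-cased verb and its argument."""
    text = line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg.strip()


def check_command(user: str, line: bytes, now: datetime,
                  transfer_log: List[str]) -> Tuple[bool, str]:
    """Decide whether one command may be forwarded: (allowed, reply_if_denied).

    Transfers that pass are appended to transfer_log by file name, which is the
    record an investigator later needs.
    """
    verb, arg = parse_command(line)
    group = USER_GROUP.get(user)
    if group is None:
        return False, "530 user not permitted through the proxy"
    policy = GROUP_POLICY[group]
    if now.weekday() not in policy.days or not (policy.hours[0] <= now.hour < policy.hours[1]):
        return False, "530 access not permitted at this time"
    if verb not in policy.commands:
        return False, f"502 {verb} not permitted for group {group}"
    if verb in TRANSFER:
        if arg.startswith("|"):
            # Some clients treat a local name beginning with '|' as a pipe to a shell command.
            return False, "553 file names beginning with '|' are not accepted"
        transfer_log.append(f"{now:%Y-%m-%dT%H:%M} {user} {verb} {arg}")
    return True, ""
```

The time check is evaluated on every command rather than only at login, so a session that was opened inside the permitted window cannot be kept alive to carry on transferring after it closes.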
HTTP Proxy
The HTTPD proxy is a derivative of the Apache httpd server. It has been compiled with functions that limit it to acting as a proxy server only. A module has been included that permits URL content filtering. It operates in stealth mode, which means it provides transparent Web access for the protected network but cannot be seen by an external host. It fully exploits SMP systems to maximize performance.
The HTTP proxy implements the latest protocols, including HTTP/1.1 (RFC 2068), with support for persistent connections and chunked encoding.
Java, Java Script, ActiveX and Cookie Blocking
HTTPD allows selective blocking of Java applets, JavaScript, ActiveX and cookies. The HTTPD proxy supports permit and deny commands for each of these, so the administrator can, for example, allow a few trusted systems to deliver Java applets while denying them from all other systems.
SSL Tunneling
Httpd now supports SSL tunneling (the HTTP CONNECT method) to ports other than https (443) and snews (563). Because the proxy cannot inspect the contents of a tunnel, the set of permitted destination ports should be kept as small as the applications require.
Performance Features
Httpd allows specification of larger receive data buffers to improve throughput. Httpd directives can be used to increase the TCP send buffer size, which is useful on high-speed, high-latency networks such as transcontinental lines.
When presented with a load spike httpd quickly adapts by spawning children at a faster rate.
Webgate Proxy
Webgate is a high speed reverse http proxy designed to secure one or more web servers behind the firewall.
Multiple Web servers can reside behind the firewall each having its own name and IP address. Secure transmission of sensitive data is assured by the use of SSL.
The Web servers can be isolated on a network separated from the organizations secured networks, thus providing higher levels of security.
Webgate now runs as a stand-alone daemon with preallocated processes. This eliminates approximately 90% of the system overhead. Webgate automatically restarts any failed process. The number of processes can dynamically be increased without disturbing existing work.
Webgate dynamically adjusts the number of pre-forked processes depending on the current workload.
Common Log Format extensions have been added to append User-Agent and Referer data to the CLF records.
The Webgate recovery time has been reduced for hot backup situations.
Webgate can be directed to write Multi-Homed http access log format records to provide support for WebTrends when supporting multiple domains.
Workload Balancing:
Webgate can balance the workload between multiple Web servers, allowing an array of servers to appear as one. If one of the servers fails or is varied offline for maintenance, Webgate automatically skips over it until it detects its presence again.
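The workload balancing described for aproxy earlier and for Webgate here, as one added example that is not PORTUS code: a per-application round-robin pool that takes a failed server out of rotation and puts it back once a health probe reaches it again. The backend addresses, the class names and the probe interface are assumptions; tcp_probe is a real TCP-connect check, while the usage below injects a fake probe so the logic can be exercised offline.

```python
"""Round-robin pool with failure skipping and recovery (added example, not PORTUS code)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Backend:
    host: str
    port: int
    online: bool = True
    failures: int = 0


class Balancer:
    """Round-robin over one application's server pool.

    A backend leaves the rotation after max_failures consecutive errors and is
    returned by recheck() once the probe reaches it again. The probe is a
    parameter so the policy can be tested without a network.
    """

    def __init__(self, backends: List[Backend], probe: Callable[[Backend], bool],
                 max_failures: int = 1):
        self.backends = backends
        self.probe = probe
        self.max_failures = max_failures
        self._next = 0

    def pick(self) -> Optional[Backend]:
        """Next online backend in rotation, or None when the whole pool is down."""
        n = len(self.backends)
        for _ in range(n):
            candidate = self.backends[self._next % n]
            self._next += 1
            if candidate.online:
                return candidate
        return None

    def report_failure(self, backend: Backend) -> None:
        backend.failures += 1
        if backend.failures >= self.max_failures:
            backend.online = False            # skipped by pick() from now on

    def report_success(self, backend: Backend) -> None:
        backend.failures = 0

    def recheck(self) -> List[Backend]:
        """Health sweep: restore every offline backend the probe can reach."""
        recovered = []
        for backend in self.backends:
            if not backend.online and self.probe(backend):
                backend.online, backend.failures = True, 0
                recovered.append(backend)
        return recovered


def tcp_probe(backend: Backend, timeout: float = 1.0) -> bool:
    """Real probe: can a TCP handshake with the server be completed?"""
    try:
        with socket.create_connection((backend.host, backend.port), timeout=timeout):
            return True
    except OSError:
        return False


def make_pools(probe: Callable[[Backend], bool]) -> Dict[str, Balancer]:
    """One pool per proxied application, as the page describes (constructed addresses)."""
    return {
        "www": Balancer([Backend("10.0.1.1", 80), Backend("10.0.1.2", 80),
                         Backend("10.0.1.3", 80)], probe),
        "imap": Balancer([Backend("10.0.2.1", 143), Backend("10.0.2.2", 143)], probe),
    }
```

A connect-level probe only proves the port answers; for a Web server pool, a probe that fetches a known URL and checks the status code catches the more common failure of a daemon that accepts connections but serves errors.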
SMTP
PORTUS supplies a Secure Mail Wrapper program (smwrap) to receive mail from remote hosts. It is designed to reduce exposure to SMTP-based attacks and to scrub internal network information from outbound mail.
Block SMTP based Attacks
Smwrap protects against multiple attacks directed at mail servers, and mail clients. This includes checks for unauthorized use, requests to obtain access to private information, and multiple Denial of Service (DoS) attacks.
Smwrap guards against: unauthorized sender/receiver, bogus HELO command, use of the VRFY and EXPN commands, anonymous mail relaying, commands embedded in header fields, password file access, root user access, sendmail debug exploits, and address spoofing.
DoS Attacks blocked:
Helo buffer overflow, SMTP command buffer overflow, SMTP header overflow, SMTP Header Parsing Attack, Maximum number of recipients exceeded, Maximum message size exceeded, harmful header address characters, MIME header buffer overflow, MIME field overflow, and more.
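The command-stream checks listed in this section, together with the sender block lists and the alias-database rule of the Mail Blocking section that follows, as an added example that is not smwrap's code: a Python vetting step applied to each SMTP command line before it reaches the real mail server. It enforces a line-length limit, a HELO argument limit and syntax check, refuses VRFY and EXPN, rejects shell metacharacters in addresses, blocks relaying from outside, applies sender block lists, requires internal senders to be registered, and caps recipients. The policy tables, reply texts and alert strings are assumptions.

```python
"""SMTP wrapper checks in the style of smwrap (added example, not PORTUS code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy data standing in for the smwrap configuration (assumptions).
LOCAL_DOMAINS = {"example.com"}                # domains the firewall accepts mail for
INTERNAL_NETS = ("10.",)                       # clients here are inside and may send outbound
REGISTERED_SENDERS = {"carol@example.com"}     # stands in for the aliasreq database
BLOCKED_SENDERS = {"spammer@example.net"}      # "call blocking" lists
BLOCKED_DOMAINS = {"spam.example"}

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
PATH_RE = re.compile(r"^<?([^<>\s@]+)@([A-Za-z0-9.-]+)>?$")
SHELL_META = set("|;`$!\\\"'()")              # no place in an address; classic sendmail abuse


@dataclass
class SmtpLimits:
    max_line: int = 512        # RFC 821 command-line maximum including CRLF
    max_helo: int = 64
    max_rcpts: int = 100


@dataclass
class SmtpSession:
    client_ip: str
    limits: SmtpLimits = field(default_factory=SmtpLimits)
    sender: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)   # what would become Security Alerts

    def _internal(self) -> bool:
        return self.client_ip.startswith(INTERNAL_NETS)

    def _deny(self, reason: str, reply: str, keep: bool) -> Tuple[Optional[str], bool]:
        self.alerts.append(f"{self.client_ip}: {reason}")
        return reply, keep

    @staticmethod
    def _parse_path(arg: str, keyword: str) -> Optional[Tuple[str, str]]:
        """'FROM:<a@b> ...' -> ('a', 'b'); ('', '') for the null path; None if bad or hostile."""
        m = re.match(rf"^{keyword}:\s*(\S*)", arg.strip(), re.I)
        if not m:
            return None
        path = m.group(1)
        if path == "<>":
            return "", ""
        if any(c in SHELL_META for c in path):
            return None
        pm = PATH_RE.match(path)
        return (pm.group(1), pm.group(2).lower()) if pm else None

    def check(self, raw: bytes) -> Tuple[Optional[str], bool]:
        """Vet one command line before it reaches the real MTA: (reply, keep_connection).

        reply is None when the line passed and should be forwarded; otherwise it
        is the response the wrapper sends to the client itself.
        """
        if len(raw) > self.limits.max_line:
            return self._deny("SMTP command buffer overflow attempt", "500 line too long", False)
        verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
        verb = verb.upper()

        if verb in ("HELO", "EHLO"):
            if not arg or len(arg) > self.limits.max_helo or not HOSTNAME_RE.match(arg):
                return self._deny(f"bogus {verb} argument", "501 invalid HELO argument", False)
        elif verb in ("VRFY", "EXPN"):            # address harvesting: never forwarded
            return self._deny(f"{verb} attempted", "502 command not implemented", True)
        elif verb == "MAIL":
            parsed = self._parse_path(arg, "FROM")
            if parsed is None:
                return self._deny("malformed or hostile sender address", "501 bad sender address", False)
            sender = "@".join(parsed) if parsed[1] else ""     # "" is the null return path
            if sender in BLOCKED_SENDERS or parsed[1] in BLOCKED_DOMAINS:
                return "550 sender blocked by policy", True
            if self._internal() and sender and sender not in REGISTERED_SENDERS:
                return self._deny("unregistered internal sender", "550 sender not registered", True)
            self.sender, self.rcpts = sender, []
        elif verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL first", True
            parsed = self._parse_path(arg, "TO")
            if parsed is None or not parsed[1]:
                return self._deny("malformed or hostile recipient address", "501 bad recipient address", False)
            if not self._internal() and parsed[1] not in LOCAL_DOMAINS:
                return self._deny("relay attempt", "550 relaying denied", True)
            if len(self.rcpts) >= self.limits.max_rcpts:
                return self._deny("recipient limit exceeded", "452 too many recipients", False)
            self.rcpts.append("@".join(parsed))
        elif verb == "RSET":
            self.sender, self.rcpts = None, []
        return None, True                          # passed: forward to the real server
```

Lines that pass are forwarded unchanged; the wrapper never has to understand every command, only to refuse the ones it is there to stop. A length check before any parsing is what protects the wrapper itself from the overflow classes listed above.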
Mail Blocking
Smwrap prevents unsolicited e-mail, commonly called "spam", from entering protected networks. The feature also blocks harassing messages, making cyber-stalking more difficult. Administrators enter a list of senders, addresses, sites or domains to block. Like call blocking on a telephone, PORTUS lets you choose whom you accept e-mail from. Blocked e-mail can be deleted, sequestered or redirected to a specified recipient; sequestered or redirected mail can be kept as evidence along with the log information.
The aliasreq command controls who is allowed to send mail outbound through the firewall. If a user is not registered in the alias database, any attempt to send mail through the firewall is rejected and a Security Alert is issued.
The Secure Mail Wrapper translates internal e-mail addresses to external e-mail addresses. This translation includes all internal addresses that are part of a Carbon Copy (Cc:) or To: addresses. Translation support for addresses generated by Novell's GroupWise and MS Mail Exchanger is also provided.
Smwrap supports translation of outbound headers generated by Microsoft Outlook. Smwrap does not translate e-mail addresses that Outlook encloses within double quotes on outbound mail, so such addresses leave the firewall untranslated.
The MS Internet Mail Exchange program can be configured to produce non-standard e-mail addresses in To: and Cc: fields. Smwrap accommodates translation of several of these forms of To: and Cc: addresses on outbound e-mail.
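The address translation described above, as an added example rather than smwrap's code: rewriting the addresses in From:, To:, Cc: and related headers from internal to published external form, dropping Received: trace lines that name internal hosts, and reporting any internal address that has no mapping so that nothing leaves untranslated. Unlike the Outlook limitation noted above, the standard-library address parser used here also handles quoted display names. The alias table, internal domain suffix and sample message are constructed; CRLF line endings are assumed.

```python
"""Outbound header address translation (added example, not PORTUS code)."""
from email.utils import formataddr, getaddresses
from typing import List, Tuple

# Constructed alias table: internal mailbox -> published external address (assumption).
INTERNAL_TO_EXTERNAL = {
    "jsmith@mail1.corp.example.com": "john.smith@example.com",
    "jdoe@mail1.corp.example.com": "jane.doe@example.com",
}
INTERNAL_SUFFIX = ".corp.example.com"      # nothing here may leave untranslated
ADDRESS_HEADERS = {"from", "to", "cc", "reply-to", "sender"}
DROP_HEADERS = {"received"}                # trace lines reveal internal host names


def translate_addresses(value: str) -> Tuple[str, List[str]]:
    """Rewrite every address in one header value.

    Returns (new_value, leaked); leaked lists internal addresses that had no
    external mapping and therefore still name an internal host.
    """
    rendered, leaked = [], []
    for name, addr in getaddresses([value]):
        key = addr.lower()
        ext = INTERNAL_TO_EXTERNAL.get(key)
        if ext is None and key.endswith(INTERNAL_SUFFIX):
            leaked.append(addr)
        rendered.append(formataddr((name, ext or addr)))
    return ", ".join(rendered), leaked


def scrub_message(raw: bytes) -> Tuple[bytes, List[str]]:
    """Translate address headers and drop trace headers of a CRLF-terminated message.

    Folded header lines are unfolded first so a multi-line To: is handled whole.
    The body is passed through untouched.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded: List[str] = []
    for line in head.decode("latin-1").split("\r\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    out, leaked = [], []
    for line in unfolded:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if key in DROP_HEADERS:
            continue
        if sep and key in ADDRESS_HEADERS:
            value, bad = translate_addresses(value.strip())
            leaked.extend(bad)
            line = f"{name}: {value}"
        out.append(line)
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body, leaked


# Constructed sample message for the illustration.
SAMPLE = (b"Received: from pc12.corp.example.com by mail1.corp.example.com\r\n"
          b"From: \"John Smith\" <jsmith@mail1.corp.example.com>\r\n"
          b"To: bob@example.net,\r\n Jane <JDoe@mail1.corp.example.com>\r\n"
          b"Cc: <unknown@mail2.corp.example.com>\r\n"
          b"Subject: hi\r\n\r\nbody\r\n")
```

The leaked list is the practitioner's check: a wrapper that silently forwards an unmapped internal address defeats the purpose of translation, so a non-empty list should hold the message or raise an alert rather than let it out.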
Smwrap deletes partially completed store-and-forward files from the hermes directory when there is an unexpected EOF from the remote client or an I/O error.
RealAudio Proxy
The RealAudio Proxy (raproxy) allows users behind the firewall to access RealAudio servers safely through the PORTUS firewall. Raproxy lets the systems administrator control RealAudio access through permit and deny commands in a manner consistent with the other proxies. Raproxy supports RealAudio Version 3.0 for servers that are not HTTP based, including G2-level multimedia. The HTTP proxy supports RealAudio V3.0 for Web browsers.
RPC and UDP Proxy
The RPC-UDP Proxy (rpcproxy) provides controlled access for client server applications that use RPC, TCP and UDP protocols. The RPC proxy supports applications such as NFS, and tftp.
Telnet Proxy
The telnet proxy provides extensive controls over use of the telnet protocol. It also has an interface that allows X Window applications to be used through the firewall. TN3270 is supported.
X11 support
The xforward proxy has been tuned to minimize the CPU time required to support X Window applications.
To allow automated telnet scripts that use X forwarding, a port argument can be added to the xforward command:
xforward -port nn
where nn is an integer from 10 to 99.
SOCKS
PORTUS provides a socks daemon that supports the SOCKS Version 4 and Version 5 protocols. The socks V5 protocol supports both TCP/IP and UDP.
Workload Balancing
PORTUS supports workload balancing for HTTP and most TCP/IP client server applications.
NAT
Because PORTUS is an application proxy, every connection is terminated at the firewall and re-originated from it, so only the firewall's own addresses are visible outside; NAT is therefore inherent.
URL Content Filtering
The HTTPD proxy has built-in URL content filtering. LSLI sells an annual subscription service that automatically updates the blocking lists used by the content filter. The set of categories is open-ended, and the list format is documented so that any administrator can add, delete or modify list contents.
Blocking of ActiveX, cookies
This is integrated into the HTTP proxy server.
Automated installation process
The installation process has been automated to reduce the time and effort required to install and configure the PORTUS firewall. New users simply run the install_PORTUS command, updates can be applied with the update_PORTUS command.
Online Documentation
The Installation and Administration Guide is available as a PDF document that can be browsed and searched using the Adobe Acrobat reader.
Report programs
Report programs are included that can produce 52 reports which summarize activity by application.
Aproxy 5 reports: summary, top host by: bytes sent, bytes received, connection requests, received connections
FTP 5 reports: summary, top user by: bytes sent, bytes received, connection time, cpu time.
HTTP 27 reports:
Mail 7 reports: summary, top user by: messages received, messages sent, bytes received, bytes sent, exception reports.
Socks 3 reports: top host by bytes sent, bytes received, received connects.
Telnet 5 reports: summary, top user by: bytes sent, bytes received, connection time, cpu time.
Real Time monitoring
Real time displays of the syslog, Security Alerts and HTTP activity can be displayed on the firewall console or on a remote host.
Systems monitoring
The portusmonitor manages the specialized daemons that monitor firewall activity.
IP Spoofing
The automated IP Spoofing Monitor (spoofmon) alerts the system and systems administrators to attempted IP spoofing attacks. The IP spoof monitor can support up to 100 alias IP addresses on AIX 4.2+.
SYN Flood
The SYN flood monitor checks for SYN flood attacks. A kernel extension is available for AIX 4.2 that improves resistance to SYN Flood denial of service attacks.
Process
The process monitor (procmon) scans the process table for the process names specified in the portusmon.conf file, counts the instances of each, and issues a Security Alert if a count falls outside the specified range.
Disk Space Monitor
The diskmon procedure monitors disk utilization for specified file systems. When a file system's utilization crosses a user-defined threshold, an appropriate message is delivered to a list of recipients. Four utilization thresholds map to the message levels Notice, Warn, Crit and Alert; as severity increases, the message router sends the message to additional recipients.
Diskmon notifies the systems administrators of pending disk shortages in time for them to implement preventative measures.
Performance Monitor
AIX
The PORTUS firewall ships with a real-time performance monitor for AIX 4. The AIX performance monitor provides a real-time display of CPU utilization, memory usage, LAN activity by interface, disk activity and other information. The monitor can display top processes sorted by CPU or memory usage. SMP support is included. The monitor can also archive resource utilization to disk using weighted averages over a specified period of time. The real-time displays can be customized with different color schemes.
Solaris
A comprehensive performance monitor is also available for Solaris.
Linux
Under investigation.
DEFENDER Security Server
PORTUS can be configured to act as an agent for the DEFENDER Security Server (DSS). Configuring PORTUS as a DSS agent bypasses the built-in security server of PORTUS and makes use of a similar challenge response system provided on the DSS.
Enhanced User and Group Administration
PORTUS simplifies user administration by assigning a user to a predefined group from which the user will inherit its permissions.
Year 2000 Compliant
PORTUS version 4.0 is year 2000 compliant.
GUI Administration tool
Admin. Client
Hoplite provides the graphical user interface for remote firewall administration. Hoplite allows the systems administrator to manage one or more firewalls from a single location. Hoplite also includes a backup and recovery function for PORTUS configuration data. Hoplite provides strong user authentication and encrypted communications to ensure the security and integrity of the firewall. The Hoplite client runs on MS Windows 95, MS Windows NT 4.0, AIX 4.1.4+, and Solaris 2.5.1+ (SPARC and Intel).
Admin. Server
PORTUS 4.0 introduces the PORTUS Administrative Server (tadminsvr) to support GUI based remote administration using the Hoplite client.
Encrypted Telnet
The ptelnet client provides encrypted telnet sessions. It also provides a secure command line interface for performing remote administration. The ptelnet client runs on AIX, HP-UX, Linux, MS Windows, MS NT, and Solaris (SPARC and Intel).
Error Messages
There are more than 300 unique error messages to assist with problem determination.
Automatic Activation of Secure Computing Base
The automated installation process activates the secure computing base. On HP-UX systems the Trusted Systems / Secure Password Facility is activated.
High Availability Option
New configuration commands allow improved automated recovery when fwpulse detects that its partner system has failed. Auto recovery has been added to simplify the process when the failed system comes back online. The takeover and recovery processes can be customized to the local environment through pre- and post-takeover scripts.
The maximum number of network addresses supported by fwpulse for the takeover process has been increased from 16 to the maximum number of IP addresses supported by the OS (a very large number).
64-bit accounting routines
The proxies and their associated reporting programs use 64-bit arithmetic, allowing counters as large as 128 terabytes. This permits transfer of multiple large files (> 2 GB, the point at which a signed 32-bit counter overflows) in a single session with accurate accounting.
Persistent Out-of-Band Authentication (OOBA)
Non-disruptive procedures to refresh HTTP proxies and syslog daemon
Non-disruptive procedures to refresh the httpd and webgate proxies and the syslog daemon are provided. This allows configuration changes to be made to these proxies and daemon without disrupting operations.
Remote Logging Facility
The plog daemon supports remote logging. This allows HTTP access logs to be sent to another machine for log analysis by a third-party tool.
Also provided is a plogd program that receives the logs from PORTUS. This program also rotates logs automatically and is supported on NT.
Third Party Applications Supported
This is a partial list of applications which work with PORTUS.
Apache, Chameleon, gopher, Hummingbird Exceed, Informix, LDAP, Lotus Notes, Oracle, POP3, Microsoft IE, Microsoft Proxy Server, Microsoft Mail Exchange, Microsoft Outlook, Netmanage, Netscape Communicator, Netscape Secure Commerce Server, NNTP, NTP, OASIS, Pcanywhere, RealAudio, RPCs, Assurenet/Digital Pathways DSS Server, SNMP, Sybase, SOCKS clients, tftp, UDP, WAIS, ...