Drawbridge v2.0 is a freeware bridging IP filter software package. It is composed of three parts. The first and most important part is the Filter program, which actually does the IP packet filtering, and runs on a PC with MS-DOS v5.0 and NDIS v2.1 API. The second is the Filter Manager, which manages the operation of the Filter program and comes as source code to be compiled on any 32-bit UNIX system. The last is the Filter Compiler, which creates the filter tables that run the Filter machine.
Packet filtering is the process of forwarding or discarding packets travelling from one network to another based on the source or destination IP address. The most common use of this system is to protect a company or a campus from the Internet. The machine that runs the packet filtering software sits between the Internet and the internal network. Any packets coming from the Internet and destined for the internal net are scanned for a source IP address that has been given permission to pass through; any packets that do not have permission are discarded. This feature allows a system administrator to prevent specified IP networks from accessing the administrator's internal network. In some systems, this scenario can be turned around by preventing internal hosts from accessing specific outside IP networks.
FILTER
The Filter program that comes with Drawbridge is the program that actually performs the packet filtering based on a loadable filter table. Filter runs on a PC with a minimum configuration of a 386 and 2 megabytes of RAM. The PC requires two Ethernet or FDDI network cards with NDIS (Network Device Interface Specification) v2.1 compliant drivers. The NDIS Protocol Manager is freeware copyrighted by Microsoft and included with the tar file. One of the network cards is connected to the 'outside' network and the other is connected to the 'inside' network. This lets the Filter machine discriminate between the Internet and the corporate network to allow directional filtering. The configuration of the Filter machine is done with two files. The first, PROTOCOL.INI, configures the machine with the network information, such as the IP addresses of the two network cards. The second is the filter table, which is loaded into the Filter machine's memory by the Filter Manager. This makes the Filter machine very quick to get up and running. Filter has a good packet filtering throughput of 5.5 Mbps on Ethernet and 18 Mbps on FDDI. Filter can also be configured with a single designated IP address from which it will accept requests from the Filter Manager.
FILTER MANAGER
Filter Manager controls the operation of the Filter program using DES encrypted sessions. FM is an interactive program modeled after lpc. It allows the system administrator to remotely administer the Filter machine from any machine on the 'inside' network. The admin can load new filter tables, temporarily bypass or disable the filters, and reboot the Filter machine. The admin can also change the administration password of the Filter machine through an encrypted session. FM is provided precompiled for Solaris 2.x and includes source code and a makefile for other platforms, except 64-bit architectures, specifically the DEC Alpha chip.
FILTER COMPILER
The Filter Compiler lets the user customize a filter table on a machine other than the machine that runs Filter. The filter tables contain the information that instructs the Filter machine as to which packets to forward and which to discard. The forwarding can be based on TCP/IP port numbers, service names, IP network IDs and other IP protocols. The filtering can also be directional, allowing a specific connection in one direction but not in the other. FC also lets you create group definitions of multiple service and/or port configurations. This greatly simplifies configuration, since the same data need not be entered repeatedly. FC uses a simple but powerful command syntax, which gives it the flexibility to implement large-scale filtering applications.
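As an added illustration, not code from the Drawbridge package (whose filter-table syntax is not reproduced here), the following Python models the directional, default-deny bridging filter the three sections above describe: each packet is classified by the NIC it arrived on, matched against a table of rules, and service groups expand into several rules the way FC's group definitions do. The networks, group names and rule fields are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Direction relative to the bridge: a packet arriving on the 'outside' NIC is
# heading IN toward the protected network; one from the 'inside' NIC heads OUT.
IN, OUT = "in", "out"
ANY = ip_network("0.0.0.0/0")

# A rule matches a direction, a source and destination network, and optionally
# a protocol and destination port (None = any). A packet records its arrival NIC.
Rule = namedtuple("Rule", "direction src dst proto dport", defaults=(None, None))
Packet = namedtuple("Packet", "iface src dst proto dport", defaults=(None,))

# Service groups in the spirit of FC group definitions: one name expands to
# several (proto, port) pairs so the same services need not be re-entered.
GROUPS = {"web": [("tcp", 80), ("tcp", 443)], "mail": [("tcp", 25)]}

def expand(direction, src, dst, group):
    """Build one Rule per (proto, port) pair in a named service group."""
    return [Rule(direction, src, dst, p, port) for p, port in GROUPS[group]]

def allowed(table, pkt):
    """Default-deny: forward the packet only if some rule in the table matches."""
    d = IN if pkt.iface == "outside" else OUT
    s, t = ip_address(pkt.src), ip_address(pkt.dst)
    for r in table:
        if r.direction != d or s not in r.src or t not in r.dst:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return True
    return False

# Constructed sample table; addresses are RFC 5737 documentation ranges.
INSIDE = ip_network("198.51.100.0/24")   # the protected 'inside' network
PARTNER = ip_network("192.0.2.0/24")     # a trusted outside network
TABLE = (
    [Rule(OUT, INSIDE, ANY)]                                   # inside hosts may go anywhere
    + expand(IN, ANY, ip_network("198.51.100.10/32"), "mail")  # anyone may reach the mail host
    + expand(IN, PARTNER, INSIDE, "web")                       # partner may use internal web
)

if __name__ == "__main__":
    for pkt in [Packet("outside", "203.0.113.5", "198.51.100.10", "tcp", 25),
                Packet("outside", "203.0.113.5", "198.51.100.20", "tcp", 80),
                Packet("inside", "198.51.100.20", "203.0.113.5", "udp", 53)]:
        print(pkt.iface, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport,
              "FORWARD" if allowed(TABLE, pkt) else "DROP")
```

Note that an outbound rule keyed on the inside source network also drops packets arriving on the inside NIC with a foreign source address, which is how such a bridge catches spoofed traffic from the protected side.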
Drawbridge appears to be a superior product if you are working on a budget and you want a reasonable level of security for your internal network. The use of a PC as the Filter machine is a good way to keep costs down rather than using a dedicated UNIX machine running the Firewall Toolkit. The design of the software shows that secure communication between Filter Manager and the Filter machine was a top priority. However, most corporations would opt for the Firewall Toolkit due to its industry-wide acceptance.