                             Drawbridge 2.0 Beta

INTRODUCTION:

Drawbridge is a copyrighted but freely distributable bridging IP filter
with a powerful syntax and good performance.  It uses a PC with either
two Ethernet cards or two FDDI cards to perform the filtering. It is
composed of three different tools:  Filter, Filter Compiler and Filter
Manager. This distribution is version 2.0 which is a major overhaul of
Filter.
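To make the "bridging IP filter" idea concrete before the details below, here is an added example (not Drawbridge's code, and not its table syntax) of the per-frame decision such a filter makes between its two cards: ARP/RARP is always bridged, IP is checked against an allow table of networks and services, and everything else is bridged or dropped according to a switch. The allow-table layout, the ethertype constants, and the sample frames are assumptions constructed for this illustration.

```python
# Added illustration of a bridging IP filter's forwarding decision.  This is
# not Drawbridge's code and does not reproduce its table format or syntax;
# the allow table, the ethertype constants and the constructed sample frames
# are assumptions made for this example only.
import ipaddress
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_RARP = 0x8035


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def parse_ipv4(payload: bytes):
    """Return (src_ip, dst_ip, protocol, src_port, dst_port) for an IPv4
    packet.  Ports are None for anything other than TCP (6) or UDP (17)."""
    if len(payload) < 20:
        raise ValueError("short IPv4 header")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    src = ipaddress.IPv4Address(payload[12:16])
    dst = ipaddress.IPv4Address(payload[16:20])
    sport = dport = None
    if proto in (6, 17) and len(payload) >= ihl + 4:
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return src, dst, proto, sport, dport


class BridgeFilter:
    """Decide, per frame arriving on the outside card, whether it is
    forwarded to the inside card.  `allow` is a list of
    (network, ip_protocol, dst_port_or_None) entries; the default is drop."""

    def __init__(self, allow, bridge_non_ip=False):
        self.allow = [(ipaddress.ip_network(n), proto, port) for n, proto, port in allow]
        self.bridge_non_ip = bridge_non_ip   # the "bridge other protocols" switch

    def decide(self, frame: bytes) -> str:
        try:
            _, _, ethertype, payload = parse_frame(frame)
        except ValueError:
            return "drop"                     # runt frames are never forwarded
        if ethertype in (ETH_P_ARP, ETH_P_RARP):
            return "forward"                  # address resolution is always bridged
        if ethertype != ETH_P_IP:
            return "forward" if self.bridge_non_ip else "drop"
        try:
            _, dst, proto, _, dport = parse_ipv4(payload)
        except ValueError:
            return "drop"                     # malformed IP is never forwarded
        for net, aproto, aport in self.allow:
            if dst in net and proto == aproto and (aport is None or dport == aport):
                return "forward"
        return "drop"


def build_ipv4_frame(src_ip, dst_ip, proto, sport=None, dport=None) -> bytes:
    """Constructed sample frame (minimal IPv4 header, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + (8 if sport is not None else 0),
                      0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if sport is not None else b""
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_IP) + hdr + l4
```

The point of the `bridge_non_ip` switch is visible in `decide`: with it off, a frame the filter cannot inspect (IPX, AppleTalk, anything that is not IP/ARP/RARP) is dropped rather than silently bridged around the IP policy.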

To get a better idea of how Drawbridge works and how it is used, begin
with the OVERVIEW paper in the doc directory. The paper tamu.ps
describes the entire suite of TAMU security tools. (Note that this
paper is in the process of being updated. The portions concerning
Drawbridge are up to date, however.)

CHANGES:

	o Filter now supports FDDI to FDDI filtering. Note however that
		due to the inherent limitations with bridging on FDDI,
		Filter will only work under a very specific and limited
		configuration. Please send email to
		drawbridge@net.tamu.edu if you are interested in
		attempting this.

	o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet
		cards or FDDI cards with adequate NDIS drivers can be
		used with Drawbridge 2.0.

	o Filter now has an IP protocol stack, and management occurs
		via UDP. This allows the Filter Manager to run on just
		about any Unix platform that has BSD sockets. (Note
		that currently I haven't ported it to platforms other
		than Solaris 2.3.)

	o Filter now uses an (as far as we know) exportable Pseudo One
		Time Pad cryptographic scheme for authentication and
		privacy over the management channel. (A pseudo one time
		pad is a keystream derived from a shared secret rather
		than a true one time pad, so its strength rests on that
		secret staying secret and on never reusing keystream.)

	o Filter now provides statistics from both the console and
		Filter Manager. Both Filter specific and NDIS
		statistics are reported.

	o Filter is now interrupt driven rather than polling (forced
		because of NDIS) and performance is better.  With the
		previously recommended setup Filter now produces peak
		transfer rates of approximately 5.5 Mb/sec versus the
		previously measured peak of 3.5 Mb/sec. 10 Mb/sec on
		Ethernet should be easily achieved with faster cards,
		buses and CPUs.

		Under FDDI with a 60MHz Pentium and two EISA Network
		Peripherals FDDI cards, data rates up to 18Mb/sec have
		been measured. The actual limit is higher but we do
		not have a reliable testbed capable of generating and
		measuring higher data rates at this time.

	o Filter now uses XMS to store the network tables in extended memory.
		A cache is kept in low memory.

	o Filter has a new switch which controls whether or not packets
		other than IP/ARP/RARP are transparently bridged.

	o The Filter Compiler (and Filter) remain backward compatible at
		both the source and binary level. Other than bug fixes, no
		changes have been made to the Filter Compiler.

		For Filter, the DES key file is no longer used and
		a new file PASSWORD is maintained.  Also Filter Manager
		no longer uses .fmkey.* files.

	o The GNU Copyleft has been removed. This material is now covered
		under a Berkeley/MIT style copyright, i.e., you can do anything
		you want with the code but must credit us. See the file
		COPYING.

	o A few commands have been added/changed in the Filter Manager. The
		changes are documented under the help system.

	o Bug fixes since the Alpha release

		Filter was binding to the cards in the opposite order from
		that specified in the protocol.ini file (oops!).

		Filter Manager was core dumping when querying the reject
		or allow tables.

		A bug with subnets in the allow table has been fixed.

		Fixed a race condition in the event management which could 
		allow events to be lost.

		Fixed a serious (but not fatal) bug in the event
		management that would cause events not to fire after
		the first time midnight went by. The symptom was
		Drawbridge would no longer respond to keystrokes.

		Fixed and cleaned up all of the NDIS error messages.

	o Changes since the Alpha release

		NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com
		is now included. Thanks go to Alex Li for giving me the
		pointer to the newer version.

		Patches have been made so that fc and fm will now run
		on little endian machines. If you can get fc and fm to
		compile, endianness should not be a problem. Thanks
		go to Danny Thomas for generating the fixes for fc.
		(Note that due to the extensive amount of changes
		required, fc and fm do not and will not any time soon
		run on 64 bit architectures (e.g. Alpha).)

		An uptime statistic has been added to the statistics 
		reporting.

		The original paper covering the entire TAMU security
		package has been updated to cover Drawbridge 2.0. It
		is still not up to date on Tiger and Netlog but will
		be soon.
		
		Added "retries" and "timeout" variables to the fm user
		interface. When managing a Drawbridge installation that
		uses floppy disk for the storage of the tables, a write
		can easily timeout. The default values are 3 retries
		and 3 seconds.
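The management channel described above (UDP transport, a pseudo one time pad for privacy and authentication, and the fm "retries" and "timeout" variables for a Filter that is busy writing its tables to disk) can be sketched in a few dozen lines. The following is an added example and is not Drawbridge's code or wire format: the keystream derivation (HMAC-SHA256 in counter mode), the nonce-ciphertext-tag layout, the `FlakyFilter` stand-in that times out while "writing", and the reading of "retries" as the number of attempts are all assumptions made for this illustration. It also shows the standard failure mode of any keystream cipher: two messages sealed under the same secret and nonce leak the XOR of their plaintexts.

```python
# Added illustration of a "pseudo one time pad" management channel with
# retries and a timeout.  It is not Drawbridge's code or wire format: the
# keystream derivation, the message layout, the tag and the fake transport
# are stand-ins chosen for this example.
import hashlib
import hmac
import os
import struct


def keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Expand a shared secret and a per-message nonce into `length` bytes
    (HMAC-SHA256 counter mode, an assumption standing in for the real pad).
    The bytes are pseudorandom, not random; (secret, nonce) must never repeat."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, nonce: bytes, message: bytes) -> bytes:
    """nonce || ciphertext || tag.  XOR with the keystream gives privacy; the
    tag (HMAC over nonce||ciphertext, truncated to 16 bytes) gives authentication."""
    ct = bytes(m ^ k for m, k in zip(message, keystream(secret, nonce, len(message))))
    tag = hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_sealed(secret: bytes, blob: bytes, nonce_len: int = 8) -> bytes:
    """Verify the tag before decrypting; anything tampered is rejected."""
    if len(blob) < nonce_len + 16:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:nonce_len], blob[nonce_len:-16], blob[-16:]
    expected = hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, keystream(secret, nonce, len(ct))))


def rejected(secret: bytes, blob: bytes) -> bool:
    """True when open_sealed refuses the blob (tamper detection check)."""
    try:
        open_sealed(secret, blob)
        return False
    except ValueError:
        return True


def two_time_pad_leak(blob1: bytes, blob2: bytes, nonce_len: int = 8) -> bytes:
    """What an eavesdropper gets when two messages share a keystream: the XOR
    of the two plaintexts, with no knowledge of the secret at all."""
    ct1, ct2 = blob1[nonce_len:-16], blob2[nonce_len:-16]
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def send_with_retries(transport, request: bytes, retries: int = 3, timeout: float = 3.0) -> bytes:
    """Try up to `retries` times, each bounded by `timeout`.  `transport` is a
    callable(request, timeout) returning the reply or raising TimeoutError.
    (Assumption: 'retries' counts attempts; the README does not define it.)"""
    last = None
    for _ in range(retries):
        try:
            return transport(request, timeout)
        except TimeoutError as e:
            last = e
    raise TimeoutError(f"no reply after {retries} attempts") from last


class FlakyFilter:
    """Constructed stand-in for a Filter busy writing its tables to floppy:
    the first `stalls` requests time out, later ones are answered."""

    def __init__(self, secret: bytes, stalls: int):
        self.secret, self.stalls, self.calls = secret, stalls, 0

    def __call__(self, request: bytes, timeout: float) -> bytes:
        self.calls += 1
        if self.calls <= self.stalls:
            raise TimeoutError("filter busy")
        cmd = open_sealed(self.secret, request)           # authenticate the command
        return seal(self.secret, os.urandom(8), b"OK " + cmd)


def manage(secret: bytes, command: bytes, transport, retries: int = 3, timeout: float = 3.0) -> bytes:
    """Seal a command under a fresh nonce, send it with retries, open the reply."""
    reply = send_with_retries(transport, seal(secret, os.urandom(8), command), retries, timeout)
    return open_sealed(secret, reply)
```

Note that retrying resends the same sealed request, which is harmless (same nonce, same plaintext); what `two_time_pad_leak` warns against is sealing two different messages under one nonce.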

AVAILABILITY:

Drawbridge is available via anonymous ftp from net.tamu.edu (128.194.177.1)
in pub/security/drawbridge as:

drawbridge-2.0b.tar.gz

The package should untar into 4 directories:

	doc    - directory with documentation about Drawbridge
		 (including three papers referenced in the documentation)
	fm     - directory with source code for the Filter Manager plus
		 a binary for Solaris 2.3 on Sparc.
	fc     - directory with source code for the Filter Compiler plus
		 a binary for Solaris 2.3 on Sparc.
	filter - directory with three PKZIP archives and PKUNZIP.EXE
		ndis.zip   - PKZIP archive containing version 2.1 of the 
			     NDIS 2.01 utilities.
		filter.zip - PKZIP archive with source code and
			     executable for the Filter.
		config.zip - PKZIP archive with example config.sys,
			     protocol.ini, autoexec.bat and the latest 
			     SMC driver for the Ethernet cards required 
			     by earlier versions of Drawbridge.

And 2 files:

	README 	- this file
	COPYING - copyright notice.


REQUIREMENTS:

The requirements are less stringent in Drawbridge version 2.0.  Filter
is compiled for and requires an 80386 or higher processor (it is
documented in the makefile how to compile specifically for a higher
processor). Any Ethernet or FDDI boards for any bus may be used as long
as they have DOS NDIS 2.01 drivers.

NOTE! These drivers *must* support promiscuous mode, *must* allow you
to configure the driver to support two cards in one PC, and *must*
provide access to the native media frame format. Be careful to confirm
this before you settle on any adapters. Some adapters do not support
these features.

It is recommended that you use a PC with a hard disk; however, a setup
that uses a floppy is possible. The reason for recommending a hard
disk is that when Filter performs a write and writes all of its tables
to disk, *all packet forwarding stops* for the duration of the write.
This may take a substantial amount of time on a floppy depending on
the configuration loaded into Filter.


BUILDING:

The Filter Compiler and Filter Manager both require an ANSI C compiler;
the GNU C Compiler (gcc) is recommended. The Filter requires Borland
C++ 4.02 and Borland Turbo Assembler 4.0. An executable version of
Filter is provided in case you do not have access to these tools.

To build Filter Compiler (fc) and Filter Manager (fm), just go into the
respective directories and type "make". This will build the
executables. To install fc and fm, edit the makefiles to set the
destination directory, become root and type "make install".

To build Filter, unarchive the PKZIP archive, go to the source directory
and type "make".


CONTACTS:

Any suggestions or comments can be sent to: drawbridge@net.tamu.edu

Any and all feedback on this Beta release is welcome. Also, ports of the
Filter Compiler and Filter Manager to other platforms would be appreciated.

Drawbridge is designed and programmed by:

David K. Hess
Douglas Lee Schales
David R. Safford

Texas A&M University
February 1, 1994
