
Astaro Security Linux
BarbedWire Technologies DP Inspector
Check Point Express
Cyberguard KS1000
InstaGate PRO
Microsoft Internet Security & Acceleration Server 2000
Nokia IP380
SonicWALL TZ 170
Stonesoft StoneGate SG-3000 VPN/Firewall
Sun iForce VPN/Firewall
Superstack 3 Firewall
Symantec Gateway 5460
Trustix Enterprise Firewall
WatchGuard Firebox X1000
ZyXEL ZyWALL 70


Firewalls (2004)
Seeing a rainbow can evoke a feeling of placid contentment. Wouldn't it be nice if seeing your firewall evoked that same feeling? Ian Parsons gets you closer
We have three Best Buys this month. At the enterprise level, the Sun iForce offers the best performance and a proven firewall, while for the SME market we would recommend the Nokia IP380 for its performance and expansion capabilities. In terms of software firewalls, Check Point Express offers all you could need. We also have three Recommended products. We selected the StoneGate SG-3000 for its performance and innovative ideas, while BarbedWire's DP Inspector offers a great deal to the smaller organization. Microsoft's ISA Server is a very capable software solution for Windows systems.
Firewalls may have started as obscure pieces of software that were installed to cope with a largely theoretical threat, but they are now an integral and essential part of the networking landscape.
We looked at a range of appliances, from the high end of the enterprise market to those for companies in the small to medium enterprise (SME) market, and at a number of software solutions.
There is still some concern about the security of "software only" firewalls and their underlying operating system. Some products solve this problem by simply reformatting the system's hard drive and installing their own "hardened" operating system as well as the firewall software.
We considered several factors in reviewing these products. We looked for ease of use, both in administering the firewall and in creating security policies.
Firewall configurations tend to be stable once set up, and changes to networks and security policies occur infrequently, so these procedures will tend to be unfamiliar to the security administrator. We looked for good help systems and support from the software, with "sanity checks" on rules and configurations.
We examined firewall security. Firewalls need to defend themselves as well as the networks they protect. A number of firewall exploits make use of underlying operating system features. Making an operating system secure against these attacks is a time-consuming and fairly technical exercise.
In the case of the software solutions, we looked to see if the installation process took care of these issues. We tested firewall security by running port scans against the firewalls in their default configurations as supplied.
We did, however, enable stealth mode if it was offered as a configuration option before running the scans, or if it was mentioned in the accompanying documentation. Check Point Express' documentation, for example, contains a specific reminder to create a stealth rule for each installation. A firewall operating in stealth mode should simply not respond to port scanning attempts, thus preventing intrusion attempts on the firewall. This procedure verified that the firewall was secure in its supplied configuration, before any new rules were applied.
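As an added illustration of the stealth rule described above (a configuration written for this article, not taken from any of the products reviewed), the nftables ruleset below makes a Linux firewall host silently drop, rather than reject, traffic aimed at itself, so a port scan gets no reply. It assumes eth0 is the external interface, eth1 the internal one, and 10.0.0.0/24 the management network.

```nft
# Example stealth ruleset (assumed interface names and subnet).
table inet fw {
    chain input {
        # Default policy: silently drop anything not explicitly allowed.
        # "policy reject" would answer with TCP RST / ICMP unreachable and
        # so reveal the firewall to a scanner.
        type filter hook input priority 0; policy drop;

        # Loopback and already-established sessions keep working.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery is needed for the link itself to function.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management (SSH, HTTPS) only from the internal subnet on the inside interface.
        iifname "eth1" ip saddr 10.0.0.0/24 tcp dport { 22, 443 } accept

        # VPN tunnels terminated on the firewall itself (IKE, NAT-T, ESP).
        iifname "eth0" udp dport { 500, 4500 } accept
        iifname "eth0" ip protocol esp accept

        # Rate-limited record of what the drop policy is about to discard,
        # for the kind of logging and reporting the review looks for.
        limit rate 5/minute log prefix "fw-input-drop: "
    }

    chain forward {
        # Traffic passing through the firewall is governed by the site's own
        # policy rules; shown only so the table loads as a complete ruleset.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}
```

With this loaded, a scan of the external interface sees neither open nor closed ports, which is the behaviour the review checked for before any custom rules were applied.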
We looked at the logging and reporting features offered. Logs are useful for several reasons apart from simply tracking what has already happened. For example, it is possible to determine traffic load patterns. These patterns may reveal useful information about network capacity, or indicate when different rule sets can be applied, perhaps to change permissions outside normal office hours. Logs can reveal unexpected devices and applications running on the network.
We looked for resilience. A single firewall represents a single point of failure in a network. Just how important the loss of internet access may be to an organization will depend on the nature of the business. If internet access is vital, perhaps for branch virtual private networks (VPNs) or for a website, then the firewall must be able to operate in a cluster or a failover pair. Clustering also allows for load distribution and provides ways of scaling capacity to match demand.
We looked at support. Most firewall appliances have support contracts offering 24/7 and 8/5 as options.
When it came to the VPN aspect, we looked to see if the firewall provided these facilities. Terminating the VPN tunnel at the firewall is generally more secure than allowing VPN traffic through. In either case, the tunnel is only as secure as the systems at each end of it.
Many of the systems offered specific support for demilitarized zones (DMZs), also known as screened subnets or perimeter networks. These are of particular use where an organization wishes to provide services on the internet, perhaps a web server, while allowing access to these services from the internal network as well.
Several of the firewall products offered features that allowed some control over internet access from within the firewall. Email filtering, spam filtering and website access restrictions were often offered as optional extras.
The configuration options on offer varied from the very simple to the fiendishly complex. Some firewall administration systems attempted to simplify everything as much as possible, almost to plug-and-play level, while others offered the opportunity to configure all aspects of the operation, sometimes to a level that would tax most administrators' technical knowledge.
While this level of detail may be acceptable in corporate installations, or in situations where the firewall is installed and maintained by a specialist organization, most SME companies simply do not need to be able to configure a firewall with such a high level of detail.
Most firewalls did, however, offer sensible default rules that were either all that was required or provided a good starting point from which to customize the setup.

