Product Round-up: Firewalls

Whether a campus computer network is large or small, it needs security that blocks unauthorized access and intrusion. On large networks, the increasing diversification of network activity—including wireless access, telecommuters, and virtual private network (VPN) connections—complicates the issue. In order to ensure security, therefore, it's best to implement various solutions, including antivirus protection, intrusion detection software, and firewalls.

Firewalls are the front line of defense, the border guards against unauthorized movements of users into or out of the network. Firewalls don't analyze messages but instead simply prohibit access to anything that doesn't meet specified criteria. There are many kinds of firewall products: personal firewalls, which reside on one specific computer, as well as enterprise-level network firewalls. Software firewalls are less expensive and more available than hardware solutions. However, hardware firewalls are always on and don't interfere with other software running on the computer. We've surveyed several of the top enterprise firewall products in this issue, from Microsoft Corp. Windows NT products to Linux and Apple Computer Inc. Macintosh devices.

For Windows NT

Cisco PIX

The Cisco Systems Inc. Secure PIX 500 series is one of the leading Windows NT firewall products on the market. The series encompasses five models scaled for a variety of customer needs and network sizes, from the enterprise market all the way down to the small office environment. At the enterprise level, the PIX 535 provides a throughput of 1 gigabit/sec with the ability to handle up to 500,000 connections concurrently. Administrators of a smaller network may prefer the PIX 525, which delivers 370 megabits/sec and 280,000 simultaneous sessions. Each model has built-in IPSec encryption, allowing both site-to-site and remote access VPN deployments for off-campus users. Each model features an easy-to-install, integrated hardware/software appliance that uses a non-UNIX, secure, real-time, embedded system. The PIX firewalls may be managed by the PIX Configuration Manager or centrally managed by the Cisco Secure Policy Manager, which can manage up to 500 PIX firewalls, integrated software deployments, and site-to-site VPN installations. Contact: Cisco Systems, Santa Clara, Calif., (800) 553-NETS, www.cisco.com.

CyberwallPLUS

Designed to protect Windows NT/2000 systems and enterprise computer networks, the Cyberwall system consists of a central management system (called CyberWallPLUS-CM) and a family of four firewalls that secure desktops, servers, Internet access, and enterprise networks. Cyberwall's approach layers a packet filter firewall and packet inspection with an active intrusion protection system. This combination gives the administrator fine-grain access control at the host level. CyberwallPLUS features pre-configured security templates that help administrators install the product quickly, regardless of their security experience level. The workstation version of the product also includes the ability to limit or forbid access to particular applications, such as Napster or Doom. Contact: Network-1 Security Solutions, Waltham, Mass., (800) NETWRK1, www.network-1.com.

Symantec Enterprise Firewall 6.5

Symantec Corp. Enterprise Firewall (formerly known as the Raptor firewall) features a unique hybrid architecture designed to provide transparent firewall protection without slowing approved traffic. Its support for a broad selection of user authentication methods such as RADIUS, digital certificates, Lightweight Directory Access Protocol, and NT domain authentication gives administrators the flexibility to use existing security databases in the users' environment. Symantec's product is, above all, flexible. Users can choose between a hardware- or software-based solution for high availability and load balancing as well as integrated Web and Usenet content filtering. Developed for the Windows NT/2000 and Sun Microsystems Inc. Solaris platforms, Symantec touts an intuitive interface and range of easy-to-use tools for configuring, managing, and maintaining the firewall. From a central console, administrators can manage security policies for both local and remote firewalls and obtain a variety of security logs and management reports. An optional Symantec Enterprise VPN (formerly called the PowerVPN) can be combined with a personal firewall product and the Symantec Enterprise Firewall to extend the corporate perimeter to provide secure, low-cost connectivity for remote offices and telecommuters. Contact: Symantec, Cupertino, Calif., (408) 517-8000, www.symantec.com.

SonicWALL GX 2500 and 6500

The SonicWALL GX 2500 and 6500 Internet security appliances deliver an integrated security solution, combining a high-bandwidth firewall and VPN hardware for large enterprise institutions. With application-specific integrated circuit security architecture, ICSA-certified packet inspection technology, and the inclusion of 100 VPN clients for secure connectivity of dial-up users connecting from off campus, the GX products compete with other firewall packages in this class. Administrators can manage the GX 2500 or 6500 using a variety of local and remote options, including CLI, a Web management interface, and Simple Network Management Protocol. Also included is SonicWALL ViewPoint, a Web-based, graphical reporting tool for managing and monitoring network security. For mission-critical security, users can install two SonicWALL GXs, as primary and secondary appliances, creating a redundant pair. There is even a built-in redundant power supply. The scalable design accommodates future upgrades and interface types. The product supports seamless integration of other SonicWALL security appliances, such as Network Anti-Virus and Internet Content Filtering, to provide all-in-one security. Contact: SonicWALL, Sunnyvale, Calif., (888) 222-6563, www.sonicwall.com.

For Mac OS X

DoorStop Server Edition

Open Door Networks sells two products that work in combination to provide security for Macintosh-based servers. The first, a firewall called DoorStop Server Edition, includes advanced, server-specific security features and is specifically intended to run with such servers as AppleShare IP, WebSTAR, and ShareWay IP Professional. The second, Who's There Firewall Advisor, works with DoorStop to analyze each attack. Who's There provides administrators with critical information, including access attempts by service type and accessor IP address, built-in information about the most common attacks and their applicability to the specific Mac OS environment under which Who's There is running, and an automated "Whois" lookup to determine details of the accessor's network. The system can also automatically draft an e-mail that can be used to notify the administrator of the access attempt and provide him or her with details that may be useful in tracking the attempt. Who's There works with DoorStop as well as Symantec and IPNetSecurity products for the Macintosh. Contact: Open Door Networks, Ashland, Ore., (541) 488-4127, www.opendoor.com.
