Enterprise firewalls halt network traffic

Enterprise firewalls halt network traffic

KnightStar

VelociRaptor

FireboxIII 4500

Keeping your network up and running while safe from attack is the first concern of every administrator.

The GCN Lab took a look at three leading enterprise firewalls that can halt all traffic headed for a network and permit only authorized traffic to proceed.

They act much like the guard at the gate of a government facility. But, like the official who decides how scrupulously the guard checks IDs, the network administrator must tell a firewall exactly what to stop.

Without the right guidance, the firewall might turn all traffic away, or none.

It takes skill and practice to define a security policy that's right for the kinds of data a particular agency receives and sends.

Some sites need medium security, others need the maximum available.

Not long ago, setting up a network firewall was a daunting task. Now the world is a different place, and firewalls are so essential that their makers are adding helpful software wizards for inexperienced users.

Up to the boss

But the main thing that makes one firewall work better than the next is still the administrator's ability to set an effective security policy.

Second in importance is the firewall's competence at sniffing out illegitimate IP packets.

The CyberGuard Corp. KnightStar appliance, the largest in this review, is a sizable, 2U rackmount monster with a sizable price tag: $20,995. It can cover a network with up to 1 million simultaneous connections.

The KnightStar carries the Common Criteria Evaluation Assurance Level 4 certification, the most stringent level of an internationally accepted standard for security equipment.

Like the KnightStar, Symantec Corp.'s VelociRaptor has a Domain Name Server proxy built in to secure server port 53 from hackers. The port is often left open in network servers because many firewalls don't have the ability to monitor DNS.

VelociRaptor does a effective job of distinguishing malicious packets. Its virtual private network driver, unique to Symantec, conducts a preliminary scan of all packets approaching the firewall to identify their protocols and determine whether they exhibit the right characteristics.

If there are no abnormalities, the VPN driver continues feeding the data to other levels of the firewall software for further proxy tests.

The VelociRaptor documentation does a good job of describing the setup requirements: a static IP address, a netmask for the firewall, a gateway address and the IP address of the workstation that will run the firewall software.

Once this information has been compiled, installation is relatively simple: Plug in the firewall, enter the IP addresses, password and other necessary numbers, and then follow the setup wizard. For a large organization that needs good security, it can protect up to 14,000 simultaneous connections. But the VelociRaptor's price tag is high: $14,995.

According to Symantec, VelociRaptor is in the process of receiving EAL4 certification.

The WatchGuard Technologies Inc. Firebox III 4500 is relatively inexpensive'$10,000'and secures up to 5,000 connections and 330 VPN tunnels simultaneously. It's less robust than the other two firewalls.

Although WatchGuard claims the Firebox can defend 5,000 connections, that would push it to the limit. For maximum protection, the Firebox should stay well below the 5,000 mark. The other two firewalls in the review do not have that limitation.

Left unguarded

Also the Firebox 4500, unlike the other two products, cannot defend against hacking through the DNS port 53. The other two firewalls have DNS proxies in place.

WatchGuard representatives said they are developing software for attacks from this direction.

The Firebox has a reputation for good compatibility with other firewalls. It complies with the IP Security Protocol, which means it can set up virtual private networks with other vendors' firewalls.

Although the KnightStar outshone its competition in my view, all three firewalls could do a good job of protecting a large network.

Which brick is best? It depends on user needs and the agency's security policy.

They also were relatively simple to install and set up, which is especially tough considering the complexity of firewall technology.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above