Feds have a controlling interest

Keeping intruders out of your systems is enough of a headache without adding a
firewall that’s difficult to configure and manage.


Hence, this admonition from a Transportation Department user in Seattle on FireWall-1
from CheckPoint Software Technologies Inc. of Redwood City, Calif., the top-rated firewall
in the GCN survey:


“Think of the user who has to manage—not technicians.”


Overall, survey respondents ranked network address translation, which provides extra
security by keeping individual IP addresses hidden from the outside world, as the most
important firewall attribute.


The results of the survey, GCN’s first on firewalls, also were notable for
users’ generally lackluster ratings of the products in the chart below.


FireWall-1 bagged the top spot in the ratings despite its smaller installed
base—14 percent of the market surveyed.


Microsoft Proxy Server, No. 2 in the survey, was the most widely used firewall in the
survey, capturing 20 percent of the market canvassed. A member of Microsoft’s
BackOffice family, Proxy Server is an extensible firewall and Web cache server.


PIX Firewall, an integrated hardware and software system from Cisco Systems Inc. of San
Jose, Calif., was rated No. 3 and garnered 16 percent of users responding to the survey.


Much of the installed base in the survey was spread among a handful of products.


Other firewalls occupying slimmer slices of the market were Sidewinder from Secure
Computing Corp. of Roseville, Minn., at 12 percent; and CyberGuard Firewall from
CyberGuard Corp. of Fort Lauderdale, Fla., Eagle from Raptor Systems Inc. of Waltham,
Mass., and Gauntlet from Network Associates Inc. of Santa Clara, Calif., at 10 percent
apiece.


FireWall-1 got mixed reviews from feds who offered comments. For example, one user
found it easy to design a policy with FireWall-1 but was critical of CheckPoint’s
documentation and support desk.


Microsoft’s Proxy Server and Cisco’s PIX also met with assorted notices.


At the Federal Housing Finance Board, Walter Scott, associate director of information
resources, said he thinks Proxy Server needs a strong authentication feature.


“It needs some way to let you know who the person dialing in is, other than just a
password,” he said.


Although FHFB’s network has yet to suffer any serious intrusions, Scott frets
about the possibilities.


“I just keep reading horror stories,” he said.


Vandalism is the biggest threat to FHFB’s system, Scott said. “There’s
no organized group out there that’s going to try to break into our system,” he
said. “It’s either going to be kids or somebody who’s playing around. We
have very little data that anybody would want.”


Scott also thought better support for virtual private network features would improve
Proxy Server.


Another Proxy Server user said, “I’m not completely sure if it is secure in
all instances.”


On the other hand, an Army WAN manager in Pennsylvania found Proxy Server easy to
configure.


At the Federal Aviation Administration in San Juan, Puerto Rico, air traffic system
specialist Mike Narvaez wanted easier configuration from PIX—and he got it from the
latest version of the program.


“We just got a new version from Cisco, and it has fixed most of the bugs,” he
said.


Resolving PIX configuration issues came just in time at FAA’s San Juan site, which
has about 120 users on its LAN.


Overall, PIX has performed well, Narvaez said. “Scalability is good, functionality
is good,” he said.


“We’re going to be using a new encryption standard, so we have to configure
for the new type of encryption,” he said. “We’re in that stage right now.
The migration is going well.”


Designing a policy also is a snap. “The FAA has its own security and network
management program, so we already have a stable management policy in hand,” he said.
“We just have to integrate that into the system.”


“We use [the Agriculture Department’s] National Finance Center and they have
brought out a VPN to connect to their system,” he said.


“The VPN required us to open up our full LAN in order to use it because we had to
have IP addresses available and open directly to them. But they had no way to work with
Proxy Server, so we couldn’t use their solution. And they have no concept of what a
Microsoft world looks like, so I don’t know if we’ll ever get together.”


Cisco Systems’ PIX got the thumbs up from a Caribbean user.

