Feds have a controlling interest
- By Richard W. Walker
- May 10, 1999
Keeping intruders out of your systems is enough of a headache without adding a
firewall that's difficult to configure and manage.
Hence, this admonition from a Transportation Department user in Seattle on FireWall-1
from CheckPoint Software Technologies Inc. of Redwood City, Calif., the top-rated firewall
in the GCN survey:
"Think of the user who has to manage, not technicians."
Overall, survey respondents ranked network address translation, which provides extra
security by keeping individual IP addresses hidden from the outside world, as the most
important firewall attribute.
The results of the survey, GCN's first on firewalls, also were notable for
users' generally lackluster ratings of the products in the chart below.
FireWall-1 bagged the top spot in the ratings despite its smaller installed
base, 14 percent of the market surveyed.
Microsoft Proxy Server, No. 2 in the survey, was the most widely used firewall in the
survey, capturing 20 percent of the market canvassed. A member of Microsoft's
BackOffice family, Proxy Server is an extensible firewall and Web cache server.
PIX Firewall, an integrated hardware and software system from Cisco Systems Inc. of San
Jose, Calif., was rated No. 3 and garnered 16 percent of users responding to the survey.
Much of the installed base in the survey was spread among a handful of products.
Other firewalls occupying slimmer slices of the market were Sidewinder from Secure
Computing Corp. of Roseville, Minn., at 12 percent; and CyberGuard Firewall from
CyberGuard Corp. of Fort Lauderdale, Fla., Eagle from Raptor Systems Inc. of Waltham,
Mass., and Gauntlet from Network Associates Inc. of Santa Clara, Calif., at 10 percent
FireWall-1 got mixed reviews from feds who offered comments. For example, one user
found it easy to design a policy with FireWall-1 but was critical of CheckPoint's
documentation and support desk.
Microsoft's Proxy Server and Cisco's PIX also met with assorted notices.
At the Federal Housing Finance Board, Walter Scott, associate director of information
resources, said he thinks Proxy Server needs a strong authentication feature.
"It needs some way to let you know who the person dialing in is, other than just a
password," he said.
Although FHFB's network has yet to suffer any serious intrusions, Scott frets
about the possibilities.
"I just keep reading horror stories," he said.
Vandalism is the biggest threat to FHFB's system, Scott said. "There's
no organized group out there that's going to try to break into our system," he
said. "It's either going to be kids or somebody who's playing around. We
have very little data that anybody would want."
Scott also thought better support for virtual private network features would improve
Another Proxy Server user said, "I'm not completely sure if it is secure in
On the other hand, an Army WAN manager in Pennsylvania found Proxy Server easy to
At the Federal Aviation Administration in San Juan, Puerto Rico, air traffic system
specialist Mike Narvaez wanted easier configuration from PIX, and he got it from the
latest version of the program.
"We just got a new version from Cisco, and it has fixed most of the bugs," he
Resolving PIX configuration issues came just in time at FAA's San Juan site, which
has about 120 users on its LAN.
Overall, PIX has performed well, Narvaez said. "Scalability is good, functionality
is good," he said.
"We're going to be using a new encryption standard, so we have to configure
for the new type of encryption," he said. "We're in that stage right now.
The migration is going well."
Designing a policy also is a snap. "The FAA has its own security and network
management program, so we already have a stable management policy in hand," he said.
"We just have to integrate that into the system."
"We use [the Agriculture Department's] National Finance Center and they have
brought out a VPN to connect to their system," he said.
"The VPN required us to open up our full LAN in order to use it because we had to
have IP addresses available and open directly to them. But they had no way to work with
Proxy Server, so we couldn't use their solution. And they have no concept of what a
Microsoft world looks like, so I don't know if we'll ever get together."
Cisco Systems' PIX got the thumbs up from a Caribbean user.