[Moderator: Several security consulting groups have been doing about the same with low-end Pentiums running Linux and ipfwadm for years.]

From: darek milewski <darekmat_private>

http://www.nwfusion.com/reviews/1130rev.html

Tiny firewalls fill a niche
Global Technology Associates and Sonic Systems provide firewall systems for frugal net managers.
By Christopher Null
Network World, 11/30/98

Network security is rarely simple or inexpensive. Even the most basic firewall system typically costs $10,000 or more, and configuration nightmares can leave all but the most experienced network managers cringing. Two vendors - Sonic Systems and Global Technology Associates - promise to change all that with their low-cost, easy-to-use firewall systems, both of which cost less than $1,000 and can be set up in one afternoon.

However, would-be buyers should know that when it comes to security, you get what you pay for. These products are only suited to protecting small offices or satellite divisions. They lack features you find in high-end firewalls, such as a way to easily manage multiple firewalls, virtual private network support and integrated user authentication.

Sonic boom

Sonic Systems' SonicWALL Plus 2.0 is a tiny firewall appliance the size of a videocassette. Its list of features is impressive for a product whose price starts at less than $500: stateful inspection; full Network Address Translation (NAT); Java and ActiveX filtering; HTML content filtering; detailed logging; and Dynamic Host Configuration Protocol provisioning.

After a relatively painless installation, we found that most of SonicWALL's features were well-implemented, but the device was horrendously slow on a production network of about 25 Windows machines on a 100Base-T LAN. Part of the problem is in hardware limitations. SonicWALL's LAN and WAN ports support only 10Base-T connections, leaving users (like us) with 100M bit/sec-only hubs and switches in a quandary over how to connect to it.
We daisy-chained a 10M bit/sec hub into the loop, but the resulting tangle of connections was not something we would approve of in a production environment. That may not be a problem in a typical small office, which may have only 10M bit/sec Ethernet hardware.

The much larger problem was SonicWALL's inability to keep up with heavy data traffic on our network. Not only did we find our WAN access slowed to a crawl, but even accessing a page of the unit's browser-based management utility often took several minutes. The unit requires you to use a Java-enabled browser that supports HTTP uploads, namely Netscape Navigator 3.0 or higher.

Put simply, performance shortcomings make SonicWALL a poor choice for any network of more than two or three active computers. Still, on a very small network, SonicWALL may be a good firewall. The graphical user interface is overloaded with features. However, we found the box's security (which is certified by the International Computer Security Association) to be bulletproof against attacks generated through Internet Security Systems' Internet Scanner 5.0, various port-scanning applications and other hacker tools.

Then again, most hackers we know would be too impatient to try to poke holes in the SonicWALL. A hack attempt would simply take too long, given its poor performance. (Look at it this way: The box itself is its own denial-of-service attack; it doesn't need a hacker with malicious intent to bring it to a crawl.)

Our conclusion: While SonicWALL is a passable firewall device for very small offices, it simply will not scale for enterprise, or even departmental, traffic.

A GNAT on the wall

Unlike SonicWALL, Global Technology Associates' GNAT Box 2.1.0 isn't a box at all. It's a software firewall that runs on a PC. GNAT Box's proprietary operating system requires only a machine with a 386 processor and as little as 8M bytes of RAM. At $995 for unlimited users, it's one of the least expensive firewalls you'll find.
But don't let its small size mislead you - GNAT Box boasts a feature set that would fare well in any checklist comparison. This is a full-blown proxy server, providing NAT, PPP filtering and multimedia protocol support. It also works with NetPartners Internet Solutions' WebSENSE (at additional cost) to provide Web content filtering.

You can install GNAT Box from any Windows or DOS system, most Unix flavors or even a Macintosh. From the CD-ROM or Web download, you install a simple application that configures your firewall. After that's done, the utility creates a special bootable diskette you use to run the firewall. All firewall operations are run from the diskette. There is even a Web server sitting on the diskette, so you can administer the firewall through a browser if you are so inclined. You can also configure GNAT Box from Windows (see graphic, page 49), but it's far easier and faster to use the text-based console, which doesn't require you to boot to Windows or shut down the operating firewall.

Everything about the system, from its boot sequence to its arcane names for different vendors' network interface cards (NIC), screams Unix, so users with basic Unix familiarity will find themselves right at home. The only configuration problem we had was that the software failed to detect the EISA NICs we installed on one machine. It isn't documented anywhere, but the company confirms that GNAT Box doesn't support EISA. Instead, we used another machine with PCI NICs, which the firewall did detect.

We found the firewall ran fairly fast on a low-end Pentium with 32M bytes of RAM. The vendor claims GNAT Box can support 32,000 simultaneous connections with that much RAM. This should be fine for most small businesses, but companies looking to serve heavy Web traffic or provide high-traffic remote office connectivity through the firewall will most likely find it insufficient.
While the firewall is certified by the International Computer Security Association, we found a minor vulnerability in the way GNAT Box performs HTTP proxy services. Outsiders might be able to penetrate the system through a hole in TCP Port 80. Otherwise, the system's security is tight.

Our only real complaint with the firewall is that it requires a hardware dongle, without which it runs for only an hour in demo mode. It's our opinion that security dongles are evil incarnate. They make it hard to move applications from one machine to another. If they go bad, you can't solve the problem with a phone call for a new key. Instead, you need to wait for the vendor to ship you new hardware. Dongles fall out, and they're easily misplaced or damaged. Any application that resorts to their use earns our immediate displeasure.

Still, we liked GNAT Box for what it is: A low-cost firewall that offers full-blown security from one diskette. Altogether it's quite an admirable system and a good choice for small shops.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:13:14 PDT