[ISN] Tiny firewalls fill a niche

From: mea culpa (jerichoat_private)
Date: Thu Dec 03 1998 - 17:48:39 PST

    [Moderator: Several security consulting groups have been doing about
     the same with low-end Pentiums running Linux and ipfwadm for years.]
     
    From: darek milewski <darekmat_private>
    
    http://www.nwfusion.com/reviews/1130rev.html
    
    Tiny firewalls fill a niche
    Global Technology Associates and Sonic Systems
    provide firewall systems for frugal net managers.
    
    By Christopher Null
    Network World, 11/30/98
    
    Network security is rarely simple or inexpensive. Even the most basic
    firewall system typically costs $10,000 or more, and configuration
    nightmares can leave all but the most experienced network managers
    cringing. 
    
    Two vendors - Sonic Systems and Global Technology Associates - promise to
    change all that with their low-cost, easy-to-use firewall systems, both of
    which cost less than $1,000 and can be set up in one afternoon. However,
    would-be buyers should know that when it comes to security, you get what
    you pay for.  These products are only suited to protecting small offices
    or satellite divisions. They lack features you find in high-end firewalls,
    such as a way to easily manage multiple firewalls, virtual private network
    support and integrated user authentication. 
    
    Sonic boom
    
    Sonic Systems' SonicWALL Plus 2.0 is a tiny firewall appliance the size of
    a videocassette. Its list of features is impressive for a product whose
    price starts at less than $500: stateful inspection; full Network Address
    Translation (NAT); Java and ActiveX filtering; HTML content filtering;
    detailed logging; and Dynamic Host Configuration Protocol provisioning. 
    
    After a relatively painless installation, we found that most of
    SonicWALL's features were well-implemented, but the device was
    horrendously slow on a production network of about 25 Windows machines on
    a 100Base-T LAN. 
    
    Part of the problem is in hardware limitations.  SonicWALL's LAN and WAN
    ports support only 10Base-T connections, leaving users (like us) with 100M
    bit/sec-only hubs and switches in a quandary over how to connect to it. We
    daisy-chained a 10M bit/sec hub into the loop, but the resulting tangle of
    connections was not something we would approve of in a production
    environment. That may not be a problem in a typical small office, which
    may have only 10M bit/sec Ethernet hardware. 
    
    The much larger problem was SonicWALL's inability to keep up with heavy
    data traffic on our network. Not only did we find our WAN access slowed to
    a crawl, but even accessing a page of the unit's browser-based management
    utility often took several minutes. The unit requires you to use a
    Java-enabled browser that supports HTTP uploads, namely Netscape Navigator
    3.0 or higher. 
    
    Put simply, performance shortcomings make SonicWALL a poor choice for any
    network of more than two or three active computers. 
    
    Still, on a very small network, SonicWALL may be a good firewall. The
    graphical user interface is overloaded with features. However, we found
    the box's security (which is certified by the International Computer
    Security Association) to be bulletproof against attacks generated through
    Internet Security Systems' Internet Scanner 5.0, various port-scanning
    applications and other hacker tools. 
    
    Then again, most hackers we know would be too impatient to try to poke
    holes in the SonicWALL. A hack attempt would simply take too long, given
    its poor performance. (Look at it this way: The box itself is its own
    denial-of-service attack; it doesn't need a hacker with malicious intent
    to bring it to a crawl.) 
    
    Our conclusion: While SonicWALL is a passable firewall device for very
    small offices, it simply will not scale for enterprise, or even
    departmental, traffic. 
    
    A GNAT on the wall
    
    Unlike SonicWALL, Global Technology Associates' GNAT Box 2.1.0 isn't a box
    at all. It's a software firewall that runs on a PC. GNAT Box's proprietary
    operating system requires only a machine with a 386 processor and as
    little as 8M bytes of RAM. At $995 for unlimited users, it's one of the
    least expensive firewalls you'll find. 
    
    But don't let its small size mislead you - GNAT Box boasts a feature set
    that would fare well in any checklist comparison. This is a full-blown
    proxy server, providing NAT, PPP filtering and multimedia protocol
    support. It also works with NetPartners Internet Solutions' WebSENSE (at
    additional cost) to provide Web content filtering. 
    
    You can install GNAT Box from any Windows or DOS system, most Unix flavors
    or even a Macintosh. From the CD-ROM or Web download, you install a simple
    application that configures your firewall. After that's done, the utility
    creates a special bootable diskette you use to run the firewall. All
    firewall operations are run from the diskette. There is even a Web server
    sitting on the diskette, so you can administer the firewall through a
    browser if you are so inclined. 
    
    You can also configure GNAT Box from Windows (see graphic, page 49), but
    it's far easier and faster to use the text-based console, which doesn't
    require you to boot to Windows or shut down the operating firewall. 
    
    Everything about the system, from its boot sequence to its arcane names
    for different vendors' network interface cards (NIC), screams Unix, so
    users with basic Unix familiarity will find themselves right at home. 
    
    The only configuration problem we had was that the software failed to
    detect the EISA NICs we installed on one machine. It isn't documented
    anywhere, but the company confirms that GNAT Box doesn't support EISA. 
    Instead, we used another machine with PCI NICs, which the firewall did
    detect. 
    
    We found the firewall ran fairly fast on a low-end Pentium with 32M bytes
    of RAM. The vendor claims GNAT Box can support 32,000 simultaneous
    connections with that much RAM. This should be fine for most small
    businesses, but companies looking to serve heavy Web traffic or provide
    high-traffic remote office connectivity through the firewall will most
    likely find it insufficient. 
    
    While the firewall is certified by the International Computer Security
    Association, we found a minor vulnerability in the way GNAT Box performs
    HTTP proxy services. Outsiders might be able to penetrate the system
    through a hole in TCP Port 80. Otherwise, the system's security is tight. 
    
    Our only real complaint with the firewall is that it requires a hardware
    dongle, without which it runs for only an hour in demo mode. It's our
    opinion that security dongles are evil incarnate. They make it hard to
    move applications from one machine to another. If they go bad, you can't
    solve the problem with a phone call for a new key.  Instead, you need to
    wait for the vendor to ship you new hardware. Dongles fall out, and
    they're easily misplaced or damaged. Any application that resorts to their
    use earns our immediate displeasure. 
    
    Still, we liked GNAT Box for what it is: A low-cost firewall that offers
    full-blown security from one diskette.  Altogether it's quite an admirable
    system and a good choice for small shops. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:13:14 PDT