[ISN] An All-In-One Hacker Repellent

From: mea culpa (jerichoat_private)
Date: Tue Feb 09 1999 - 13:53:56 PST


    1/28/99
    UK: - AN ALL-IN-ONE HACKER REPELLENT.
    
    Effective security for your network doesn't always come in big beige
    boxes, as Bob Walder explains. 
    
    The term network appliance is gradually making its way into common usage.
    It refers to self-contained devices that plug into a Lan at any
    appropriate point, are managed over the network (often using a standard
    web browser), and then just do a single job without any further attention
    required from the network administrator. 
    
    Such devices come in a range of flavours, including print, fax and mail
    servers, and now firewalls. Even these devices - once considered big
    budget purchases for equally sized companies - are now such a commodity
    that you can buy them for less than £1,000 and install them in under five
    minutes. 
    
    This is the category that Sonicwall falls into. Prices start at £495 for a
    10-user basic version; we reviewed the high-end £1,795 version, which
    includes three network interfaces and a De-Militarised Zone (DMZ) on which
    you can host all your publicly available web and FTP servers. 
    
    A set-top box
    
    All the necessary hardware and software is contained in a single box the
    size of a paperback book. There are three network ports at the back and
    three sets of corresponding status LEDs on the front panel. That, and a
    reset switch, is all there is to it. The hardware is a 25MHz 68360 Risc
    processor with 4Mb Ram, 128Kb Rom and 2Mb of flash memory. The firewall
    code and host operating system is completely proprietary, making it
    unlikely that hackers will concentrate their attentions on it when they
    can be having so much fun undermining general purpose operating systems,
    such as Windows NT. 
    
    Installation ought to be simple, especially if you have a correctly
    configured network to start with and follow the instructions to the
    letter. However, despite the fact that I install these things day in and
    day out, I found the installation procedure to be fraught with
    complications if you didn't have exactly the right network according to
    the less-than-helpful manual. 
    
    Once you iron out any inconsistencies in your network and get the firewall
    in place, you will find a whole host of features available to secure your
    network. 
    
    The firewall engine uses stateful inspection, and includes full Network
    address translation (Nat) and hacker attack prevention (to repel Denial Of
    Service attacks). Creating and amending filters is not the easiest I have
    seen, but is far from impossible. A built-in DHCP server makes the
    administrator's life an easier one, as does full support for DHCP on all
    ports. 
    
    Nat translates multiple IP addresses on the private Lan to one public
    address visible on the Net. This adds a level of security since the IP
    address of a PC connected to the private Lan is never transmitted on the
    Internet. Further, Nat allows Sonicwall to be used with low cost Internet
    accounts where only one IP address is provided by the Internet service
    provider. 
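    The stateful inspection and Nat behaviour the review describes, as an added
    illustration (this is not Sonicwall's code or the article's): outbound
    flows from the private Lan are rewritten to one public address and recorded,
    replies are matched against that record, and unsolicited inbound packets
    are dropped. All addresses are constructed and the class name is hypothetical.

```python
# Added example, not Sonicwall's code: a minimal stateful NAT engine.
# Private hosts share one public address; only replies to recorded flows
# are admitted, so the private addresses never appear on the Internet side.
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # constructed public address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Hypothetical NAT/inspection engine modelled on the review's description."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, src_ip, src_port, dst_ip, dst_port) -> allocated public port
        self.out_map = {}
        # (proto, public port, remote_ip, remote_port) -> (private ip, port)
        self.in_map = {}

    def outbound(self, pkt):
        """Lan -> Internet: allocate (or reuse) a public port for this flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        # Only the public address leaves the Lan; the private one is hidden.
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Internet -> Lan: admit only replies matching an established flow."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self.in_map.get(key)
        if pkt.dst_ip != self.public_ip or inside is None:
            return None  # no matching state: the stateful filter drops it
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])
```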
    
    Big brother is watching
    
    An optional Cybernot filter list subscription is available. This allows
    the administrator to select categories of Internet sites to block or
    monitor access. These categories, such as pornography or racial
    intolerance, are selected from a predefined list that is updated online. 
    
    Sonicwall contains comprehensive logging capabilities, including a
    customisable log, HTML-based log, and the ability to email the log
    (including alerts) at regular intervals. Reporting is also included, with
    pre-defined reports such as web site hits, bandwidth usage by IP address,
    and bandwidth usage by service. 
    
    A final word of caution: these devices may appear to be easy to install
    and configure, and many of them are (some are even easier than Sonicwall).
    However, this does not mean they are secure. But don't get me wrong;
    Sonicwall is as secure a firewall device as you are likely to find,
    although it would be nice if more firewall vendors opted for the Checkmark
    certification process from West Coast Labs in addition to ICSA. 
    
    There is more to configuring a firewall than getting it out of the box, as
    we all know. In the default state, these devices are either wide open or
    too restrictive to be of any use. This means that 99 per cent of all sites
    must start fiddling with the filters, and that is when the loopholes are
    introduced - some wide enough for your average hacker to drive a double-
    decker bus through! If you don't know what you are doing, it is worth
    spending a little extra money to get a security consultant to install and
    configure these things for you. 
    
    AT A GLANCE
    
    SONICWALL FIREWALL AND DMZ
    
    What it is 
    
    An inspection firewall with DMZ capability - everything you need comes in
    a single box
    
    Price
    
    £495, excluding VAT (10-user licence) to £1,795, excluding VAT (unlimited
    users)
    
    Contact
    
    Tekdata (01782) 254706
    www.tekdata.co.uk
    
    COMPUTING VERDICT
    
    If you can get past the configuration and less-than-helpful documentation,
    the Sonicwall Plus DMZ is superb value for money, providing a complete
    turnkey solution and all the features you could ask for in a firewall. 
    
    COMPUTING 21/01/1999 P60
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    
