1/28/99 UK: AN ALL-IN-ONE HACKER REPELLENT

Effective security for your network doesn't always come in big beige boxes, as Bob Walder explains.

The term network appliance is gradually making its way into common usage. It refers to self-contained devices that plug into a Lan at any appropriate point, are managed over the network (often using a standard web browser), and then just do a single job without any further attention required from the network administrator. Such devices come in a range of flavours, including print, fax and mail servers, and now firewalls. Even these devices - once considered big-budget purchases for equally big companies - are now such a commodity that you can buy them for less than £1,000 and install them in under five minutes.

This is the category that Sonicwall falls into. Prices range from £495 for a 10-user basic version; we reviewed the high-end £1,795 version, which includes three network interfaces and a De-Militarised Zone (DMZ) on which you can host all your publicly available web and FTP servers.

A set-top box

All the necessary hardware and software is contained in a single box the size of a paperback book. There are three network ports at the back and three sets of corresponding status LEDs on the front panel. That, and a reset switch, is all there is to it. The hardware is a 25MHz 68360 Risc processor with 4Mb Ram, 128Kb Rom and 2Mb of flash memory. The firewall code and host operating system are completely proprietary, making it unlikely that hackers will concentrate their attentions on it when they can be having so much fun undermining general purpose operating systems such as Windows NT.

Installation ought to be simple, especially if you have a correctly configured network to start with and follow the instructions to the letter.
However, despite the fact that I install these things day in and day out, I found the installation procedure to be fraught with complications if you didn't have exactly the right network according to the less-than-helpful manual.

Once you iron out any inconsistencies in your network and get the firewall in place, you will find a whole host of features available to secure your network. The firewall engine uses stateful inspection, and includes full Network address translation (Nat) and hacker attack prevention (to repel Denial Of Service attacks). Creating and amending filters is not the easiest I have seen, but is far from impossible. A built-in DHCP server makes the administrator's life an easier one, as does full support for DHCP on all ports.

Nat translates multiple IP addresses on the private Lan to one public address visible on the Net. This adds a level of security, since the IP address of a PC connected to the private Lan is never transmitted on the Internet. Further, Nat allows Sonicwall to be used with low-cost Internet accounts where only one IP address is provided by the Internet service provider.

Big brother is watching

An optional Cybernot filter list subscription is available. This allows the administrator to select categories of Internet sites to block, or to monitor access to them. These categories, such as pornography or racial intolerance, are selected from a predefined list that is updated online.

Sonicwall contains comprehensive logging capabilities, including a customisable log, an HTML-based log, and the ability to email the log (including alerts) at regular intervals. Reporting is also included, with pre-defined reports such as web site hits, bandwidth usage by IP address, and bandwidth usage by service.

A final word of caution: these devices may appear to be easy to install and configure, and many of them are (some are even easier than Sonicwall). However, this does not mean they are secure.
But don't get me wrong; Sonicwall is as secure a firewall device as you are likely to find, although it would be nice if more firewall vendors opted for the Checkmark certification process from West Coast Labs in addition to ICSA. There is more to configuring a firewall than getting it out of the box, as we all know. In the default state, these devices are either wide open or too restrictive to be of any use. This means that 99 per cent of all sites must start fiddling with the filters, and that is when the loopholes are introduced - some wide enough for your average hacker to drive a double-decker bus through! If you don't know what you are doing, it is worth spending a little extra money to get a security consultant to install and configure these things for you.

AT A GLANCE: SONICWALL FIREWALL AND DMZ

What it is: An inspection firewall with DMZ capability - everything you need comes in a single box
Price: £495, excluding VAT (10-user licence) to £1,795, excluding VAT (unlimited users)
Contact: Tekdata (01782) 254706, www.tekdata.co.uk

COMPUTING VERDICT: If you can get past the configuration and less-than-helpful documentation, the Sonicwall Plus DMZ is superb value for money, providing a complete turnkey solution and all the features you could ask for in a firewall.

COMPUTING 21/01/1999 P60
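The stateful inspection and Nat behaviour the review describes (outbound Lan traffic rewritten to the one public address, replies matched against a connection table, and the DMZ the only place unsolicited Internet traffic may reach) as a toy model added here for illustration; it is not Sonicwall's code, and every address, port and the DMZ service list is constructed.

```python
"""Toy model of a stateful-inspection firewall with many-to-one NAT and a DMZ.
Added illustration, not SonicWall's code. All addresses are constructed."""
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.10"     # constructed: the single public address on the WAN port
LAN_PREFIX = "192.168.1."      # constructed: private LAN behind the firewall
# constructed: the only DMZ services that unsolicited Internet traffic may reach
DMZ_ALLOW = {("203.0.113.20", 80), ("203.0.113.20", 21)}


@dataclass
class Firewall:
    # state table: (public port, remote ip, remote port) -> (lan ip, lan port)
    state: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, src, sport, dst, dport):
        """LAN -> Internet: rewrite the source to PUBLIC_IP and remember the flow."""
        if not src.startswith(LAN_PREFIX):
            return "DROP", None
        pub_port = next(self._ports)
        self.state[(pub_port, dst, dport)] = (src, sport)
        return "ACCEPT", (PUBLIC_IP, pub_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> firewall: accept a reply to a remembered flow (un-NATed back
        to the LAN host) or traffic to an allowed DMZ service; drop everything else."""
        key = (dport, src, sport)
        if dst == PUBLIC_IP and key in self.state:
            lan_ip, lan_port = self.state[key]
            return "ACCEPT", (src, sport, lan_ip, lan_port)
        if (dst, dport) in DMZ_ALLOW:
            return "ACCEPT", (src, sport, dst, dport)
        return "DROP", None


def demo():
    """One web request out, its reply back, then three unsolicited inbound packets."""
    fw = Firewall()
    out = fw.outbound("192.168.1.5", 51000, "198.51.100.7", 80)      # LAN host browses
    reply = fw.inbound("198.51.100.7", 80, PUBLIC_IP, out[1][1])      # server answers
    probe = fw.inbound("198.51.100.99", 4444, PUBLIC_IP, 40001)       # no matching flow
    dmz_web = fw.inbound("198.51.100.99", 4444, "203.0.113.20", 80)   # published service
    dmz_ssh = fw.inbound("198.51.100.99", 4444, "203.0.113.20", 22)   # not published
    return out, reply, probe, dmz_web, dmz_ssh


if __name__ == "__main__":
    for name, result in zip(("out", "reply", "probe", "dmz_web", "dmz_ssh"), demo()):
        print(f"{name:8} {result[0]:6} {result[1]}")
```

The model shows why the private address never appears on the Internet and why a packet that matches no recorded flow and no published DMZ service is dropped; a real product's "fiddling with the filters" amounts to widening DMZ_ALLOW or the inbound rules, which is where the review warns the loopholes appear.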