Number 236 - January 2003

Firewalls
by Milt Hull, Sept 2002 Sacra Blue
    Last month Sacra Blue ran an article about software firewalls by Ben Brady, who recommended Black Ice and Zone Alarm. These are both very strong products and have a lot of support in the industry for personal computer protection. Both have a great deal of development behind them and do everything a "real" firewall does.

    However, in a sophisticated networking environment, neither of these products is strong enough to support more than a few machines. You need a larger firewall that can protect all machines on a local area network (LAN). Usually, a hardware firewall works better and there are many available.

    One of my customers purchased a software firewall called Check Point (a Windows application) and dedicates one computer solely to running it. The box you put it on usually has three network cards, and it supports all the features that a good firewall has.

    Just what does a good firewall have? Most good firewalls have network address translation (NAT), which hides the private addresses on your LAN behind your public, static IP address, so no one can directly connect to your machines. Larger firewalls also have a demilitarized zone (DMZ), which is another connection you would use for servers that need a static IP address separate from that of the LAN. This zone also allows you to do one-to-one NAT, mapping a public IP address to a single private IP address, so that direct or indirect connections to your servers can be supported.

    Dynamic host configuration protocol (DHCP) is also supported on most firewalls, allowing the stations on your LAN to be assigned appropriate addresses automatically so they can communicate with each other.

    Content filtering and anti-virus are also supported by a hardware firewall. Virtual private networking (VPN) is also a desired feature of any high-end firewall. And of course on any firewall, logging is one of the most desired features, so you can see who is hitting you as well as who is using your network for malicious behavior.

    Based on this I set out to find the best firewall in the business. I looked at all the high-end units, including WatchGuard, Sonicwall, Check Point, Cisco, and lower-end units like Symantec and 3Com. I decided on the Sonicwall Pro 300 hardware device, which is no bigger than a small rack-mounted switch. It is 19" wide and about 1.5" tall. It has three RJ-45 connections supporting WAN, DMZ, and LAN zones. It also has a serial connection for direct-connect firewall administrative support.

    I chose this device because it has unlimited connections, over 1,000 VPN tunnels, and includes 50 VPN clients. It also has support for an anti-virus subscription, allowing you to protect all your machines on the LAN including your servers on the DMZ.

    The really cool thing about this firewall is its content filtering. You can subscribe to a "list" service that has every porn site listed, including all the sites that change URLs throughout the year, or you can just enter your own URLs and keywords that you want to restrict your users from seeing. I tried this and it works great.

    Reporting is perhaps this device's strongest asset. It comes with an open source MySQL server and all the logs are stored on this server. You simply log into your Web site and look at the Web-based reporting to see all the information, including pie charts and graphs showing you the top users, along with monitoring of FTP and configuration of your device.

    Speaking of Web support, the entire firewall has a Web-based configuration and can only be configured from inside the LAN or DMZ, but not from outside. I personally think that, for the money, this is the best hardware firewall in the industry. If your company is looking for a hardware firewall solution, consider this product for your needs.
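    The three-zone design the article describes (many-to-one NAT for the LAN, one-to-one NAT for a DMZ server, Web administration reachable only from inside, and logging of dropped traffic), as an added example written in Linux nftables syntax rather than the SonicWALL's own configuration; the interface names and addresses are constructed assumptions:

```nftables
#!/usr/sbin/nft -f
# Added example (not the article's or any vendor's config): a WAN/DMZ/LAN ruleset
# in nftables syntax. Interface names and addresses are constructed assumptions:
# eth0 = WAN (public 203.0.113.10; 203.0.113.20 reserved for the DMZ server),
# eth1 = DMZ (server 172.16.0.10), eth2 = LAN (192.168.1.0/24).
flush ruleset
define WAN = eth0
define DMZ = eth1
define LAN = eth2
define LAN_NET = 192.168.1.0/24
define DMZ_SRV = 172.16.0.10
define DMZ_PUB = 203.0.113.20

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Web-based admin (HTTPS) reachable only from LAN or DMZ, never from WAN
        iifname { $LAN, $DMZ } tcp dport 443 accept
        # DHCP server for the LAN
        iifname $LAN udp dport 67 accept
        log prefix "fw-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN may open connections to the Internet and to the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept
        # Internet may reach only the published DMZ service (after one-to-one NAT)
        iifname $WAN oifname $DMZ ip daddr $DMZ_SRV tcp dport { 80, 443 } accept
        # Everything else, including any WAN or DMZ connection into the LAN, is logged and dropped
        log prefix "fw-forward-drop: " drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # One-to-one NAT: the public address maps straight to the DMZ server
        iifname $WAN ip daddr $DMZ_PUB dnat to $DMZ_SRV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Reverse of the one-to-one mapping, so the server leaves as its public address
        oifname $WAN ip saddr $DMZ_SRV snat to $DMZ_PUB
        # Many-to-one NAT: LAN stations hide behind the firewall's WAN address
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

    The "fw-input-drop" and "fw-forward-drop" log prefixes are what you would search for in the kernel log to see who is hitting the firewall from outside.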

    (Copyright) 2002 Sacramento PC Users Group, Inc. All rights reserved.