[Moderator: Several security consulting groups have been doing about
the same with low-end Pentiums running Linux and ipfwadm for years.]

From: darek milewski <darekm@cmeasures.com>
http://www.nwfusion.com/reviews/1130rev.html
Tiny firewalls fill a niche
Global Technology Associates and Sonic Systems
provide firewall systems for frugal net managers.
By Christopher Null
Network World, 11/30/98

Network security is rarely simple or inexpensive. Even the most basic
firewall system typically costs $10,000 or more, and configuration
nightmares can leave all but the most experienced network managers
cringing.
Two vendors - Sonic Systems and Global Technology Associates - promise to
change all that with their low-cost, easy-to-use firewall systems, both of
which cost less than $1,000 and can be set up in one afternoon. However,
would-be buyers should know that when it comes to security, you get what
you pay for. These products are only suited to protecting small offices
or satellite divisions. They lack features you find in high-end firewalls,
such as a way to easily manage multiple firewalls, virtual private network
support and integrated user authentication.

Sonic boom

Sonic Systems' SonicWALL Plus 2.0 is a tiny firewall appliance the size of
a videocassette. Its list of features is impressive for a product whose
price starts at less than $500: stateful inspection; full Network Address
Translation (NAT); Java and ActiveX filtering; HTML content filtering;
detailed logging; and Dynamic Host Configuration Protocol provisioning.
After a relatively painless installation, we found that most of
SonicWALL's features were well-implemented, but the device was
horrendously slow on a production network of about 25 Windows machines on
a 100Base-T LAN.
Part of the problem is in hardware limitations. SonicWALL's LAN and WAN
ports support only 10Base-T connections, leaving users (like us) with 100M
bit/sec-only hubs and switches in a quandary over how to connect to it. We
daisy-chained a 10M bit/sec hub into the loop, but the resulting tangle of
connections was not something we would approve of in a production
environment. That may not be a problem in a typical small office, which
may have only 10M bit/sec Ethernet hardware.
The much larger problem was SonicWALL's inability to keep up with heavy
data traffic on our network. Not only did we find our WAN access slowed to
a crawl, but even accessing a page of the unit's browser-based management
utility often took several minutes. The unit requires you to use a
Java-enabled browser that supports HTTP uploads, namely Netscape Navigator
3.0 or higher.
Put simply, performance shortcomings make SonicWALL a poor choice for any
network of more than two or three active computers.
Still, on a very small network, SonicWALL may be a good firewall. The
graphical user interface is overloaded with features. However, we found
the box's security (which is certified by the International Computer
Security Association) to be bulletproof against attacks generated through
Internet Security Systems' Internet Scanner 5.0, various port-scanning
applications and other hacker tools.
Then again, most hackers we know would be too impatient to try to poke
holes in the SonicWALL. A hack attempt would simply take too long, given
its poor performance. (Look at it this way: The box itself is its own
denial-of-service attack; it doesn't need a hacker with malicious intent
to bring it to a crawl.)
Our conclusion: While SonicWALL is a passable firewall device for very
small offices, it simply will not scale for enterprise, or even
departmental, traffic.

A GNAT on the wall

Unlike SonicWALL, Global Technology Associates' GNAT Box 2.1.0 isn't a box
at all. It's a software firewall that runs on a PC. GNAT Box's proprietary
operating system requires only a machine with a 386 processor and as
little as 8M bytes of RAM. At $995 for unlimited users, it's one of the
least expensive firewalls you'll find.
But don't let its small size mislead you - GNAT Box boasts a feature set
that would fare well in any checklist comparison. This is a full-blown
proxy server, providing NAT, PPP filtering and multimedia protocol
support. It also works with NetPartners Internet Solutions' WebSENSE (at
additional cost) to provide Web content filtering.
You can install GNAT Box from any Windows or DOS system, most Unix flavors
or even a Macintosh. From the CD-ROM or Web download, you install a simple
application that configures your firewall. After that's done, the utility
creates a special bootable diskette you use to run the firewall. All
firewall operations are run from the diskette. There is even a Web server
sitting on the diskette, so you can administer the firewall through a
browser if you are so inclined.
You can also configure GNAT Box from Windows (see graphic, page 49), but
it's far easier and faster to use the text-based console, which doesn't
require you to boot to Windows or shut down the operating firewall.
Everything about the system, from its boot sequence to its arcane names
for different vendors' network interface cards (NIC), screams Unix, so
users with basic Unix familiarity will find themselves right at home.
The only configuration problem we had was that the software failed to
detect the EISA NICs we installed on one machine. It isn't documented
anywhere, but the company confirms that GNAT Box doesn't support EISA.
Instead, we used another machine with PCI NICs, which the firewall did
detect.
We found the firewall ran fairly fast on a low-end Pentium with 32M bytes
of RAM. The vendor claims GNAT Box can support 32,000 simultaneous
connections with that much RAM. This should be fine for most small
businesses, but companies looking to serve heavy Web traffic or provide
high-traffic remote office connectivity through the firewall will most
likely find it insufficient.
While the firewall is certified by the International Computer Security
Association, we found a minor vulnerability in the way GNAT Box performs
HTTP proxy services. Outsiders might be able to penetrate the system
through a hole on TCP port 80. Otherwise, the system's security is tight.
Our only real complaint with the firewall is that it requires a hardware
dongle, without which it runs for only an hour in demo mode. It's our
opinion that security dongles are evil incarnate. They make it hard to
move applications from one machine to another. If they go bad, you can't
solve the problem with a phone call for a new key. Instead, you need to
wait for the vendor to ship you new hardware. Dongles fall out, and
they're easily misplaced or damaged. Any application that resorts to their
use earns our immediate displeasure.
Still, we liked GNAT Box for what it is: a low-cost firewall that offers
full-blown security from one diskette. Altogether it's quite an admirable
system and a good choice for small shops.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 09:00:37 1998