1/28/99
UK: AN ALL-IN-ONE HACKER REPELLENT.
Effective security for your network doesn't always come in big beige
boxes, as Bob Walder explains.
The term network appliance is gradually making its way into common usage.
It refers to self-contained devices that plug into a Lan at any
appropriate point, are managed over the network (often using a standard
web browser), and then just do a single job without any further attention
required from the network administrator.
Such devices come in a range of flavours, including print, fax and mail
servers, and now firewalls. Even these devices - once considered big
budget purchases for equally sized companies - are now such a commodity
that you can buy them for less than £1,000 and install them in under five
minutes.
This is the category that Sonicwall falls into. Prices range from £495 for
a 10-user basic version; we reviewed the high-end £1,795 version, which
includes three network interfaces and a De-Militarised Zone (DMZ) on which
you can host all your publicly available web and FTP servers.
A set-top box
All the necessary hardware and software is contained in a single box the
size of a paperback book. There are three network ports at the back and
three sets of corresponding status LEDs on the front panel. That, and a
reset switch, is all there is to it. The hardware is a 25MHz 68360 Risc
processor with 4Mb Ram, 128Kb Rom and 2Mb of flash memory. The firewall
code and host operating system is completely proprietary, making it
unlikely that hackers will concentrate their attentions on it when they
can be having so much fun undermining general purpose operating systems,
such as Windows NT.
Installation ought to be simple, especially if you have a correctly
configured network to start with and follow the instructions to the
letter. However, despite the fact that I install these things day in and
day out, I found the installation procedure to be fraught with
complications if you don't have exactly the right network according to
the less-than-helpful manual.
Once you iron out any inconsistencies in your network and get the firewall
in place, you will find a whole host of features available to secure your
network.
The firewall engine uses stateful inspection, and includes full Network
address translation (Nat) and hacker attack prevention (to repel Denial Of
Service attacks). Creating and amending filters is not the easiest I have
seen, but is far from impossible. A built-in DHCP server makes the
administrator's life an easier one, as does full support for DHCP on all
ports.
Nat translates multiple IP addresses on the private Lan to one public
address visible on the Net. This adds a level of security since the IP
address of a PC connected to the private Lan is never transmitted on the
Internet. Further, Nat allows Sonicwall to be used with low cost Internet
accounts where only one IP address is provided by the Internet service
provider.
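The two mechanisms described above, stateful inspection and Nat, work together: outbound connections from the private Lan create entries in a translation table, and packets arriving from the Internet are forwarded only if they answer a tracked flow. The following is an added toy model of that behaviour written for this article, not Sonicwall code; the addresses are constructed documentation-range values and the port allocation scheme is an assumption.

```python
"""Toy stateful NAT firewall (constructed example, not Sonicwall code).

Private hosts share one public address. An outbound packet creates a
table entry keyed by the public port the firewall allocates; an inbound
packet is forwarded only when it matches an existing entry, otherwise it
is dropped and logged. This is the property the review relies on: the
private IP address never appears on the Internet side.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # RFC 5737 documentation address (constructed)


@dataclass
class NatFirewall:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000  # assumed starting point for allocated public ports
    # public_port -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet's source to the public address; record the flow."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:  # existing connection: reuse its public port
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Forward an Internet packet only if it answers a tracked flow."""
        entry = self.table.get(dst_port)
        if (dst_ip == self.public_ip and entry is not None
                and entry[2:] == (src_ip, src_port)):
            # translate the destination back to the private host and port
            return (src_ip, src_port, entry[0], entry[1])
        self.log.append(f"DROP unsolicited {src_ip}:{src_port} -> {dst_ip}:{dst_port}")
        return None


if __name__ == "__main__":
    fw = NatFirewall()
    print(fw.outbound("192.168.1.20", 51234, "198.51.100.5", 80))
    print(fw.inbound("198.51.100.5", 80, PUBLIC_IP, 40000))
    print(fw.inbound("198.51.100.9", 4444, PUBLIC_IP, 40000))
    print(fw.log)
```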
Big brother is watching
An optional Cybernot filter list subscription is available. This allows
the administrator to select categories of Internet sites to block, or to
monitor access to. These categories, such as pornography or racial
intolerance, are selected from a predefined list that is updated online.
Sonicwall contains comprehensive logging capabilities, including a
customisable log, HTML-based log, and the ability to email the log
(including alerts) at regular intervals. Reporting is also included, with
pre-defined reports such as web site hits, bandwidth usage by IP address,
and bandwidth usage by service.
A final word of caution: these devices may appear to be easy to install
and configure, and many of them are (some are even easier than Sonicwall).
However, this does not mean they are secure. But don't get me wrong;
Sonicwall is as secure a firewall device as you are likely to find,
although it would be nice if more firewall vendors opted for the Checkmark
certification process from West Coast Labs in addition to ICSA.
There is more to configuring a firewall than getting it out of the box, as
we all know. In the default state, these devices are either wide open or
too restrictive to be of any use. This means that 99 per cent of all sites
must start fiddling with the filters, and that is when the loopholes are
introduced - some wide enough for your average hacker to drive a double
decker bus through! If you don't know what you are doing, it is worth
spending a little extra money to get a security consultant to install and
configure these things for you.
AT A GLANCE
SONICWALL FIREWALL AND DMZ
What it is
An inspection firewall with DMZ capability - everything you need comes in
a single box
Price
£495, excluding VAT (10-user licence) to £1,795, excluding VAT (unlimited
users)
Contact
Tekdata (01782) 254706, www.tekdata.co.uk
COMPUTING VERDICT
If you can get past the configuration and less-than-helpful documentation,
the Sonicwall Plus DMZ is superb value for money, providing a complete
turnkey solution and all the features you could ask for in a firewall.
COMPUTING 21/01/1999 P60
Received on Thu Mar 11 17:21:28 1999