HOW WE DID IT
Before testing, we established three sample security policies that an
organization might support. We called them loose, standard and tight.
We attached each firewall to our lab network, which is connected to
the Internet. And we placed two workstations and a protocol analyzer inside

We implemented as many of the policies as each firewall supported. For
each policy, we did simple tests to ensure that the firewall was doing what

In addition, we tried some basic confidence tests, such as trying to
communicate across the firewall while it was booting.
We also attempted to communicate outside the policy to see how well
and how efficiently each firewall handled logging and alerting.
In all, we looked at 16 different characteristics, including product
philosophy and orientation, flexibility, management style, reporting, user
interface and documentation.