Is it a
firewall or a server?
Many of the firewalls we tested also include Internet service
software, such as File Transfer Protocol (FTP) or World-Wide Web servers.
All but the router-based firewalls from Livingston Enterprises, Inc.,
Network Systems Corp. (NSC), Network Translation, Inc. and Network-1
Software and Technology, Inc. are based on the Unix operating system, so
adding public domain (or proprietary) service software is not difficult.
If you want an all-in-one solution to Internet connection needs. A
single box can run not just the security application, but FTP, NNTP, SMTP
and POP, Domain Naming Service (DNS), Web and Gopher. Border Network
Technologies' BorderWare goes the furthest in this direction. BorderWare is
designed as a combination security firewall and Internet server, with all
services integrated into the base system.
To keep its firewall safe, Border locks out all interactive access. In
an earlier review of BorderWare, we took the vendor to task for not
providing an escape if you want to separate out security and service
applications. In the newest version of its software, Border has partially
answered that complaint by allowing the connection of a separate network
segment just for handling Internet information servers.
If you're uneasy about the security of public domain products for Web,
FTP and SMTP service, you may want to look at Secure Computing Corp.'s
Sidewinder and Harris Computer Systems Corp.'s CyberGuard.
Both of these servers include heavily modified versions of Unix
designed to contain any security breach that might be created by a poorly
written application. Sidewinder's type enforcement keeps even privileged
applications and users from modifying data or processes outside of their
own security domain. Similarly, Harris' simpler multilevel secure Unix
partitions the operating environment and presents a barrier to an
out-of-control or insecure application.
While products such as Sidewinder and CyberGuard are specifically
designed to run services on the firewall, some other vendors discourage
this practice, including Milkyway Networks Corp., Digital Equipment Corp.,
Trusted Information Systems, Inc. (TIS) and Checkpoint Software
DNS configurations give firewall vendors (and net managers) more
trouble than any other aspect of firewall configuration. In some cases, a
split DNS, which uses two DNS servers to hide internal information from the
outside, makes the most technical sense --- for example, when you have two
mail servers, one for external users sending messages in and one for
internal users sending out, both with the same name.
Some vendors provide both internal and external DNS servers from the
firewall, such as Secure Computing, Border, SOS Corp. and Harris. Other
vendors, including Milkyway, Digital, TIS, IBM and Checkpoint, provide only
Because products from Milkyway, Harris and Checkpoint support packet
filtering, they are the only Unix-based firewalls that do not require at
least one DNS server to be located near the firewall. Livingston, NSC,
Network Translation and Network-1 do not support any services (including
DNS) on their firewalls. Since DNS configuration information changes
constantly in many organizations, we felt most comfortable with firewalls
that let us move the DNS away from the security perimeter.
--- Joel Snyder