There's a firewall for every net

Network World, 2/3/97

Responding to the pace of Internet and intranet activity, firewall vendors are furiously churning out robust Unix-based packages, Windows NT-based offerings and shrink-wrapped units that are easy to install and configure. At the same time, companies are coming out with enhanced support for Internet-based virtual private networks (VPN) and better firewall management tools.

The broad spectrum of firewalls available should make it easy to find one that fits tightly with your security policy, whether it calls for an application gateway, proxy or packet-level filtering service.

Application-level and stateful inspection firewalls provide the highest level of security. By checking application layer information against a set of established security rules, application-levelfirewalls decide whether a user should be granted access to a particular application. If access is approved, the firewall does some form of packet address translation and brokers the passage of packets between your network and the Internet, thus hiding your internal network addresses from the 'Net.

Firewall vendors are clearly sold on this level of security. Most of the products listed in our chart work at this level. They provide access protection for a variety of applications such astelnet, File Transfer Protocol, Network File System, SMTP, Wide-Area Information Servers and so on.

A number of other firewalls support an advanced packet filtering technique known as stateful inspection, which tracks the context or state of network activity. This hybrid technology intercepts packets at the network layer, then extracts application layer information used to track and control connections. Among the vendors that support this scheme are CheckPoint Software Technologies, Inc., Global Technology Associates, Inc., LanOptics, Inc., Network-1 Software and Technology, Inc. and On Technology Corp.

Ira Machefsky, Internet analyst at Giga Information Group in Santa Clara, Calif., says stateful inspection functionality has moved into routers and other network access equipment that previously filtered solely on network addresses. Bay Networks, Inc., and CheckPoint, for example, have formed an alliance to move CheckPoint's stateful architecture into Bay's routers. Ascend Communications Corp. bought MorningStar Technologies, Inc. , another stateful inspection vendor, and is assimilating MorningStar's technology into its network access products. And Cisco Systems, Inc., Machefsky says, has developed its own stateful technology that it now sells as Cisco PIX.

Another trend involves the underlying operating systems firewall vendors use. Until recently, most firewalls were Unix based, but now Windows NT-based offerings are coming on strong. NT-based products provide reasonable security, but as a relatively new operating system with millions of lines of code, there are bound to be security holes you haven't heard about yet, says Ted Julian, Internet research manager at International Data Corp. in Framingham, Mass..

However, because there is widespread familiarity with the Windows interface, NT-based firewalls can be more easily configured than their Unix counterparts, which should minimize the potential for security breaches, Julian says.

''You might not have to worry about NT if you work in a small or medium-size company,'' says Michael Zboray, vice president of network security at Gartner Group, Inc. in Stamford, Conn. Rather, he says, vendors including Seattle Software Labs, Inc., Secure Computing Corp. and Cisco offer shrink-wrapped products that require minimal configuration via a point-and-click interface.

Signs indicate that before too long, there will be large-scale deployment of Internet-based VPNs, secure chunks of the public Internet that you carve out using encryption.

''This is a must-have for any time-sensitive data that is going across public lines and is also important for international links,'' says Allen Leibowitz, president of Anzen Computing, Inc. in Ann Arbor, Mich. He points out that you can save big by tapping Internet service providers to link your sites instead of using leased lines.

Most vendors include proprietary encryption software in their firewalls. However, several vendors, along with TCP/IP stack vendors and encryption company RSA Data Security, Inc., are trying to define packet encryption interoperability standards. Dubbed the S/WAN initiative, this effort is moving to implement the IETF IPSec security standard for IP Version 6, the next-generation Internet protocol.

The security that firewalls is also now extending to how they are administered. Advances in encryption technology and authentication tools are making for more secure remote administration. Several companies provide centralized management of multiple firewalls. These include CheckPoint, Raptor Systems, Inc., and Trusted Information Systems, Inc.

However, Peter Vogel, editor in chief of The Firewall Report published by Glen Head, N.Y., market research firm Outlink, Inc., says that users will soon need vendors to provide them with tools for integrating the management of security policies across multiple firewalls, routers and servers.

A potential tiebreaker in your firewall decision, Gartner's Zboray says, is the age of the source code. It's likely most of the bugs have been worked out of code from the more mature players, notably Trusted Information Systems (TIS). For example, the TIS Firewall Toolkit is the foundation for many firewall products.

Ron Hale, senior manager of computer assurance services at Deloitte & Touche LLP in Chicago, says even after you've settled on a firewall, you should periodically revisit the product's effectiveness. ''It is not like buying a server or database, where you have a long-term commitment,'' he says. ''The product you have today may not protect you against future threats.'' He recommends working with a vendor that has a long track record, a robust product, and that routinely deploys fixes to address newfound Internet threats.

Feedback | Network World, Inc. | Sponsor index
How to Advertise | Copyright

Home | NetFlash | This Week | Industry/Stocks
Buyer's Guides/Tests | Net Resources | Forums | Careers
Seminars & Events | Product Demos/Info
Audio Primers | IntraNet