All-in-one security appliances
Firewall and VPN combination devices simplify security
By Gail James and Miryana Bunic
Network World
April 19, 1999
These days every organization has a firewall, and those that
don't have a virtual private network (VPN) are probably planning
to launch one.
To simplify security management, vendors have created a new
class of equipment that combines firewall security with VPN
features. Vendors market the products under various names
- Internet access devices, policy routers or VPN firewalls
- but the products share a single goal: to provide secure
network access to legitimate remote users and keep intruders
out.
We looked at six such products. Our Blue Ribbon Award winner
is Check Point Software's VPN-1 Appliance, a hardware and
software combination that delivers comprehensive firewall
and VPN features. Of the six products we tested, only VPN-1
Appliance lets you define a single integrated security policy
that can be distributed across multiple firewall gateways
from a central location. Plus, the second or additional gateways
don't have to be dedicated firewall boxes; Check Point creates
added gateways with its Remote Link Module software, called
Firewall-1 4.0, that runs on Unix or Windows NT workstations.
Internet Devices' Fort Knox Policy Router F-3000 placed second
in our tests. Administrators who are less concerned about
installing multiple access devices throughout a large enterprise
will like Fort Knox Policy Router. It has a well-organized
graphical user interface (GUI) with an
optional bandwidth manager software module, HTTP and Domain
Name System (DNS) caching, and several other useful features
that make it an excellent choice for small to mid-size VPN
installations. However, Fort Knox Policy Router is the only
product we tested that lacks a port for directly attaching a
management console.
NetScreen Technologies' NetScreen-100, Technologic's Interceptor
4.0 and WatchGuard's Firebox II performed well but lacked
many of the advanced features found in VPN-1 Appliance and
Fort Knox Policy Router.
FreeGate's OneGate 1000 offers a little bit of everything
but at the expense of usability. It includes a packet-filtering
firewall, an IP router, two Web servers, an e-mail server
and File Transfer Protocol (FTP), DNS and Dynamic Host Configuration
Protocol services. However, OneGate is hard to configure and
manage, and its firewall and VPN features are merely adequate.
And, unlike the other five products we tested, OneGate doesn't
provide an Ethernet port on its external WAN port interface.
It provides only ISDN or T-1 access to the Internet, along
with IP routing support.
Most of the appliances we tested use proprietary operating
systems. The exceptions are VPN-1 Appliance, which runs under
Microsoft Windows NT and Sun Solaris, and Firebox II, which
runs under Linux.
Safety matters
If you're planning to buy one of these devices, firewall
and VPN features are probably of equal importance to you.
Today's firewalls generally use one of three common approaches
to block or forward traffic.
Only Check Point's VPN-1 Appliance uses stateful inspection
for filtering traffic. Stateful inspection uses a combination
of packet filtering and application-layer processing to determine
if a packet should be accepted or rejected. The method provides
full application-layer awareness without requiring a separate
proxy for every service to be secured. Fort Knox Policy Router,
Interceptor, Firebox II and NetScreen-100 use a combination
of packet filtering and application proxy, while OneGate uses
standard packet filtering.
Implementing access control parameters lets you grant selective
network access to authorized users, protect communications
over untrusted public networks and detect network attacks.
VPN-1 Appliance and Fort Knox Policy Router offer the broadest
selection of services and protocols. VPN-1 Appliance has a
very clear interface; Fort Knox Policy Router uses vague icons
to describe services, which required us to repeatedly reference
the icon legend. Firebox II, Interceptor and NetScreen-100
did a good job of covering the basic services and protocols
needed to define the firewall policies. OneGate offered limited
flexibility for creating
rules; the device only provides a few predefined policies
that you can choose to activate. We used Internet Security
Systems' Internet Scanner 5.6 to find security vulnerabilities
in the test sites protected by the products. The software
tests for source porting, source routing, IP spoofing, brute
force attempts, anonymous FTP checks, and denial-of-service
attacks. Internet Scanner then issues a pass or fail report
with suggestions.
Each product passed the Internet Scanner tests, though Internet
Scanner did find minor problems related to our setup. For example,
Internet Scanner found that traceroute traffic got through all the
boxes except Fort Knox Policy Router. Letting traceroutes through
creates a potential backdoor for unwanted Internet traffic. To protect a network
from this vulnerability, network administrators can simply
create rules that disallow incoming User Datagram Protocol
(UDP) and Internet Control Message Protocol (ICMP) packets
with high-numbered destination ports. We'd like to see
vendors document this more clearly so that administrators
are aware of the risk.
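As an added illustration (not code from the article or from any of the products reviewed), the following Python model shows the difference between the stateful inspection described under "Safety matters" and the plain packet-filter rule suggested above for the traceroute finding. It assumes that classic Unix traceroute probes UDP ports from 33434 upward and, for the stateless case, reads the article's rule bluntly as "drop all inbound ICMP"; addresses are constructed sample values.

```python
from dataclasses import dataclass

TRACEROUTE_PORT_FLOOR = 33434  # classic Unix traceroute probes start here (assumption)

@dataclass(frozen=True)
class Packet:
    proto: str             # "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0         # UDP destination port; unused for ICMP
    icmp_type: int = -1    # 11 = time exceeded, 3 = unreachable
    quoted: tuple = ()     # ICMP errors quote the (proto, src, dst, dport) they answer
    inbound: bool = True   # True when arriving from the untrusted side

def stateless_verdict(pkt: Packet) -> str:
    """Plain packet filter applying the rule the article recommends: drop
    inbound UDP aimed at high-numbered ports and inbound ICMP outright."""
    if pkt.inbound and pkt.proto == "udp" and pkt.dport >= TRACEROUTE_PORT_FLOOR:
        return "deny"
    if pkt.inbound and pkt.proto == "icmp":
        return "deny"
    return "pass"

def stateful_verdict(pkt: Packet, flows: set) -> str:
    """Stateful inspection: outbound flows are recorded so an ICMP error is
    admitted only when it answers one of them; cold inbound probes still drop."""
    if not pkt.inbound:
        flows.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
        return "pass"
    if pkt.proto == "icmp" and pkt.icmp_type in (3, 11):
        return "pass" if pkt.quoted in flows else "deny"
    return stateless_verdict(pkt)

# Constructed sample traffic: an outside probe, then an inside user's own traceroute and its reply.
OUTSIDE_PROBE = Packet("udp", "203.0.113.9", "192.0.2.10", dport=33434)
INSIDE_TRACE = Packet("udp", "192.0.2.10", "198.51.100.7", dport=33435, inbound=False)
REPLY = Packet("icmp", "203.0.113.1", "192.0.2.10", icmp_type=11,
               quoted=("udp", "192.0.2.10", "198.51.100.7", 33435))

def demo() -> dict:
    """Run both filters over the sample traffic and return each verdict."""
    flows: set = set()
    return {
        "stateless_probe": stateless_verdict(OUTSIDE_PROBE),     # deny
        "stateless_reply": stateless_verdict(REPLY),             # deny: the user's own traceroute breaks
        "stateful_probe": stateful_verdict(OUTSIDE_PROBE, flows), # deny
        "stateful_trace": stateful_verdict(INSIDE_TRACE, flows),  # pass, flow recorded
        "stateful_reply": stateful_verdict(REPLY, flows),         # pass: answers a tracked flow
    }
```

The stateless rule closes the backdoor but also silences replies to legitimate inside-out traceroutes, which is what the application-layer awareness of stateful inspection avoids.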
To measure the impact the addition of one of these products
would have on network performance, we used NetBench 5.0 from
Ziff-Davis. With one client initiating a moderate level of
traffic to the server - 6M bit/sec of read/write requests
and 12M bit/sec of random read requests - we found no appreciable
differences in throughput when firewall and encryption functions
were enabled vs. when they were disabled. This result means
that the processor in each product was able to encrypt and
decrypt under moderate traffic loads without slowing throughput.
Because the products support different encryption standards, we didn't
try to saturate each connection with traffic to determine maximum throughput.
Specifically, all of the boxes we tested support 56-bit Data
Encryption Standard (DES) encryption, while only VPN-1 Appliance,
Fort Knox Policy Router, NetScreen-100 and OneGate also support
168-bit Triple-DES encryption. In terms of throughput, 168-bit
Triple-DES requires more processing power and is necessarily
slower than 56-bit DES under heavy load. However, the added
security offsets the throughput loss.
Affordable access
The VPN capabilities in the boxes tested provide some method
of data encryption so your company's traffic cannot be read
by others while it travels over the Internet. In addition
to 56-bit DES, all six products support VPN client, VPN remote
site-to-site, network address translation and manual IP Security.
Check Point's VPN-1 Appliance supports the full range of security
standards and provides its own proprietary FWZ encryption
scheme. Also, VPN-1 Appliance does not require a second VPN-1
Appliance box to complete the secure VPN. Check Point's Remote Link Module
software, Firewall-1 4.0, runs on NT- or Unix-based stations.
In addition to supporting multiple encryption schemes, algorithms
and key management, VPN-1 Appliance passes digital certificates
among its VPN firewall hosts. Therefore, an intruder trying to
pose as one of the firewalls is denied administrative privileges
because it cannot present a valid certificate.
When creating a VPN, as is true with a firewall, it is important
to set up a partially protected demilitarized zone (DMZ) where
you can place public servers, such as those for Web, FTP and
e-mail. Only Technologic's Interceptor did not support the
creation of a DMZ subnet.
Central management
For products of this type - those you expect to install in
more than one spot on your local network and across multiple
sites - centralized management tools and active monitoring
capabilities are critical. All six products let you remotely
manage multiple firewalls from a single console and provide
real-time monitoring, DNS caching, URL filtering and IP traffic
shaping. Fort Knox Policy Router and Interceptor supplied
the most comprehensive real-time monitoring and reporting
tools; they are also the only products we tested that filter
e-mail to reduce spam. VPN-1 Appliance is the only product
we tested that allows you to verify your policy set after
making changes to find inconsistencies or overlapping rules.
Once verified, you can install the policy set from a central
location on all firewalls enterprisewide or only on specific
branches. We also found VPN-1 Appliance's
logs to be helpful in understanding how the firewall was interpreting
our rule sets.
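The policy verification VPN-1 Appliance performs is the kind of check a small script can approximate. The following added Python example (not Check Point's code or algorithm) walks an ordered rule set and flags rules that an earlier rule shadows completely, plus partial overlaps with the opposite action; the sample policy and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str    # "any" or a named service such as "http"
    action: str     # "accept" or "drop"

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by other is also matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.service in ("any", other.service))

    def overlaps(self, other: "Rule") -> bool:
        """True when some packet could match both rules."""
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and (self.service == other.service or "any" in (self.service, other.service)))

def verify_policy(rules: list) -> list:
    """Report, for each rule, an earlier rule that shadows it completely or that
    partially overlaps it with the opposite action. A later rule that is a superset
    of an earlier one (such as a final cleanup rule) is ordinary and not reported."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append(("shadowed", later.name, earlier.name))
                break  # the rule can never fire; one finding is enough
            if (earlier.action != later.action and earlier.overlaps(later)
                    and not later.covers(earlier)):
                findings.append(("conflict", later.name, earlier.name))
    return findings

# Constructed sample policy: a branch-office block is undercut by an earlier
# web rule, and a branch web rule can never fire.
POLICY = [
    Rule("allow-web", ANY, ip_network("192.0.2.80/32"), "http", "accept"),
    Rule("drop-branch", ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24"), "any", "drop"),
    Rule("branch-web", ip_network("198.51.100.0/24"), ip_network("192.0.2.80/32"), "http", "accept"),
    Rule("cleanup", ANY, ANY, "any", "drop"),
]
```

Running verify_policy(POLICY) reports the drop-branch rule as conflicting with allow-web (branch users still reach the web server over HTTP) and branch-web as shadowed, which is exactly the class of inconsistency the article describes.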
Initial installations
Check Point's VPN-1 Appliance, Technologic's Interceptor,
FreeGate's OneGate 1000 and NetScreen's NetScreen-100 allow
you to perform the initial installation process and make any
changes through a Web browser or a directly connected management
console. Fort Knox Policy Router was the easiest to configure.
The installation software downloads the VPN smart client from
the host firewall during VPN installation. We had a little
more trouble setting up Fort Knox products when we added a
branch VPN and connected the two networks. We had to set up
a VPN tunnel between two Fort Knox Policy Routers prior to
enabling encryption between them.
We installed the Fort Knox Policy Router through a Web browser.
The installation process let us choose between two different
network configurations: transparent (often called single IP
address), which allows you to install the unit without changing
the IP addresses of your intranet's
existing router; or split, in which each interface (trusted,
external and DMZ) represents a different subnet.
Fort Knox Policy Router is the only unit we tested that doesn't
provide an alternate modem or serial port for directly attaching
a management console in case you are unable to establish a
connection through a browser. We found this to be a disadvantage
rather than a physical security advantage. However, we liked
Fort Knox Policy Router's GUI best.
WatchGuard's Firebox II's installation process was the only
one that required us to upload its configuration through Ethernet
and serial cable connections concurrently. During the Firebox
II installation we came across a "Waiting for Firebox
II to boot" message that actually meant that we needed
to recycle the power on Firebox II to continue installation.
We read the manual page by page but found nothing about shutting
the Firebox II off and on during the boot process. Fortunately,
WatchGuard's tech support staff was able to provide a translation
to continue the installation. Check Point's VPN-1 Appliance has excellent
documentation, including fairly extensive tutorials for better
understanding of the firewall and VPN principles. Other vendors
provided detailed instructions on how to perform certain tasks,
but little or no explanation of what was being created and
why.
Bottom line
All the products we tested can get the job done. But in a
feature-by-feature comparison, Check Point's VPN-1 Appliance
and Internet Devices' Fort Knox Policy Router stand out from
the crowd.
VPN-1 Appliance's distributed firewall policy further distinguishes
it from the competition; the ability to define and distribute
a single firewall policy across multiple firewall gateways
is a big draw for large enterprise sites.
NetScreen's NetScreen-100 and Technologic's Interceptor performed
admirably but didn't provide more than the basic firewall
and VPN features. Also, Technologic doesn't let you set up
a DMZ and lacks support for Triple-DES.
WatchGuard's Firebox II also lacks Triple-DES support in its
standard feature set and is hampered by poorly documented
installation. Difficult configuration hurt the score of FreeGate's
OneGate 1000, as did its limited selection of predefined policies.