All-in-one security appliances

Firewall and VPN combination devices simplify security

These days every organization has a firewall, and those that don't have a virtual private network (VPN) are probably planning to launch one.

To simplify security management, vendors have created a new class of equipment that combines firewall security with VPN features. Vendors market the products under various names - Internet access devices, policy routers or VPN firewalls - but the products share a single goal: to provide secure network access to legitimate remote users and keep intruders out.

We looked at six such products. Our Blue Ribbon Award winner is Check Point Software's VPN-1 Appliance, a hardware and software combination that delivers comprehensive firewall and VPN features. Of the six products we tested, only VPN-1 Appliance lets you define a single integrated security policy that can be distributed across multiple firewall gateways from a central location. Plus, the second or additional gateways don't have to be dedicated firewall boxes; Check Point creates added gateways with its Remote Link Module software, called Firewall-1 4.0, that runs on Unix or Windows NT workstations.

Internet Devices' Fort Knox Policy Router F-3000 placed second in our tests. Administrators who are less concerned about installing multiple access devices throughout a large enterprise will like Fort Knox Policy Router. It has a well-organized graphical user interface (GUI) with an optional bandwidth manager software module, HTTP and Domain Name System (DNS) caching, and several other useful features that make it an excellent choice for small to mid-size VPN installations. However, Fort Knox Policy Router is the only product we tested that lacks direct access for a manager's console.

NetScreen Technologies' NetScreen-100, Technologic's Interceptor 4.0 and WatchGuard's Firebox II performed well but lacked many of the advanced features found in VPN-1 Appliance and Fort Knox Policy Router.

FreeGate's OneGate 1000 offers a little bit of everything but at the expense of usability. On the plus side, OneGate includes a packet-filtering firewall, an IP router, two Web servers, an e-mail server and File Transfer Protocol (FTP), DNS and Dynamic Host Configuration Protocol services. OneGate includes two Ethernet ports and offers ISDN, 56K bit/sec, high-speed serial and T-1 support for WAN interfaces. On the down side, OneGate is difficult to configure and manage, and its firewall and VPN features are merely adequate.

Most of the appliances we tested use proprietary operating systems. The exceptions are VPN-1 Appliance, which runs under Microsoft Windows NT and Sun Solaris, and Firebox II, which runs under Linux.

Safety matters

If you're planning to buy one of these devices, firewall and VPN features are probably of equal importance to you. Today's firewalls generally use one of three common approaches to block or forward traffic.

Check Point's Firewall-1 and FreeGate's OneGate 1000 use stateful inspection for filtering traffic. Stateful inspection uses a combination of packet filtering and application-layer processing to determine if a packet should be accepted or rejected. The method provides full application-layer awareness without requiring a separate proxy for every service to be secured. Fort Knox Policy Router, Interceptor, Firebox II and NetScreen-100 use a combination of packet filtering and application proxy.
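As an added illustration (not code from any of the reviewed products), the following Python contrasts a minimal stateful inspection engine with an address/port-only filter on a constructed packet trace. It models transport-layer flow state only, not the application-layer processing the review mentions; the addresses, ports and the four-packet trace are assumptions constructed for the example.

```python
"""Stateful inspection versus address/port-only filtering on a constructed
packet trace (added illustration, not code from any reviewed product)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = trusted net -> Internet, "in" = Internet -> trusted net
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP flags; only meaningful when proto == "tcp"
    ack: bool = False


class StatefulFilter:
    """Admits outbound flows and only the replies that belong to them.

    The state table is keyed by the outbound 5-tuple; an inbound packet is
    accepted only if it is the exact reverse of a flow the trusted side
    opened. Nothing inbound is accepted on the strength of its ports alone.
    """

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def process(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse not in self.flows:
            return "drop"          # unsolicited: no matching outbound flow
        if p.proto == "tcp" and p.syn and not p.ack:
            return "drop"          # a bare SYN is a new connection, not a reply
        return "accept"


class StatelessFilter:
    """Decides on source/destination address and port only, with no memory.

    To let DNS replies through it must leave every high UDP port open to any
    sender that uses source port 53, which is the exposure the review warns
    about for policies written purely in terms of addresses and ports.
    """

    def __init__(self, trusted_net_prefix: str) -> None:
        self.trusted = trusted_net_prefix

    def process(self, p: Packet) -> str:
        if p.direction == "out":
            return "accept"
        if (p.proto == "udp" and p.sport == 53
                and p.dst.startswith(self.trusted) and p.dport >= 1024):
            return "accept"
        return "drop"


# Constructed trace: a legitimate DNS exchange, then an unsolicited inbound
# UDP packet that happens to carry source port 53, then an inbound TCP SYN.
TRACE = [
    Packet("out", "udp", "10.0.0.5", 40000, "198.51.100.53", 53),
    Packet("in", "udp", "198.51.100.53", 53, "10.0.0.5", 40000),
    Packet("in", "udp", "203.0.113.9", 53, "10.0.0.5", 33434),
    Packet("in", "tcp", "203.0.113.9", 4444, "10.0.0.5", 80, syn=True),
]


def run_trace(trace: list[Packet] = TRACE) -> dict[str, list[str]]:
    """Return the verdict each filter gives for every packet in the trace."""
    stateful, stateless = StatefulFilter(), StatelessFilter("10.0.0.")
    return {
        "stateful": [stateful.process(p) for p in trace],
        "stateless": [stateless.process(p) for p in trace],
    }


if __name__ == "__main__":
    for name, verdicts in run_trace().items():
        print(name, verdicts)
```

The third packet is the instructive one: both filters pass the genuine DNS reply, but only the stateful engine drops the packet that merely looks like one, because no trusted host ever opened a flow to that sender.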

Implementing access control parameters lets you grant selective network access to authorized users, protect communications over untrusted public networks and detect network attacks. VPN-1 Appliance and Fort Knox Policy Router offer the broadest selection of services and protocols. VPN-1 Appliance has a very clear interface; Fort Knox Policy Router uses vague icons to describe services, which required us to repeatedly reference the icon legend.

Firebox II, Interceptor and NetScreen-100 did a good job of covering the basic services and protocols needed to define the firewall policies. OneGate provides only four predefined policies that you can choose to activate. For any custom rules, OneGate users must create new policies with FreeGate's Expert GUI. However, unlike typical policy editors, the Expert GUI allows and restricts access based only on source and destination address or port numbers. From an administrative point of view this is inconvenient and time consuming. In addition, allowing or disallowing packets based only on source and destination address may compromise security, because decisions made purely at the routing level can circumvent the intended security policy.

We used Internet Security Systems' Internet Scanner 5.6 to find security vulnerabilities in the test sites protected by the products. The software tests for source porting, source routing, IP spoofing, brute force attempts, anonymous FTP checks, and denial-of-service attacks. Internet Scanner then issues a pass or fail report with suggestions.

Each product passed the Internet Scanner tests, though Internet Scanner did find minor problems based on our setup. For example, Internet Scanner found that traceroute probes passed through all the boxes except Fort Knox Policy Router. Allowing these probes creates a potential back door for unwanted Internet traffic. To protect a network from this vulnerability, network administrators can simply create rules that disallow incoming User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets with high-numbered destination ports. We'd like to see vendors document this more clearly so that administrators are aware of the risk.

To measure the impact the addition of one of these products would have on network performance, we used NetBench 5.0 from Ziff-Davis. With one client initiating a moderate level of traffic to the server - 6M bit/sec of read/write requests and 12M bit/sec of random read requests - we found no appreciable differences in throughput when firewall and encryption functions were enabled vs. when they were disabled. This result means that the processor in each product was able to encrypt and decrypt under moderate traffic loads without slowing throughput.

Because the encryption standards the boxes support differ, we didn't try to saturate each connection with traffic to determine maximum throughput. Specifically, all of the boxes we tested support 56-bit Data Encryption Standard (DES) encryption, while only VPN-1 Appliance, Fort Knox Policy Router, NetScreen-100 and OneGate also support 168-bit Triple-DES encryption. In terms of throughput, 168-bit Triple-DES requires more processing power and is necessarily slower than 56-bit DES under heavy load. However, the added security offsets the throughput loss.

Affordable access

The VPN capabilities in the boxes tested provide some method of data encryption so your company's traffic cannot be read by others while it travels over the Internet. In addition to 56-bit DES, all six products support a VPN client, remote site-to-site VPNs, network address translation and manually keyed IP Security (IPSec).

Check Point's VPN-1 Appliance supports the full range of security standards and provides its own proprietary FWZ encryption scheme. Also, VPN-1 Appliance does not require a second VPN-1 Appliance box to complete the secure VPN. Check Point's Remote Link Module software, Firewall-1 4.0, runs on NT- or Unix-based stations. In addition to supporting multiple encryption schemes, algorithms and key management, VPN-1 Appliance passes digital certificates among its VPN firewall hosts. Therefore, a host that tries to pose as a peer firewall but cannot present a valid certificate can be denied administrative privileges.

When creating a VPN, as is true with a firewall, it is important to set up a partially protected demilitarized zone (DMZ) where you can place public servers, such as those for Web, FTP and e-mail. Only Technologic's Interceptor did not support the creation of a DMZ subnet.

Central management

For products of this type - those you expect to install in more than one spot on your local network and across multiple sites - centralized management tools and active monitoring capabilities are critical. All six products let you remotely manage multiple firewalls from a single console and provide real-time monitoring, DNS caching, URL filtering and IP traffic shaping. Fort Knox Policy Router and Interceptor supplied the most comprehensive real-time monitoring and reporting tools; they are also the only products we tested that filter e-mail to reduce spam.

VPN-1 Appliance is the only product we tested that allows you to verify your policy set after making changes to find inconsistencies or overlapping rules. Once verified, you can choose to install from a centralized location the policy set on all enterprisewide firewalls or only on specific branches. We also found VPN-1 Appliance's logs to be helpful in understanding how the firewall was interpreting our rule sets.
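The following Python is an added illustration (not Check Point's verifier or any vendor's code) of two points from this review: the first-match evaluation of an address/port/protocol policy, including the rule recommended earlier for traceroute probes (drop inbound UDP to high-numbered ports and inbound ICMP), and a pre-install check that flags shadowed or overlapping rules the way the policy verification described above does. The rule names, the DMZ and trusted subnets, and the port ranges are assumptions constructed for the example.

```python
"""First-match firewall policy with a pre-install consistency check
(added illustration; not Check Point's verifier or any vendor's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple[int, int] = ANY_PORT  # inclusive destination port range (ICMP: ANY_PORT)

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other: Rule) -> bool:
        """True when every packet that matches `other` also matches self."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])

    def overlaps(self, other: Rule) -> bool:
        """True when at least one packet matches both rules."""
        return (("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and self.dport[0] <= other.dport[1]
                and other.dport[0] <= self.dport[1])


def evaluate(policy: list[Rule], proto: str, src: str, dst: str, dport: int = 0) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in policy:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "drop"


def verify(policy: list[Rule]) -> list[tuple[str, str, str]]:
    """Report rules that can never fire or whose effect depends on ordering.

    shadowed-conflict:  a later rule is fully covered by an earlier one with
                        the opposite action, so the administrator's intent is
                        silently lost.
    shadowed-redundant: fully covered with the same action (dead rule).
    overlap:            partial intersection with opposite actions; correct
                        only if the ordering is deliberate.
    """
    findings: list[tuple[str, str, str]] = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if earlier.covers(later):
                kind = ("shadowed-redundant" if earlier.action == later.action
                        else "shadowed-conflict")
                findings.append((kind, earlier.name, later.name))
            elif earlier.overlaps(later) and earlier.action != later.action:
                findings.append(("overlap", earlier.name, later.name))
    return findings


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed sample policy: 192.0.2.0/28 is the DMZ, 10.0.0.0/24 the trusted net.
SAMPLE_POLICY = [
    Rule("accept-dmz-web", "accept", "tcp", ANY_NET, net("192.0.2.0/28"), (80, 80)),
    Rule("accept-dmz-tcp", "accept", "tcp", ANY_NET, net("192.0.2.0/28")),
    Rule("drop-dmz-telnet", "drop", "tcp", ANY_NET, net("192.0.2.0/28"), (23, 23)),
    # The review's mitigation for traceroute probes: drop inbound UDP to the
    # high ports traceroute uses, and inbound ICMP, toward the trusted net.
    Rule("drop-traceroute-udp", "drop", "udp", ANY_NET, net("10.0.0.0/24"), (33434, 33534)),
    Rule("drop-inbound-icmp", "drop", "icmp", ANY_NET, net("10.0.0.0/24")),
    Rule("accept-high-udp", "accept", "udp", ANY_NET, net("10.0.0.0/24"), (1024, 65535)),
]


if __name__ == "__main__":
    for finding in verify(SAMPLE_POLICY):
        print(*finding)
    # The telnet rule is shadowed, so telnet to the DMZ is accepted despite it.
    print(evaluate(SAMPLE_POLICY, "tcp", "203.0.113.9", "192.0.2.3", 23))
```

Run against the sample policy, `verify` reports that `drop-dmz-telnet` is shadowed by the broader `accept-dmz-tcp` rule above it (the dangerous case, since the drop never fires) and that `accept-high-udp` overlaps the traceroute block with the opposite action, which is acceptable only because the block comes first. This is the class of mistake a verification step catches before the policy is pushed to every gateway.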

Initial installations

Check Point's VPN-1 Appliance, Technologic's Interceptor, FreeGate's OneGate 1000 and NetScreen's NetScreen-100 allow you to perform the initial installation process and make any changes through a Web browser or a directly connected management console.

Fort Knox Policy Router was the easiest to configure. The installation software downloads the VPN smart client from the host firewall during VPN installation. We had a little more trouble setting up Fort Knox products when we added a branch VPN and connected the two networks. We had to set up a VPN tunnel between two Fort Knox Policy Routers prior to enabling encryption between them.

We installed the Fort Knox Policy Router through a Web browser. The installation process let us choose between two different network configurations: transparent (often called single IP address), which allows you to install the unit without changing the IP addresses of your intranet's existing router; or split, in which each interface (trusted, external and DMZ) represents a different subnet.

Fort Knox Policy Router is the only unit we tested that doesn't provide an alternate modem or serial port for directly attaching a management console in case you are unable to establish a connection through a browser. We found this to be a disadvantage rather than a physical security advantage. However, we liked Fort Knox Policy Router's GUI best.

The installation process for WatchGuard's Firebox II was the only one that required us to upload its configuration through Ethernet and serial cable connections concurrently. During the Firebox II installation we came across a "Waiting for Firebox II to boot" message that actually meant we needed to power-cycle the Firebox II to continue the installation.

We read the manual page by page but found nothing about shutting the Firebox II off and on during the boot process. Fortunately, WatchGuard's tech support staff was able to provide a translation to continue the installation. Check Point's VPN-1 Appliance has excellent documentation, including fairly extensive tutorials for better understanding of the firewall and VPN principles. Other vendors provided detailed instructions on how to perform certain tasks, but little or no explanation of what was being created and why.

Bottom line

All the products we tested can get the job done. But in a feature-by-feature comparison, Check Point's VPN-1 Appliance and Internet Devices' Fort Knox Policy Router stand out from the crowd.

VPN-1 Appliance's distributed firewall policy further distinguishes it from the competition; the ability to define and distribute a single firewall policy across multiple firewall gateways is a big draw for large enterprise sites.

NetScreen's NetScreen-100 and Technologic's Interceptor performed admirably but didn't provide more than the basic firewall and VPN features. Also, Technologic doesn't let you set up a DMZ and lacks support for Triple-DES.

WatchGuard's Firebox II also lacks Triple-DES support in its standard feature set and is hampered by poorly documented installation. Difficult configuration hurt the score of FreeGate's OneGate 1000, as did its limited selection of predefined policies.

Related: Scorecard, NetResults and feature comparison, showing how we ranked the products in several categories, vendor contact information and a table comparing their features.

Bunic is a network test engineer responsible for hands-on testing and James is a vice president of lab services at LANQuest Labs, an independent test lab specializing in network quality assurance, certification and performance testing. They can be reached at miryana@lanquest.com and gjames@lanquest.com, respectively.

Copyright, 1994-2006 Network World, Inc. All rights reserved.