Firewall choices growing at feverish pace
New vendors, new features are heating up the competition for your security dollars.
The firewall market is whirling like a carousel. New vendors are popping up, prices are dipping down, and feature sets are becoming more ornate.
New vendors -- we found seven since last year -- are flooding the market with products and helping drive prices down. Firewalls were a $30,000 item three years ago; today, most cost less than $5,000.
It's easier to write a simple firewall than a big one, so even if they won't admit it, most of these newcomers are putting out products designed for small and midsize enterprises. And since Check Point Software Technologies, Ltd.'s FireWall-1 dominates the high-end firewall market, it makes sense for the new entrants to concentrate on low-end "appliance" firewalls that Check Point doesn't provide. Most firewalls, especially the new ones, are also aimed primarily at providing protection for Internet connections. Almost none support any protocols other than TCP/IP, although Elron Software, Inc., Bay Networks, Inc. and OneBOX Networks, Inc. are exceptions.
Small firewalls are designed for certain canned configurations and with certain assumptions; they don't have all the flexibility a high-end network security guru wants. For example, take one-time encryption for incoming telnet sessions -- many small network managers don't even know what telnet is, so there's no point in worrying about it.
Only two vendors' products -- Galea Network Security, Inc.'s Avertis and Internet Devices, Inc.'s Fort Knox Policy Router -- are stuck in the 10M bit/sec Ethernet world. Everyone else supports Fast Ethernet, and nine vendors support ATM, Gigabit Ethernet or both.
The days of the two- or three-Ethernet-interface firewall are also numbered. Originally, all firewalls had two interfaces: "inside" and "outside." Then, they all added an extra one, dubbed the demilitarized zone. Now that managers of big networks have figured out that three zones are not sufficient to provide good security, they often use many more, depending on how the company is segmented. While a few products today still only allow for three interfaces, 16 of the products in our chart let you add more than three network connections.
Along with new products come new platforms. While Unix once was the standard, today half the products also support Windows NT. (In fact, LanOptics, Inc. and Internet Dynamics, Inc. support only NT.) This is a nod to an increasingly NT-centric world rather than an indication of better technology for the firewall engine.
Firewalls are also turning to NT and Windows 95 for their graphical configuration, logging and alerting functions. Thus with many products you can now run the firewall from a remote workstation. Moving the graphical user interface to a different workstation has another benefit: It lets you manage multiple firewalls from a single point. Vendors have jumped hard on this feature; only six currently fail to support some kind of centralized management and reporting.
Firewall vendors have quietly moved to a common position on the packet filter vs. proxy debate. Packet filtering (stateful or not) was formerly thought to be faster and more flexible because packets pass through packet filters based on header information at a lower level of the protocol stack. Transport and application proxies, which interpret packet information on the application level, were thought to be more secure because the firewall actually understood and retransmitted application commands.
In fact, a combination of the two is what is needed: packet filtering for speed and flexibility in applications that don't require proxying, and proxying for applications such as HTTP in which you want to look in the datastream and let some, but not all, data through. Instead of a single approach, 10 vendors offer stateful packet filtering (often called smart filtering or stateful inspection) and application-layer proxies. Bay's Extranet Switch is the only firewall based only on stateless packet filtering.
The clear benefits of packet-filtering approaches -- speed and simplicity -- are being combined with corporate requirements for certain application-layer proxies, particularly virus checking of e-mail and Web pages, filtering of Java applets and ActiveX components, and URL blocking. Sixteen vendors claim to support virus scanning and URL blocking, both features that were unheard of in firewalls only two years ago.
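As an added illustration (constructed here, not code from the article or from any vendor it names), a toy model of the two layers the article contrasts: a stateful packet filter that decides from headers plus a connection table, and an HTTP-level check that can only be made by looking inside the data stream, here blocking listed hosts and applet/ActiveX content types. The MIME types, the blocked host and the 10.x "inside" prefix are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # connection-opening packet
    payload: bytes = b""    # application data, if any

class StatefulFilter:
    """Header-level only: record connections opened from inside and pass
    packets in either direction of a recorded connection, nothing else."""
    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.table = set()
    def allow(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.syn and p.src.startswith(self.inside_prefix):   # new outbound connection
            self.table.add(key)
        return key in self.table or (p.dst, p.dport, p.src, p.sport) in self.table

# Assumed MIME types for Java applets and ActiveX controls, plus a constructed
# URL-blocking list: the content checks the article says proxies are adding.
BLOCKED_CONTENT_TYPES = {"application/x-java-applet", "application/x-oleobject"}
BLOCKED_HOSTS = {"blocked.example"}

def _header(payload, name):
    # Return one HTTP header value from a request or response, or None.
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        k, _, v = line.partition(":")
        if k.strip().lower() == name:
            return v.strip()
    return None

def http_allowed(payload):
    """Application layer: needs the data stream, not just packet headers."""
    host = _header(payload, "host")
    if host is not None and host.split(":")[0].lower() in BLOCKED_HOSTS:
        return False
    ctype = _header(payload, "content-type")
    return ctype is None or ctype.split(";")[0].strip().lower() not in BLOCKED_CONTENT_TYPES

def firewall_allows(f, p):
    # Combined policy from the article: fast header check first, content inspection only for HTTP.
    if not f.allow(p):
        return False
    if 80 in (p.dport, p.sport) and p.payload:
        return http_allowed(p.payload)
    return True
```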
Some high-end options, such as failover and SNMP management, are still rare. High-availability firewalls are hard to find -- only ANS Communications, Inc., Bay, Check Point, Cisco Systems, Inc. and Radguard, Ltd. advertise their offerings as true failover-capable products. External monitoring is a little more common, with products from ANS, Bay, Check Point, Cisco, OneBOX, Trusted Information Systems, NetGuard and Technologic, Inc. connected to SNMP management agents.
Other previously high-end features, such as automated scanning of logs to identify potential security problems and time-based access controls, are becoming quite common. Twelve vendors' products intelligently scan logs, while 17 let network managers use time-based access controls.
All-in-one security?
Firewall vendors are also pushing their products as all-in-one solutions to network security. While this approach was not popular in the past, vendors are taking a slightly different tack by including features such as virtual private networks (VPN) and bandwidth management. We think creating a single point of failure for highly divergent functions is unwise, but the market will make its own decision in the coming months.
VPNs are commonplace: only BDM International, Inc., CyberGuard, Galea and OneBOX don't make them available. Today there are numerous proposed security standards for VPNs. Fourteen vendors support IP Security (IPSec), three support Simple Key Management for IP (SKIP), and four support Point-to-Point Tunneling Protocol (PPTP). Key management is also still up in the air. Six support the Internet Security Association Key Management Protocol (ISAKMP/Oakley), with the rest using a variety of techniques.
Bandwidth management (also called traffic shaping) is available in seven firewalls. Look for incoming service load balancing and failover and high-end routing protocols such as Border Gateway Protocol (BGP4) and Open Shortest Path First (OSPF) to be added to many products shortly. While you might not want your firewall to take on routing chores, given the complexity of corporate networks, the firewall may have to know how to route in order to fit it in.
With so many choices and with standards still to be set, you may be tempted to wait, knowing that prices will drop. Don't give in to that temptation. Design a security policy, then find the firewall that's available today that lets you implement it best.
Snyder, a member of the Network World Test Alliance, is a senior partner at Opus One in Tucson, Ariz., where he specializes in networks and communication systems. He can be reached at jms@opus1.com.
RELATED LINKS
Many NT firewalls flunk basic security tests, group says. Network World, 3/26/98.
Firewalls mailing list. E-mail discussions about firewalls.
comp.security.firewalls. Usenet newsgroup.
Authentication, or who are you? Network World, 6/1/98.
Yahoo's firewall products list and The Rotherwick Firewall Resource. Additional firewall links.
Firewalls review. We look at offerings from eight vendors and crown Check Point the winner. Network World, 6/1/98.
Interactive firewalls buyer's guide. Find a firewall that meets your needs.
What they never told you about VPNs. Network World, 4/6/98.
Building VPNs as solid as Fort Knox. Network World, 3/9/98.
