Firewalls to the rescue

Users look for easy installation as well as management features.

Imagine your Unix administrator spending up to eight hours a week trying to protect you from hackers.

Scott Jumbeck, a network administrator at the Milwaukee School of Engineering (MSOE), in Milwaukee, Wis., lived this nightmare. 'Kiddie-scripters', hackers typically without programming skills, were attacking the school's servers every day, sometimes 18 to 20 times a day.

The attackers never managed to gain access to the school's servers. However, they did succeed in launching two reverse mail bomb attacks that completely shut down MSOE's mail server by creating an overwhelming number of undeliverable messages.

Jumbeck says that educational sites are popular targets for hackers because they tend to be decentralized from an administrative standpoint. "Hackers know they're a good place to start learning how to hack and play, at our expense," Jumbeck says.

Between the hack attacks and the fact that MSOE was about to embark on an infrastructure upgrade that would connect students in their dorm rooms to the campus backbone, Jumbeck decided to install a firewall.

Because Jumbeck's staff of six full-time employees and more than a dozen part-time student helpers is stretched pretty thin supporting 4,500 users, he was looking for a firewall that was easy to use and maintain.

He selected Internet Devices' Fort Knox Policy Router F-5000 (now renamed Fort Knox Policy Router Professional Series). He had discovered this router when he was looking at firewalls while in a previous job.

Jumbeck says he wanted to avoid any product that required him to set up and maintain an additional server, which is common for most Windows NT and Unix-based firewalls. The Fort Knox box runs pre-installed FreeBSD and requires minimal configuration. Current prices for the Fort Knox Policy Router Professional Series start at $1,995.

In addition to the easy set-up, Jumbeck says he likes the simplicity of the Web management interface. He also liked the firewall's transparent proxy feature that meant users didn't need to reconfigure their workstations. Jumbeck plans to utilize the product's bandwidth manager feature to allocate the student network traffic on the school's T-3 ports.

However, he would prefer that the product offer a usable command line interface. Jumbeck says there is a command-line interface on the firewall that can only be used by Internet Devices' technical support.

Jumbeck is satisfied with the firewall's features overall. He has plans to implement certain network management tools that he was hesitant to deploy previously, due to the school's completely open Internet status. He can now deploy these with an additional degree of safety.

During the firewall implementation, Jumbeck learned a lesson about customer service. Although IT notified users that the firewall was going into place, a few people were surprised when services they were running on their desktops could no longer be reached from the outside. The firewall did its job and blocked the services, which included faculty members running a Web server or mail server for Internet applications.

These situations were evaluated on a case-by-case basis, and access was allowed if the service was important to the students or necessary to accomplish work. Jumbeck says if he had to do it all over again he would have gone beyond checking with key people and sent out e-mail to let everyone know what was happening and what services would or would not be allowed through the firewall.

Since installing the Fort Knox Policy Router, MSOE hasn't had a problem with attacks on the servers. Jumbeck can now define, on a rule-by-rule basis, which port traffic will be allowed and which will be blocked. The firewall can even be set up to authenticate the 4,500 users each time they fire up their Web browser, though he feels that isn't necessary.

"A firewall is no guarantee of safety, nothing is, but it is an additional level of security that should be taken when you're connected to a public network," Jumbeck says.

Jumbeck advises colleagues to plan well in advance when implementing a new firewall. Know what applications and ports are in use, what must be allowed to pass and what can be cut off. Know your staff's skill level and choose a product that closely matches your needs and your staff's ability to install and support it over the long haul.

Brian Davids, director of computer operations for NFL Publishing, in Los Angeles, also selected a firewall product that offered a simple interface for ease of management. Davids installed Elron's Firewall Secure 320S (previously named Elron Firewall 2.5c) to protect the company's two Web servers used to distribute logos to licensees and teams worldwide.

Davids' selection was driven by a prior firewall experience. NFL Publishing's original firewall was a Gauntlet from Trusted Information Systems that ran on a Unix box. One day, the Gauntlet crashed and Davids says that he would have needed a tech support person to fly in to fix it, for a fee.

Fortunately, Davids had an evaluation copy of Elron's Firewall sitting on his desk. "I saw the product at an Internet show and immediately fell in love. Nice clean interface, easy to manage and free technical support," he says.

Davids was able to call Elron's tech support and have a working firewall in just a few hours. First, he installed the Elron secure proprietary operating system on an available 486MHz machine. He then added the two network interface cards provided by Elron, one required for traffic coming in from the Internet, the other for traffic going out from the LAN. After installing the firewall management software to run on his NT workstation, configuration of the firewall to define traffic types and port use was a snap using the GUI provided.

Besides being impressed with the free tech support, Davids likes the product's ease of use. Moving his Web servers behind the firewall took about 10 minutes each, and now he can easily upgrade the files on those servers while maintaining a higher level of security. He recommends picking a firewall based on the product's features rather than the brand name of the company that makes the product. Current prices for the Firewall Secure 320S start at $1,995.

Steve Krems, IT Manager for O2Micro, headquartered in Santa Clara, Calif., selected the company's first firewall product after researching several companies. He based his selection on a list of requirements including features, support, implementation costs, management and performance. He also utilized an accurate network diagram depicting O2Micro's LAN/WAN IP addresses. Krems found the diagram and a statistical network traffic report to be invaluable in planning his needs.

He decided that a hardware-based firewall would be best. He says there is less to go wrong with a hardware-based product as opposed to a software-based firewall sitting on top of another operating system.

Krems selected NetScreen Technologies' NetScreen-100 with VPN and the NetScreen-10s for remote offices. He wanted a basic security device, but planned to use the additional features, including VPN, in the near future. He has since implemented the VPN to support two Taiwan office locations and this has resulted in savings on international frame relay costs.

Krems found NetScreen's traffic shaping to be an added benefit as well. NetScreen's scheduling feature allows him to prioritize services based on time of day, etc. He can now guarantee 75% of available bandwidth to the terminal server applications during working hours and give a higher priority for email after hours.

Krems is also impressed with NetScreen's manageability. He can use the VPN client to dial in from home to dynamically change settings remotely. Using the monitoring statistics collected from the log, Krems can identify who the high-usage Internet and mail users are so he can change settings to restrict usage, ensuring available bandwidth to others.

"The VPN client is something we did not see as an important requirement until we actually tried it out, and now we plan to install it for several of our traveling employees," Krems says.

The current price for NetScreen Technologies' NetScreen-100 with VPN is $9,995, and the NetScreen-10 is priced at $3,995.

RELATED LINKS

Contact Associate Features Editor Suzanne Gaspar

Review: Firewalls
Raptor Firewall 6.0 takes top honors in our testing. Network World, 7/19/99.

Interactive buyer's guide
Detailed specs on 52 models. Find the one that meets your criteria or compare two or more models on different specs.

Issues and trends
Where the firewall market is headed and what to look for. Network World, 7/19/99.

Firewall RFP
Sample firewall RFP and vendor responses.

Forum: Firewalls
Post your firewalls questions and discuss their use in this forum.



Copyright, 1994-2006 Network World, Inc. All rights reserved.