Tiny firewalls fill a niche


Global Technology Associates and Sonic Systems provide firewall systems for frugal net managers.

Network security is rarely simple or inexpensive. Even the most basic firewall system typically costs $10,000 or more, and configuration nightmares can leave all but the most experienced network managers cringing.

Two vendors - Sonic Systems and Global Technology Associates - promise to change all that with their low-cost, easy-to-use firewall systems, both of which cost less than $1,000 and can be set up in one afternoon. However, would-be buyers should know that when it comes to security, you get what you pay for. These products are only suited to protecting small offices or satellite divisions. They lack features you find in high-end firewalls, such as a way to easily manage multiple firewalls, virtual private network support and integrated user authentication.

Sonic boom

Sonic Systems' SonicWALL Plus 2.0 is a tiny firewall appliance the size of a videocassette. Its list of features is impressive for a product whose price starts at less than $500: stateful inspection; full Network Address Translation (NAT); Java and ActiveX filtering; HTML content filtering; detailed logging; and Dynamic Host Configuration Protocol provisioning.

After a relatively painless installation we found most of SonicWALL's features were well-implemented. For management, the unit requires you to use a Java-enabled browser that supports HTTP uploads, namely Netscape Communications Corp. Navigator 3.0 or higher. The GUI is overloaded with features, and we found the box's security (which is also ICSA-certified) to be bulletproof against attacks generated through Internet Security Systems Inc. Internet Scanner 5.0, various port scanning apps, and other hacker tools.

However, SonicWALL's LAN and WAN ports support only 10Base-T connections, leaving users (like us) with 100M-bit/sec-only hubs and switches in a quandary over how to connect to it. We daisy-chained a 10M-bit/sec hub into the loop, but the resulting tangle of connections was not something we would approve of in a production environment. That may not be a problem in a typical small office, which may have only 10M-bit/sec Ethernet hardware.

SonicWALL is a good candidate for small and mid-size networks looking for firewall functionality and bulletproof security in a relatively easy-to-use package.

A GNAT on the wall

Unlike SonicWALL, Global Technology Associates' GNAT Box 2.1.0 isn't a box at all. It's a software firewall that runs on a PC. GNAT Box's proprietary operating system requires only a machine with a 386 processor and as little as 8M bytes of RAM. At $995 for unlimited users, it's one of the least expensive firewalls you'll find.

But don't let its small size mislead you - GNAT Box boasts a feature set that would fare well in any checklist comparison. This is a full-blown proxy server, providing NAT, PPP filtering and multimedia protocol support. It also works with NetPartners Internet Solutions' WebSENSE (at additional cost) to provide Web content filtering.

You can install GNAT Box from any Windows or DOS system, most Unix flavors or even a Macintosh. From the CD-ROM or Web download, you install a simple application that configures your firewall. After that's done, the utility creates a special bootable diskette you use to run the firewall. All firewall operations are run from the diskette. There is even a Web server sitting on the diskette, so you can administer the firewall through a browser if you are so inclined.

You can also configure GNAT Box from Windows (see graphic, page 49), but it's far easier and faster to use the text-based console, which doesn't require you to boot to Windows or shut down the operating firewall.

Everything about the system, from its boot sequence to its arcane names for different vendors' network interface cards (NIC), screams Unix, so users with basic Unix familiarity will find themselves right at home.

The only configuration problem we had was that the software failed to detect the EISA NICs we installed on one machine. It isn't documented anywhere, but the company confirms that GNAT Box doesn't support EISA. Instead, we used another machine with PCI NICs, which the firewall did detect.

We found the firewall ran fairly fast on a low-end Pentium with 32M bytes of RAM. The vendor claims GNAT Box can support 32,000 simultaneous connections with that much RAM. This should be fine for most small businesses, but companies looking to serve heavy Web traffic or provide high-traffic remote office connectivity through the firewall will most likely find it insufficient.

While the firewall is certified by the International Computer Security Association, we found a minor vulnerability in the way GNAT Box performs HTTP proxy services. Outsiders might be able to penetrate the system through a hole in TCP Port 80. Otherwise, the system's security is tight.

Our only real complaint with the firewall is that it requires a hardware dongle, without which it runs for only an hour in demo mode. It's our opinion that security dongles are evil incarnate. They make it hard to move applications from one machine to another. If they go bad, you can't solve the problem with a phone call for a new key. Instead, you need to wait for the vendor to ship you new hardware. Dongles fall out, and they're easily misplaced or damaged. Any application that resorts to their use earns our immediate displeasure.

Still, we liked GNAT Box for what it is: A low-cost firewall that offers full-blown security from one diskette. Altogether it's quite an admirable system and a good choice for small shops.
Null is the co-author of the upcoming Complete Networking Desk Reference. He can be reached at null@sirius.com.



Copyright, 1994-2006 Network World, Inc. All rights reserved.