Stop 'em with a box
Let your remote workers set it and forget it
When most people think about protecting their network from attackers, they think of firewalls. Firewalls offer the best and most basic form of isolating internal network users from the big, bad outside world of the Internet. Of course, any solution will involve more than just firewalls: virus scanners and solid network security policies are also important. Every network needs some form of protection; the trick is to understand the balance of price, features and ease of use. And with the growing use of DSL and other 'always on' connections for corporate teleworkers and small-office, home-office (SOHO) computers, the need for simple firewalls will continue to grow.
For this review, we looked at five midrange appliances: the NetFortress R-50 from Fortress Technologies, the SonicWall SOHO, WatchGuard Technologies' SOHO, the GNAT Box from Global Technology Associates and the Interceptor from Technologic/eSoft. All cost between $400 and $4,000 and are geared for network novices or for wide distribution among branch offices and remote home offices.
The SonicWall and WatchGuard units are special-purpose appliances with four-port hubs included and run an embedded operating system. The other three are built around common PC parts running some variation of the Unix operating system, and offer connections for keyboards and monitors. The Unix boxes have more features but are limited by their simplicity.
Our Blue Ribbon Award goes to the SonicWall SOHO: It contains the right mix of features, price and ease of use for this target audience. While it could still use some improvement, particularly in terms of its documentation, it's the best of the bunch. And at $495, it represents a terrific value.
Coming in a close second was WatchGuard's SOHO, a very basic unit without many features but the simplest setup around. We liked the menu layout of the Interceptor and its flexibility, although it's a chore to set up. The GNAT Box offers plenty of features and a variety of user interfaces to configure them, but you should probably wait until new firmware that offers several ease-of-use improvements is available. Finally, we would not recommend the NetFortress at all because of a combination of skimpy documentation and poorly designed menus.
There are other firewall-type products that cost less: A five-user version of the GNAT Box software is freely available from the company's Web site, and Linksys and Umax make hubs that offer some minimal network protection for a few hundred dollars. But if you want to be serious about keeping the bad guys away from your widely dispersed corporate data, then you'll probably end up considering one of the more expensive units.
Setup and configuration
Because of our focus on naive network users, we placed a heavy emphasis on the initial user experience out of the box. The WatchGuard SOHO firewall was the fastest to set up, taking less than 15 minutes, followed by the SonicWall SOHO. The other three were more work, requiring wading through many pages of manuals and several attempts at tackling confusing configuration screens along with numerous calls and e-mails to technical support. The Interceptor took a solid day of work to debug and get working, due to a malfunctioning unit we received.
An outstanding feature of the SonicWall SOHO is the way it forces you to change the default password before you can do anything else. Even experienced computer users often skip this step, and a device left on its default password can compromise your network security. It was also the only unit not to respond to pings from the external network, a nice touch. One drawback with the SonicWall SOHO is that you must use Netscape's browser to set it up; the Java configuration program doesn't work properly with Microsoft's Internet Explorer. Still, the setup program asks you for minimum information and can get you running in minutes. And if you want to view some of the Web management screens before you purchase the product, SonicWall has posted them on its Web site. More vendors should follow this example.
SonicWall SOHO and WatchGuard's SOHO have configuration screens with a simple check box to disable Microsoft Server Message Block protocol's network broadcasts across the firewalls, one of the biggest security hazards for small-office users who want to share files among themselves but not necessarily across the Internet. The other products could do this, but more work was involved.
Setting up the GNAT Box required us to spend time in each of its three user interfaces (Web, Windows and telnet command line), while the NetFortress required numerous e-mails and phone calls to the vendor's support staff.
Part of our issue with setting up these units is the lack of diagnostic tools if something goes wrong. If you mistype the initial IP address for the device, you almost have no recourse other than to reset the entire device back to its defaults. This is because some of the boxes don't allow access to a monitor or keyboard. Interceptor deserves last place here: The unit ships with a back faceplate that blocks access to the keyboard and video ports on the unit. We had to remove this plate with a screwdriver and plug in our monitor to determine what was going on with the unit. This isn't something you'd want an inexperienced user to fool with if something went wrong.
Management features
We attempted to do several typical management tasks on each device: upgrade the firmware, change the network configuration to let incoming requests be directed to a specific Web server on the protected network, review reports and reset the unit back to its factory settings.
Firmware upgrades are important, particularly as vendors improve their products, close potential security loopholes and add new features. The easiest upgrade was the WatchGuard SOHO, which tells you with some clever HTML programming on the unit's home page whether or not its firmware is still current. Second prize goes to Interceptor, which had a simple menu choice (once you registered with the vendor and received a user name and password) to perform the upgrades. SonicWall SOHO's upgrade walks you through the process, but you first have to locate the new firmware file on the company's Web site, download it to your PC and then upload it to the unit. The GNAT Box is more complex and cumbersome, involving creating boot images on floppies (the next version of the firmware, 3.1.0, will offer improvements, according to the vendor). NetFortress can only be upgraded by company technicians, a major drawback.
With WatchGuard SOHO and SonicWall SOHO it was very easy to set up a public Web server on the protected network (meaning you could access it from the Internet). This can be handy in cases where workgroups wish to share documents among each other temporarily or to set up a permanent Web server in a remote branch office location.
This was more difficult to set up on the other units, in some cases requiring a call to technical support to determine the sequence and location of several commands. An alternative is to use a third network interface card attached to a separate network expressly for shared services, something that can be accomplished with the GNAT Box or the Interceptor, both of which come with this interface.
Each firewall had a variety of reports, some useful and some not. The best reports are those that indicate potential security problems. WatchGuard's and SonicWall's home pages tell you what they're protecting and what they're not. Both also warn you if you have set up a configuration that can compromise your security (such as giving all external users full access to the resources on the protected network). WatchGuard SOHO can send its logs to a remote log host, but they are very basic (and because the unit was behind our DSL router, its time-stamp routine didn't work properly). SonicWall SOHO can be set up to e-mail your log files to any Internet e-mail address on a regular basis. This is helpful to remind you to examine these logs and determine any irregularities.
The Interceptor and GNAT Box have numerous reports, but most won't be of much use to anyone but the experienced Unix administrator. Both devices can be configured to send alerts to pagers as well as regular e-mail accounts when certain conditions have occurred, such as detecting a port scan or a series of failed logons. Company technicians set up the NetFortress reporting feature based on your needs.
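A sketch of the kind of alert logic the review credits to the Interceptor and GNAT Box (a port scan or a run of failed logons triggers a notification), run over constructed log lines. This is an added example, not code from any of the products reviewed; the log format, addresses and thresholds are assumptions.

```python
"""Alert rules over constructed firewall log lines (added example; the log
format and thresholds are assumptions, not any reviewed product's format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <event> src=<ip> dport=<port>"
SAMPLE_LOG = """\
2000-08-07T09:00:01 DROP src=203.0.113.9 dport=21
2000-08-07T09:00:01 DROP src=203.0.113.9 dport=22
2000-08-07T09:00:02 DROP src=203.0.113.9 dport=23
2000-08-07T09:00:02 DROP src=203.0.113.9 dport=25
2000-08-07T09:00:03 DROP src=203.0.113.9 dport=80
2000-08-07T09:00:03 DROP src=203.0.113.9 dport=110
2000-08-07T09:05:00 DROP src=198.51.100.4 dport=80
2000-08-07T09:10:00 LOGIN_FAIL src=198.51.100.4 dport=443
2000-08-07T09:10:05 LOGIN_FAIL src=198.51.100.4 dport=443
2000-08-07T09:10:09 LOGIN_FAIL src=198.51.100.4 dport=443
2000-08-07T09:10:12 LOGIN_FAIL src=198.51.100.4 dport=443
"""


def parse(line):
    ts, event, src, dport = line.split()
    return (datetime.fromisoformat(ts), event,
            src.split("=", 1)[1], int(dport.split("=", 1)[1]))


def alerts(log, scan_ports=5, fail_count=3, window=timedelta(minutes=1)):
    """Return alert strings: a port scan when one source is dropped on
    scan_ports distinct ports inside `window`, a logon alert when one source
    produces fail_count LOGIN_FAIL events inside `window`."""
    drops = defaultdict(list)      # src -> [(time, port)] within the window
    fails = defaultdict(list)      # src -> [time] within the window
    found = []
    for line in log.splitlines():
        ts, event, src, dport = parse(line)
        if event == "DROP":
            drops[src] = [(t, p) for t, p in drops[src] if ts - t <= window]
            drops[src].append((ts, dport))
            if len({p for _, p in drops[src]}) >= scan_ports:
                found.append(f"port scan from {src}")
                drops[src].clear()        # one alert per burst, not per packet
        elif event == "LOGIN_FAIL":
            fails[src] = [t for t in fails[src] if ts - t <= window]
            fails[src].append(ts)
            if len(fails[src]) >= fail_count:
                found.append(f"repeated failed logons from {src}")
                fails[src].clear()
    return found
```

The same loop would feed a pager or e-mail hook in place of the returned list; the thresholds are the tunable part.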
Finally, WatchGuard SOHO, GNAT Box and SonicWall SOHO were the easiest to set back to their factory defaults, useful when a user messes up the initial configuration or for a technician to debug problems. Interceptor and NetFortress can't be reset, a real issue.
A final administration issue concerns password management. The Interceptor and NetFortress boxes require different, multiple passwords to be entered as you navigate around the various menu screens. That should be simplified. The others require a single administrative ID and password, a much better situation.
Security and network features
SonicWall SOHO was bested in terms of overall security features by Interceptor and GNAT Box, which offer many more options to customize your firewall. The weakest unit in terms of features was WatchGuard SOHO, followed by NetFortress. While both do block outside network traffic, you can't do much customization with either: opening specific network ports or writing specific firewall filter rules, something that is readily done on the other three boxes, isn't really possible on them.
SonicWall does have a feature that works in conjunction with myCIO.com's antivirus scanning. With the latest firmware, Version 5.0, you can enable every computer on your protected network to scan for viruses through the firewall, a nice feature that removes the need to install specific antivirus software on each individual computer.
While we tested the dual-Ethernet units only, the three PC/Unix-based vendors (Interceptor, NetFortress and GNAT Box) offer a variety of flexible interface configuration options, such as token ring, frame relay, T-1 and ISDN.
We think most users will want to run Dynamic Host Configuration Protocol (DHCP) servers on their firewalls, making it easier to dole out IP addresses to the rest of their network. Both the SonicWall SOHO and WatchGuard SOHO have DHCP servers that were simple to set up. Unfortunately, the Interceptor box doesn't let you initially set it up this way. You first have to choose a fixed IP address with the Windows-based wizard and then, when the box is up and running, enable the DHCP server with the Web interface. That isn't very nice. Getting the NetFortress DHCP server to work took numerous support calls. And GNAT Box won't include a DHCP server until its next version, 3.1.0, available later this summer.
All of the firewalls enabled Network Address Translation (NAT), perhaps one of the best things you can do to protect your local network from attack. NAT sets up private IP addresses behind your firewall and maps all of these addresses to a single IP address so hackers can't easily figure out what machines originate specific traffic. It is also a nice way to conserve on IP address space for your company. And if you're planning to send out numerous firewalls to support branch offices and home networks, they each can have the same internal IP address range without having any conflicts.
All of the units worked well to protect our internal test network from outside access. Once they were set up, by default they prevent all external access and allow all internal users full access to the outside. You can set up additional rules on each product using their Web interface, and the setup screens and documentation for SonicWall SOHO and Interceptor are better than the others. This is the heart of the firewall's operations, and any prospective buyer should spend some time here to understand how to set this up.
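To make the default policy just described concrete (all outbound traffic allowed, all inbound traffic denied unless a reply to an existing session or an explicit rule such as the published Web server, with NAT hiding the private range behind one public address), here is a small simulation in Python. It is an added example with constructed addresses and a constructed rule format, not the code or configuration syntax of any product reviewed here; real units track sessions by full address tuples, which is simplified to the public source port below.

```python
"""Model of the reviewed units' default stance: outbound allowed, inbound
denied except NAT replies and configured forwards (added example; addresses
are constructed and the session table is simplified to the public port)."""
from dataclasses import dataclass

PUBLIC_IP = "192.0.2.10"   # constructed public address on the firewall's WAN side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SohoFirewall:
    def __init__(self, forwards=None, block_outbound_ports=()):
        self.forwards = forwards or {}              # public port -> (LAN host, port)
        self.block_out = set(block_outbound_ports)  # e.g. SMB ports 137-139
        self.nat = {}                               # public sport -> (LAN host, sport)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: allowed unless the port is explicitly blocked.
        The source is rewritten to the public address and the mapping kept
        so only the matching reply can come back in."""
        if pkt.dport in self.block_out:
            return None
        pub = self.next_port
        self.next_port += 1
        self.nat[pub] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pub, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: only a reply to a NAT session or traffic to a
        configured forward (the published Web server) is translated and
        passed; anything else is dropped, which is the default-deny stance."""
        if pkt.dst != PUBLIC_IP:
            return None
        if pkt.dport in self.nat:
            host, port = self.nat[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port, pkt.proto)
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port, pkt.proto)
        return None
```

Adding a forward is the one rule that opens an inbound path, which is why the review singles out the screen where you set it up as worth studying.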
We didn't test the support for VPN features, but they are available on SonicWall SOHO, Interceptor and GNAT Box. We also didn't test support for routing IPX packets, something supported by NetFortress.
We also should mention that Interceptor, SonicWall SOHO and GNAT Box all include support for blocking access to particular Web sites by specific URL lists input by administrators. For an additional fee, these three also enable the use of a blocking service to set up this feature by particular site category (Interceptor works with Secure Computing's SiteFilter and GNAT Box with Websense.com). However, we don't think much of this feature, as it is cumbersome to maintain and can be easily circumvented by more knowledgeable users.
Documentation
By far the best documentation was from WatchGuard: a single printed page. Everything else comes from the company's Web site, including careful and concise instructions with plenty of screen shots to guide even the most inexperienced user through the process. WatchGuard can get away with this because the product has a limited number of features and options. This is perhaps one of the smoothest and best uses of the Web to deliver documentation and deserves high praise.
The worst was from NetFortress. It contained incorrect hardware diagrams and inadequate information to really make sense of its features. It was filled with references to things like eth0 for the network interface, which could be intimidating for network newbies.
In between were the three others. SonicWall's documentation is to the point but spans several different manuals (for VPNs, basic firewall functions and a new update on virus scanning). These should be consolidated into a single manual and could go into more details about setup options. GNAT Box has the best explanation for beginners on routing, security policies and other terms. But because the unit has three very different interfaces (Web, Windows and console), it can be confusing describing the features of each one. It is also not much of a step up from reading Unix manual pages, in terms of the wording of command-line examples and in their lack of clarity. It also suffers from a very terse table of contents and lacks an index. The Interceptor manual at least is better organized than the GNAT Box's, but some of the concepts could use a better explanation, and some of the examples will be difficult for inexperienced users to follow.
The quick-start brochure that comes with SonicWall SOHO is far superior to the one from Interceptor. It is clearer and has actual illustrations to show you how to set up the various pieces of your network and what to plug in where.
One other point we should mention when it comes to documentation is how the various network ports and cables on each unit are labeled, or not, as the case may be. WatchGuard SOHO and SonicWall SOHO are superior to the other three. The GNAT Box and NetFortress don't indicate anywhere on the device which network connection is for the protected inside network and which one is for the external network. And while Interceptor labels its ports, these labels don't match the menu setup screens on its Web interface. Interceptor also ships with a variety of different-colored cables. There was some confusion over two red cables, one a regular Ethernet cable and the other a crossover cable. A better solution would be just to make the crossover cable an entirely different color. These seem like small points, but both can be big stumbling blocks when supporting remote users who have to take instructions from network administrators via e-mail and the phone.
RELATED LINKS
Frontier Defense: Firewall software: Keep the bad guys away from your remote outposts. Network World, 08/07/00.