A survey of firewalls

As a last look at firewalls in this series of Help Desk, I'll answer a bunch of e-mail previous columns have generated that ask which firewall is best. There is no "best". Next subject.

Seriously, there are lots of firewalls on the market and, as my last column explained, choosing the right one for a customer is much harder than most people think, because it's a balancing act between requirements, convenience, and cost. Usually the latter is the overwhelming concern for companies, even at the expense of the other two considerations. So, to try to give you an idea of the firewall products on the market and their strengths and weaknesses, here's a run-down of those products I've either tested or have direct experience with at a customer site. Keep in mind this is not a rigorous survey and the opinions are mine!

Probably the most popular firewall among UNIX users is Check Point Software's Firewall-1, a version of which is distributed by SunSoft for their workstations and servers. Firewall-1 uses a different approach to firewalls developed by Check Point (http://www.checkpoint.com) that provides a very high level of protection for machines inside the network. All packets entering the firewall are inspected and screened. The system can learn about new protocols and application packets once installed, which makes Firewall-1 flexible for the future. As a full-featured firewall, Firewall-1 is a superb product with almost no impact on the host server. Since the firewall software is part of the operating system kernel, it is near-impossible to hack, and the system is fast. Administration requires practice, and the software is not cheap, but Firewall-1 got to be the dominant firewall because of its strengths, not a savvy marketing campaign.

I've mentioned my favorite firewall, CyberGuard's CyberGuard (http://www.cyberguard.com), several times before. This remains my favorite because of its ease of installation, light load on a UNIX or Windows NT server, and maintenance simplicity. Since CyberGuard can be loaded from a CD-ROM onto any supported machine, it is simple to add to existing networks without requiring more hardware or hardware upgrades. CyberGuard is priced competitively, and while there are other firewalls that equal it in many aspects (such as Firewall-1), I haven't found any reason to switch yet. Personal preference, yes, but one borne out by years of firewall work.

For Windows NT users, a leading firewall product is NetGuard's Guardian (http://www.ntguard.com). Guardian is recommended by Microsoft as a firewall for NT systems. One of the strengths of Guardian is the ease with which it can be installed and configured. Routine maintenance is trivial too, leading to a low profile on the network and less work for the administrator. While Guardian is a fairly straightforward firewall product, the management aspect is what sells most people. Reports and real-time status windows are attractive, customizable, and useful.

Milkyway's SecurIT is for those who want a traditional UNIX firewall. SecurIT is based on a rebuilt and security-oriented UNIX kernel from BSD. SecurIT has been tested by our own CSE (Communications Security Establishment) and found secure. Milkyway is an Ottawa-based company (http://www.milkyway.com). Milkyway's approach to a firewall is that not only must the firewall protect the network, but it must also protect itself, so SecurIT is very difficult to hack.

CYCON's Labyrinth (http://www.cycon.com) is an interesting firewall product because it provides bi-directional network address translation with a connection tracking method that offers both firewall and network management capabilities. The true strengths of Labyrinth are difficult to appreciate if you are not a UNIX guru or heavily into network management, so suffice it to say this is an impressive product. There's a demo version available for free from the Web site, along with lots of descriptions of the product. As with the other firewalls mentioned, Labyrinth isn't cheap, but it offers lots of protection for the money.

Raptor Systems' Eagle suite of firewall software (http://www.raptor.com) is an application-level firewall. A complete family of products, the Eagle products allow you to choose which components of a firewall are to be installed and used, and can be expanded to handle remote and mobile computing easily. The Eagle Firewall is the main product in the family, providing traditional firewall capabilities. Add-ons provide other features, such as remote site and workgroup security.

Advanced Network & Services Inc. (ANS) offers InterLock, a firewall produced by a not-for-profit consortium of US universities and industry partners like IBM, MCI, and Nortel Networks. ANS was purchased by AOL in 1995 and now protects AOL's huge membership network. While designed for customization to meet each network's requirements, InterLock is available as a stand-alone solution. More information is available from their Web site, http://www.ans.net.

Want simplicity? How about Global Technology's GNAT Box. The software can even be shipped on a floppy, to show how small and trim it is. GNAT Box (http://www.gnatbox.com) is designed to be a simple, fast, unobtrusive firewall that eliminates lots of the features of other firewalls that users don't necessarily need (like the ability to telnet into the firewall or use it as a mail server). Surprisingly, GNAT Box is effective, inexpensive, easy to work with, and worth looking into.

There are a lot more firewall products on the market currently (many dozens more, in fact), but these are the ones that have stood out for their features and abilities. Before choosing a firewall for a customer or making a recommendation, scan some of the on-line network management magazines for recent reviews and product announcements. They tend to be up-to-date and offer the latest in network security testing. Every network, regardless of its size, that is attached to the Internet should have a firewall. The size, cost, and manageability of that firewall are the choices you and your customers need to make.
Send mail to tparker@tpci.com with questions or comments about this web site.