A net for the Net: Page 2

(Page 2 of 3)

"There were a lot of growing pains," he reports. "We had some problems finding the right network administrator; I ended up adding about one and a half heads to the staff." This may sound excessive to run a firewall, but Litton has a virtual private network operating over 27 divisions.

On the other hand, Libbey's Reed, although handling a somewhat smaller network, reports that his company's firewall has been "fire and forget."

Proxies vs. stateful inspection: Is there a clear winner?

Among firewall vendors and their adherents, there's a great rift between two technology camps. "It's almost a religious thing," says Kurt Kruger, manager of security products marketing for Cisco Systems. Two technologies--techniques, really--dominate the marketplace: proxies and stateful inspection.

A proxy terminates the application traffic at the firewall, inspects it, and relays it to the other side of the wall on the sender's behalf. Since the original message itself never crosses the firewall, proxies are viewed as more secure than stateful inspection. But because the firewall has to do that much work, proxies are also viewed as a drain on the system that can quickly degrade network performance.

"If you run the two different technologies on the same hardware under a small number of users and clock straight bandwidth, it's a modest performance penalty," says Michael Zboray, vice president, research director for GartnerGroup of Stamford, Conn. The Raptor Firewall 6.0 is an example of a mostly proxy-based firewall.

With stateful inspection, the firewall examines application data by scanning each packet and by maintaining state tables that track information across multiple packets. Stateful inspection is much faster than proxies and imposes less of a performance drag on the network. However, because some data passes through the wall, stateful inspection is, theoretically, not as secure as proxies. Cisco Systems' firewall is an example of a stateful inspection firewall.

The lines are blurring, however. "There are some protocols that work better if they are proxied," says Gartner's Zboray. "FTP [and] H.323 videoconferencing need proxy technology--companies like Check Point [Software] end up building a little proxy technology to handle protocols that need a little more intelligence," he adds. Similarly, proxy companies are including some stateful inspection to ease pressure on networks. "Your best bet is a relatively flexible mix," Zboray says.

Network Associates has recently adopted a scheme it calls adaptive proxy architecture. The scheme aims to make the best of both worlds: comparing the first packet of a message via proxy but passing the balance of a long message through a filtering scheme.
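To make the state-table idea and the "first packet by proxy, the rest by filter" hybrid concrete, here is an added illustration (not code from the article or from any vendor named in it). The packet model, the internal address prefix and the HTTP-only application check are all hypothetical; the state table only admits traffic that belongs to a session an inside host opened.

```python
from dataclasses import dataclass

# Constructed packet model for this illustration, not a real packet parser.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "SYN", "SYN-ACK", "ACK" or "FIN"
    payload: bytes = b""

INTERNAL_PREFIX = "10.0.0."  # hypothetical inside network

class StatefulFirewall:
    """State table keyed on the connection 4-tuple. Unsolicited inbound
    traffic is dropped; the first data packet of an accepted session gets a
    proxy-style application check, later packets ride the fast path."""

    def __init__(self):
        self.table = {}      # (src, sport, dst, dport) -> state

    @staticmethod
    def app_inspect(payload: bytes) -> bool:
        # Hypothetical HTTP check: the request line must be GET or HEAD.
        return payload.startswith((b"GET ", b"HEAD "))

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN" and fwd not in self.table:
            if not p.src.startswith(INTERNAL_PREFIX):
                return "DROP"    # inbound connection attempt, no session to match
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        if p.flags == "SYN-ACK" and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "ESTABLISHED"
            return "ACCEPT"
        state = self.table.get(fwd) or self.table.get(rev)
        if state is None:
            return "DROP"        # packet belongs to no tracked session
        if state == "ESTABLISHED" and p.payload and fwd in self.table:
            if not self.app_inspect(p.payload):   # proxy-style first-packet check
                del self.table[fwd]
                return "DROP"
            self.table[fwd] = "INSPECTED"          # subsequent packets fast-path
        if p.flags == "FIN":
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
        return "ACCEPT"
```

Only the first data packet of each session pays the application-layer inspection cost; everything after it is a state-table lookup, which is the performance argument the article makes for the hybrid.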

Whether or not your firewall runs out of the box, companies will almost inevitably encounter a few equipment problems as firewall use increases. At Litton, adding the firewall overloaded the whole network, resulting in performance degradation. "We had some small bandwidth lines. Since Raptor encrypts everything, performance became an issue, and some of our divisions were forced to upgrade," Cortez says.

At Libbey, Reed says the firewall is starting to outgrow his hardware. "We're running it on NT, sitting on a Pentium 166," he says. "It was fine when we started, but demands have gone up, and we haven't updated the machines. It's not exactly a bottleneck, but the machine is starting to breathe heavy."

Indeed, as companies begin relying more on exchanging data with customers and partners, the need for extranets grows. "Extranet firewalls should be part of the overall security policy," advises Check Point's Smith. "There are many applications where the public Internet is not involved...there are private IP networks where you might connect to business partners. The trouble is you're trusting the security of the other party's network."

Extranets, additional firewalls, or at least additional policy modifications, mean more work for the network administrator. But it's an increase in the volume of work, not in the kind of work that has to be done.

Once more into the breach

Horror stories drive customers to buy firewalls in the first place. "There's widespread awareness that security is a key," says Smith. "But there are always those who will wait until they are attacked. It should be a concern for every corporation--any corporation that is dependent on its network."

Has your company decided on a particular firewall technology? Proxies or stateful inspection? E-mail us and tell us what influenced your decision.

Since a firewall is the first security product most people think of, there's a consistent demand for a low-end, turnkey product such as that offered by Cisco Systems. But as users grow more sophisticated, they try to upgrade their gear, leading to a demand for a second tier of full-function firewalls plus additional security products, according to a report published by IDC.

"In the future, the real debate will be whether security is part of networking or part of software," says Cowen's Reamer. "That will bear watching."

Gerald Lazar is a freelance writer in Tenafly, N.J., and a contributor to a book on network security issues (as yet unpublished). He can be reached at jl4hire@ix.netcom.com.


Check Point Software Technologies
Three Lagoon Dr., Suite 400, Redwood City, CA 94065
800-429-4391 or 650-628-2000

Key features: Check Point is one of the oldest firewall vendors. Its products are now part of a suite of security offerings that includes access control, authentication, encryption, and network address translation. It's primarily a stateful inspection product, although it has incorporated some proxies for some communication. (See sidebar, "Proxies vs. stateful inspection: Is there a clear winner?")

Price: Determined by number of nodes. Prices range from $2,995 (for 25 nodes or fewer) to $18,995 (for unlimited nodes).

Platforms supported: Available on Hewlett-Packard, IBM, and Sun UNIX-based systems, Windows NT, Bay Networks routers, Nokia (Ipsilon), and Xylan switches, and 3Com (U.S. Robotics) remote access servers.

Strengths: Users find the firewall easy to configure, and the user interface gets praise from several quarters. Administrative overhead is relatively small, and the initial policy can be implemented quickly. Also, Check Point is responsive.

Weaknesses: The company had to add proxy capabilities to shore up technology. Some pieces of the product suite seem less robust--"hacked together," as one user put it. Software may eventually strain the capacity of low-end servers. Check Point's status as industry leader makes it a tempting takeover target.

What users say: Check Point's firewall serves as the front door of Libbey's security system. The Toledo, Ohio-based glassware manufacturer had little Web presence until recently, but network administrator Phil Reed spotted some weaknesses in the company's network and sought out a firewall product. "We've got about 300 users authorized for Web access," he says. "We need to isolate the internal network from the Internet except for a few well-defined points." Reed was attracted by Check Point's dynamic address translation feature, as well as by the firewall's ease of configuration. "The user interface for defining access rules is marvelous," he says. "The stuff that I need to get at is all there, and it's easy to drive." Reed likes the fact that, although Check Point's products are offered as part of a suite, he's still able to pick and choose the products he incorporates into his security scheme. "I am still able to buy best of breed," he says.
