A net for the Net: Page 3

(Page 3 of 3)

Raptor Firewall 6.0

Axent Technologies
2400 Research Blvd., Rockville, MD 20850
888-44-AXENT or 301-258-5043

Key features: Raptor Firewall has integrated application-level proxies, network circuits, and packet filtering into a single architecture, which also contains hooks for third-party filtering and antivirus products.

Sergio Cortez, director of resource management at Litton: "With a virtual private network, we had to invoke some standards. Two years ago, it was a nuisance; now it's a necessity."

Raptor "hardens" existing operating systems to eliminate known weak points, rather than providing a new version of an OS. The software also monitors the OS for changes that may compromise security.

Price: $2,495 to $15,000, depending on the number of seats.

Platforms supported: Windows NT and Solaris.

Strengths: Users like the one-stop shopping that Axent provides for security products. User interfaces are quite easy to use. Application proxies are generally more secure than stateful inspection, and Raptor has a wide range of proxies to pick from.

Weaknesses: The company had a rough time integrating Raptor products into its line. Users indicate that they could use a little more hand-holding at times. Like all application proxies, Raptor eats bandwidth.

What users say: Commercial electronics manufacturer and defense contractor Litton was drawn to Raptor by its virtual private network capabilities. "We were disengaging from one of our divisions, and that division had secure private lines. We had to replicate that cost effectively," explains Sergio Cortez, Litton's director of resource management. The company selected Raptor for its 27 divisions in the U.S. and Europe for several reasons, not the least of which was some divisions had successfully used Raptor before. "We liked the fact that it was proxy," says Cortez. "Administration was pretty good, and it was scalable across our environment." After a two-month pilot project, Litton deployed Raptor across the company over 18 months in 1996 and 1997. Imposing standards and policies--and enforcing them--proved to be the most difficult part. "With a virtual private network, if you don't have a clean setup, you're in trouble," Cortez says. "To stay on top of it, we had to invoke some standards, whether people liked it or not." He says, however, that the divisions have adjusted: "Two years ago, it was a nuisance; now it's a necessity."

PIX Firewall

Cisco Systems
170 West Tasman, San Jose, CA 95134

Key features: PIX is a stateful inspection firewall, available on two hardware platforms. The system runs its own proprietary OS in conjunction with Windows NT, and it can create virtual private networks.

Price: Base list price is $9,000 for 64 sessions. PIX supports as many as 16,000 sessions.

Platforms supported: Runs a proprietary OS with Windows NT on hardware supplied by Cisco Systems.

Strengths: Users report excellent speed. There is virtually no system degradation no matter how many users are added. As part of an end-to-end program from Cisco Systems, users can get one-stop shopping not only for security, but also for virtually all their networking needs. Many give tech support and responsiveness high ratings: When problems do arise, Cisco Systems helps promptly.

Weaknesses: Because PIX is only a small part of a much larger organization, some analysts and users say the company doesn't pay enough attention to the product, or to its customers. Management and reporting functions are said to be weak compared with other vendors' products.

What users say: When IT company NCR Corp. decided to boost its Web access to 45MB per second about a year ago, it was time to revisit the firewall supplier. The company was reasonably happy with Check Point's product but decided to make the move to the PIX firewall from Cisco Systems. "We were looking for performance and scalability," says David Pike, director of global network solutions for NCR in Dayton, Ohio. "With Cisco Systems, we had no concerns about speed or about scalability."

Because NCR has all of its corporate information at a central location, the company has opted for only one firewall. That's kept its administration and maintenance costs to a minimum. "It only works when information is centralized, though," Pike says. On the outbound side, "every associate with a browser is going through the firewall," he says. Despite all the activity generated by tens of thousands of users, the company has seen little or no performance degradation on the network. Also, because NCR already had a firewall policy in place, the company had no trouble implementing PIX.

In addition to its internal users, NCR has more than 260 extranet partners with access to its corporate data, a number that will grow exponentially within the next 12 months, according to Pike. "The Web is the best way to control outside access to our data," Pike says. "That means that the firewall is an important part of security."

A big customer--and sometime reseller--of Cisco Systems equipment, NCR has found technical support to be exemplary. "One reason we are with Cisco is that they have end-to-end coverage," Pike says. "It's an enterprise concern, and a lot of people are looking for that."

Lessons learned about firewalls

Buy before you're burned. Many organizations know this already, but it doesn't hurt to repeat. The time your company first establishes a Web presence is the time to buy a firewall product.

Set rigorous policies. Firewalls work only if you've told them what you want them to do. Setting rigorous rules for access--rules designed before the firewall goes up--is the best way to ensure security. It's time-consuming, and it's a process you'll have to go through regularly.

Allow for expansion. As far as we can tell, everyone who installs a firewall will eventually encounter equipment constraints. You'll soon outgrow your hardware, your software, your networking bandwidth, or all three. Keep an eye on usage, and make plans to change when necessary.

Expect vendors to change. The rounds of acquisitions over the last couple of years have meant users are rarely dealing with the people and companies they started with. While the current round of acquisitions seems to have stopped, some analysts think another is coming.

Plan for intra/extranets. Even if you're only setting up a simple Web site today, down the road you'll be installing firewalls in areas you might not currently dream of.

Be prepared to explain performance hits. Your firewall is going to slow network performance, even if only slightly. Do your best to minimize the effects of this. For management, the bottom line is usually not security, but speed.

Read all about it...

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network
Sams.net Publishing
June 1997
Written by an anonymous hacker who has seen the error of his ways, this book provides an excellent--if slightly daunting--look at today's network security issues. Only one chapter is specifically about firewalls, but it is an excellent introduction to the subject.

PC Week Intranet and Internet Firewalls Strategies
Ziff-Davis Publishing
May 1996
Read this guide to find out how firewalls work and why you need them. It shows you the essentials of firewall implementations: configurations, protocol issues, administration, and more. By identifying the real threats to your network, you can establish packet filters or application-level gateways before security is breached.

"GAO Report: Ongoing Security Issues"
(Oct. 6, 1998)
Interactive Week
The General Accounting Office has released a report (its first in a couple of years) about the state of computer security in the federal government. The news isn't good, as this synopsis indicates. Some of the problems the feds have are probably problems your site has as well.

"Seven Firewalls Fit for Your Enterprise"
(Nov. 15, 1998)
Network Computing
This is an excellent report-card-style review of a half-dozen or so firewalls. In addition to ranking the vendors' products, it also provides background information on the latest technology and marketing schemes.

"Firewall Mailing List Archive"
For six years, subscribers to firewalls@greatcircle have been sharing their firewall data with one another. At this archive you can trawl for the firewall information you need. As with all unmoderated groups, you can expect a certain amount of spamming, as well as the obligatory flame wars. (Also see the group's FAQ file at ftp://ftp.greatcircle.com/pub/firewalls/FAQ.)

4Firewalls is a page of links, and although this site is not the grand collation of firewall information it purports to be, it's a good place to start for follow-up information on firewalls, such as links to vendors and consultants.
