Part 3: Shrink-wrapped Firewalls?
The term "appliance" is loosely applied to a whole range of security products. Here's how to tell one from another.
When most people think of an appliance, they think of a dedicated device that has software already loaded on it. However, some software-only vendors also market their products as appliances. Adding to the confusion is the emergence of other kinds of network appliances that perform a whole range of functions. Some of these appliances come with firewalls, some dontand which is which isnt always clear.
To help understand the emergence of firewall appliances, its helpful to know something about basic firewalls. Firewalls are deployed to protect trusted computer networks from untrusted networks. Typically, this is between a LAN and the Internet or between two departments within a corporation. They act as security guards by blocking or passing network traffic using packet filters, application proxies, stateful inspection or a combination of these technologies. The first commercial firewalls were expensive boxes designed for large enterprises. Because they required in-depth knowledge of
networking and of the underlying operating system, these firewalls required highly skilled personnel to configure and maintain them.
In time, firewalls became more popular and also more specialized to meet the demands of different market segments. "Shrink-wrapped firewalls" (easily configured, often NT-based, software solutions) and firewall appliances emerged with ease-of-use in mind. There are a wide variety of products in the appliance category, and "appliance" has become a trendy term with several shades of meaning.
In general, an appliance can be defined as a product that comes pre-installed on hardware. In terms of the firewall product market, appliances can be grouped into three categories, based on the size of the networks they are meant to serve.
1. Large Enterprises (1,000+ Users)
Examples: Secure Computings Sidewinder; Lucents Managed Firewall; Cisco Systems PIX.
These are what you typically think of as "classic" firewalls, and although they have become easier to manage, they need dedicated security personnel to maintain them. I only mention them here because they ship pre-installed on a machine, and in some circles they are referred to as appliances.
2. Small to Medium-Sized Enterprises (50-1,000 Users) and Branch Offices
Examples: Technologics Interceptor; Watchguards Firebox, Internet Devices Ft. Knox Policy Router, NetScreens NetScreen-10; Sonic Systems SonicWall.
Typically plug n play, these products have fewer configuration options, and dont allow users to modify the hardened OS. The philosophy behind these appliances is that fewer choices lead to better security for those with limited skills (i.e., users cant hurt themselves by unknowingly introducing vulnerabilities). Today, vendors are offering features that vary greatly from a bare-bones firewall to products that include VPN capabilities, Web caching, content filtering, traffic management, virus scanning and even patches and advisories that are delivered automatically. Some of these products may rely on a users ISP to handle services such as DNS, and theres quite a range in the level of logging detail.
A firewall appliance of this type can be a very good fit for an organization that has limited in-house technical expertise. They are less expensive than large enterprise firewalls, and because theyre easier to manage, they should have a lower total cost of ownership. However, these are dedicated devices, so unlike a software-only solution, you wont have a PC you can recycle when the product has outlived its usefulness.
3. Small Office Home Office (SOHO) (5-50 Users)
Examples: eSofts IPAD; Freegates OneGate 150; Whistle Communications InterJet.
The newest products to arrive on the scene are designed for small networks. Typically, these appliances host multiple services on the same machinesuch as a firewall, Web server and e-mail serverand support T1 or slower connections (such as ISDN). Hence, they are not often sold primarily as firewalls, but as devices to connect a small enterprise to the Internet that happen to have a (limited) firewall built in. The customer base for these products doesnt know security very well, and probably wont anytime soon.
SOHO appliances provide an inexpensive way to connect a small LAN to the Internet, and some have decent firewall capabilities. Since these products combine many functions in one unit, however, buyers should do their homework to determine exactly how the vendor defines "firewall." Ask them what technology the firewall employs, and if it has been tested by third parties.
Most security experts do not recommend hosting any other services on a firewall machine. If you want to use a SOHO appliance, make sure the machines other hosting services can be disabled while still allowing the firewall to function properly. Another potential drawback is the fact that these products tend to lack robust security logging and reporting capabilities.
Choosing the Right Product
Its easy to get overwhelmed by the diversity and range of
todays firewall appliance offerings. So, how do you choose the right one for your setup? Start with your corporate security policy: The right product for you is one that matches your current and future business and security needs, and fits the skill sets of your IT personnel.
A properly chosen firewall appliance can be an effective part of your network security strategy. As vendors continue to offer more features, users arent nearly as limited as they were in the past. In the near future, market forces and customer demands will bring even more diversity and specialization to this growing space.
Pete Cafarchio (firstname.lastname@example.org) is the ICSA technology program manager for network security. Commercial products mentioned as examples in this sidebar are for discussion purposes only. For a listing of firewall products certified by ICSA, see www.icsa.net/html/communities/firewalls/index.shtml"
© 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!