Great Walls of Fire

Widely touted as the ultimate security for Internet and intranet systems, firewalls are rapidly becoming the must-buy item for many users. But what are they? How can they be used? Who are the market leaders and the best of breed? Nick Farrell investigates

With tales of hackers, cyber-terrorists and virus strikes on the increase, Internet/intranet customers are feeling fairly nervous. Some are terrified about the prospect of linking up with a public network, or even permitting the free flow of information that intranet systems allow, because they fear internal or external attacks. Such customers often outsource the production of Web pages, or do not even connect to the Net. But the majority, who see the introduction of Internet or intranet technology as inevitable, are turning to firewalls for protection.

According to Tony Stirrup, Integralis channel sales manager, the firewall market is still very young and is a growth market for dealers. Financial institutions in particular are looking for the best they can get in firewall protection. "When high-profile cases, like the recent hacking of the Labour Party Web pages, hit the headlines, customers that want to go on to the Web know they need protection," he says.

"We are coming out of the stage where we need to educate clients on Internet/intranet security, although obviously there are still some that need this kind of advice. The bottom line is that if a company has a Web server, or is connected to a public network like the Internet, they need some form of firewall protection."

While most customers realise they need to protect their systems, their concept of a firewall is limited to the scant understanding that "a firewall is the best thing in Internet security". The complexity of what they actually want still needs to be explained to them, says Stirrup. All products pitched at screening the network are generically called firewalls, and these can range from £40 pieces of shareware to expensive "black boxes" with more lights than the Starship Enterprise.

A firewall can be a skilfully configured router; a software-based product that sits on a server, like Firefox's Novix or McAfee's Webwall, and acts as an operating system shield; or a hardware/software product like Secure Computing's Borderware, Checkpoint's Firewall One or Cyberguard Corporation's Cyberguard. Stirrup says: "These are high value-added products, and although it is a high-margin area it is difficult to drop in a shrink-wrapped product. The dealer needs to tailor a product to suit the customer more."

He adds that dealers need to help clients develop a security policy to ensure the client is adequately protected. "Discussions of the correct firewalling of networks with the right product are an excellent reason for dealers to revisit their customer base."

But, says Stirrup, dealers that only sell firewall products as a tool for protection from the Internet could be missing the boat for other sales. He claims that the majority of hacks into an organisation are from inside the company, so armed with internal firewall products, a company can block illegal access by staff to parts of the network or intranet. "Internal firewalls, particularly where firms have set up an intranet, are becoming more important."

Although internal hackers are most likely to be disgruntled employees, some can be computer-literate staff that want a peek at the files they should not have access to. "These are the type of people that just want to know what is going on in the organisation, and if they cannot find out by using an official route, they will try to do so through an unauthorised one," says Stirrup.

Steve Barnett, Checkpoint MD for European operations, says that either case would be stymied by firewalls built into the network or intranet. Most firewall products provide elaborate monitoring facilities, he says, which enable network managers to detect who within an organisation is trying to get past the firewall, where they are trying to go and what they are trying to do.

Another firewall function, useful to clients that do not want their employees bringing illegal porn into the network via the Internet, is site screening. This can block access to porn or non-work related Internet sites. "Using firewalls within a network ensures that everything is measured and nothing can escape the notice of the network manager," says Barnett.

While Checkpoint's Firewall One product already ships an integrated antivirus function, most firewalls include some arrangements within the network for virus checking, usually after security procedures are completed. This means that the placement of a number of firewalls within a network or intranet can block the spread of a virus.

Information gleaned from monitoring devices on a firewall can isolate the infected machines. Technically it is possible to set up a conventional router to act as a firewall by setting up security arrangements within the TCP/IP code to route unauthorised traffic away from areas of the network.

Router configuration is the cheapest system for a company to install without buying a single product. But according to Mark Abrahams, MD of Internet service provider CCSnet, the problem with this system is that it requires experienced TCP/IP experts to be ready to reconfigure the router every time the network is changed. "The other problem is that a hacker with TCP/IP knowledge can usually work their way around the router," he says.
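The router-as-firewall idea above comes down to a list of packet-filtering rules evaluated in order, with anything unmatched dropped. The following is an added illustration written for this article, not code from any router vendor or product named here; the addresses, subnets and packets are constructed, and the rule language is a simplification (real router filters also consider interfaces, flags and state). It also shows the reconfiguration cost Abrahams mentions: a newly added subnet gets nothing until the rules are edited.

```python
"""Minimal first-match packet filter with default deny (added illustration).
Topology, addresses and traffic are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


ANY = ip_network("0.0.0.0/0")
# Constructed topology: staff LAN, a finance segment inside it, a public web server.
LAN = ip_network("192.0.2.0/24")
FINANCE = ip_network("192.0.2.64/26")
WEB = ip_network("198.51.100.0/28")

# Rules are evaluated top to bottom; the first match decides.
RULES: List[Rule] = [
    Rule("allow", ANY, WEB, "tcp", 80),        # anyone may reach the public web server
    Rule("deny",  LAN, FINANCE, "tcp", 445),   # internal wall: staff may not hit finance file shares
    Rule("allow", LAN, ANY, "tcp", 80),        # staff may browse out over HTTP
    Rule("allow", LAN, ANY, "tcp", 443),       # ... and HTTPS
]


def decide(rules: List[Rule], p: Packet) -> str:
    """Return 'allow' or 'deny' for one packet; unmatched traffic is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # default deny: nothing passes unless a rule permits it


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Decision per packet, the raw material for the monitoring the article mentions."""
    return [(p, decide(rules, p)) for p in packets]


# The reconfiguration cost: a new branch-office subnet is silently blocked
# until an administrator extends the rule set.
BRANCH = ip_network("203.0.113.0/24")
RULES_AFTER_CHANGE = RULES + [Rule("allow", BRANCH, ANY, "tcp", 80)]


if __name__ == "__main__":
    sample = [
        Packet("203.0.113.9", "198.51.100.3", "tcp", 80),   # outsider -> web server
        Packet("192.0.2.10", "192.0.2.70", "tcp", 445),     # staff -> finance share
        Packet("192.0.2.10", "203.0.113.1", "tcp", 23),     # staff telnet out (no rule)
        Packet("203.0.113.5", "192.0.2.200", "tcp", 80),    # branch office, before/after change
    ]
    for pkt, verdict in audit(RULES, sample):
        print(f"{verdict:5} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print("branch after change:", decide(RULES_AFTER_CHANGE, sample[3]))
```

The order of the rules matters: the internal deny for finance sits above the general "staff may browse out" allows, so a broader permit lower down cannot override it. Moving the deny below them would silently reopen the share, which is exactly the kind of mistake that makes hand-maintained router filters fragile.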

The next level of firewall is software-based, typically called a proxy server. This is software which analyses traffic as it comes into the network and decides if it will be sent on or bounced. Abrahams says these are ideal for smaller networks, and cites Firefox's Novix product as his personal choice. Bob Birtles, marketing manager of International Data Security (IDS), says his favourite software-based firewall is McAfee's Webwall, part of McAfee's Secure Web range, because he believes it is cheaper and more flexible.

The key problem with proxy servers is speed and the fact that they do not offer the full level of security of separate black box firewalls. Abrahams says: "The problem is that because they are software-based, a hacker who knows the language the code is written in can get around them. They are also installed on the server so that the hacker is already in the network by the time they encounter the firewall."
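What a proxy server actually does when it "decides if it will be sent on or bounced" is parse the application-level request and apply policy to it; the site screening described earlier lives at this layer too. Below is an added illustration of that decision logic for an HTTP forwarding proxy, written for this article and not taken from Novix, Webwall or any other product it names. The blocked hostnames, allowed methods and sample requests are constructed; a real proxy would also open the outbound connection, relay the response and rate-limit, which is omitted here.

```python
"""Decision logic of a toy HTTP forwarding proxy (added illustration).
Parses the request line and headers, then forwards or bounces by policy.
Policy lists and sample requests are constructed for the example."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed screening list: these hosts and their subdomains are bounced.
BLOCKED_SUFFIXES = ("example-gambling.test", "example-adult.test")
# Constructed method policy: a browsing proxy need not relay anything else.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Return method/host/path/version, or None if the request is malformed."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None  # non-ASCII in the header block: not a request we will relay
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None  # header line without a colon: malformed
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    # Proxy-style requests carry an absolute URL; otherwise use the Host header.
    url = urlsplit(target)
    host = url.hostname or headers.get("host", "").split(":")[0]
    if not host:
        return None
    return {"method": method, "host": host.lower(),
            "path": url.path or "/", "version": version}


def decide(raw: bytes) -> Tuple[str, str]:
    """Return ('forward' | 'bounce', reason) for one raw HTTP request."""
    req = parse_request(raw)
    if req is None:
        return ("bounce", "malformed request")
    if req["method"] not in ALLOWED_METHODS:
        return ("bounce", f"method {req['method']} not permitted")
    host = req["host"]
    if any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return ("bounce", f"site {host} is screened")
    return ("forward", f"{req['method']} {host}{req['path']}")


def audit(requests: List[bytes]) -> List[str]:
    """One log line per request: what the network manager would see."""
    return [f"{verdict.upper()} {reason}" for verdict, reason in map(decide, requests)]


if __name__ == "__main__":
    # Constructed sample traffic arriving at the proxy.
    sample = [
        b"GET http://www.example-gambling.test/slots HTTP/1.1\r\nHost: www.example-gambling.test\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: intranet.corp.test:8080\r\n\r\n",
        b"CONNECT intranet.corp.test:443 HTTP/1.1\r\nHost: intranet.corp.test:443\r\n\r\n",
        b"GARBAGE\r\n\r\n",
    ]
    for line in audit(sample):
        print(line)
```

Every request is fully parsed before anything is relayed, and anything the parser cannot account for is bounced rather than passed through. That is the property that makes a proxy more thorough than a packet filter, and also why, as Stirrup notes, each extra check costs throughput: the work is done per request, on the server, in software.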

Stirrup says that, depending on the amount of traffic on any given network, a proxy server can become so slow as to be unusable. The more security checks a network manager expects the server to make before it allows the system to be entered, the slower it becomes.

The most secure approach is the black box, which sits between the outside world and the network. Someone entering the system can only see the black box and not what is behind it. Since the internal workings of the firewall are generally proprietary, there is very little chance that a hacker could work their way around it.

According to a recent IDC report, Firewall One is the market leader in Europe, commanding 40 per cent of all firewall sales. The product is sold through Integralis, Sunsoft (which offers the product as Solstice Firewall One) and Hewlett Packard.

So what exactly is its pulling power? Well, Firewall One offers protection for all protocols, as well as multi-gateway support and real-time auditing, alerting and log-viewing that enable the system administrator to monitor network security. It also supports 120 applications and services and is very good at extending its capabilities.

In addition, unlike proxy servers, Firewall One has only a tiny amount of network performance degradation (the manufacturers make the unlikely claim that there is none), so the network can still work at full bandwidth speeds. It is more transparent for the users in the network, as they do not need to go through additional steps in order to access the Internet.

Oracle and Checkpoint have got together to design an enhanced connectivity for the SQL Net product, which will enable the firewall to check data content. Checkpoint has also been working with Cheyenne Software and integrated Cheyenne's Inoculan virus detection software into Firewall One. This has created what the two companies believe is the first firewall with integrated virus protection. The product is shipping this month.

Barnett says this move alone is very important in the history of firewall technology. It means that real-time virus protection can be performed transparently outside the main network for the first time. "I have had a lot of dealers ringing me up about this aspect as 40 per cent of viruses come into a network via the Internet."

Barnett claims that Firewall One scores over its nearest rival, Secure Computing's Borderware firewall, because it is tuned to a PC environment. He says Borderware is better pitched towards Unix-based networks and larger enterprises.

Secure Computing's offering has Web-based remote management, advanced virtual private network functions and secure server network enhancements. The firm claims it has the only turnkey, plug-and-play firewall and Net gateway system in a single box. The product uses a Java-based platform with a graphical user interface that enables customers to manage and configure firewalls anywhere on the network from their own management stations.

Next up among the market leaders is Trusted Information System's Gauntlet Internet Firewall. Its main claim to fame is that it can integrate Web and FTP servers within the firewall rather than force them to sit behind it. Fred Avolio, vice president of TIS network product marketing, says: "This approach means companies can more safely deploy information servers, while secure points-of-presence mail and printer services for remote access enable companies to create virtual private networks and virtual network perimeters that extend to mobile workers.

"This approach minimises unauthorised access, both through the firewall itself or from unauthorised users entering the network from a different location. This makes it ideal for small to medium-sized sites."

The Gauntlet Firewall is available for BSD/OS, HP-UX and Sun OS platforms, with prices starting at about $15,000 for a Pentium-based system.

So what does all this competition mean for customers? In effect, it means that prices in this increasingly lucrative sector are coming down all the time. Once the domain of the enterprise organisations that could afford them, black boxes are finally falling in price as bulk sales allow production costs to be reduced.

For Internet dealers, says Stirrup, this could mean the sale of firewalls will become a common part of sales to small and medium-sized firms, with more internal black boxes on the networks and intranets of enterprise-size companies.