PJNetworks
Sonic Firewall
   
 

Introduction

The opportunities offered by the Internet are too good for most businesses to ignore; doing so only ensures that a company's competitors take the lead. However, connecting to the Internet poses a series of dilemmas for the systems administrator, who has to ensure that communications are maintained whilst retaining the integrity of the system for all of its users. A firewall can keep out all but the most knowledgeable and determined hacker, yet allow users all the access to which they are authorised in a way that is largely transparent to them.

Many firewalls cost between $5,000 and $20,000 and offer businesses that can afford that level of investment the protection that they deserve. However, this part of the market represents only a small section of the total user population; many of the rest are schools, libraries, small businesses or remote offices of larger businesses that require Internet access and exposure but also need the same protection from the potential dangers that go with that exposure. Spending $10,000 on each branch office in order to prevent it from becoming the point of access in a planned attack via a VPN can become very costly.

Sonic Systems has addressed this problem by producing a small, easy-to-configure, fast, lightweight firewall which, at less than the cost of a PC, is affordable even to an Internet cafe.

Products

Firewalls have only one job to do: to decide whether or not to allow each packet of data to pass from one network into another. Every firewall works from a set of rules called a security policy; how it applies that policy to each packet depends upon which type of firewall it is.

Generally speaking, firewalls may be grouped into three generations:

  • First generation, or packet filters - these simply look at the header information and make a decision based upon the source and destination of each packet, with a security policy based upon IP addresses. These firewalls are generally difficult to configure properly, and incorrect configurations can lead to vulnerabilities in the firewall. However, with little checking going on for each packet that passes through the firewall, a first generation firewall is very fast;
  • Second generation, application gateways and circuit-level gateways - the data part of the packet is reassembled and the firewall checks that it conforms to a set of definitions according to the type of traffic. Different types of traffic have different content, and each set of packets is assembled into its final form and tested for conformity before it is allowed to pass through the firewall. This type of rebuilding is costly in computer resources and time and can make the firewall slow; and,
  • Third generation, SMLI or Stateful Multi-Layer Inspection firewalls - these look at all of the information in the packet header (although not the data part of the packet unless specifically required to do so), rebuilding the headers from the packets of each communication and checking that they are as they should be at each layer of the OSI model. The data for this process is small and is stored in RAM, so, like the first generation firewall, it is quick because most of the packet, the data itself, is not checked.

SonicWALL

SonicWALL comes in three main forms, with variations to suit each user's circumstances. The basic SonicWALL firewall has two network connections (LAN and WAN; the latter normally represents the connection to the Internet, although there is no reason why it should not be another internal network should you require an inter-LAN gateway to control traffic between departments such as wages and personnel) and can accommodate 10 nodes on the LAN side. The number of nodes can be increased to 50, or to an unlimited number in the SonicWALL Plus version. The SonicWALL DMZ has a third network connection, allowing a third network or Demilitarised Zone (DMZ) to be connected to the system. Visible from the WAN, the DMZ allows public services to be protected from external attacks by a full firewall yet still remain reachable. In addition, if a hacker does manage to break into the DMZ, he still has a full firewall to break through to get to the LAN. Both the SonicWALL and the SonicWALL DMZ can be upgraded to include a VPN; and, with a VPN as standard, the SonicWALL PRO uses a faster processor to provide a higher throughput.

The SonicWALL firewall is small (20 x 10.6 x 3.8cm - 8 x 4.25 x 1.5 inches) and lightweight (0.45kg - 1lb) with no moving parts. There is no hard disc drive to malfunction, as everything, from the operating system to the firewall and its data, is stored in RAM. Without the relatively slow access times of a hard disc to slow down the process, booting up takes only a few tens of seconds.

The operating system is proprietary, with only the bare essentials required in order to run, manage and administer the firewall, thus reducing to a minimum the possibility of hackers exploiting vulnerabilities in superfluous executables left on the firewall machine, as is the case with many other firewalls.

Security policy management is performed using a Java-enabled browser, with authentication established using an MD5-based encrypted security mechanism. This means that the computer used to configure the firewall can be any type of machine, and the person who is required to configure it is already familiar with the overall interface, thus cutting down on the training required. The default configuration of the firewall is sensible, and in most cases only a few IP addresses and network masks, which the systems administrator should already be familiar with, are required in order to configure the firewall. It takes literally only five minutes to set up SonicWALL, from plugging it into the power supply and networks to completion of the configuration process.

If circumstances dictate that greater complexity is required, rules may be created or modified to allow or deny access to different types of traffic in different directions. For example, Internet Relay Chat (IRC) may be blocked from the LAN to the WAN, thus precluding wasteful use of bandwidth and employee time (whether by the new man in accounts or the managing director), or access may be granted from the WAN to the company's web server on the HTTP port (80). Further, access may be granted to some services based upon time of day or day of week, thus allowing employees some controlled recreational use of the Internet.
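The behaviour described in the two passages above (the stateful inspection of the third-generation firewall, and a policy of direction-aware rules with time-of-day windows) can be illustrated with a small simulation. The following is an added example written for this page, not SonicWALL's own code; its rule names, zone labels, addresses, port numbers and sample packets are all constructed.

```python
"""Added example, not SonicWALL's own code: a toy stateful packet filter.

It models two ideas from the text: a security policy made of direction-aware
rules (LAN->WAN, WAN->LAN) that can be limited to a daily time window, and a
connection table so that replies to an allowed outbound connection are accepted
without a separate inbound rule. Rule names, zone labels, addresses and the
sample packets are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str          # "LAN" or "WAN"
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str             # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    syn: bool = False      # True for a packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                      # protocol name or "any"
    dst_port: Optional[int]         # None matches any destination port
    action: str                     # "allow" or "deny"
    dst_ip: Optional[str] = None    # None matches any destination host
    start: Optional[time] = None    # optional daily window [start, end]
    end: Optional[time] = None

    def matches(self, pkt: Packet, now: time) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.dst_ip is not None and self.dst_ip != pkt.dst_ip:
            return False
        if self.start is not None and not (self.start <= now <= self.end):
            return False
        return True


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()     # 5-tuples of connections that a rule allowed

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def decide(self, pkt: Packet, now: time) -> str:
        # 1. Established flow: either direction of a tracked connection passes
        #    without consulting the rule list again.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self._key(pkt) in self.flows or reverse in self.flows:
            return "allow (established)"
        # 2. A TCP packet that is not a connection opener and has no state is
        #    a stray or forged segment; drop it before looking at any rule.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no state)"
        # 3. First matching rule wins; an allow creates state for the replies.
        for rule in self.rules:
            if rule.matches(pkt, now):
                if rule.action == "allow":
                    self.flows.add(self._key(pkt))
                return f"{rule.action} ({rule.name})"
        # 4. Nothing matched: default deny.
        return "deny (default)"


# Constructed policy mirroring the examples in the text: IRC blocked outbound,
# web browsing only at lunchtime, DNS always, and HTTP inbound only to the
# public web server (a constructed address on the LAN side).
DEMO_RULES = [
    Rule("block-irc", "LAN", "WAN", "tcp", 6667, "deny"),
    Rule("lunchtime-web", "LAN", "WAN", "tcp", 80, "allow",
         start=time(12, 0), end=time(14, 0)),
    Rule("lan-dns-out", "LAN", "WAN", "udp", 53, "allow"),
    Rule("wan-to-webserver", "WAN", "LAN", "tcp", 80, "allow", dst_ip="192.168.1.5"),
]


def demo():
    """Push constructed sample traffic through DEMO_RULES and return verdicts."""
    fw = StatefulFilter(DEMO_RULES)
    lunch, morning = time(13, 0), time(9, 0)
    pc, web, ext = "192.168.1.20", "203.0.113.10", "198.51.100.7"
    return {
        "irc_out": fw.decide(Packet("LAN", "WAN", pc, web, "tcp", 40001, 6667, syn=True), lunch),
        "web_out_lunch": fw.decide(Packet("LAN", "WAN", pc, web, "tcp", 40000, 80, syn=True), lunch),
        "web_reply": fw.decide(Packet("WAN", "LAN", web, pc, "tcp", 80, 40000), lunch),
        "web_out_morning": fw.decide(Packet("LAN", "WAN", pc, web, "tcp", 40002, 80, syn=True), morning),
        "wan_to_webserver": fw.decide(Packet("WAN", "LAN", ext, "192.168.1.5", "tcp", 51000, 80, syn=True), lunch),
        "wan_to_workstation": fw.decide(Packet("WAN", "LAN", ext, pc, "tcp", 51001, 80, syn=True), lunch),
        "stray_ack": fw.decide(Packet("WAN", "LAN", ext, pc, "tcp", 51002, 443), lunch),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

The design point worth noticing is step 1: the reply from the web server is accepted because the outbound connection created state, not because a WAN-to-LAN rule permits port 80 to every workstation. A first-generation packet filter has no state table, so it must either open the return path with a broad inbound rule or break the connection; that is the configuration difficulty the text attributes to packet filters.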

The firewall manages network addresses such that all connections on the outside/WAN side of the firewall see only one IP address, with traffic sorted and sent to the correct machine on the inside of the firewall. One of the advantages of Network Address Translation (NAT) is that the company using the firewall needs only the one address that its Internet Service Provider allocates to it, cutting overheads even further by allowing the use of low-cost Internet accounts. In addition, the DHCP (Dynamic Host Configuration Protocol) server and client provide centralised management of TCP/IP configurations and the ability to acquire settings from the Internet service provider. The DHCP server configures the PCs on the LAN with an IP address range for assignment to the PCs, static IP addresses, lease times, subnet masks (allowing mapping of LAN addresses to IP addresses), the default gateway and up to three DNS servers.
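The address-sharing behaviour described above is port-based NAT: every outbound connection is rewritten to the one public address with a unique port, and only packets that match a remembered mapping are let back in. The following is an added illustration written for this page, not SonicWALL's own code; the public address, LAN addresses, remote hosts and port numbers are all constructed.

```python
"""Added example, not SonicWALL's own code: port-based NAT behind one public
address.

Every connection leaving the LAN is rewritten to the firewall's single
ISP-assigned address and a unique public port, and the mapping is kept so the
reply can be rewritten back to the originating host. An inbound packet with no
mapping is dropped, which is why NAT both saves addresses and hides the
internal network. All addresses and ports are constructed.
"""
from itertools import count


class Nat:
    def __init__(self, public_ip, first_port=30000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.out_map = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_map = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Translate a LAN->WAN packet; return the (src_ip, src_port) the
        remote host sees. The same connection reuses its public port."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.out_map:
            pub_port = next(self._ports)
            self.out_map[key] = pub_port
            self.in_map[(pub_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return self.public_ip, self.out_map[key]

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """Translate a WAN->LAN packet; return the LAN (ip, port) it belongs
        to, or None when there is no mapping and the packet must be dropped."""
        if dst_ip != self.public_ip:
            return None
        return self.in_map.get((dst_port, remote_ip, remote_port))


def demo():
    """Run constructed traffic through a NAT with one public address."""
    nat = Nat("203.0.113.2")
    web = ("198.51.100.10", 80)
    # Two LAN hosts happen to pick the same source port for the same server;
    # the NAT must still keep their replies apart.
    a = nat.outbound("192.168.1.20", 40000, *web)
    b = nat.outbound("192.168.1.21", 40000, *web)
    a_again = nat.outbound("192.168.1.20", 40000, *web)
    return {
        "host_a": a,
        "host_b": b,
        "host_a_same_conn": a_again,
        "reply_to_b": nat.inbound(web[0], web[1], "203.0.113.2", b[1]),
        # A reply-shaped packet from a different remote host matches no mapping.
        "forged_reply": nat.inbound("192.0.2.99", 80, "203.0.113.2", b[1]),
        # An unsolicited connection attempt to the public address: no mapping.
        "unsolicited_ssh": nat.inbound("192.0.2.99", 51234, "203.0.113.2", 22),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s} {result}")
```

Because the inbound lookup includes the remote address and port, a packet from a third host aimed at a live public port is dropped too; a looser table keyed on the public port alone would let any external host reach the mapped workstation.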

Checking that network traffic originated from where it was supposed to is only part of the problem; great importance is also given to being able to show that a company is taking reasonable steps to make sure that its employees are not downloading the latest entertainment from questionable sites in parts of the world where there are less effective restrictions on what gets published. A 30-day free trial subscription to the CyberNOT categorised list of tens of thousands of URLs is included. This list is automatically updated each week and is grouped by subject, so that racial, pornographic, hate, irrelevant sites and so on may be selected and kept up to date. In addition, the firewall itself is able to allow or deny access to up to 256 sites through trusted or forbidden domain filtering.
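The trusted/forbidden domain filtering described above, layered over a categorised list, comes down to one matching rule that is easy to get wrong: an entry should cover the named domain and its subdomains, but not unrelated names that merely end in the same characters. The following is an added example written for this page, not SonicWALL's own code; the precedence between the lists is a choice made here, and the category names and domain names are constructed.

```python
"""Added example, not SonicWALL's own code: trusted/forbidden domain filtering
layered over a categorised URL list.

The matching rule is the point: a list entry matches the whole host name or a
parent domain on a label boundary, so "example.com" covers "www.example.com"
but not "notexample.com". Precedence is a choice made here (explicit forbidden
entries first, then trusted entries, which override the category list), not a
statement about how the product orders them. The 256-entry limit follows the
text; the category names and domains are constructed.
"""
MAX_LOCAL_ENTRIES = 256


def domain_matches(host, entry):
    """True if host equals entry or is a subdomain of it (case-insensitive,
    tolerant of a trailing dot)."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class ContentFilter:
    def __init__(self, forbidden, trusted, categories, blocked_categories):
        if len(forbidden) + len(trusted) > MAX_LOCAL_ENTRIES:
            raise ValueError("local domain lists are limited to 256 entries")
        self.forbidden = list(forbidden)
        self.trusted = list(trusted)
        self.categories = dict(categories)            # category -> [domains]
        self.blocked_categories = set(blocked_categories)

    def check(self, host):
        if any(domain_matches(host, d) for d in self.forbidden):
            return "deny (forbidden)"
        if any(domain_matches(host, d) for d in self.trusted):
            return "allow (trusted)"
        # Sorted so that a host in two blocked categories gets a stable verdict.
        for category in sorted(self.blocked_categories):
            if any(domain_matches(host, d) for d in self.categories.get(category, ())):
                return f"deny ({category})"
        return "allow"


# Constructed lists standing in for the local entries and a subscription list.
DEMO_FILTER = ContentFilter(
    forbidden=["example.com"],
    trusted=["library.example.net"],
    categories={
        "recreation": ["games.example.net", "library.example.net"],
        "news": ["news.example.org"],
    },
    blocked_categories=["recreation"],
)


def demo():
    """Return the verdict for a set of constructed host names."""
    hosts = ["www.example.com", "WWW.Example.COM.", "notexample.com",
             "games.example.net", "library.example.net", "news.example.org"]
    return {h: DEMO_FILTER.check(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:22s} {verdict}")
```

The `notexample.com` case is the one to keep in a test suite: a filter written with a plain `endswith("example.com")` check would block it, and the mirror-image bug (matching only the exact host) would let `www.example.com` through.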

As new methods of attack manifest themselves, the firewall needs to be able to detect and preclude the success of an attack. A firewall that could detect and stop every method of attack is an impossibility, so the firewall is kept up to date with updates that it can download securely from the Sonic Systems site. The simple nature of SMLI means that it is relatively quick and easy to make alterations to the firewall, which Sonic does as each new method of attack manifests itself; the firewall simply queries the Sonic Systems site to see whether it has the latest version. The new version is downloaded into the firewall's flash ROM and the machine rebooted, which again takes only seconds.

The firewall's log may be configured so that any level of detail is recorded. If all traffic were to be logged, the log would fill up very quickly, so a set of rules may be applied such that only particular types of traffic, or traffic originating from a particular place at certain times, is recorded. In addition, system maintenance, system errors, attempts to access blocked websites, blocked Java, ActiveX or cookies, attacks, dropped TCP, UDP and ICMP packets and network debugging are all logged.

The log, or a summary of it (top 25 users according to accessed sites, and bandwidth usage by IP address or service), may be emailed to various parties on a weekly basis, and should the log actually fill, there are options to shut down, overwrite the log, copy the log and start again and so on, all configurable from the Java-based firewall management front end. In the event of an attack, system error or attempt to access a blocked website, emails may be sent to particular individuals.
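The three logging decisions described above (which events to record, which to raise an alert on, and what to do when the log is full) each have a security consequence, and the last one is the interesting one: overwriting keeps the newest evidence, stopping keeps the oldest but lets later traffic pass unlogged, and shutting down fails closed. The following is an added example written for this page, not SonicWALL's own code; the event records and the filter are constructed.

```python
"""Added example, not SonicWALL's own code: a bounded event log with selective
recording, alerting and a configurable log-full policy.

The text describes choosing which events are recorded, emailing on attacks or
errors, and choosing what happens when the log fills. This toy logger records
only events that pass a filter, collects alert-worthy events separately, and on
overflow either overwrites the oldest entry, stops recording (the firewall keeps
passing traffic unlogged) or halts (fail closed). Event records are constructed.
"""
from collections import deque

ALERT_TYPES = {"attack", "system_error", "blocked_site"}


class EventLog:
    def __init__(self, capacity, on_full="overwrite", record_if=lambda e: True):
        if on_full not in ("overwrite", "stop", "shutdown"):
            raise ValueError(on_full)
        self.capacity = capacity
        self.on_full = on_full
        self.record_if = record_if
        self.entries = deque()
        self.alerts = []        # events that would be emailed
        self.dropped = 0        # events lost while the log was full
        self.halted = False     # set once a "shutdown" log fills

    def record(self, event):
        """Return True if the event was stored in the log."""
        # Alerts bypass the recording filter: an attack is reported even when
        # the administrator chose not to keep it in the log itself.
        if event["type"] in ALERT_TYPES:
            self.alerts.append(event)
        if self.halted or not self.record_if(event):
            return False
        if len(self.entries) >= self.capacity:
            if self.on_full == "overwrite":
                self.entries.popleft()
            elif self.on_full == "stop":
                self.dropped += 1
                return False
            else:
                self.halted = True
                return False
        self.entries.append(event)
        return True


# Constructed events: in this policy only dropped packets from the WAN side are
# worth keeping, but the attack is alerted on regardless of the filter.
EVENTS = [
    {"type": "dropped_packet", "zone": "WAN", "src": "198.51.100.7", "proto": "tcp", "dport": 23},
    {"type": "dropped_packet", "zone": "LAN", "src": "192.168.1.20", "proto": "udp", "dport": 137},
    {"type": "attack", "zone": "WAN", "src": "198.51.100.7", "name": "flood"},
    {"type": "dropped_packet", "zone": "WAN", "src": "198.51.100.8", "proto": "tcp", "dport": 445},
    {"type": "dropped_packet", "zone": "WAN", "src": "198.51.100.9", "proto": "icmp", "dport": 0},
]


def wan_drops_only(event):
    return event["type"] == "dropped_packet" and event["zone"] == "WAN"


def demo(on_full):
    """Feed EVENTS into a two-entry log with the given log-full policy."""
    log = EventLog(capacity=2, on_full=on_full, record_if=wan_drops_only)
    stored = [log.record(e) for e in EVENTS]
    return {
        "stored": stored,
        "kept": [e["src"] for e in log.entries],
        "alerts": [e["name"] for e in log.alerts],
        "dropped": log.dropped,
        "halted": log.halted,
    }


if __name__ == "__main__":
    for policy in ("overwrite", "stop", "shutdown"):
        print(policy, demo(policy))
```

Run with the three policies, the same five events leave three different records behind: `overwrite` keeps the two most recent drops, `stop` keeps the two oldest and silently loses the third, and `shutdown` keeps the two oldest and marks the device as halted. Which is right depends on whether the log is evidence or an audit guarantee, which is why the product leaves it configurable.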

One of the advances in firewall technology is local caching: storing locally, on the secure side of the firewall, data that has already been retrieved from the Internet. SonicWALL supports what it calls Web Proxy Relay, and where bandwidth is close to fully consumed or there is a natural delay in the retrieval of information, local caching can have a great deal of impact on the apparent performance of the firewall, there being no reason to process the same information repeatedly. Without local caching, the throughput rates are 7Mbps for the standard and DMZ models (running on a 33MHz Motorola CPU) and 80Mbps for the PRO version (running on a 233MHz RISC (Reduced Instruction Set Computer) StrongARM processor).

As an option in the SonicWALL and SonicWALL DMZ, a VPN (Virtual Private Network) is available; it is provided as standard in the SonicWALL PRO. This VPN is IPsec compliant and is compatible with Check Point Software's Firewall-1 VPN along with a number of other manufacturers' VPNs. The VPN operates using 168-bit triple DES, 56-bit DES and 56-bit ARC4. The SonicWALL PRO is due to have an accelerator card for heavy VPN use, which frees up the firewall's processor for firewall data processing. The VPN card gives throughput figures of: 10Mbps for 56-bit DES; 25Mbps for 56-bit ARC4; and 4Mbps for 168-bit triple DES.

Platforms

The SonicWALL is completely self-contained and requires only two 10Base-T connections, or three for the DMZ and PRO models.

Pricing

SonicWALL /10 - 10 user, 2 port version $495, £495
SonicWALL /50 - 50 user, 2 port version $995, £995
SonicWALL Plus - unlimited user, 2 port version $1,795, £1,495
SonicWALL DMZ - 3 port version $1,795, £1,795
SonicWALL Content Filter Subscription - Microsystems CyberNOT URL list $175 - $695 per year
SonicWALL VPN Upgrade - Optional VPN upgrade for SonicWALL products $495 - $695
SonicWALL PRO - 10/100 fast ethernet, VPN as standard $2,995, £2,995
   
 


© 2005 PJNetworks. All rights reserved. Terms and Conditions, Privacy Policy, Links and Trademarks of PJNetworks.

Find us at : DE-85 TAGORE GARDEN, New Delhi -110 027
Ph. : 91-11- 25418860, 25910720 , 25111916 , 52133226
Fax : 91-11-25111915
Mobile : 9818361787
E-mail : support@pjnetworks.com
