Firewall "appliances" - low-cost, turn-key hardware solutions - promise to hide the headaches of host-based firewalls behind a sleek form factor and single-purpose hardware. But questions of integration and enterprise scalability remain.
Thus WatchGuard Technologies, which defined the early market with its signature bright red Firebox 100, showcased its next-generation enterprise-ready system, the Firebox II, at NetWorld+Interop last week.
The Firebox II, managed by the WatchGuard Security System software, offers a smaller, slicker form factor; slightly faster hardware; a new network flash update capability; and a direct software-update subscription service. Additionally, it's still built on a Linux kernel, eliminating the Unix and Windows NT complexity associated with installing and configuring a host-based firewall.
But although the Firebox II lives up to the promise of a simplified appliance solution - providing a unified package with most of the details hidden from the end user - I found some restrictive rough edges that will hinder smooth sailing. Tedious installation and interface weaknesses leave too much room for error and confusion.
To begin with, the installation could be streamlined significantly. A wizard running on a remote Windows PC walked me through setup, but I found it lengthy and too reliant on obscure concepts.
Compounding this, my first attempt at remotely initialising the Firebox II failed, and I was troubled to find no clear instructions on how to proceed. The remote configuration GUI, the Security Management System (SMS) Control Center, would also benefit from notification when a configuration is successful.
WatchGuard's reliance on Linux's IP masquerading created another confusing installation issue. The Firebox II uses IP masquerading to translate between public IP addresses and private Request for Comments (RFC) 1918 addresses. Many other firewalls use the more robust Network Address Translation (NAT). IP masquerading accomplishes essentially the same thing as NAT, but it is limited by the requirement to define a fixed port for any inbound service offered to outside hosts (port forwarding).
Plus, the Firebox II can only be configured to forward DNS and SMTP to masqueraded hosts via the GUI - other inbound services are enabled by editing the configuration file.
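The limitation the review describes follows from how many-to-one masquerading keeps state. The following toy model, added here as an illustration (it is not WatchGuard or Linux kernel code, and its table layout and port-allocation scheme are simplifications chosen for clarity), shows why outbound connections flow through freely while an inbound service only reaches a private host if an explicit port-forward entry exists for that port:

```python
"""Toy model of IP masquerading (many-to-one NAT) with explicit port forwarding.

Added illustration, not code from the Firebox II or the Linux kernel. The
connection table, port allocation and rule format are simplified assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Private address ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Masquerader:
    public_ip: str
    # Static inbound rules: (proto, external port) -> (inside host, inside port).
    # This is the "defined port" the review says every inbound service needs.
    port_forwards: dict = field(default_factory=dict)
    # Dynamic state created by outbound traffic:
    # (proto, public port) -> (inside host, inside port, (remote host, remote port))
    _table: dict = field(default_factory=dict)
    _next_port: int = 40000  # constructed starting point for allocated public ports

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source to the public address and record state.

        Returns the translated (src_ip, src_port, dst_ip, dst_port).
        """
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to masquerade")
        # Reuse an existing mapping for the same flow, otherwise allocate a public port.
        for (p, pub_port), (ip, port, remote) in self._table.items():
            if p == proto and (ip, port, remote) == (src_ip, src_port, (dst_ip, dst_port)):
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self._next_port
        self._next_port += 1
        self._table[(proto, pub_port)] = (src_ip, src_port, (dst_ip, dst_port))
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Decide where a packet arriving at the public address goes.

        Returns (inside host, inside port), or None if the packet is dropped.
        Replies to an outbound flow are matched on the full remote endpoint;
        anything unsolicited is delivered only through a port-forward rule.
        """
        entry = self._table.get((proto, dst_port))
        if entry is not None and entry[2] == (src_ip, src_port):
            return entry[0], entry[1]
        return self.port_forwards.get((proto, dst_port))


def demo():
    """Walk through an outbound web request, its reply, and two inbound SMTP attempts."""
    fw = Masquerader(public_ip="198.51.100.1")  # constructed documentation address
    out = fw.outbound("tcp", "192.168.1.10", 5000, "203.0.113.5", 80)
    reply = fw.inbound("tcp", "203.0.113.5", 80, out[1])
    # Unsolicited SMTP from outside: dropped, no rule defines where port 25 goes.
    dropped = fw.inbound("tcp", "203.0.113.9", 33000, 25)
    # After defining the inbound port, the same packet reaches the mail host.
    fw.port_forwards[("tcp", 25)] = ("192.168.1.20", 25)
    delivered = fw.inbound("tcp", "203.0.113.9", 33000, 25)
    return out, reply, dropped, delivered


if __name__ == "__main__":
    for label, value in zip(("outbound", "reply", "dropped", "delivered"), demo()):
        print(f"{label}: {value}")
```

The model makes the review's point concrete: the dynamic table only ever admits packets that answer an outbound flow, so every service the outside world may initiate (here SMTP on port 25) needs its own static forwarding entry, and a packet to an unlisted port is silently dropped rather than routed by destination address as a one-to-one NAT mapping would allow.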
The Firebox II is remotely configured and managed by SMS and a suite of 32-bit Windows-based applications, whereas other firewalls offer unified, browser-based management. Keeping tabs on these separate tools is a chore; they should be integrated into SMS. WatchGuard does offer a Global Console that attempts to unify the disparate utilities, but it is simply a shell that launches each tool.
SMS also does little to avoid the main Achilles heel of firewalls: misconfiguration. The GUI is icon-based, whereas most firewalls use an ordered rules matrix metaphor; this can lead to confusion.
The Firebox II offers both proxy and stateful inspection services: you have 36 pre-configured services to choose from when designing a security policy, three of which are true proxies (FTP, HTTP, and SMTP). You can also configure custom services and a raw packet-filtering service called "Outgoing".
The Firebox II comes equipped with three 10/100Mbps auto-sensing interfaces. Connected to our shared 10Mbps test LAN, the Firebox II easily dealt with a saturated wire. Intensive probing with Internet Security Systems' Scanner 5.0 didn't uncover any chinks in the Firebox's security armour.
The Firebox II expands its reach via some additional security capabilities: it can authenticate users with its own proprietary database, NT domains, or RADIUS; it can perform URL filtering using WebBlocker, based on Microsystems' Cyber Patrol database; and it offers IP Security Protocol virtual private network capabilities for branch offices and Point to Point Tunneling Protocol functionality for remote users (50 concurrent users maximum).
The new Security Subscription Program, also being announced at NetWorld+Interop, was unavailable for testing at press time, but this service and the beginnings of the Global Console reflect WatchGuard's plans to extend the Firebox into ISP and enterprise network operation centers.
However, the Firebox II needs polish if it is to succeed in these environments. Further refinement (especially in price) will also allow it to contend with strong appliance challengers on the lower end, such as Sonic Systems' SonicWall (see our Enterprise Networking Product Review at www.infoworld.com/printlinks).
Until the management interface shortcomings are smoothed out, the Firebox is no longer the easiest-to-use, cheapest appliance in the kitchen.
The Bottom Line
This firewall is a solid player, but it's hobbled by a cumbersome interface. It is fast and secure but priced at the high end.
Pros: Auto-sensing ports capable of 100Mbps full duplex; secure underlying platform; complexity hidden; proxy and stateful packet inspection services.
Cons: Fragmented management; IP masquerading not as flexible as Network Address Translation; high price.
Platforms: Windows 95, Windows NT.
Price: $8890 (includes branch office VPN software). Graphical monitor $890, historical monitor $990, Web blocker $1950. Enhanced management pack $2660.
(distributor for WatchGuard Technologies) Tel 039 857 4544, www.watchguard.com.