HOW WE DID IT

---

By

     Before testing, we established three sample security policies that an 
organization might support. We called them loose, standard and tight.
     We attached each firewall to our lab network, which is connected to 
the Internet. And we placed two workstations and a protocol analyzer inside 
the firewall.
     We implemented as many of the policies as each firewall supported. For 
each policy, we did simple tests to ensure that the firewall was doing what 
we expected.
     In addition, we tried some basic confidence tests, such as trying to 
communicate across the firewall while it was booting.
     We also attempted to communicate outside the policy to see how well 
and how efficiently each firewall handled logging and alerting.
     In all, we looked at 16 different characteristics, including product 
philosophy and orientation, flexibility, management style, reporting, user 
interface and documentation.