BY JOEL SNYDER
Information Security, March 2004
Original Article on Information Security Web Site
Information Security invited leading firewall vendors who were moving out of the traditional mold and focusing deeply on traffic content. (Read the RFP) Although there are a number of highly specialized firewall products on the market -- such as application-layer firewalls, host-based firewall software and network firewall switches -- we wanted to focus on products that can take on the tasks of a traditional firewall, and do more.
We installed each of the participating firewalls in front of our test network, which contained a combination of Windows and Unix servers along with Macintosh, Windows and Unix clients. We configured the test firewalls with a liberal security policy, and for two weeks, explored how each one let us tighten, further secure and control the network. We also turned on IDS and IPS features in applicable products to see what they detected on the unprotected side of the firewall.
We identified three characteristics that help define advanced firewalls:
Check Point Software Technologies, WatchGuard Technologies, CyberGuard, NetScreen Technologies, Secure Computing and Symantec accepted our invitation. SonicWALL, Whale Communications, Internet Security Systems, Cisco Systems, Microsoft and Network Associates declined to participate, either by choice or, upon consideration, because they didn't meet the criteria.
Specifically, we tested the Secure Computing Sidewinder G2, Symantec Security Gateway 5460, CyberGuard Firewall, NetScreen 5GT and WatchGuard Firebox X2500 as appliances on custom-designed hardware. The Secure Computing Sidewinder G2 and CyberGuard Firewall are sold as appliances based on 1U Intel-based PC hardware customized by the vendor. For testing the Check Point SecurePlatform NG Firewall, we used both custom-designed hardware from Nortel, the Alteon Switched Firewall, and a commodity 1U Intel-based PC from Network Engines.