Firewalls for Safeguarding Windows Networks
By Vincent Ryan
Enterprise Windows IT
Windows networks are ground zero for the security problems plaguing enterprises. While some experts recommend greater operating-system diversification to reduce vulnerability, that piece of advice matters little when your network is already awash in Microsoft server and client products.
But there is hope. Firewall vendors are peddling software and appliance products that provide additional layers of protection against the worms and viruses that exploit weaknesses in Windows software. The following three products all approach the problem differently -- one through personal firewall management, another through gateway enforcement of antivirus protection, and a third through actual application-level inspection.
It's Personal
The spate of attacks aimed at client software is causing many organizations to consider installing endpoint firewalls for each PC on their network. Doing so hides a PC from a port scan, reducing the risk of an attack. "The edge of the network is extremely porous," said Fred Felman, vice president of marketing for Zone Labs. "People walk by the edge of your network on a daily basis. There are huge gaping holes created by e-mail, browser traffic, and encrypted traffic," he told NewsFactor.
But managing all those firewalls is tedious. Zone Labs Integrity is firewall software that ties the personal firewalls of individual Windows clients to one management point. It prevents Trojan horses and other malicious code from getting at enterprise data by restricting network access to approved applications. Integrity also enforces security policies by verifying that clients have the latest versions of OS patches, applications and antivirus signatures, Felman said.
Administrators can choose from two centrally managed security clients that offer different levels of management and user control. Integrity Agent enables central IT policy management with transparent end-user security, and Integrity Flex allows end-users to control their own security policy when disconnected from the corporate network.
"Users may be roaming a hotel or using a PC at home and may need to arbitrate their own security," Felman said. "But when connected to the enterprise network they need to be locked down more securely." The upcoming enhanced version of Integrity will feature the ability to lock out users from gaining access to networks unless they have the appropriate security policies in place.
The Integrity server supports Windows 2000 and Windows 2000 Advanced Server systems, and Integrity clients run on Windows 95 and above. The system is priced at US$65 per seat, and the server software is included with the license.
Virus Police
While many firewall vendors add intrusion-detection capabilities to their products, Sonic Wall, a leader in the market for firewalls for small networks, offers firewall appliances that do traditional stateful packet inspection but also provide gateway-enforced antivirus and content-filtering protection. "One of the biggest problems is that antivirus solutions have no enforcement," said John Gordineer, a product manager at Sonic Wall.
The Sonic 2.0 operating system that is available with Sonic Wall firewall appliances enables policy and object-based management and support for redundant VPN gateways and hardware-accelerated AES encryption. Object-based management features allow administrators to configure multiple security zones for complex networks.
The Sonic Wall PRO 3060 appliance is the company's value play, Gordineer said. It can scale to up to six Ethernet interfaces for subsegmenting a network and features 900 MBps firewall throughput and 30 MBps of VPN throughput. The list price is $2,795.
Gordineer stresses that Sonic Wall can react quickly to widespread virus and worm attacks by pushing things like e-mail attachment signatures to users, offering reduced time to protection.
Packet Opener
At the high end is Secure Computing and application-level protection. Because the latest widespread security threats have attacked specific applications, customers want more than just a stateful inspection device that examines traffic to ports or IP addresses at the network level, said Andrew Stevens, a product marketing manager at Secure Computing.
"Stateful inspection doesn't stop an attack of your Web server, your videoconferencing server, or your Oracle database," Stevens told NewsFactor. Secure's Sidewinder G2 Firewall does stateful inspection and uses application-level proxies to protect a whole set of protocols, including DNS, SMTP mail, FTP and HTTP.
Secure Computing's appliance-based solutions allow enterprises to have a completely integrated solution that's easy to rack mount into a network, Stevens said. Additionally, the company's proprietary operating system that runs its appliances reduces an enterprise's security exposure.
"Administrators are overwhelmed with the number of patches they have to apply for commercial OSes," Stevens said. "Our network administrators have never had to apply a security patch in 10 years on the market."
The management capabilities in Sidewinder also stand out. The product has a Windows-based GUI and also performs cluster management to easily configure multiple firewalls and set them to replicate changes in configuration automatically, Stevens said.
Sidewinder Model 1000 and Model 2000 appliances are targeted at medium to large corporations and provide between 600 Mbps and 1 Gbps of throughput. The Model 1000 is priced at $23,900 and the Model 2000 at $32,900.
Unfortunately, the industry is a long way from producing cheap and readily available solutions for protecting against application-level attacks. "Keeping your Microsoft OS patched is the only solid thing network administrators can do to avoid attacks," Sonic Wall's Gordineer said.
NewsFactor
Posted on Thursday, 30 October 2003 @ 04:50:00 EST by phoenix22