
Comparison: Firewalls

ANS Inc.

InterLock 3.0.6

By Kevin Tolly, John Curtis, and Elke Passarge
InterLock offers numerous application-gateway services for the most important protocols, including ftp (File Transfer Protocol) and HTTP (HyperText Transport Protocol), as well as a generic circuit-level gateway. And unlike some firewalls where certain Unix functions, such as IP forwarding, are simply disabled, ANS has completely removed many of these features to make its product more secure.

InterLock protects its executable binary code with a digital signature: an MD5 digest of the binaries is signed with a public-/private-key pair (MD5 itself is only a hash function; the key pair is what makes the result a signature). The firewall periodically rechecks the code against this signature, but if it detects tampering, it merely logs the event to a file. The unit should shut down or at least terminate services, because a firewall whose gateway binaries have been modified can no longer be trusted to enforce its own rules.

InterLock also has no GUI, and users must configure the firewall through not one, but two standalone applications that have character-based menu interfaces. Users cannot even run these two applications in separate terminal sessions in a Unix window system, which would at least allow both interfaces to be open simultaneously.

Furthermore, the interface inherits Unix case sensitivity in an unhelpful way: menu items are labeled with uppercase characters, but the firewall expects lowercase responses. Entering the uppercase character shown on the menu elicits an invalid-character response.

Possibly even more disconcerting about setting up InterLock is its lack of summary information about the configuration. When defining a rule for a user or group, for example, the interface asks for a name of the user/group, but there is no simple way to list all users within a group. In fact, obtaining a list of current users involves exiting one configuration application and launching the other. ANS tries to remedy this by offering a utility that checks whether a particular user, service, or protocol is covered by a rule in the system, but this is not nearly as effective.

Users who can get past the interface, however, will find valuable features. InterLock supports the separate configuration of ftp Put and Get commands, independent of whether a session was initiated inbound or outbound. It also supports several levels of administrative users, meaning rights and functions can vary according to the user.

Remote management is supported via telnet through an authenticated (Kerberos) and encrypted channel. InterLock users can create multiple configurations offline, which lets customers prototype configurations before implementation.

InterLock's alerts and alert thresholds are preconfigured in the firewall. Alert messages can be logged to a file and then viewed through a Unix text editor or sent via E-mail. An alert condition can also trigger the execution of a user-defined application or script. Unfortunately, this is the only way to guarantee the quick notification of a problem. Even calling a pager requires that a user create a Unix script.

The only alert InterLock displays on its system console is an indication that a spoofing attempt has occurred. ANS says that a future release will support alert-notification configuration.

The firewall stores log information in separate files according to protocol. This means users cannot search a single log for all violations; a source that is denied first on telnet and then on HTTP, for example, shows up in two different files. By default, log information is discarded after 10 days, but users can reconfigure this duration.
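The workaround a practitioner would build for the per-protocol logs, as an added example that is not ANS code: merge the protocol files into one time-ordered stream, then search that stream for all denials and for sources denied on more than one protocol, which is exactly what per-file review hides. The line format, the field names and the sample log lines are constructed for illustration; the review does not show InterLock's real log format, so a real script would need its own parser for that.

```python
"""Added example (not ANS code): one search across per-protocol logs.

InterLock writes a separate log file per protocol, so there is no single
file to search for all violations. This script merges the per-protocol
files into one time-ordered stream and filters it. The line format and
the sample lines are constructed for illustration; InterLock's real
format is not shown in the review.
"""
from datetime import datetime, timedelta
import re

# Constructed format: "<date> <time> <ACTION> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z]+) (?P<rest>.*)$"
)

# Constructed sample logs, keyed by protocol as the firewall would split them.
SAMPLE_LOGS = {
    "ftp": [
        "1996-11-03 14:02:11 ALLOW user=alice src=10.1.1.5 dst=192.0.2.10 cmd=GET",
        "1996-11-03 14:05:40 DENY user=bob src=10.1.1.9 dst=192.0.2.10 cmd=PUT reason=no-put-rule",
    ],
    "http": [
        "1996-11-03 14:03:02 ALLOW user=alice src=10.1.1.5 dst=192.0.2.80",
        "1996-11-03 14:04:15 DENY user=- src=198.51.100.7 dst=192.0.2.80 reason=auth-failed",
    ],
    "telnet": [
        "1996-10-20 09:12:00 DENY user=- src=198.51.100.7 dst=192.0.2.1 reason=auth-failed",
    ],
}


def parse_line(protocol, line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "protocol": protocol,
        "action": m["action"],
        **fields,
    }


def merge_logs(logs):
    """Flatten {protocol: [lines]} into one list ordered by timestamp."""
    events = [e for proto, lines in logs.items()
              for e in (parse_line(proto, ln) for ln in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def violations(events, since=None):
    """All DENY events across every protocol, optionally within a time window."""
    return [e for e in events
            if e["action"] == "DENY" and (since is None or e["ts"] >= since)]


def repeat_offenders(events, min_protocols=2):
    """Sources denied on several protocols: invisible when reading one file at a time."""
    hits = {}
    for e in violations(events):
        hits.setdefault(e["src"], set()).add(e["protocol"])
    return {src: sorted(p) for src, p in hits.items() if len(p) >= min_protocols}


def retained(events, now, days=10):
    """Apply the review's 10-day default retention to the merged stream."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["ts"] >= cutoff]


if __name__ == "__main__":
    evs = merge_logs(SAMPLE_LOGS)
    for v in violations(evs):
        print(v["ts"], v["protocol"], v.get("src"), v.get("reason"))
    print(repeat_offenders(evs))
```

Note what the 10-day default costs here: the telnet denial from 198.51.100.7 falls outside the retention window of the later HTTP denial from the same source, so with the default setting the cross-protocol pattern would already have been discarded before anyone went looking for it.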

InterLock's accounting reports, which list usage statistics in several ways (by service, file-transfer activity, connection time, and so on), are valuable. The product even calculates changes in usage over time and can report activity on all open connections.

Authentication is supported through Security Dynamics Technologies Inc.'s SecurID, Enigma Logic Inc.'s DES Gold Card, and reusable passwords, but for only three services: ftp, HTTP, and telnet (including telnet to the firewall for management). The firewall does support Socks, but Socks authentication is less secure than the other mechanisms because the identification is performed by the client, so the firewall is trusting what the client asserts about the user.

(Note: Socks is a scheme in which a Socks-compatible client is authenticated by a Socks server. In the case of a firewall, the server usually runs on the firewall--before a session begins. One advantage to this is that noninteractive applications, which cannot prompt users for an authenticating password, can be authenticated.)

InterLock supports only firewall-to-firewall encryption using Kerberos.

INTERLOCK 3.0.6

Summary: InterLock offers a strong combination of application-gateway and circuit-level-gateway technologies, and it supports more protocols through application-gateway services than any other product we tested.

Also, while many firewalls simply disable built-in forwarding mechanisms in Unix, InterLock removes them completely.

On the downside, only Unix pros can make sense of InterLock's user interface, and the product offers limited alert management.

List price: $38,000; $19,000-$25,000, lease price, including hardware

Criterion                     Weight   Nodes
Architecture                     400     5.0
Configuration management         200     1.5
Alert management                 200     2.5
Authentication                   100     2.5
Encryption                        50     2.5
Platform, topology, support       50     4.0
Score (weighted)                         3.4