CheckPoint Software Technologies Inc.
Firewall-1 2.0
By Kevin Tolly, John Curtis, and Elke Passarge
Firewall-1 combines the standard application-gateway function, a circuit-level gateway, and a streamlined application-gateway equivalent--which CheckPoint terms stateful inspection. The product ships with stateful-inspection proxies for more than 100 IP services and provides an IP proxy with dynamic address assignment.
Most of CheckPoint's application- and protocol-recognition functions occur in the firewall kernel and not in user mode, where application gateways typically operate. This means data doesn't have to transfer among OS layers during processing.
CheckPoint claims this gives Firewall-1 a performance advantage because the firewall examines only the protocol-security portion of each packet. In other words, the firewall acts as a sophisticated circuit-level gateway with some application recognition. According to the company, under this architecture the product retains all of the necessary components of protocol analysis.
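To make the stateful-inspection idea above concrete, here is an added sketch (written for this review, not CheckPoint's code) of the connection table such an inspector keeps: a flow opened from the protected side is recorded, and from the outside only the return half of that flow is admitted, with no per-service proxy relaying the data. Addresses, ports and the idle timeout are constructed values.

```python
import time

IDLE_TIMEOUT = 60.0   # constructed value: seconds an idle flow stays in the table

class ConnectionTable:
    """Connection table a stateful inspector keeps. Flows opened from the
    protected side are recorded; from the outside only their return traffic
    is admitted, so no per-service proxy has to relay the data."""

    def __init__(self):
        self.flows = {}   # (src, sport, dst, dport) -> time last seen

    def _expire(self, now):
        for key, seen in list(self.flows.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.flows[key]

    def inspect(self, pkt, now=None):
        """pkt: dict with src, sport, dst, dport, flags (set of TCP flag names)
        and direction ('out' = from protected net, 'in' = from outside).
        Returns 'accept' or 'drop'."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["direction"] == "out":
            # A bare SYN from inside opens a new flow; anything else must belong
            # to a flow already in the table.
            if pkt["flags"] == {"SYN"} or key in self.flows:
                self.flows[key] = now
                return "accept"
            return "drop"
        # Inbound: admitted only as the reverse of a flow opened from inside.
        if reverse not in self.flows:
            return "drop"
        if "RST" in pkt["flags"]:
            del self.flows[reverse]   # connection torn down: forget the state
        else:
            self.flows[reverse] = now
        return "accept"
```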
If Firewall-1 crashes, IP forwarding is turned off during rebooting. Once the configuration has been verified, IP forwarding will be turned on again. This ensures that the internal network remains protected if a system crash somehow alters the firewall's operational status.
Another plus is Firewall-1's user interface. It features a central rule base, which is used to configure services for forwarding or blocking, and a verification function, which checks the setup of the rule base for possible holes or user-configuration errors. And because it includes icons for most features, the product is difficult to misconfigure. The only thing the interface seems to lack is online, context-sensitive help, although a complete online manual is included.
The interface's central rule base is based on objects, which can represent such things as hosts, networks, protocols, user groups, and individual users. Network administrators must first create an object to symbolize the host or network by its IP address and then create a rule for that object. This seems like extra work, but the advantage is that administrators can directly specify a device by IP address or network.
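The object-first rule base and the rule-base verification function described in the two paragraphs above, modelled as an added example (not CheckPoint's code; object names, addresses and rules are constructed): objects are defined before any rule can name them, the first matching rule decides a packet, and verify() reports the kind of holes a checker should catch, a wide-open accept and a rule an earlier, broader rule shadows.

```python
from ipaddress import ip_network, ip_address

# Objects are created first; every rule refers to them by name (hosts, networks,
# services). All values here are constructed for the example.
OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "internal-net": ip_network("10.1.0.0/16"),
    "mail-host": ip_network("10.1.2.25/32"),
}
SERVICES = {"any": None, "smtp": 25, "http": 80}   # None = every port

def rule(src, dst, service, action):
    """Build one rule; referencing an undefined object is rejected at definition time."""
    for name in (src, dst):
        if name not in OBJECTS:
            raise KeyError(f"undefined network object {name!r}")
    if service not in SERVICES:
        raise KeyError(f"undefined service {service!r}")
    return {"src": src, "dst": dst, "service": service, "action": action}

def _matches(r, src_ip, dst_ip, dport):
    port = SERVICES[r["service"]]
    return (ip_address(src_ip) in OBJECTS[r["src"]]
            and ip_address(dst_ip) in OBJECTS[r["dst"]]
            and (port is None or port == dport))

def decide(rules, src_ip, dst_ip, dport):
    """First matching rule wins; a packet no rule matches is dropped."""
    for r in rules:
        if _matches(r, src_ip, dst_ip, dport):
            return r["action"]
    return "drop"

def _covers(broad, narrow):
    """True when every packet matching `narrow` also matches `broad`."""
    return (OBJECTS[narrow["src"]].subnet_of(OBJECTS[broad["src"]])
            and OBJECTS[narrow["dst"]].subnet_of(OBJECTS[broad["dst"]])
            and SERVICES[broad["service"]] in (None, SERVICES[narrow["service"]]))

def verify(rules):
    """Report configuration holes: wide-open accepts and rules an earlier rule shadows."""
    problems = []
    for i, r in enumerate(rules):
        if r["action"] == "accept" and r["src"] == "any" and r["service"] == "any":
            problems.append(f"rule {i}: accepts any service from any source")
        for j in range(i):
            if _covers(rules[j], r):
                problems.append(f"rule {i}: never reached, shadowed by rule {j}")
                break
    return problems
```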
Most firewalls allow users to access services by configuring a single message for a successful ftp connection and for a failed ftp attempt. However, Firewall-1 configures network responses by protocol--meaning users can enable or disable the response to any failed attempt in the rule for a particular protocol.
Although we tested a system with the firewall and configuration application running on the same platform, CheckPoint offers remote management over an encrypted channel authenticated with Bellcore Inc.'s S/Key. This configuration lets users manage multiple firewalls from one location. Firewall-1 also lets users create multiple configurations offline and save them for later prototyping.
For alert management, Firewall-1 offers a generous selection of user-configurable logging and alerting features. Log entries provide descriptive and thorough information. Also, the Firewall-1 log viewer lets users search the log information by criterion--no Unix scripts need to be written.
Users can program the firewall to send alerts via an SNMP trap, an E-mail message, or a message to the system console. The on-screen alerts are cryptic, however, and users might have to read the log files to understand certain events. CheckPoint also includes user-defined alerts and a script for pager support. Curiously, the firewall can enable only one alert method per alert.
For authentication, Firewall-1 supports SecurID, S/Key, internal Firewall-1 password authentication, and reusable passwords. It also provides the unique capability to authenticate a session before it begins. So once a circuit is opened for a specified connection, a user can connect through the firewall without further interaction with the authentication process.
Firewall-1 offers more encryption options than many of the other products we tested. Digital Encryption Standard (DES) technology is provided for firewall-to-firewall encryption, as well as a proprietary Firewall Zone-1 encryption. And support for IPsec, an IP encryption scheme under development, is planned for a future release. PC-to-firewall encryption will soon be available for Firewall-1.
Summary: Firewall-1 combines the standard application gateway, a circuit-level gateway, and a streamlined application-gateway equivalent, known as stateful inspection, running in the system kernel. The product offers stateful-inspection proxies for more than 100 IP services, an IP proxy with dynamic address assignment, and one of the best GUIs.
However, its lack of online help and nonstandard terminology can confuse even a seasoned firewall user.
A Microsoft Windows NT/Intel version of Firewall-1 is expected soon.
List prices: $4,990, fewer than 50 users; $9,990, 50-250 users; $18,900, unlimited
Criterion | Weight | Nodes
--- | --- | ---
Architecture | 400 | 4.5
Configuration management | 200 | 3.0
Alert management | 200 | 4.0
Authentication | 100 | 4.0
Encryption | 50 | 3.0
Platform, topology, support | 50 | 4.0
Score | | 4.0
Other stories in this comparison:
- Overview: Defending the Front Line
- Executive Summary
- Test Methodology
- Score Card
- Firewall Design Glossary
Individual product evaluations:
- ANS Inc. InterLock 3.0.6
- Digital Firewall for Unix 1.0
- IBM Secured Network Gateway for AIX V2R1
- Raptor Systems Inc. Eagle 3.1
- Secure Computing Corp. Sidewinder 2.2
- Trusted Information Systems Inc. Gauntlet 3.1