SonicWall has long been well-known in the SOHO firewall market for selling simple-to-use, feature-rich, inexpensive firewalls. When combined with SonicWall Global Management System (GMS) 2.0, SonicWall's solution stands out as a solid platform to manage large numbers of firewalls. Strong centralized management, centralized logging and value-added security features, like Web blocking, make this a good choice. The one downside to SonicWall's solution is that the products have to be licensed online before use, which takes time.
GMS has some nice management features not found in the other products. Unique among the management stations we tested are GMS' multiple views, which let administrators organize their managed firewalls in different ways. For example, we created one view that organized the firewalls by product type and another that organized them by group affiliation. Switching views changes how the firewalls are presented.
Tiered administration within the SonicWall GMS is far more detailed than in any other management station in this review. On a per-administrator basis, we could configure three choices -- no access, read access and read/write access -- for nearly every firewall configuration option. We could define which groups or even which specific firewalls an administrator had access to.
After logging into GMS, an administrator is presented with only the options to which he or she has read or read/write access. For example, we created an auditor that was able to view the GMS but not make any changes.
SonicWall's stateful packet-filtering firewall and VPN fit our basic testing criteria. Creating a firewall policy with it is no different from doing so with any other stateful packet-filtering firewall: Define the source and destination networks, assign the services and the time of day/week, and the rule is set.
Unlike in single-firewall management, in which changes take effect immediately, all GMS configuration tasks, including policy changes, are made through a scheduler. The scheduler is somewhat crude in that you can set only one time slot at which all pending tasks run, though tasks that require immediate execution can be triggered manually. We would like to be able to set a separate start time for each task.
During testing, we set firewall rule sets and created a number of VPNs between sites. We then disconnected a few firewalls and set the tasks for immediate execution. Tasks that ran successfully were removed from the task list, while failed tasks remained in the queue with a status showing that the firewall was not available; a task stays queued until it runs successfully. Each task's status also showed the changes made to the firewall and which administrator made them, giving us an audit trail of changes.
Creating a VPN is straightforward, as long as all the devices are in the same view. We created a mesh VPN between two groups by selecting their group and selecting the VPN menu item. In the summary tab, we first had to enable the VPN. Next, we configured the VPN by selecting preshared secret IKE (Internet Key Exchange) and using interconnected mode, which let us choose the destination gateways from within GMS. Because the peer SonicWall firewalls are known to GMS, it already knows the gateway addresses and the subnets protected by those peers, so we didn't have to re-enter them. If we were not using interconnected mode, we would have had to enter the IP address and the subnets protected by those peers manually. The tasks were then scheduled and run successfully.
When you install GMS, it must reside on the private side of a SonicWall Pro-VX. All management traffic passes through the Pro-VX to the remote firewalls over VPN tunnels, and during installation of the firewalls we had to enter the encryption key for each management tunnel by hand. Why SonicWall didn't use preshared-secret IKE, which its own site-to-site VPNs support, is beyond us. And management traffic between the GMS and the private side of the Pro-VX is in the clear, which is bad.
SonicWall's response when we questioned that strategy was that the GMS sits in the NOC, and that ought to be trusted traffic. We would like to see a more secure model, like WatchGuard's or Lucent's, in which all communication between management and the devices is encrypted. It's not that hard; it takes just a few function calls.
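To make concrete what preshared-secret IKE buys over the hand-entered tunnel keys criticized above, here is an added Python sketch of a PSK-authenticated ephemeral Diffie-Hellman exchange in the style of IKE's preshared-key mode, placed beside manual keying for contrast. It is neither SonicWall's management protocol nor a real IKE implementation; the preshared secret, device names and static key are constructed values, and the DH group is the 1024-bit MODP group 2 of RFC 2409 as transcribed here.

```python
"""Preshared-secret key agreement versus hand-entered tunnel keys.
Added illustration: not SonicWall/GMS code and not a real IKE implementation.
Constructed values: the preshared secret, device names and the static
'manual' key.  DH group: the 1024-bit MODP group 2 of RFC 2409 (generator 2),
transcribed here."""
import hashlib
import hmac
import secrets

MODP_1024 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2
P_BYTES = (MODP_1024.bit_length() + 7) // 8


class AuthFailure(Exception):
    """The peer could not prove knowledge of the preshared secret."""


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for IKE's prf(); HMAC-SHA256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(P_BYTES, "big")


class Peer:
    """One tunnel endpoint: a managed firewall or the management gateway."""

    def __init__(self, name: str, psk: bytes):
        self.name = name.encode()
        self.psk = psk
        # Fresh ephemeral exponent and nonce for every negotiation: nothing
        # here is typed in by an operator or reused across tunnels.
        self.x = secrets.randbelow(MODP_1024 - 3) + 2
        self.nonce = secrets.token_bytes(32)
        self.pub = pow(GENERATOR, self.x, MODP_1024)

    def hello(self):
        """First message on the wire: identity, nonce, DH public value."""
        return self.name, self.nonce, self.pub

    def derive(self, peer_hello, initiator: bool):
        """Return (session_key, my_auth_tag, expected_peer_tag)."""
        peer_name, peer_nonce, peer_pub = peer_hello
        if not 1 < peer_pub < MODP_1024 - 1:
            raise ValueError("degenerate DH public value")
        gxy = to_bytes(pow(peer_pub, self.x, MODP_1024))
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyid = prf(self.psk, ni + nr)           # bound to the preshared secret
        session_key = prf(skeyid, gxy + ni + nr)  # bound to the ephemeral DH result
        my_tag = prf(skeyid, to_bytes(self.pub) + to_bytes(peer_pub) + self.name)
        peer_tag = prf(skeyid, to_bytes(peer_pub) + to_bytes(self.pub) + peer_name)
        return session_key, my_tag, peer_tag


def establish(initiator: Peer, responder: Peer) -> bytes:
    """Run the exchange end to end and return the agreed traffic key."""
    k_i, tag_i, want_r = initiator.derive(responder.hello(), initiator=True)
    k_r, tag_r, want_i = responder.derive(initiator.hello(), initiator=False)
    # Second round trip: each side sends its tag, the other side verifies it.
    if not (hmac.compare_digest(tag_r, want_r) and hmac.compare_digest(tag_i, want_i)):
        raise AuthFailure("preshared secret mismatch; no key installed")
    if k_i != k_r:
        raise AuthFailure("key derivation disagreement")
    return k_i


def negotiate_tunnels(psk: bytes, count: int) -> list:
    """IKE-style: one negotiation per tunnel, each yielding its own key."""
    return [establish(Peer("gms-gateway", psk), Peer(f"branch-fw-{i}", psk))
            for i in range(count)]


def manual_tunnel_keys(operator_key: bytes, count: int) -> list:
    """Manual keying as the review describes: one operator-typed static key,
    loaded into every tunnel and never rotated."""
    return [operator_key] * count


if __name__ == "__main__":
    psk = b"constructed-preshared-secret"
    print([k.hex()[:16] for k in negotiate_tunnels(psk, 3)])
    print([k.hex() for k in manual_tunnel_keys(b"static-manual-key", 3)])
    try:
        establish(Peer("gms-gateway", psk), Peer("rogue", b"wrong-secret"))
    except AuthFailure as exc:
        print("rogue peer rejected:", exc)
```

The contrast is the point: every negotiation yields a fresh traffic key that never passes through an operator's hands, and a peer that lacks the secret fails authentication before any key is installed. Manual keying gives one static key per tunnel that stays valid until someone remembers to change it on both ends.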
Pro-VX, $4,995; XPRS2, $1,795; SOHO2, $495; SonicWall GMS (Global Management System) 2.0, starts at $4,995. SonicWall, (408) 745-9600, (888) 557-6642; fax (408) 745-9300. www.sonicwall.com
Lucent Technologies VPN Firewall Brick and Lucent Security Management Server
Lucent's offering of LSMS and the Brick 80 and 201 delivers a range of features that will fit well into a service-provider network. More important, the LSMS has advanced features, such as tiered management, detailed status monitoring and logging tools, simple hardware recovery, and the ability to make sweeping changes to firewall policies from a central location. Add in LSMS failover for management redundancy, and you have a solid firewall management platform. The price of 1,000 Brick 20s is $747,500. That places it toward the lower end of the range, between Nortel's $503,000 and SonicWall's $1.8 million. Lucent's Brick has some unique features, such as integrated failover, transparent network integration and 802.1Q VLAN support across the entire product line.
As with the other solutions we tested, firewalls are placed into logical groups when they are installed into the management system. Since we were testing a service-provider model, we created a number of customers. Each customer had its own unique set of Bricks, policies, users and administrators. Any changes to one customer were isolated from others.
The access controls are somewhat crude when compared with SonicWall's more detailed set. Lucent defines three broad categories for administrative access control: devices; policies and VPNs; and users and user groups. The possible permissions for each category are view, full or none, and Lucent has predefined every permutation except none/none/none, which would be useless anyway. The LSMS supports split management: we added administrators who were assigned to a specific set of customer firewalls and could view and manage that set.
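The two tiered-administration schemes described so far (GMS' per-option grants scoped to groups or individual firewalls, with the read-only auditor from the SonicWall section, and Lucent's per-customer view/full/none categories) share one shape: a scope check followed by a per-option access level. The Python below models that shape as an added example, not GMS or LSMS code; the tenants, groups, device names and option names are constructed.

```python
"""Tiered administration as the GMS and LSMS sections describe it: per-admin
scope (customer, group or individual firewall) plus per-option access levels.
Added illustration, not GMS or LSMS code; tenants, groups, devices and option
names are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # GMS "no access"  / Lucent "none"
    READ = 1   # GMS "read"       / Lucent "view"
    WRITE = 2  # GMS "read/write" / Lucent "full"


@dataclass(frozen=True)
class Firewall:
    name: str
    customer: str                      # Lucent-style tenant owning the device
    groups: frozenset = frozenset()    # GMS-style group affiliations


@dataclass
class Admin:
    name: str
    customers: frozenset = frozenset()  # tenant-wide scope
    groups: frozenset = frozenset()     # group scope within those tenants
    devices: frozenset = frozenset()    # specific firewalls
    options: dict = field(default_factory=dict)  # option name (or "*") -> Access

    def __post_init__(self):
        # Lucent omits the none/none/none permutation; refuse it here too.
        if not any(level > Access.NONE for level in self.options.values()):
            raise ValueError(f"{self.name}: an all-none grant is useless")

    def in_scope(self, fw: Firewall) -> bool:
        """Scope is checked first: out-of-scope devices are invisible, so one
        customer's admins never see (let alone change) another customer's Bricks."""
        if self.customers and fw.customer not in self.customers:
            return False
        if not self.groups and not self.devices:
            return bool(self.customers)          # tenant-wide administrator
        return bool(fw.groups & self.groups) or fw.name in self.devices

    def access(self, fw: Firewall, option: str) -> Access:
        if not self.in_scope(fw):
            return Access.NONE
        return self.options.get(option, self.options.get("*", Access.NONE))

    def can(self, fw: Firewall, option: str, action: str) -> bool:
        needed = Access.WRITE if action == "write" else Access.READ
        return self.access(fw, option) >= needed

    def menu(self, fw: Firewall, all_options) -> list:
        """What the console shows after login: only options with read or better."""
        return sorted(o for o in all_options if self.access(fw, o) >= Access.READ)

    def visible_firewalls(self, fleet) -> list:
        return sorted(fw.name for fw in fleet if self.in_scope(fw))


# Constructed fleet: two tenants, GMS-style groups inside them.
OPTIONS = ("rules", "vpn", "users", "logging")
FLEET = [
    Firewall("syr-fw-1", "acme", frozenset({"branch"})),
    Firewall("syr-fw-2", "acme", frozenset({"branch"})),
    Firewall("hq-fw", "acme", frozenset({"hq"})),
    Firewall("globex-fw", "globex", frozenset({"branch"})),
]
# The auditor from the GMS test: sees everything for acme, changes nothing.
AUDITOR = Admin("auditor", customers=frozenset({"acme"}), options={"*": Access.READ})
# Branch operator: edits rules on acme's branch group only; user admin is hidden.
BRANCH_OPS = Admin("branch-ops", customers=frozenset({"acme"}), groups=frozenset({"branch"}),
                   options={"rules": Access.WRITE, "vpn": Access.READ, "logging": Access.READ})
# Lucent-style tenant admin: its three coarse categories are just three option names.
GLOBEX_ADMIN = Admin("globex-admin", customers=frozenset({"globex"}),
                     options={"devices": Access.WRITE, "policies_and_vpn": Access.WRITE,
                              "users_and_groups": Access.READ})

if __name__ == "__main__":
    fw = FLEET[0]
    print(AUDITOR.name, AUDITOR.menu(fw, OPTIONS), AUDITOR.can(fw, "rules", "write"))
    print(BRANCH_OPS.name, BRANCH_OPS.visible_firewalls(FLEET), BRANCH_OPS.menu(fw, OPTIONS))
    print(GLOBEX_ADMIN.name, GLOBEX_ADMIN.visible_firewalls(FLEET))
```

Putting the scope check ahead of the option lookup is what makes the customer isolation hold: a group name such as "branch" that happens to exist in two tenants never lets an admin cross from one to the other, and an option the admin has no grant for simply does not appear in the menu.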
Of the firewalls we looked at, the Bricks were by far the simplest to install. Like all firewalls, the Bricks required us to preconfigure the IP networking and install an initial policy. First, we created the Brick in the LSMS and configured the networking. Then we applied policies to the Brick. After those three steps, we created a boot disk for that specific Brick. To install the firewall, we ran cable to the network, plugged in the power, put the boot disk in the disk drive and powered it up.
When the Brick boots, it installs the software and configuration files. After a minute or two, we removed the disk and rebooted. Once the Brick is up, it tries to connect to the LSMS and download any new policies. If successful, you're in business. If for some reason the Brick fails, replacement hardware can be shipped and the original boot disk used to recover the system.
Managing the security policies on the Bricks is slightly out of the ordinary. The traditional single security policy per firewall doesn't work here. The Brick uses zones, which contain firewall and VPN rules. The zones are then applied to interfaces.
We created one zone for our customers in Syracuse, N.Y., and applied it to all the Syracuse firewalls. Altering the zone changes all the firewalls. Multiple zones can be applied to a single interface. We created one zone for a subnet range and a separate zone for another range. When Bricks are moved to a different customer, the zones are moved as well. If the zone doesn't exist in the new customer, it is added and the appropriate changes are made.
Of course, an audit trail is critical with any security offering. Lucent's administrative auditing function is cryptic when compared with SonicWall's Scheduler history, Nortel's Optivity NCS and WatchGuard's Editing History, but by building reports we could re-create the steps administrators took while configuring and monitoring the Lucent Bricks.
Lucent VPN Firewall Brick 20, $1,495; Brick 80, $3,995; Brick 201, $8,995 to $15,490; Lucent Security Management Server (LSMS) 6.0, starts at $5,500.
Lucent Technologies, (908) 582-8500, (888) 4-LUCENT; fax (314) 317-6480. www.lucent.com