Nortel's Contivity product line is best known for VPN. But the Contivity products also have a built-in stateful packet-filtering firewall, as well as optional support for a Check Point FireWall-1 enforcement module. Nortel chose to activate just the Contivity firewall.
We found adequate management via the Optivity NCS management station. Unfortunately, the Contivitys don't offer the additional security features found in SonicWall's products, such as content and URL filtering, nor was the network installation as seamless as with Lucent's Brick. If you have experience with other Nortel products managed via NCS, you have a leg up.
As with the SonicWall product, we placed NCS behind a Contivity, which encrypted all management traffic to the other Contivitys; management traffic between the NCS and the Contivity it sat behind, however, passed in the clear. If you want that traffic encrypted too, you can place Optivity NCS outside the VPN and install a VPN client on the host machine. We placed Optivity on the inside.
Installing a new device into Optivity is straightforward. On the Contivity, we connected a serial cable and set basic IP addressing information. For each Contivity, you need two IP addresses on the same subnet. One IP is the device address, while the second is used exclusively for management. Next we connected via a Web browser and created a VPN between the SOHO and the central-site Contivitys and set it as a control channel, meaning we could talk only to the management IP address.
Once that was completed, we imported the Contivity into Optivity. The import brings in all the current configuration data. Any configuration changes that are made are likewise exported to the Contivity. Exports can be run immediately or scheduled for later.
Unlike the other products we tested, Nortel's solution offers no online status console. The closest we got were the Health-Check pages that you could bring up one device at a time. Split management is similar to WatchGuard's, in which access control is targeted at the management server and not at the devices.
Contivity 600, $2,400; Optivity NCS, $6,995 (250 elements), $6,000 (2,500 elements upgrade). Nortel Networks, (800) 466-7835. www.nortelnetworks.com
WatchGuard Technologies Firebox 1000/2500 and WatchGuard NOC Security Software
WatchGuard was one of the first firewall vendors to go after the managed firewall market. At the time, MSS was cutting edge because of its distributed approach. The firewalls themselves are feature-rich, proxy-based units, unique among the products in this review. The added support for URL blocking, content filtering and e-mail-attachment stripping clearly adds to a more controllable security stance. However, the MSS management station has some odd quirks that contribute to the workload, and tiered management is not available. Each administrator maintains the local configuration database. MSS has a robust reporting feature, and policy changes do require the administrator to enter text, ostensibly to document the change. However, with a price nearly 10 times higher than the cost of the lowest-priced competitor, WatchGuard's solution requires some serious justification.
Adding the firewalls to the network is a multistep process not unlike those for SonicWall and Nortel. Through the use of policy templates, we needed to choose only the template and enter in the addressing information. Once configured, the Firebox was ready to be shipped out.
However, we had to add the firewall objects into MSS twice -- once to manage and configure the firewall and a second time to configure the VPN facilities. Twice the work means twice the opportunity for error. Additionally, every configuration change to the Firebox requires a reboot, which is disruptive to the end user.
WatchGuard's VPN manager is probably one of the simplest on the planet. We opened the VPN manager and, with a quick drag-and-drop, created a VPN between devices and groups of devices. It was that simple. WatchGuard's Global Policy Manager (GPM) sent the configuration changes to the Fireboxes, and we were done.
Firebox 2500, $7,490; Firebox 1000, $4,990; WatchGuard NOC Security Software, $83,395. WatchGuard Technologies, (206) 521-8340, (877) 232-3531; fax (206) 521-8342. www.watchguard.com
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs® and covers all security-related topics. Prior to joining Network Computing, he worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.