The Brick 1000 can run in routed or NAT mode, but it can also run completely transparent to IP networks in transparent mode. This means that it is bridging the packets instead of routing them or doing NAT. The advantage of this is that it could be easily inserted into an existing IP network without reconfiguring the network addresses. The Brick 1000 also recognizes 802.1Q/p VLAN trunks in all three modes, which means you can use it to tap into a VLAN trunk without reconfiguring the VLANs on the switches. In contrast, the NetScreen device cannot handle VLANs in transparent mode. With the Brick, we were able to easily carve up each interface into multiple "zones." A zone uniquely identifies the area being protected as well as the associated VLANs and security policies. Each zone could have one or more unique VLANs associated with it, along with its own administrators with various levels of read and write access to the policies associated with that zone.
The slick and powerful Lucent LSMS software made configuration and management of the Bricks a smooth operation. LSMS consists of a server product that can run on a Windows NT/2000 or Solaris box as well as a Java-based application called Navigator. LSMS made it a cinch to configure the Brick appliances by saving the configuration to a diskette, which was used to boot the Brick. Once booted, changes could be instituted directly from the GUI. Everything from VLAN reconfiguration to security-policy updates could be managed with ease. In addition, it's possible to set up users with read-only or write access. Individual users could be tech support employees responsible for a particular customer, or even a representative from the customer itself. In the latter case, we suggest providing read-only access -- you'll save yourself a lot of trouble later on.
We liked the fact that we could save multiple configurations, which makes it possible to easily back out of a rule change that caused problems. It also creates a trail of changes, making it easier to address problems that may be reported at a later date.
The LSMS came with a number of dashboards, which made it very easy for us to monitor all aspects of the firewall's performance. There were graphs and counters indicating such stats as CPU utilization, total active sessions, total packets in and out and the total megabits per second appearing on a port. We could track the number of users logged in as well as the total number of VPN tunnels.
The reporting tools provided by LSMS were superior. One thing is certain: A firewall with a gigabit interface will generate millions of log entries per day. Anything that can be done to parse the data will be invaluable. The LSMS log-viewing and reporting apps make it possible to filter the logging data based on time of day, IP address, interfaces and services. And it is possible to find entries showing dropped packets. This can be very helpful when troubleshooting access problems that are rightly or wrongly blamed on the firewall.
It was a very straightforward and intuitive process to set up and maintain rules in a security policy. Adding and inserting rules was painless, and we especially liked that we could use buttons to easily move a rule to a different place in the policy. Another very nice feature was the ability to add an 80-character description to each rule. This can be used to record the date a rule was added or even why it was added. Our only complaint was that we didn't get more room, but because the NetScreen-500 didn't have any field for adding a description or comment, we didn't get too worked up.
In performance tests, the Brick 1000 surpassed the NetScreen-500 in raw gigabit performance (see how we tested raw gigabit performance), but the two were pretty even when it came to maintaining TCP connections.
VPN Firewall Brick Model 1000, Price: refer to features chart, Lucent Technologies, (732) 615-2908, (800) 621-9578; fax: (732) 615-2776.
www.lucent.com/security