Along with protecting your organization from the ravages of the Internet, you may want to provide controls between different parts of your own network. For instance, you may want to protect hosts containing confidential administrative information on one network from potential hackers within your organization. This is a more obvious problem for universities where students with computer connections in their dorm rooms may have free time to develop and demonstrate their skills, but the risk still exists for corporate environments.
Most firewalls have logging features that provide recording and monitoring functions to document activities by time of day and IP address. In some cases, if a pattern develops that is characteristic of a break-in attempt, all communications with the host involved can be turned off automatically or manually. Many firewalls are also capable of sending an e-mail or dialing a pager under certain conditions to alert a manager. The log can be used as evidence if you attempt to prosecute a suspected hacker, but only if the firewall's clock is accurate and the records are kept where an intruder who gets into the firewall cannot alter them.
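The kind of pattern the previous paragraph refers to is easy to state as a rule: one outside address refused on many different ports of the same target in a short time is probing, not using, your network. The following is an added example, not code from the article or from any firewall product; the log format (timestamp, source, destination:port, action) and the log lines themselves are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogEntry is one parsed firewall log record: when it happened, who sent it,
// where it was going, and whether the firewall let it through.
type LogEntry struct {
	When    time.Time
	SrcIP   string
	DstIP   string
	DstPort string
	Action  string // "ACCEPT" or "DENY"
}

// Constructed sample log in a hypothetical space-separated format. These
// lines are made up for the example; they are not from any real product.
const sampleLog = `1996-03-01T09:00:01Z 10.1.1.5 192.0.2.10:80 ACCEPT
1996-03-01T09:00:03Z 10.1.1.7 192.0.2.10:25 ACCEPT
1996-03-01T09:00:05Z 198.51.100.9 192.0.2.10:21 DENY
1996-03-01T09:00:06Z 198.51.100.9 192.0.2.10:23 DENY
1996-03-01T09:00:07Z 198.51.100.9 192.0.2.10:79 DENY
1996-03-01T09:00:08Z 198.51.100.9 192.0.2.10:110 DENY
1996-03-01T09:00:09Z 198.51.100.9 192.0.2.10:111 DENY
1996-03-01T09:00:10Z 198.51.100.9 192.0.2.10:139 DENY
1996-03-01T09:30:00Z 198.51.100.9 192.0.2.10:80 ACCEPT
1996-03-01T09:45:00Z 203.0.113.4 192.0.2.10:23 DENY
1996-03-01T11:45:00Z 203.0.113.4 192.0.2.10:25 DENY`

// ParseLog turns the text into entries. Malformed lines are skipped rather
// than aborting the run: one bad record must not silence the whole analysis.
func ParseLog(text string) []LogEntry {
	var out []LogEntry
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		dst := strings.SplitN(f[2], ":", 2)
		if len(dst) != 2 {
			continue
		}
		out = append(out, LogEntry{When: ts, SrcIP: f[1], DstIP: dst[0], DstPort: dst[1], Action: f[3]})
	}
	return out
}

// DetectProbes returns, sorted, the source addresses that were denied on at
// least minPorts distinct ports of one target within any window of the given
// length. The window slides over each source's denials in time order, so a
// burst is caught while two stray denials hours apart are not.
func DetectProbes(entries []LogEntry, window time.Duration, minPorts int) []string {
	denials := map[string][]LogEntry{} // key: "source->target"
	for _, e := range entries {
		if e.Action == "DENY" {
			k := e.SrcIP + "->" + e.DstIP
			denials[k] = append(denials[k], e)
		}
	}
	flagged := map[string]bool{}
	for key, list := range denials {
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
		for i := range list {
			ports := map[string]bool{}
			for j := i; j < len(list) && list[j].When.Sub(list[i].When) <= window; j++ {
				ports[list[j].DstPort] = true
			}
			if len(ports) >= minPorts {
				flagged[strings.SplitN(key, "->", 2)[0]] = true
				break
			}
		}
	}
	var out []string
	for ip := range flagged {
		out = append(out, ip)
	}
	sort.Strings(out)
	return out
}

func main() {
	entries := ParseLog(sampleLog)
	for _, ip := range DetectProbes(entries, 60*time.Second, 5) {
		fmt.Printf("block %s: denied on 5+ ports within a minute\n", ip)
	}
}
```

With the sample above, 198.51.100.9 is flagged (six ports in five seconds) and 203.0.113.4 is not (two denials two hours apart). The threshold and window are the knobs you tune against your own log: set them too low and ordinary users mistyping a port number get cut off.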
Logging also can be used to ensure that corporate resources are used more efficiently. You may want to see which Web sites are most commonly accessed during the day and determine which employees are doing this during business hours. If you discover that much time is being spent accessing a site that is not work-related, access to that particular site can be restricted with a simple IP filter. This is not a foolproof control method. IP addresses change and thousands of sites are constantly being added. But it can be a way to control some of the more obvious diversions.
Another option on some firewalls is called Network Address Translation (NAT). As the name implies, this feature rewrites the source address of traffic leaving the internal network to a different address, usually one belonging to the firewall itself, so that the other side sees only that address. This hides the network on one side of the firewall from the network on the other side, while still letting hosts on the protected network initiate communications outward. The firewall keeps track of each connection so the return traffic can be directed to the correct node; traffic that is not a reply to a connection it has recorded is simply dropped. Another advantage of this feature is that devices behind the firewall can use IP addresses that are not routable on the Internet. In addition, if there is a device that you want to have accessible from the Internet, you can map its internal address to a valid external address. Once you provide this access, however, the mapped host is reachable by anyone on the Internet, so you will want to harden it and restrict what it can reach internally, to ensure that a compromise of that host cannot be used to infiltrate the rest of your network.
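The translation table the paragraph describes is small enough to show in full. The following is an added example, not code from the article or from any firewall vendor: a model of a firewall with one public address that rewrites outbound connections, lets back in only the replies to connections it recorded, and exposes one internal server through a static mapping. All addresses and port numbers are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Endpoint is an address and port as they appear in a packet header.
type Endpoint struct {
	IP   string
	Port int
}

// Packet is the part of a header that the translation logic looks at.
type Packet struct {
	Src, Dst Endpoint
}

// flow records which internal node opened a connection and to which outside
// host, so that only that host's replies are let back in on the mapped port.
type flow struct {
	internal Endpoint
	peer     Endpoint
}

// NAT models the translation table of a firewall that owns one public address.
// Everything here, addresses included, is constructed for the example.
type NAT struct {
	public   string
	nextPort int
	byFlow   map[Packet]int   // internal (src, dst) pair -> public port assigned
	byPort   map[int]flow     // public port -> the flow behind it
	static   map[int]Endpoint // administrator-configured inbound mappings
}

func NewNAT(public string) *NAT {
	return &NAT{
		public:   public,
		nextPort: 40000, // first port of the pool handed out to translated flows
		byFlow:   map[Packet]int{},
		byPort:   map[int]flow{},
		static:   map[int]Endpoint{},
	}
}

// Expose maps a public port to an internal server so the Internet can reach it.
func (n *NAT) Expose(publicPort int, server Endpoint) { n.static[publicPort] = server }

// Outbound rewrites a packet leaving the private network. Its source becomes
// the firewall's public address plus a port from the pool, and the flow is
// remembered so the reply can be routed back to the right internal node.
func (n *NAT) Outbound(p Packet) Packet {
	port, seen := n.byFlow[p]
	if !seen {
		port = n.nextPort
		n.nextPort++
		n.byFlow[p] = port
		n.byPort[port] = flow{internal: p.Src, peer: p.Dst}
	}
	return Packet{Src: Endpoint{IP: n.public, Port: port}, Dst: p.Dst}
}

var ErrDropped = errors.New("no mapping for inbound packet: dropped")

// Inbound handles a packet arriving from the Internet. It is delivered only if
// it hits a statically exposed service, or if it is a reply on a flow this
// firewall opened and comes from the peer that flow was opened to. Anything
// else is dropped, which is why the private addresses never show outside.
func (n *NAT) Inbound(p Packet) (Packet, error) {
	if p.Dst.IP != n.public {
		return Packet{}, ErrDropped
	}
	if server, ok := n.static[p.Dst.Port]; ok {
		return Packet{Src: p.Src, Dst: server}, nil
	}
	if f, ok := n.byPort[p.Dst.Port]; ok && f.peer == p.Src {
		return Packet{Src: p.Src, Dst: f.internal}, nil
	}
	return Packet{}, ErrDropped
}

func main() {
	nat := NewNAT("203.0.113.1")
	nat.Expose(80, Endpoint{IP: "10.0.0.80", Port: 80})
	out := nat.Outbound(Packet{Src: Endpoint{IP: "10.0.0.5", Port: 1234}, Dst: Endpoint{IP: "198.51.100.20", Port: 80}})
	fmt.Printf("on the wire: %v -> %v\n", out.Src, out.Dst)
	reply, err := nat.Inbound(Packet{Src: out.Dst, Dst: out.Src})
	fmt.Printf("reply delivered to %v (err=%v)\n", reply.Dst, err)
	_, err = nat.Inbound(Packet{Src: Endpoint{IP: "198.51.100.99", Port: 6667}, Dst: Endpoint{IP: "203.0.113.1", Port: 1234}})
	fmt.Println("unsolicited packet:", err)
}
```

Note what the static mapping does to the picture: the exposed server gets packets from any source, with no flow check at all, which is the point of the article's caution about hosts you make reachable. A production implementation also ages idle entries out of the table and has to special-case protocols such as FTP that carry addresses inside the payload, neither of which this model does.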
Decoder Rings Come of Age
Those who want to use the Internet for private communications can use a virtual private network (VPN) feature that many vendors are implementing. With this feature, communications are encrypted as they leave the firewall, so anyone who intercepts them on the Internet cannot read them. This requires another firewall, or software, at the other end to decrypt the message. One plus is that this method of encryption can be centrally controlled. Instead of installing client software to perform the encryption and relying on users to take advantage of it, you can virtually guarantee that certain communications, selected by port number or IP address, always will be encrypted.
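The central-control point above comes down to a selector rule and a cipher applied by the firewall rather than the user. The following is an added example, not code from the article or from any vendor's VPN: a firewall-to-firewall tunnel that decides from the destination address and port whether a packet must be encrypted, seals it with AES-GCM (so tampering is detected as well as reading prevented), and has the far end open it. The pre-shared key, the peer network and the packet are all constructed for illustration; how the two ends agree on a key is outside the scope of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Selector names traffic the firewall must encrypt before it leaves: anything
// to DstNet, and, if DstPort is non-zero, only that port.
type Selector struct {
	DstNet  *net.IPNet
	DstPort int
}

// Packet is a plaintext datagram as it reaches the firewall from inside.
type Packet struct {
	DstIP   net.IP
	DstPort int
	Payload []byte
}

// Tunnel holds the shared key and the policy of one firewall-to-firewall VPN.
// The key is assumed to be pre-shared between both ends (an assumption of
// this example; real products negotiate it).
type Tunnel struct {
	aead  cipher.AEAD
	rules []Selector
}

func NewTunnel(key []byte, rules []Selector) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, rules: rules}, nil
}

// MustEncrypt is the policy check. The firewall decides from the header;
// neither the user nor the client application gets a say.
func (t *Tunnel) MustEncrypt(p Packet) bool {
	for _, r := range t.rules {
		if r.DstNet.Contains(p.DstIP) && (r.DstPort == 0 || r.DstPort == p.DstPort) {
			return true
		}
	}
	return false
}

// header serialises the fields that travel in the clear. They are bound to the
// ciphertext as associated data, so they cannot be altered in transit either.
func header(p Packet) []byte {
	return []byte(fmt.Sprintf("%s:%d", p.DstIP, p.DstPort))
}

// Seal produces what goes on the wire: nonce || ciphertext || tag. The nonce
// is random per packet and must never repeat under the same key.
func (t *Tunnel) Seal(p Packet) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, p.Payload, header(p)), nil
}

var ErrTampered = errors.New("authentication failed: packet dropped")

// Open is the peer firewall undoing Seal. Any change to the ciphertext, the
// tag or the clear header fails GCM's tag check, so a corrupted or forged
// packet is dropped instead of being delivered.
func (t *Tunnel) Open(p Packet, wire []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(wire) < ns {
		return nil, ErrTampered
	}
	plain, err := t.aead.Open(nil, wire[:ns], wire[ns:], header(p))
	if err != nil {
		return nil, ErrTampered
	}
	return plain, nil
}

func main() {
	_, branch, _ := net.ParseCIDR("192.0.2.0/24") // constructed peer network
	key := bytes.Repeat([]byte{0x42}, 32)          // placeholder 256-bit key, example only
	tun, _ := NewTunnel(key, []Selector{{DstNet: branch}})
	p := Packet{DstIP: net.ParseIP("192.0.2.7"), DstPort: 25, Payload: []byte("payroll")}
	if tun.MustEncrypt(p) {
		wire, _ := tun.Seal(p)
		got, err := tun.Open(p, wire)
		fmt.Printf("far end read %q (err=%v)\n", got, err)
		wire[len(wire)-1] ^= 1 // flip one bit in transit
		_, err = tun.Open(p, wire)
		fmt.Println("after tampering:", err)
	}
}
```

Traffic outside the selector is passed in the clear, which is exactly the property to audit: a rule that names the wrong subnet or port leaves that traffic readable on the Internet with no error to warn anyone.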
Until recently this has taken place using proprietary techniques, requiring that the same vendor be used at both ends of the communication. But RSA Data Security has been sponsoring an initiative, called S/WAN, that standardizes VPN communications. The company recently published the results of interoperability testing done between participating vendors. You may want to ask firewall vendors if they are participating or planning to participate in this initiative. You also can check for the latest results at www.rsa.com.
Firewalls traditionally have been built on the Unix operating system, which adds an administrative burden for organizations that are not equipped to handle that platform. Some vendors have responded with support for Microsoft Windows NT. There also are firewalls that run on Novell NetWare servers and support clients running IPX, eliminating the need to install IP on the desktops for Internet access. However, you still need to install either IP applications or a driver that lets third-party WinSock applications run on the client machines. A NetWare Loadable Module (NLM) running on the server translates between IPX and TCP/IP, which Internet access requires, and also provides many other basic firewalling functions, such as filtering by IP address and port number.
Peter Morrissey is a network systems programmer at Syracuse University. He can be reached at ppmorris@syr.edu.
Firewalls That Make The Grade
The National Computer Security Association works closely with end users, vendors and security experts to promote secure computing. A visit to the association's home page at www.ncsa.com is highly recommended for those concerned with any aspect of security. There you will find a wealth of information on everything from CERT advisories to seminars, conferences, reading lists and related links. Recently, the NCSA initiated a program that certifies firewalls through a standard suite of tests. The vendors that have passed and their firewall products are listed below. Keep an eye on the NCSA Web site for updates.
Atlantic Systems Group, TurnStyle Firewall System; CheckPoint Software Technologies, CheckPoint Firewall-1; CyberGuard Corp., CyberGuard Firewall; Digital Equipment Corp., AltaVista Firewall; Global Technology Associates, GFX Internet Firewall System; IBM, Secured Network Gateway; Livermore Software Labs, Portus; Milkyway Networks Corp., Black Hole; NEC Technologies, PrivateNet; ON Technology Corp., ON Guard; RADguard, CryptoSystem; Raptor Systems, Eagle; Secure Computing Corp., BorderWare; Sun Microsystems, SunScreen SPF-100; Technologic, Interceptor; and Trusted Information Systems, Gauntlet.