Fortifying your Firewall

CheckPoint Software Technologies' FireWall-1 for Unix and NT

Though two distinct products, CheckPoint's FireWall-1 Unix and FireWall-1 NT share so many characteristics that we feel comfortable describing them collectively as simply "FireWall-1" and highlighting pertinent differences. CheckPoint's FireWall-1 is the market leader for firewalls, and it's easy to see why. Its Multilayer Stateful Inspection architecture lets it support complex network applications quickly, and its well-designed user interface provides a clear picture of your security policy setup. CheckPoint will release version 3.0 of its software soon after this review is published.
FireWall-1 has the most extensive third-party support of all the products we tested. A growing list of vendors offers enhancements such as virus scanning, URL filtering and reporting applications. This is partly because of FireWall-1's market stature and partly because CheckPoint has written APIs to facilitate integration of these products. The vendor has also formed alliances with companies like Bay Networks to build CheckPoint's software into their routers; other vendors, such as Hewlett-Packard Co., Xylan Corp. and U.S. Robotics, are licensing CheckPoint's software.

In addition to a number of Unix platforms, FireWall-1 is supported on NT versions 3.51 and 4.0. We found little difference between the NT version 4.0 and the Sun Solaris versions we evaluated. The Rule Base Editor, where your security policy is built and displayed, is easy to use and understand in both versions. Some of the other configuration windows are a little different, but not by much. We noted performance differences between the two, but they might not have been so apparent had the NT version been running on faster Intel Corp. hardware than the 133-MHz Pentium. If you're trying to decide between them, base your decision on which OS your organization supports better. With all else being equal, the NT version should be easier to administer.

Although FireWall-1 does not rely on its underlying OS to implement security changes, you still have to make backups, configure IP addresses and static routes, and so forth. The other firewalls we tested ran on a hardened OS, with CyberGuard and Sidewinder taking this to the furthest extreme. Since firewalls that run proxies allow users to talk directly to applications running on the firewall, this is an important safeguard (see "Methods of Control," www.NetworkComputing.com).

CheckPoint's firewall tracks network activities through state tables updated by the Multilayer Stateful Inspection process. The vendor claims this process intercepts traffic before it gets near the OS or any other application running on the firewall, thus eliminating vulnerabilities a proxy might create. We could find no evidence to contradict this claim.

Nevertheless, Multilayer Stateful Inspection can't match the functionality of some of the proxies. For instance, the CyberGuard FTP proxy can control most standard FTP commands such as PUT and GET; FireWall-1 cannot. Simple Mail Transfer Protocol (SMTP) is another example: CyberGuard and other proxy firewalls can filter according to e-mail content, message size, type of attachment, etc., and translate mail headers to hide information about the internal network. FireWall-1 cannot do this in its current version, although some of these features are planned for the upcoming 3.0 release. If you require this level of filtering, CyberGuard or Sidewinder might be better choices. Keep in mind, however, that if you decide you need access to any of the newer Internet applications, you will have to wait for CyberGuard or Secure Computing to build a corresponding proxy application. CheckPoint has an established track record of providing effective filtering for new Internet applications on its Web site within days of their release.

Although CyberGuard has greatly improved its interface, FireWall-1's is still superior. The graphics are better, and you can save multiple policies and recall them later. You can also see the type of logging and alerting that is defined for each rule on the Security Policy screen, which is a logical focal point. With CyberGuard, you have to look on another page to find most of the current logging and configuration status. On the other hand, some configuration tasks are easier with CyberGuard. Setting up logging and alerting parameters was very simple and intuitive with CyberGuard, which won't let you save a configuration until everything is set up correctly.

Despite searching the manual and available screens, we could not find out how to set the name of the mail host used to send mail alerts with FireWall-1. FireWall-1 let us turn on some of these options without giving any clue as to what they were set to.
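The stateful-inspection versus proxy distinction drawn above can be made concrete with a small model. This is an added example, not CheckPoint's or CyberGuard's code: a toy stateful inspector that decides purely from its state table, beside a toy FTP proxy that reads the command channel and can therefore deny individual commands (the page's "PUT" travels on the wire as STOR). The 10.0.0.0/8 internal network and the packet trace are constructed for the demo.

```python
from collections import namedtuple

# A packet as the firewall sees it: addresses, ports, TCP flags and payload.
Packet = namedtuple("Packet", "src dst sport dport flags payload")

def is_internal(ip):
    """Constructed convention for this demo: the protected network is 10.0.0.0/8."""
    return ip.startswith("10.")

class StatefulInspector:
    """Toy stateful inspection: the only decision input is the state table.
    Connections started from the inside create an entry; any other packet must
    match an existing entry (in either direction) or it is dropped."""
    def __init__(self):
        self.table = set()          # entries keyed by (src, sport, dst, dport)

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT"         # belongs to a tracked connection
        if "SYN" in pkt.flags and is_internal(pkt.src) and not is_internal(pkt.dst):
            self.table.add(fwd)     # inside-initiated connection: start tracking it
            return "ACCEPT"
        return "DROP"               # unsolicited packet with no state entry

class FtpProxy:
    """Toy application proxy: it parses the FTP command channel, so it can deny
    individual commands. Here uploads (STOR, the client's 'put') are denied."""
    def __init__(self, denied=("STOR",)):
        self.denied = denied

    def decide(self, pkt):
        if not pkt.payload:
            return "ACCEPT"         # handshake/ack packets carry no command
        command = pkt.payload.strip().split(" ", 1)[0].upper()
        return "DROP" if command in self.denied else "ACCEPT"

def run_demo():
    """Constructed trace: an inside host opens FTP to an outside server, an
    outside host tries an unsolicited connection, then the inside host uploads."""
    inside, server, stranger = "10.1.1.5", "203.0.113.7", "198.51.100.9"
    traffic = [
        Packet(inside, server, 40000, 21, {"SYN"}, ""),
        Packet(server, inside, 21, 40000, {"SYN", "ACK"}, ""),
        Packet(stranger, inside, 21, 40001, {"SYN"}, ""),
        Packet(inside, server, 40000, 21, {"ACK", "PSH"}, "STOR payroll.xls\r\n"),
    ]
    stateful, proxy = StatefulInspector(), FtpProxy()
    return [(stateful.decide(p), proxy.decide(p)) for p in traffic]
```

The last packet is the point of the comparison: the stateful inspector accepts it because it belongs to a tracked connection, while the proxy drops it because it can see the STOR command.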
by David Willis, updated February 7, 1997