
SOHO Firewall Routers: ISDN Branch Office Security

PortMaster's firewall uses packet filters on network interfaces to enforce network security. It's a fairly simple process: Create firewall filters via the command-line interface and enter filtering rules. Then attach the filter to an interface, such as Ethernet, or to a calling destination profile. For example, we created a filter that permitted or denied traffic to a number of hosts. In this case, we were filtering based on IP addresses only, but you can filter based on other information, such as port number and the direction of the traffic.

We also attached the filter to the destination for our Cisco 5300 (our default destination profile). When the Cisco destination was invoked, the filter rule was enforced; otherwise the filter rule was inactive. With PortMaster's graphical management interface, we could instantly see its status and gather general information and view statistics based on ports and configuration tables.

Logging is another area where the PortMaster excels. Using syslog to record security events and router events, we were easily able to capture up-to-date status information. We also were able to specify which events should be sent to the syslog and could assign priorities and custom reporting to them.

Ramp Networks WebRamp IP
Ramp Networks' WebRamp IP was one of the easiest devices to install and manage. It offers a step-by-step IP filter builder and has adequate reporting. Unfortunately, WebRamp, like 3Com's NETBuilder, doesn't offer Stac compression (only Van Jacobson header compression), which hurt it in our performance tests.

The WebRamp IP interface is well-thought-out, with status reports and configuration options that are easily accessible and well-documented. This is the kind of device you could send to remote offices and rest assured that, even with limited instructions, your users could install it with little effort. Especially useful are tests that verify ISDN provisioning and check IP connectivity to your ISP--two events that are crucial for connectivity. The associated logging is easy to read and understand. We found that logging covers the most common connection problems, though it won't decode PPP/IP packets or Layer 1 or 2 traffic.

Setting up filters through WebRamp's graphical interface is relatively simple. You can set up three different filter sets, one of which can be applied to a calling profile. Each set can have a maximum of 16 rules defined (both incoming and outgoing), for a total of 32 rules per filter set. This lets you create rules that depend not only on traffic type, but on direction as well. This feature is present in most of the devices we tested, but none was as solid as Ramp Networks' implementation. On the downside, WebRamp IP doesn't let you configure filters based on fields in the IP headers, unlike OpenROUTE GTSecure 70, limiting its ability to adapt to new protocols.

3Com Corp. OfficeConnect NETBuilder
OfficeConnect NETBuilder is a flexible device with enough features to support almost any environment. But NETBuilder is hard to configure, especially because it's driven by a command-line utility that uses a complex architecture and syntax. We found NETBuilder's command-line interface fairly cryptic, and its wealth of configuration options will overwhelm new users--none of the commands is precise. This is the type of device you would want to lock down when configuring centrally and deploying remotely. Once this is understood, however, NETBuilder lets you control virtually every aspect of its operation and becomes a powerful tool for connecting remote sites securely over your intranet or the Internet. If, on the other hand, your staff is familiar with the NETBuilder line of software, they will be off and running in no time.

NETBuilder offers packet filtering and NAT (Network Address Translator), which are configured via a command-line utility. Reporting and logging were on par with Pipeline 75 and PortMaster, though NETBuilder lacks PortMaster's ability to configure syslog event reporting. NETBuilder supports Stac compression, but cannot negotiate CCP (Compression Control Protocol, RFC 1962), hence its lackluster performance. 3Com says its next release will offer CCP negotiation.

NETBuilder's architecture virtualizes the network interface from the physical hardware. First, configure the paths (physical interfaces to the transmission media), then attach ports to them. For example, we configured the BRI on our NETBuilder as Paths 2.1 and 2.2, and assigned Port 2 to these paths. Although this ability certainly is flexible and offers many options for configuration and modification, the architecture is rather complex and difficult to configure.

The firewall filters can be built on the command line or via a text editor and then sent to NETBuilder via TFTP. This feature affords you a fine degree of control, but also increases the likelihood of error when building the rule base. Because NETBuilder defaults to deny all, we had to configure both inbound and outbound filter rules to pass traffic. We entered specific rules to pass IP traffic outbound, but without a corresponding rule to let traffic back in, connections were denied. Some of the process is automated, letting you configure specific services, such as FTP and HTTP, with a single command.
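As an added illustration (not code from any of the routers reviewed, and using a made-up rule format rather than any vendor's syntax), here is a small stateless, direction-aware packet filter in Python. It covers three points from the review: the PortMaster filter that denies traffic to particular hosts, WebRamp IP's limit of 16 rules per direction, and the NETBuilder default-deny case, where an outbound permit on its own lets the request out but leaves the reply with no inbound rule to match. Addresses, ports and rule set names are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    direction: str    # "in" or "out", relative to the router's WAN link


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: str                # "in", "out" or "any"
    src: str = "0.0.0.0/0"        # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.sport in (None, pkt.sport)
            and self.dport in (None, pkt.dport)
        )


class Filter:
    """Ordered rule list: first match wins, no match falls to the default."""

    MAX_RULES_PER_DIRECTION = 16  # per-direction cap the review quotes for WebRamp IP

    def __init__(self, rules: List[Rule], default: str = "deny"):
        # rules with direction "any" count against both directions
        for d in ("in", "out"):
            n = sum(1 for r in rules if r.direction in (d, "any"))
            if n > self.MAX_RULES_PER_DIRECTION:
                raise ValueError(f"{n} {d}bound rules exceeds the limit of 16")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return self.default


def accepts_rule_set(rules: List[Rule]) -> bool:
    """True if the rule set fits within the per-direction limit."""
    try:
        Filter(rules)
        return True
    except ValueError:
        return False


def web_session_outcome(flt: Filter, client: str = "192.0.2.10",
                        server: str = "198.51.100.5") -> dict:
    """Run both halves of a LAN-to-web-server TCP connection through a filter.

    Addresses and the ephemeral port 40001 are constructed sample values.
    """
    request = Packet(client, server, "tcp", 40001, 80, "out")
    reply = Packet(server, client, "tcp", 80, 40001, "in")
    return {"request": flt.decide(request), "reply": flt.decide(reply)}


# The mistake described in the review: a default-deny filter with only an
# outbound permit. The request leaves, but the reply has no inbound rule.
OUTBOUND_ONLY = Filter([Rule("permit", "out", proto="tcp", dport=80)])

# Corrected: a matching inbound rule for replies from the web server. A
# stateless filter can only approximate "reply" as source port 80 from that
# host, which is part of why building such rule bases by hand is error-prone.
WITH_RETURN = Filter([
    Rule("permit", "out", proto="tcp", dport=80),
    Rule("permit", "in", src="198.51.100.5/32", proto="tcp", sport=80),
])

# Host block of the kind described for PortMaster: denies on a specific
# network placed before the broader permits so they win on first match.
BLOCKED_HOST = Filter([
    Rule("deny", "out", dst="203.0.113.0/24"),
    Rule("deny", "in", src="203.0.113.0/24"),
    Rule("permit", "out", proto="tcp", dport=80),
    Rule("permit", "in", proto="tcp", sport=80),
])


if __name__ == "__main__":
    print("outbound only:", web_session_outcome(OUTBOUND_ONLY))
    print("with return  :", web_session_outcome(WITH_RETURN))
    print("blocked host :", web_session_outcome(BLOCKED_HOST, server="203.0.113.7"))
```

Running the block prints the decision for each half of the connection; the outbound-only set reports the request permitted and the reply denied, which is exactly the symptom the review describes on NETBuilder.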
