SOHO Firewall Routers: ISDN Branch Office Security

ZyXEL Communications Prestige 128 Extra ISDN Remote Access Router
Although ZyXEL Communications' Prestige 128 Extra is configurable through a VT100 terminal, which is better than the command-line interface of the NETBuilder, the device doesn't offer the range of features that might otherwise push it into the upper tier. Additionally, its performance ranked below average. On a more positive note, the Prestige 128 Extra ships with an external four-port Ethernet hub, which is especially useful for very small installations that may not have an existing network.

The Prestige is rather easy to configure, but the series of menus you must traverse for setup can be daunting. However, we found that with a little time, the Prestige becomes navigable for nearly anyone.

The Prestige firewall is a packet filter that supports up to 12 filter sets, each containing six rules. The rules are combined in calling profiles in banks of four. Within the filter sets, you can combine the rules for building complex filters. We set up our firewall with two filters, which specified a series of denial and permit rules. Once the filters are defined, you add the connection profiles. Because the filters can be combined on a connection profile, the rules are entered once and recombined only as needed.

You also can create call filters that will determine when calls are placed. This feature lets you conserve bandwidth and limit connect time by enabling packets to pass based on the current state of the connection. If you want to pass SNMP traffic only while the link is up, you can configure the call filter to drop SNMP packets when the link is down. The Prestige can have up to four entries for dial out, and they can be associated with specific IP addresses.

OpenROUTE Networks GTSecure 70 Firewall Router
OpenROUTE Networks' GTSecure 70 is a strong entry in the firewall roundup, but configuring it is a chore. Once this was accomplished, however, the unit performed flawlessly. In fact, GTSecure 70, along with Chase Research's IOLINK-LITE, turned in one of the best performances. In addition, GTSecure offers a host of debugging and tracing options.

GTSecure 70 provides a secure and robust solution for your network. With it, you can set up static filters on interfaces that block or allow traffic to pass through the firewall. You also can set up dynamic filters that install themselves only when necessary--much like Ascend's Pipeline 75. GTSecure 70 monitors and tracks traffic across the firewall and selectively opens and closes ports based on need. However, setting up filters is more complex than with other systems, such as Ascend's Secure Access.

Delivered via its Web site, OpenROUTE provides a graphical interface that eases configuration by providing all options in a step-by-step fashion. Unlike the graphical interface of Livingston's PortMaster, nearly all of the configuration options are well-marked in the OpenROUTE offering. But its GUI is strictly for configuration and offers no reporting or logging of any kind.

GTSecure 70 bundles excellent tools for problem solving via its Event Logging system, but understanding the layout of the command-line interface takes some time. We found setting up the proper debugging options difficult at first. But the difficulties were offset as virtually every aspect of the unit can be viewed, including security alerts, ISDN events and protocol negotiations. We found this very handy when trying to get GTSecure 70 to negotiate Multilink PPP. With the help of OpenROUTE Networks' technical support, we were able to trace the progress of the connection to the point of failure; GTSecure 70 didn't negotiate the appropriate Multilink PPP packet size. Once the cause was found (we had an older image that has since been updated), we were able to continue our testing.

ADC Kentrox PACESETTER SOHO
ADC Kentrox's PACESETTER SOHO is an average device that offers better-than-average reporting, a four-port internal Ethernet hub and ISDN BRI. In the area of performance, PACESETTER SOHO handled itself well: It placed third overall in compressed throughput.

PACESETTER SOHO has an upper maximum of eight filters, each of which can have up to 15 rules. If you configure the device for single BRI use, you can enable security on each BRI independently. When using Multilink PPP, however, the device has an effective rule limit of four filters. The filters are attached to an interface, and there is no guarantee that a specific ISDN interface will always be used; consequently, the same filter sets need to be assigned to both interfaces to ensure that firewall rules will be enforced.

The unit logs events, such as ISDN connects and disconnects, configuration changes, security events and general status information to a syslog facility. Oddly, common events--such as connections and disconnections and IP filter events--are sent to our syslog flagged as critical events. We would have liked to control the level of events. Also lacking is a method to trace calls in detail.
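Because the unit offers no control over event levels, the severity can be corrected on the syslog collector instead. The following is an added example, not taken from the review or from ADC Kentrox: it decodes the syslog PRI value and downgrades routine events that arrive as critical. The host name, message text and match patterns are constructed assumptions, since the review does not show the device's actual log format.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164); severity 2 is "critical".
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
CRITICAL, NOTICE, INFO = 2, 5, 6

# Hypothetical patterns for routine events; the device's real message
# text is not shown in the review, so adjust these to match your logs.
ROUTINE = [
    (re.compile(r"ISDN (connect|disconnect)", re.I), INFO),
    (re.compile(r"IP filter", re.I), NOTICE),
]

def reclassify(line):
    """Return (facility, severity, message), downgrading routine criticals."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid syslog PRI: %r" % line[:20])
    facility, severity = divmod(int(m.group(1)), 8)
    msg = m.group(2)
    if severity == CRITICAL:
        for pattern, new_severity in ROUTINE:
            if pattern.search(msg):
                severity = new_severity
                break
    return facility, severity, msg

def rewrite(line):
    """Re-emit the line with the corrected PRI for downstream alerting."""
    facility, severity, msg = reclassify(line)
    return "<%d>%s" % (facility * 8 + severity, msg)

# Constructed sample lines: facility local0 (16), severity critical (2) -> PRI 130.
SAMPLES = [
    "<130>Jan  5 10:01:02 soho-rtr ISDN connect on BRI 1",
    "<130>Jan  5 10:01:09 soho-rtr IP filter 3 rule 7 dropped packet",
    "<130>Jan  5 10:02:00 soho-rtr configuration memory checksum failure",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rewrite(sample))
```

Events that match no routine pattern keep their original severity, so a genuine critical message still reaches alerting unchanged.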

