SOHO Firewall Routers: ISDN Branch Office Security
RAD Data Communications WEB RANger
RAD Data Communications' WEB RANger is both an easy-to-configure firewall for WAN-to-LAN traffic and a packet-filtering engine for more detailed filtering, providing security and cost savings. WEB RANger ships with a number of features and WAN options that make it a fit for a number of environments. But it lacks the reporting and logging of security events necessary to effectively manage a firewall.

RAD Data Communications' firewall is designed to pass all traffic from the LAN to the WAN while allowing WAN access to specific services, such as FTP and HTTP. Services in the firewall are predefined; all you have to do is set the IP address of your servers. You can even expand services to the firewall by adding the necessary ports and protocol types. We found this process to be simpler than setting up filtering because you only need to specify addressing and do not have to worry about port numbers, traffic type or traffic direction.

For more detailed and customized security, you can define packet filters as well. WEB RANger guides you through the process of setting the filters. At every prompt, you're given choices to define each filter. However, if you make an error and go past a configuration prompt, you have to exit--losing your work--and restart.

We found viewing the filters to be somewhat cumbersome. For example, in the filter screen you are given a brief description of the filters configured, but you have to go one menu deeper to see the actual rules. Trying to compare filters is difficult because you must continuously switch screens. The lack of security event logging, such as spoofing or filter rule triggering, limits the manageability of the WEB RANger; there's no effective way to determine if you are under attack.
ADTRAN Express XLT
Once we defined our security policy, we had to enter our configurations line by line in both the filters list and the exceptions list. (Express XLT also lets you set up complex filters using boolean logic.) Packet filtering on the Express XLT is driven by a set of useful menus. With these menus, you can filter from the LAN to the WAN or vice versa. Unfortunately, your only options are to block all packets or forward all packets in either direction. Filtering takes place in the exceptions list. This arrangement may seem complex at first, but when working through your filters on paper, it's actually quite simple. For example, if you want to give outsiders access only to your Web server, then block all traffic originating from the WAN to the LAN and add an exception rule allowing outsiders to connect to your Web server.

Express XLT's logging facility offers real-time logging for IP, ISDN and PPP calls. Unfortunately, this information can't be downloaded or logged to a network service, such as syslog; it's available only in the unit's very small buffer. We were unable to recover an entire ISDN PPP call negotiation before the buffer filled.
D-Link Systems D-LinkOFFICE DI-1135 Bridge/Router
The DI-1135 is an OEM of Develcon's Orbit 3000 office router, and with the exception of wider support for WAN technologies and enhanced user authentication, the DI-1135 is functionally equivalent to Chase Research's IOLINK-LITE. Its firewall lacks the ability to filter traffic outbound to the WAN, making it far less flexible than the others we tested.

The DI-1135 does offer fast setup for commonly used services, such as DNS, FTP, HTTP and SMTP. We were able to quickly configure these services so users outside our local LAN could access them. You can limit the address range of foreign networks as well. When a local user makes a TCP connection to a server on the Internet, the DI-1135 places the request into memory and lets only TCP traffic that is bound for that connection pass. This method of security protects against attacks from the outside, but doesn't control outbound traffic. You set up custom filters for greater control and customization of the firewall.

We found the DI-1135's statistics reporting to be very useful. We were able to monitor the ISDN link and view traffic utilization, link status and quality and Stac compression statistics. Also provided is a call-trace utility, which lets you track events such as call setup, LCP (Link Control Protocol) negotiations and tear down. All of these utilities provide a wealth of information for monitoring and troubleshooting.
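A simplified model of the two filtering arrangements described above for the Express XLT and the DI-1135, as an added example that is not code from the review or from either vendor. The class names, addresses and ports are constructed, and the stateless model makes no claim about how the real Express XLT treats reply traffic.

```python
from collections import namedtuple

# direction is "wan->lan" or "lan->wan"; every address and port is constructed
Packet = namedtuple("Packet", "direction src sport dst dport")
WEB, CLIENT, REMOTE = "192.0.2.10", "192.0.2.50", "198.51.100.7"

class DefaultPlusExceptions:
    """Express XLT arrangement as reviewed: one default action per direction
    (block all or forward all), with the real filtering in an exceptions list."""
    def __init__(self, defaults, exceptions):
        self.defaults = defaults            # {"wan->lan": "block", ...}
        self.exceptions = set(exceptions)   # {(direction, dst, dport), ...}

    def decide(self, p):
        default = self.defaults[p.direction]
        if (p.direction, p.dst, p.dport) in self.exceptions:
            return "forward" if default == "block" else "block"
        return default

class ConnectionTracking:
    """DI-1135 arrangement as reviewed: outbound TCP connections are remembered
    and only WAN traffic bound for one of them, or for a published server,
    passes. Outbound traffic is never filtered."""
    def __init__(self, published):
        self.published = set(published)     # {(server_ip, port), ...}
        self.table = set()                  # remembered outbound connections

    def decide(self, p):
        if p.direction == "lan->wan":
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "forward"
        if (p.dst, p.dport) in self.published:
            return "forward"
        # a reply has the endpoints of a remembered connection reversed
        return "forward" if (p.dst, p.dport, p.src, p.sport) in self.table else "block"

def run_demo():
    xlt = DefaultPlusExceptions({"wan->lan": "block", "lan->wan": "forward"},
                                [("wan->lan", WEB, 80), ("lan->wan", REMOTE, 6667)])
    di = ConnectionTracking([(WEB, 80)])
    packets = [
        Packet("wan->lan", REMOTE, 40000, WEB, 80),      # outsider to Web server
        Packet("wan->lan", REMOTE, 40001, WEB, 23),      # outsider to another port
        Packet("lan->wan", CLIENT, 1025, REMOTE, 6667),  # outbound to unwanted service
        Packet("wan->lan", REMOTE, 6667, CLIENT, 1025),  # reply to that connection
        Packet("wan->lan", REMOTE, 6667, CLIENT, 1026),  # unsolicited inbound
    ]
    return [(xlt.decide(p), di.decide(p)) for p in packets]
```

The third and fourth packets show the trade-off the review points out: the connection-tracking model forwards the outbound connection and its reply because nothing inspects LAN-to-WAN traffic, while the exceptions-list model can stop it at the outbound rule.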







