Network Computingwww.networkcomputing.com

The IOLINK-LITE, like the DI-1135 is not able to filter traffic outbound to the WAN. It, too, is configured via a VT100 interface, though it will have a graphical interface by press time. The IOLINK-LITE handles only ISDN BRI on the WAN side. Otherwise its functionally equivalent to the DI-1135.

Mike Fratto can be reached at mfratto@nwc.com.

Firewall Options For The SOHO
The firewall units we tested provide connectivity to the Internet or corporate LAN via ISDN BR I in addition to providing routing and security services. If you already have ISDN installed at your SOHO (small office/home office) locations, or you're using a different WAN technology, these devices won't help you much. But there are other low-cost options for you to consider.

Matrox Graphics' iSwitch offers connectivity between a 10-port 10BASE-T switch and the Internet. It has two RS-232 ports that can be used to connect to analog modems or ISDN terminal adapters for WAN connectivity. The iSwitch also can act as a firewall, filtering outbound or inbound traffic. With built-in NAT (Network Address Translator), the iSwitch is ideal for offices with private IP addresses.

For more robust security and higher throughput, you can move up to the FireBox from WatchGuard Technologies (formally known as Seattle Software Labs). This low-cost firewall provides dynamic packet filtering and application proxy services at speeds greater than typically found in the SOHO WAN. With the FireBox, you can secure departme nts and workgroups within the corporate LAN, creating a secure and segmented networking environment.

Another firewall, Isolation Systems' InfoCrypt Enterprise, offers encrypted networking between pairs of InfoCrypt systems on an as-needed basis. Remote users can obtain secure connectivity over the Internet with InfoCrypt Solo, which runs on Windows95. This type of solution offers a higher level of functionality and security than the average firewall, as well as greater control over access to the internal network.

How We Tested Firewall Routers
We wanted a lab environment that mirrored the typical SOHO (small office/home office) environment. To accomplish this goal, we attached a couple of workstations to each of the firewall routers via a 3Com Corp. LinkBuilder hub. Each ISDN-based unit was then configured for dial-on-demand to a Madge Networks Teleos Model 60 switch, which provided ISDN signaling and call routing. A Cisco Systems' AS5300, using Multilink PPP, was employed to terminate the ISDN calls and route calls to our enterprise network.

To test security, we generated spoofing attacks using Internet Security Systems' Firewall Scanner package. All of the devices performed as advertised, allowing only the traffic we defined to pass through the firewall.

To determine how each unit pushes packets, we used Ganymede Software's Chariot to simulate HTTP traffic; compression was initially turned off during this testing. Using a Network General Corp. Sniffer, we ensured that packet sizes between the two Chariot end points were smaller than 127 bytes to maximize the amount of work each SOHO firewall router had to process. We then added filtering rules to the devices and ran the same tests.

Even with packet-filtering rules enabled, the performance hit was less than 2 percent. Finally, compression was turned on and the same tests were repeated.