Network Computing, powered by InformationWeek Business Technology Network


Seven Firewalls Fit for Your Enterprise

CyberGuard Corp. CyberGuard Firewall Release 4.0
CyberGuard Firewall is a proxy-based firewall like the AXENT and Secure Computing products. Although it has a long list of proxy applications, the proxy features were not nearly as rich as Raptor's. CyberGuard includes the option of allowing straight packet filtering. We found its user interface to be clear and concise.

CyberGuard takes the hardening of its operating system more seriously than the other proxy vendors we looked at. Its Multiple Virtual Secure Environments (MVSE) system carefully isolates all processes, files and directories, and approves only communications that are absolutely necessary among them. Like the other firewalls we tested, it has been certified by the ICSA. However, it is the only product also certified by the Department of Defense's National Computer Security Center.

The user interface consists of a full-screen console that runs only on the firewall's monitor. A menu bar on top launches all essential applications. The menu also offers easy access to general system administrative tasks, such as IP address and routing configuration, making these tasks much easier to perform than on most of the other firewalls we tested. The actual firewall policy is set up in the packet filtering window, which consists of a list of rules on the top half and an editing template on the bottom. The editing template lets you easily specify the protocols you want to allow or deny, and enables you to set logging options on a rule-by-rule basis, like FireWall-1. This is a handy feature, as logs can fill up very quickly and you may decide that there are some things that you just don't want to know about. Also like FireWall-1, CyberGuard makes use of color and graphics to make the policy more readable. You can put comment lines above and below each rule, but we found that this gets messy when there are a lot of rules involved.

Although remote management is possible from the user interface, we successfully managed the firewall remotely only with another full implementation of the firewall. Every other firewall we tested let us run management software completely independent of the actual firewall engine.

CyberGuard claims to support the IPSec standards for encryption and key management, but this application is not yet certified by the ICSA.

Secure Computing Corp. SecureZone
When we evaluated Secure Computing's Sidewinder in our previous firewall review, it lagged behind the rest of the products in performance and ease of use. SecureZone has since demonstrated great improvements in both areas. It did well in our performance tests, and its newly designed user interface turned implementation of security policies into a point-and-click operation that could be performed from any OS running a JVM (Java Virtual Machine).

SecureZone is a proxy-based firewall that provides a long list of proxies. The FTP proxy regulates create, delete and rename operations on files and directories, as well as put and get operations. The HTTP proxy filters out Java and ActiveX, and also has built-in URL filtering with the additional benefit of caching pages. SecureZone cannot scan for viruses, although this feature is planned for a future release.
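
What command-level control in an FTP proxy looks like, as an added example rather than SecureZone's own code or configuration: control-channel verbs (as defined in RFC 959) are mapped to the five operations named above and checked against a policy, with unknown verbs denied by default. The policy format, function names and sample session are assumptions constructed for illustration.

```python
# Added illustration: command-level policy for an FTP application proxy.
# Verb names follow RFC 959; the policy format and function names are
# hypothetical and do not reflect SecureZone's configuration.

FTP_OPERATIONS = {
    "RETR": "get",
    "STOR": "put", "STOU": "put", "APPE": "put",
    "MKD": "create", "XMKD": "create",
    "DELE": "delete", "RMD": "delete", "XRMD": "delete",
    "RNFR": "rename", "RNTO": "rename",
}

# Session-control verbs relayed regardless of the file-operation policy.
ALWAYS_RELAYED = {"USER", "PASS", "CWD", "CDUP", "PWD", "TYPE", "PORT",
                  "PASV", "LIST", "NLST", "NOOP", "SYST", "QUIT"}

def check_command(line, allowed_ops):
    """Return (verdict, reply) for one client control-channel line."""
    body = line[:-2] if line.endswith("\r\n") else line.rstrip("\n")
    # A stray CR, LF or NUL inside the line could smuggle a second
    # command past the check, so such lines are never relayed.
    if any(c in body for c in "\r\n\0"):
        return ("deny", "500 Malformed command")
    verb = body.partition(" ")[0].upper()  # FTP verbs are case-insensitive
    if verb in ALWAYS_RELAYED:
        return ("relay", None)
    op = FTP_OPERATIONS.get(verb)
    if op is None:
        # Default deny: verbs the proxy does not understand (SITE, etc.)
        return ("deny", "502 Command not implemented")
    if op not in allowed_ops:
        return ("deny", "550 %s not permitted by policy" % op)
    return ("relay", None)

def filter_session(lines, allowed_ops):
    """Verdict for each line of a client session, in order."""
    return [check_command(line, allowed_ops)[0] for line in lines]

# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.test\r\n",
    "RETR report.txt\r\n",
    "stor upload.bin\r\n",
    "DELE report.txt\r\n",
    "RNFR a.txt\r\n",
    "SITE CHMOD 777 upload.bin\r\n",
    "RETR x\r\nDELE y\r\n",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION, {"get", "put"})):
        print(verdict, repr(line))
```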

Like CyberGuard, SecureZone has its own version of Unix into which the firewall software was integrated. Configuration of the firewall system functions was simple, achieved with pull-down menus on the console or from the remote interface. In contrast, Raptor and FireWall-1 require the installation and configuration of the Solaris operating system, which is not a trivial task but shouldn't be something you would have to do very often. SecureZone uses "Type Enforcement" to compartmentalize all processes and files, and it explicitly allows only access that is absolutely necessary. This decreases the possibility that someone could take over the firewall in the event of a break-in.

The Java-based user interface was both quick and stable, two attributes that historically have not been synonymous with Java apps. The user interface was very different from all the others in that it used decision tree-style diagrams to build the security policy. We developed individual security policies for "regions" representing the different interfaces, networks and VPNs on the firewall. A rule is represented by a box. Another box holds all of the services allowed, and is connected by an arrow to another set of boxes that represent the regions where access is allowed "from" and "to" the different regions. Additional icons are dragged onto the screen to indicate whether access should be allowed or denied or whether NAT should be performed. This approach took some getting used to, but once we got the hang of it, we found it very easy to use. It could be especially useful if you have a lot of VPNs that require different levels of access to each other.


Copyright © 2009 United Business Media LLC