Network Computing, powered by InformationWeek Business Technology Network
Fortifying your Firewall

CyberGuard Corp.'s CyberGuard
Since our last firewall review, CyberGuard has been spun off of Harris Computer Systems into an entity called CyberGuard Corp. (see "Striking Just the Right Firewall Match," September 15, 1996, page 158). But the real news on the CyberGuard product is it performs better and is much easier to administer. For this reason, it caught up to CheckPoint's FireWall-1 Unix product in our ratings this year, in a tie for first place.

CyberGuard provides proxies for all the major Internet protocols as well as RealAudio and X11. The proxies were among the most full-featured we've seen. The FTP proxy not only filters PUTs and GETs, but also allows or denies nearly every FTP command for individual sessions. The RealAudio proxy lets you control the number of RealAudio streams running through the gateway at any time.

The CyberGuard firewall is based on the CX/SX multilevel secure operating system, which has been certified by the National Computer Security Center, a U.S. government agency that evaluates computer systems and applies ratings based on strict criteria. The firewall blocks communications between the network and operating system level, so that in the unlikely event that someone were to find a hole in one of the proxies, he or she would be prevented from exploiting it to gain control of the firewall. This puts this firewall in the same league as the Sidewinder product with its "Type Enforcement."

All control of the firewall is centralized at a menu bar that runs across the top of the screen. From there, snappy, color-coded menus are pulled down to launch windows for different administrative functions. Judicious use of icons, tabs and forms greatly simplifies administrative tasks, and the menu bar anchored to the top of the screen provides a good orientation for administrative functions.

The main point of control with CyberGuard is the "Packet Filtering Rules" window. From here you define your security policy one line at a time in a split window with a line for rules in the top half, and icons and pull-down menus on the bottom half that are used to build the rules. Each line starts with a Permit, Proxy, Deny or Comment icon. You click on a corresponding icon in the editing window on the bottom. Other options can be typed in manually or chosen from pull-down menus. Icons at the end of each line indicate whether a packet is audited, replied to or its source address is validated. Lines are easily moved to different positions of the screen. We especially liked the fact that you could easily comment out a line for later use, or add descriptive comments above and below each line; this is not possible with FireWall-1's interface. When a change is made, a "save" button on top immediately turns yellow.

Many other administrative tasks that normally require knowledge of Unix commands and text files that vary by flavor--as is the case with FireWall-1 and Sidewinder--are easily executed from the pull-down menu. IP addresses are changed by simply filling out a form. Default routes and static routes can be entered easily as well. A handy ping utility is available, too. System usage is displayed graphically on the menu bar, as well as on a "System Activity" screen that shows disk usage and network activity for interfaces in bytes and packets per second.

A third party called Information Resource Engineering provides CyberGuard's encryption options. Thanks to this arrangement, CyberGuard is the only firewall that could provide hardware encryption via a card installed on the firewall. If you need to do a lot of encryption, this might provide the performance boost that you need to make it practical.

CyberGuard has a full set of auditing, reporting and alerting tools. It has the most alerting options of all the products we tested, allowing you to send alerts via Simple Network Management Protocol (SNMP), pager, e-mail and user-defined scripts.

To set up logging and auditing, you select alerting options from a list of about a dozen types of activities, such as port scans and spoofing. As you check off an option such as "SNMP Traps," corresponding boxes light up with the parameters required for the option to work, such as the IP address of the SNMP manager.

Another tab reveals a window that allows you to log about 20 events to separate log files. These files can be viewed from an "Alert Viewer" window, where you can specify the events you want to display. It also includes a "find string" function. This information is shown in pure text format, and lacked the text color coding and various icons that accompany the text in the FireWall-1 log viewer, making it more difficult to read. But this information can be crunched through a Perl script or shell script for further summarizing and formatting.
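The shell post-processing mentioned above, sketched as an added example (not code from the review or from CyberGuard): it reduces a plain-text alert log to one line per event type with its most frequent source. The log layout, the event names, the addresses and the function names `sample_log` and `summarize_alerts` are assumptions, since the review does not show the product's actual log format.

```shell
#!/bin/sh
# Constructed sample in an ASSUMED layout (not CyberGuard's real format):
#   date time EVENT key=value ...
sample_log() {
cat <<'EOF'
1997-02-07 03:14:07 PORT_SCAN src=192.0.2.10 dst=198.51.100.1 ports=1-1024
1997-02-07 03:14:09 PORT_SCAN src=192.0.2.10 dst=198.51.100.2 ports=1-1024
1997-02-07 03:20:41 SPOOF src=10.0.0.5 dst=198.51.100.1 if=external
1997-02-07 04:02:13 PORT_SCAN src=203.0.113.77 dst=198.51.100.1 ports=23,25,80
garbled line without fields
1997-02-07 04:10:00 SPOOF src=10.0.0.5 dst=198.51.100.3 if=external
1997-02-07 04:11:30 PORT_SCAN src=192.0.2.10 dst=198.51.100.3 ports=6000-6010
EOF
}

# summarize_alerts: read the log on stdin and print, busiest event first:
#   EVENT total=N top_src=ADDR(count)
# Lines without an upper-case event name or a src= field are not dropped
# silently; they are counted and reported last as MALFORMED.
summarize_alerts() {
  awk '
    {
      src = ""
      for (i = 4; i <= NF; i++)
        if ($i ~ /^src=/) src = substr($i, 5)
      if (src == "" || $3 !~ /^[A-Z_]+$/) { bad++; next }
      total[$3]++
      n = ++pair[$3 SUBSEP src]
      # Track the most frequent source per event; on a tie the first wins.
      if (n > best[$3]) { best[$3] = n; top[$3] = src }
    }
    END {
      for (e in total)
        printf "%d %s total=%d top_src=%s(%d)\n", total[e], e, total[e], top[e], best[e]
      # Sort key -1 keeps the malformed-line count at the bottom.
      printf "-1 MALFORMED total=%d\n", bad
    }
  ' | sort -k1,1nr -k2,2 | cut -d" " -f2-
}

sample_log | summarize_alerts
```

A rising MALFORMED count is worth checking by hand, since it means the parser and the log format no longer agree.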

Other features such as Network Address Translation, Socks support and split Domain Name System (DNS) support make CyberGuard a well-rounded enterprise firewall. But it's not for everyone. Outgoing FTP, for example, cannot be implemented without authentication. Some administrators may appreciate this, but it could annoy your users. Also, if you need to support recently released network protocols, you'd be out of luck until a proxy is developed, unless you can set up a packet filter that supports the application as well as your security policy.

Make Room for Frame Relay
by David Willis


Updated February 7, 1997