Elron's NT firewall has it covered
- By Victor R. Garza
- May 29, 2000
With its CommandView Firewall for NT, Elron Software Inc. offers a flexible,
easy-to-configure weapon in your arsenal against hackers. CommandView is
a solid, software-based firewall that can be easily integrated into existing
firewalled networks, or it can be used as a standalone product to protect
a small- to mid-size agency's PCs and workstations.
CommandView can do a lot more, too. Besides being just a full-featured firewall,
it's also a remote-access solution for supporting 100 to 1,000 network clients.
Most people think that a firewall is all that's needed to stave off
malicious network attacks. A firewall is actually an agency's third line
of defense. The first defense is a thorough understanding of the agency's
network and any potential vulnerabilities; the second is a router with an
appropriately restrictive access control list (ACL); and the third is a
well-understood, properly installed and properly configured firewall.
First- and second-generation firewalls are akin to a router with an
ACL or a proxy-based firewall, respectively. However, these don't offer
the extensive security provided by the Elron product or others like it that
use the same architecture.
Elron's firewall is based on third-generation Stateful Multi-layer Inspection
(SMLI) technology. SMLI-based firewalls monitor almost all the layers of
a network connection and record information about who initiated the connection.
If the connection was initiated from inside the protected network, the firewall
will allow it to continue.
The Elron firewall isn't as easy to install and configure as, say, a
hardware firewall like SonicWALL's products, but it is easier to configure
than Check Point Software Tech-nol-ogies Ltd.'s FireWall-1 software-based
Starting with the installation, I liked the fact that I didn't have
to worry about first hardening the operating system against attack before
installation a requirement of some firewall solutions.
Instead, I was able to get the firewall up and running on a newly installed
Microsoft Corp. Windows NT 4 Server (updated with a minimum of Service Pack
3), provided that it was outfitted with at least two network interface cards.
Putting in a third NIC would have allowed me to set up a "demilitarized
zone" for a publicly accessible resource such as a World Wide Web server.
Configuring the Elron firewall was straightforward. You use a Windows-based
management client, which can be set up on the firewall itself or on another
Windows-based machine. The software comes pre- configured to allow protected
access to the Internet for several common user services, such as e-mail
and Web browsing. An Express Configuration Wizard set up these generic user
services after asking me some simple questions. All and all, completing
the initial user services configuration was relatively painless.
However, I had problems configuring Network Address Translation (NAT)
software and a custom user service that required special ports in the server
software to be opened. But for the most part, Elron's support for more than
a hundred applications out of the box should make for a straightforward
configuration of standard user services such as Real-Audio, file transfer
protocol or America Online access.
Although the firewall software was relatively easy to install and configure,
I would have liked more information in the documentation on setting up the
firewall itself, as well as the NAT portion of the software. However, what
the package lacks in documentation it makes up for in features and robustness.
One of the outstanding parts of the package is logging and trap capability.
The logging portion of the management client is extensive. The log can
contain critical events, noncritical events or a mix of anything in between,
including informational and debug events. Real-time and e-mail notification
of events, a must for this type of product, are also supported. Attacking
this bridge-based firewall with common hacker tools such as Insecure.Org's
nmap port-scanning tools proved fruitless. The firewall
was secure against any attack that I launched against it.
Bottom line: If you're looking for a fully functional firewall for IP-
and IPX-based networks with additional capabilities, such as NAT and virtual
private networking, and an excellent logging feature, then Elron's NT software-based
firewall is worth a look.
Garza is a freelance writer and a senior IT network
engineer in Silicon Valley.