Security out of the box
- By Steve Jefferson
- Sep 18, 2000
Network security is a priority at virtually every federal agency. Although
it used to be enough to throw up a firewall, the increasing demands of Internet
access, the constant production of new and increasingly dangerous viruses,
and the migration of many workers to more remote and less protected computing
environs is making a sense of security harder to come by.
If you have that nagging feeling of vulnerability, take a look at WatchGuard
Technologies Inc.'s LiveSecurity System 4.1. It comprises a Firebox appliance,
a suite of security applications tied to a centrally located control console
and the LiveSecurity Service. And for those who have remote workers or offices,
it offers a virtual private network (VPN) option that can tie the disparate
networks together, all managed by the same control console.
As with any system that requires hardware and software to be integrated
into a network, installing WatchGuard was a fairly tricky undertaking. Unfortunately,
neither the user's guide nor the install guide made the task much easier.
Ultimately, I had to contact technical support to achieve full installation.
A further woe: Although I found the support staff to be friendly and helpful,
it wasn't at all easy to get through.
Those problems prevent the package from receiving a score of excellent,
but everything went smoothly once I correctly installed the product, and
I was impressed with WatchGuard's powerful set of tools.
All of the security settings and related applications are accessible
through the Control Center. One of the most important is the Policy Manager.
The Policy Manager interface is icon-based and user-friendly. Double
clicking on the FTP icon, for example, gives you the ability to configure
outgoing and incoming policies. The use of enhanced Network Address Translation
gives the added ability to both conserve public IP addresses and increase
In configuring the hypertext transfer protocol proxy service, I discovered
I had the added ability to employ WatchGuard's WebBlocker — a service that
registers and classifies more than 65,000 IP addresses and 40,000 directories.
For example, I was able to restrict users from accessing tobacco- and pornography-related
sites from all the machines on the network.
Other categories include intolerance, drug culture and violence/profanity.
Another useful feature is the HostWatch. As the name implies, it gives you
the ability to see what internal machine is hooked up with what external
machine. The potential for confusion is significant on a busy network, but
the graphic nature and the use of colors help you easily monitor connections
as well as see what type of services are being used.
Another application in the suite was the Firebox Monitor, which employed
2-D charts and colors to depict what type of load the network is under,
how many services are being monitored and network-related statistics to
give you a clear picture of how your bandwidth is being utilized.
Of course, logs are an important tool for not only capturing data, but also
for recognizing trends to help fine-tune security policies. Especially helpful
is the Historical Reports application, which builds organized, graphical
Web-based reports that tell you everything you want to know about your site,
including the most active host and the most popular Web page.
Although WatchGuard considers its LiveSecurity service a real value-add,
I was only mildly impressed with it. Essentially, it acts as a proprietary
browser for disseminating information and patches from WatchGuard to your
console as they become available. Unfortunately, because of the annoying
pop-up nature of much of the content, most users will probably turn off
most or all of the announcements.
What I did find compelling was the comprehensive suite of VPN applications
and new hardware devices to create secure tunnels from headquarters to remote
workers. Although I did not set up a VPN, I was able to experience the remote
administration, from one Firebox to another, and I found the system to be
a strong platform for protection of medium to small networks.
Overall, I was very pleased with the product and recommend that any agency
with small to medium networks to seriously consider WatchGuard for security.
The comprehensive package, great level of control and the ability to
tie together and administer the security of disparate networks make this
an attractive package.
—Jefferson is a freelance analyst and writer based in Honolulu. He has been
covering technology for seven years.