Elron's NT firewall has it covered

With its CommandView Firewall for NT, Elron Software Inc. offers a flexible, easy-to-configure weapon in your arsenal against hackers. CommandView is a solid, software-based firewall that can be easily integrated into existing firewalled networks, or it can be used as a standalone product to protect a small- to mid-size agency's PCs and workstations. CommandView can do a lot more, too. Besides being just a full-featured firewall, it's also a remote-access solution for supporting 100 to 1,000 network clients.

Most people think that a firewall is all that's needed to stave off malicious network attacks. A firewall is actually an agency's third line of defense. The first defense is a thorough understanding of the agency's network and any potential vulnerabilities; the second is a router with an appropriately restrictive access control list (ACL); and the third is a well-understood, properly installed and properly configured firewall.

First- and second-generation firewalls are akin to a router with an ACL or a proxy-based firewall, respectively. However, these don't offer the extensive security provided by the Elron product or others like it that use the same architecture.

Elron's firewall is based on third-generation Stateful Multi-layer Inspection (SMLI) technology. SMLI-based firewalls monitor almost all the layers of a network connection and record information about who initiated the connection. If the connection was initiated from inside the protected network, the firewall will allow it to continue.

The Elron firewall isn't as easy to install and configure as, say, a hardware firewall like SonicWALL's products, but it is easier to configure than Check Point Software Tech-nol-ogies Ltd.'s FireWall-1 software-based firewall.

Starting with the installation, I liked the fact that I didn't have to worry about first hardening the operating system against attack before installation — a requirement of some firewall solutions.

Instead, I was able to get the firewall up and running on a newly installed Microsoft Corp. Windows NT 4 Server (updated with a minimum of Service Pack 3), provided that it was outfitted with at least two network interface cards. Putting in a third NIC would have allowed me to set up a "demilitarized zone" for a publicly accessible resource such as a World Wide Web server.

Configuring the Elron firewall was straightforward. You use a Windows-based management client, which can be set up on the firewall itself or on another Windows-based machine. The software comes pre- configured to allow protected access to the Internet for several common user services, such as e-mail and Web browsing. An Express Configuration Wizard set up these generic user services after asking me some simple questions. All and all, completing the initial user services configuration was relatively painless.

However, I had problems configuring Network Address Translation (NAT) software and a custom user service that required special ports in the server software to be opened. But for the most part, Elron's support for more than a hundred applications out of the box should make for a straightforward configuration of standard user services such as Real-Audio, file transfer protocol or America Online access.

Although the firewall software was relatively easy to install and configure, I would have liked more information in the documentation on setting up the firewall itself, as well as the NAT portion of the software. However, what the package lacks in documentation it makes up for in features and robustness. One of the outstanding parts of the package is logging and trap capability.

The logging portion of the management client is extensive. The log can contain critical events, noncritical events or a mix of anything in between, including informational and debug events. Real-time and e-mail notification of events, a must for this type of product, are also supported. Attacking this bridge-based firewall with common hacker tools such as Insecure.Org's nmap port-scanning tools proved fruitless. The firewall was secure against any attack that I launched against it.

Bottom line: If you're looking for a fully functional firewall for IP- and IPX-based networks with additional capabilities, such as NAT and virtual private networking, and an excellent logging feature, then Elron's NT software-based firewall is worth a look.

Garza is a freelance writer and a senior IT network engineer in Silicon Valley.