Security out of the box

Network security is a priority at virtually every federal agency. Although it used to be enough to throw up a firewall, the increasing demands of Internet access, the constant production of new and increasingly dangerous viruses, and the migration of many workers to more remote and less protected computing environs are making a sense of security harder to come by.

If you have that nagging feeling of vulnerability, take a look at WatchGuard Technologies Inc.'s LiveSecurity System 4.1. It comprises a Firebox appliance, a suite of security applications tied to a centrally located control console and the LiveSecurity Service. And for those who have remote workers or offices, it offers a virtual private network (VPN) option that can tie the disparate networks together, all managed by the same control console.

As with any system that requires hardware and software to be integrated into a network, installing WatchGuard was a fairly tricky undertaking. Unfortunately, neither the user's guide nor the install guide made the task much easier. Ultimately, I had to contact technical support to achieve full installation. A further woe: Although I found the support staff to be friendly and helpful, it wasn't at all easy to get through.

Those problems prevent the package from receiving a score of excellent, but everything went smoothly once I correctly installed the product, and I was impressed with WatchGuard's powerful set of tools.

All of the security settings and related applications are accessible through the Control Center. One of the most important is the Policy Manager.

The Policy Manager interface is icon-based and user-friendly. Double clicking on the FTP icon, for example, gives you the ability to configure outgoing and incoming policies. The use of enhanced Network Address Translation gives the added ability to both conserve public IP addresses and increase security.

In configuring the hypertext transfer protocol proxy service, I discovered I had the added ability to employ WatchGuard's WebBlocker — a service that registers and classifies more than 65,000 IP addresses and 40,000 directories. For example, I was able to restrict users from accessing tobacco- and pornography-related sites from all the machines on the network. Other categories include intolerance, drug culture and violence/profanity.

Another useful feature is the HostWatch. As the name implies, it gives you the ability to see what internal machine is hooked up with what external machine. The potential for confusion is significant on a busy network, but the graphic nature and the use of colors help you easily monitor connections as well as see what type of services are being used.

Another application in the suite was the Firebox Monitor, which employed 2-D charts and colors to depict what type of load the network is under, how many services are being monitored and network-related statistics to give you a clear picture of how your bandwidth is being utilized.

Of course, logs are an important tool for not only capturing data, but also for recognizing trends to help fine-tune security policies. Especially helpful is the Historical Reports application, which builds organized, graphical Web-based reports that tell you everything you want to know about your site, including the most active host and the most popular Web page.

Although WatchGuard considers its LiveSecurity service a real value-add, I was only mildly impressed with it. Essentially, it acts as a proprietary browser for disseminating information and patches from WatchGuard to your console as they become available. Unfortunately, because of the annoying pop-up nature of much of the content, most users will probably turn off most or all of the announcements.

What I did find compelling was the comprehensive suite of VPN applications and new hardware devices to create secure tunnels from headquarters to remote workers. Although I did not set up a VPN, I was able to experience the remote administration, from one Firebox to another, and I found the system to be a strong platform for protection of medium to small networks.

Overall, I was very pleased with the product and recommend that any agency with small to medium networks seriously consider WatchGuard for security.

The comprehensive package, great level of control and the ability to tie together and administer the security of disparate networks make this an attractive package.

—Jefferson is a freelance analyst and writer based in Honolulu. He has been covering technology for seven years.

REPORT CARD

WatchGuard LiveSecurity System 4.1

Score: B+

WatchGuard Technologies Inc.

(800)734-9905

www.watchguard.com

Price and availability: LiveSecurity System 4.1 is available on the GSA schedule for about $3,200.

Remarks: The WatchGuard LiveSecurity System is a comprehensive security package — consisting of a Firebox, a suite of security applications, a central administration console and an update service — and is a strong contender for network protection.

BY Steve Jefferson
September 18, 2000
