Internet Security Professional Reference: How to Buy a Firewall


Evaluating Management Interface and GUI

Firewalls have come a long way from the first Unix-based conglomerations. Sophisticated security policies can now be created with relative ease—on some systems. A good configuration interface is an important part of a firewall because few organizations set a security policy that never changes.

Having a pretty GUI is no guarantee of configuration ease, though. Network-1’s Firewall/Plus, for instance, has a GUI that handles every configuration task, yet is completely unusable: there is no simple way to say “let this range of ports through in both directions.”

As far as initial setup goes, the firewalls most people will feel comfortable configuring are LSLI’s PORTUS, Raptor’s Eagle, Milkyway’s Black Hole, and Digital’s AltaVista Firewall. On all of these, even a clumsy network manager would have a hard time making an error that allows unintended access.

Both Raptor’s Eagle and Milkyway’s Black Hole do a good job of simplifying the firewall environment, so that a network manager can implement the security policy without worrying about making an error that allows insecure access. Check Point’s Firewall-1 also has a well-designed GUI, but its habit of reducing certain concepts to a single check box can have enormous repercussions: a box whose label says less than it does can permit a whole class of traffic that the manager never wrote down as an explicit rule, so it pays to confirm what each box actually opens before relying on it. Much of the configuration confusion in Firewall-1 is a documentation rather than a GUI problem, as Firewall-1’s online documentation is exceptionally poor.

However, Firewall-1’s configuration has something that no other firewall in this chapter offers—the capability to configure a group of firewalls as a single entity. Using the GUI, the network manager can build rules that are installed on multiple firewalls and packet filtering routers (Cisco Systems and Bay Networks routers are supported) within an enterprise. Keeping cooperating security domains consistent with each other is easy with Firewall-1, which makes it an excellent choice for enterprises that need multiple internal firewalls.
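The two points above, the rule that Firewall/Plus cannot express simply (“let this range of ports through in both directions”) and the group installation that Firewall-1 offers, are illustrated below by a small policy compiler. This is an added example, not code from the book or from any of the products it reviews. It expands one high-level rule into the explicit one-direction rules a packet filter evaluates, pushes the same compiled rule set to every enforcement point in a group, and checks that the group agrees. The class and function names, the sample networks, and the enforcer names are invented for the illustration.

```python
"""Added example: compile a high-level "service between two networks" rule into
explicit per-direction filter rules, install it on a group of enforcers, and
check the group stays consistent. Names and sample data are invented."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class LowLevelRule:
    """One direction, one protocol, one port range: what a filter actually evaluates."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "any"
    sport: tuple[int, int]       # inclusive source-port range
    dport: tuple[int, int]       # inclusive destination-port range
    action: str                  # "accept" or "drop"
    established: bool = False    # TCP only: match packets of an existing connection (ACK set)

@dataclass(frozen=True)
class HighLevelRule:
    """What the operator wants to say: a service range between two networks."""
    net_a: str
    net_b: str
    proto: str
    port_lo: int
    port_hi: int
    bidirectional: bool = False  # may either side open new connections, or only net_a?

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    established: bool = False

DEFAULT_DENY = LowLevelRule("0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT, ANY_PORT, "drop")

def _one_way(client_net, server_net, proto, svc):
    """Rules for connections initiated from client_net to the service range on server_net."""
    rules = [LowLevelRule(client_net, server_net, proto, ANY_PORT, svc, "accept")]
    if proto == "tcp":
        # Replies carry the service port as source; requiring the established flag
        # keeps this reverse rule from admitting new connections toward client_net.
        rules.append(LowLevelRule(server_net, client_net, "tcp", svc, ANY_PORT, "accept", True))
    else:
        # UDP has no connection state: a stateless reply rule admits any datagram
        # sourced from the service range, a well-known weakness of this style of filter.
        rules.append(LowLevelRule(server_net, client_net, "udp", svc, ANY_PORT, "accept"))
    return rules

def compile_rule(rule: HighLevelRule) -> list[LowLevelRule]:
    """Expand one high-level rule into the explicit per-direction rules."""
    if not 0 <= rule.port_lo <= rule.port_hi <= 65535:
        raise ValueError(f"bad port range {rule.port_lo}-{rule.port_hi}")
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    ip_network(rule.net_a)  # both raise ValueError on anything that is not a network
    ip_network(rule.net_b)
    svc = (rule.port_lo, rule.port_hi)
    rules = _one_way(rule.net_a, rule.net_b, rule.proto, svc)
    if rule.bidirectional:
        rules += _one_way(rule.net_b, rule.net_a, rule.proto, svc)
    return rules

def compile_policy(policy: list[HighLevelRule]) -> tuple[LowLevelRule, ...]:
    """Compile every rule in order and close the list with an explicit default deny."""
    return tuple(low for high in policy for low in compile_rule(high)) + (DEFAULT_DENY,)

def rule_matches(rule: LowLevelRule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and (not rule.established or pkt.established))

def decide(rules: tuple[LowLevelRule, ...], pkt: Packet) -> str:
    """First matching rule wins; the trailing DEFAULT_DENY guarantees a decision."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"

@dataclass
class Enforcer:
    """A firewall or filtering router that receives the compiled rule set."""
    name: str
    installed: tuple[LowLevelRule, ...] = ()

def install_on_group(group: list[Enforcer], policy: list[HighLevelRule]) -> tuple[LowLevelRule, ...]:
    """Push one compiled rule set to every enforcer in the group."""
    compiled = compile_policy(policy)
    for enforcer in group:
        enforcer.installed = compiled
    return compiled

def group_consistent(group: list[Enforcer]) -> bool:
    """True when every enforcer in the group runs exactly the same rule set."""
    return len({e.installed for e in group}) == 1

if __name__ == "__main__":
    # Constructed sample: X11 display ports from net A to net B, new connections one way only.
    policy = [HighLevelRule("10.1.0.0/16", "10.2.0.0/16", "tcp", 6000, 6063)]
    fleet = [Enforcer("hq-fw"), Enforcer("branch-fw"), Enforcer("dmz-router")]
    rules = install_on_group(fleet, policy)
    print(group_consistent(fleet))
    print(decide(rules, Packet("10.1.5.5", "10.2.9.9", "tcp", 40000, 6010)))          # accept
    print(decide(rules, Packet("10.2.9.9", "10.1.5.5", "tcp", 6010, 40000, True)))    # accept (reply)
    print(decide(rules, Packet("10.2.9.9", "10.1.5.5", "tcp", 40000, 6010)))          # drop (new, wrong way)
```

The one-direction and bidirectional forms compile to different rule sets, which is the distinction a check box or a single menu entry has to convey; the reply rules are where a careless expansion silently widens the policy.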

Digital’s AltaVista Firewall also has a nicely designed user interface that complements the relative simplicity of the product. AltaVista Firewall is the easiest to configure and control of all the firewalls in this chapter.

Mired in the world of editing text files are LSLI’s PORTUS and TIS’ Gauntlet. To build or change configurations on either of these requires a text editor and knowledge of which configuration files must be changed. PORTUS, which is a relatively simple firewall, does not suffer too much from its minimalist management interface. Gauntlet, however, has no excuse. As one of the oldest and most featureful of the firewalls, it more resembles a Unix-based Erector set than an integrated firewall. TIS provides a screen-based GUI that manages some files, but even a simple customization requires groveling through additional configuration files using the complex syntax and semantics built into the product. Some network managers will enjoy having the internals so exposed for poking and prodding, but when contrasted with Black Hole or Eagle, the Gauntlet has a long way to go.

The strangest GUI and management style of any firewall in this chapter belongs to Network-1’s Firewall/Plus. As a firewall vendor, Network-1 has chosen an approach that resembles a network protocol analyzer more than a firewall: the software reaches into each frame, pokes around, and decides whether to pass it or not. The nice part of this approach is that Firewall/Plus can handle non-IP protocols, such as IPX, AppleTalk, or DECnet, which a filter that understands only IP headers cannot even see.

Unfortunately, Network-1 hides none of this complexity from the network manager. Making simple changes to the Firewall/Plus configuration is beyond the ken of any but the most determined and educated security manager. By contrast, Check Point’s Firewall-1 has the same amount of power (which equates to complexity) to reach into the network and watch bits and bytes, but this flexibility is internal and well-hidden, so the security manager need uncover it only when necessary. In both Firewall/Plus and Firewall-1, the GUI is really a high-level interface to a much lower-level language.

Firewall/Plus starts with a Configuration Wizard, which sets up a basic configuration from an undocumented set of generic policies (such as “liberal outgoing”), but touching an existing policy is asking for trouble. Because the starting policies are undocumented, the manager cannot easily tell what the wizard has already opened. In testing at Opus One, Firewall/Plus took longer to modify for testing purposes than any other product in this chapter.
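The frame-by-frame approach described above, as an added example that is not code from the book or from Firewall/Plus: a filter that reads each Ethernet frame, names the protocol from the type/length field (Ethernet II, Novell raw 802.3 and 802.2 SNAP encodings), descends into IPv4 for the protocol number and ports, and applies a pass/drop policy that can name non-IP protocols such as IPX or AppleTalk. The protocol numbers are the standard assignments; the policy and the sample frames are constructed here for the illustration, and anything the parser cannot make sense of is dropped.

```python
"""Added example: a frame-level pass/drop filter that recognizes non-IP
protocols. Protocol numbers are standard; policy and sample frames are
constructed for this illustration."""
import struct

ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x8137: "ipx", 0x809B: "appletalk",
              0x80F3: "aarp", 0x6003: "decnet"}

def decode_ipv4(payload: bytes) -> dict:
    """Pull the protocol number and, for TCP/UDP, the port pair out of an IPv4 packet."""
    if len(payload) < 20:
        return {"proto": "malformed"}
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        return {"proto": "malformed"}       # header claims more than is present
    info = {"proto": "ipv4", "ipproto": payload[9]}
    if payload[9] in (6, 17):               # TCP or UDP
        if len(payload) < ihl + 4:
            return {"proto": "malformed"}
        info["sport"], info["dport"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    return info

def classify(frame: bytes) -> dict:
    """Identify the protocol carried by one Ethernet frame, failing closed on junk."""
    if len(frame) < 14:
        return {"proto": "malformed"}
    typelen = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if typelen >= 0x0600:                   # Ethernet II: the field is an EtherType
        kind = ETHERTYPES.get(typelen, "unknown")
        return decode_ipv4(payload) if kind == "ipv4" else {"proto": kind}
    # Otherwise the field is an 802.3 length; what follows tells the encapsulations apart.
    if payload[:2] == b"\xff\xff":
        return {"proto": "ipx"}             # Novell "raw" 802.3 IPX begins with checksum 0xFFFF
    if payload[:3] == b"\xaa\xaa\x03" and len(payload) >= 8:
        snap_type = struct.unpack("!H", payload[6:8])[0]   # SNAP: 3-byte OUI, then EtherType
        kind = ETHERTYPES.get(snap_type, "unknown")
        return decode_ipv4(payload[8:]) if kind == "ipv4" else {"proto": kind}
    return {"proto": "llc"}

def decide(policy: dict, frame: bytes) -> str:
    """Pass or drop one frame. Anything unparseable or not listed in the policy is dropped."""
    info = classify(frame)
    if info["proto"] == "ipv4":
        return "pass" if (info["ipproto"], info.get("dport")) in policy["ip_services"] else "drop"
    return "pass" if info["proto"] in policy["pass_protocols"] else "drop"

# --- constructed sample traffic (not captured from any real network) ---
def ethernet(typelen: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", typelen) + payload

def ipv4_tcp(dport: int, sport: int = 40000) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 1, 5, 5]), bytes([10, 2, 9, 9]))                   # checksum left 0
    return ip + tcp

SMTP_FRAME = ethernet(0x0800, ipv4_tcp(25))
TELNET_FRAME = ethernet(0x0800, ipv4_tcp(23))
IPX_FRAME = ethernet(0x8137, b"\xff\xff" + bytes(28))            # Ethernet II IPX
RAW_IPX_FRAME = ethernet(30, b"\xff\xff" + bytes(28))            # Novell raw 802.3 IPX
APPLETALK_FRAME = ethernet(0x809B, bytes(13))
TRUNCATED_FRAME = ethernet(0x0800, b"\x45\x00")                  # IPv4 header cut short

POLICY = {"pass_protocols": {"ipx", "arp"},
          "ip_services": {(6, 25), (6, 80), (17, 53)}}            # (IP protocol number, dst port)

if __name__ == "__main__":
    samples = [("smtp", SMTP_FRAME), ("telnet", TELNET_FRAME), ("ipx", IPX_FRAME),
               ("raw-ipx", RAW_IPX_FRAME), ("appletalk", APPLETALK_FRAME), ("truncated", TRUNCATED_FRAME)]
    for name, frame in samples:
        print(f"{name:10s} {classify(frame)['proto']:10s} {decide(POLICY, frame)}")
```

The decision for IP traffic is keyed on the inner protocol and destination port, while the decision for everything else is keyed on the frame type alone; that is the price of filtering at the frame level, and it is why a policy for a product of this kind needs an entry for every link-layer protocol it is expected to admit.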

