I have this love-hate affair with firewalls. Sure, I recognize their need and utility and why they are important and all that stuff. I know how important they are to protect my networks from evildoers or just plain curiosity seekers. But then when it comes time to get them working, it always seems to take longer than watching your average NT machine reboot.
A firewall is simply a machine with at least two network connections, typically one to the outside world and one to your internal network. It has a list of rules to determine how to block things (such as packets, applications, or kinds of connections) you don’t want and how to allow things you do. The trick is in how you set up these rules.
Right now I use two different products for the home and the office. At home, I am running UMax’s Ugate-3000, which is a very simple firewall combined with a small four-port hub, DHCP server, and NAT gateway. It works well enough that I haven’t messed with it since I first got it installed. The UGate came preset to be a DHCP client out to my cable modem, and a DHCP server for my home network, making the whole IP addressing thing quite easy.
It has a Web browser interface, which every so often I bring up just to reassure myself that I can remember how to maneuver around in it. I also like the fact that it keeps the rough crowd out of my home yet allows my home machines to function just fine. And I also like the fact that the thing’s defaults out of the box were the right choices in terms of offering enough protection without a lot of hassles. I think it took about 15 minutes to configure, and that is counting the time I took to read the slim manual that came with it.
At work I have been running the SonicWall, which is a step up in terms of complexity and features and price from the UGate. It also has a Web browser interface to set it up and configure it, and also a DHCP server and NAT gateway. It has the best system I’ve seen for setting up various firewall rules and filters to block or allow various kinds of protocols, ports, applications, and whatnot. It wasn’t as easy to set up as the Ugate — indeed, it took me the better part of a day to get the thing running properly, but once I had set it up, I haven’t touched it either, and it does a fine job.
Actually, I have two other products that can operate as firewalls in my office. One comes as part of the Cobalt Networks’ Qube Web server appliance. But the setup is trouble: You have to know enough about firewalls and packet filtering rules to set them up yourself. Even though the Qube has a great Web interface for configuring its features, the firewall screens are pretty crude.
If you have lots of experience with Unix and routing commands, you’ll take kindly to this approach. (Know that Web applications operate on port 80 and FTP on port 21? That’s a start.) It is a pain in the neck to get this stuff configured for the 95% of the population who doesn’t fall into this category. I ended up never using the features and putting the server to use as just a Web and file server, which it performs admirably.
The other firewall is built into my FlowPoint DSL router. FlowPoint has been through some corporate hijinks, first being purchased by Cabletron and now landing with Efficient Networks, who makes its own line of DSL equipment. I liked the FlowPoint router until it came time to set up the firewall features.
Until recently, FlowPoint charged an extra few hundred bucks to enable its routers to act like firewalls. Last month it started giving the software away for free. A nice idea, but getting it set up will take a fair amount of work. It is all command line based, and any firewall will take several lines of code to set up. There are some example scripts on the company’s Web page, but this isn’t for first-time firewall users. Or even third-time users. And making changes is so painful that I don’t want to get involved in doing them, even when I was testing a product last week that required some changes to my configuration. Like the Qube, it isn’t worth trying to get this working for me.
Firewalls are good protection and make sense even for the average citizen. But until the interfaces get better and the time it takes to configure them get shorter, they will remain curiosities for most of us. Sure, most of us need locksmiths to install locks on our doors. But it would be nice to add a layer of protection to our networks without having to hire expensive professional security consultants.
Here are the links to each vendor’s site and typical prices:
- UGate 3000, http://maxgate.net/product.htm, $369
- SonicWall, http://www.sonicwall.com/, $420
- Cobalt Qube, http://www.sun.com/hardware/serverappliances/qube3/, $1,500
- FlowPoint 2200, http://www.flowpoint.com/products/, $600
David Strom is one of the leading experts on network and Internet technologies and has written extensively on the topic for more than 13 years for a variety of publications. His firm, David Strom Inc., began operations in December 1992. Since September 1995, he has self-published a weekly series of essays called Web Informant, from which this essay is taken. © 2000 David Strom Inc., and reprinted with permission. Read Strom’s other articles at http://www.strom.com.