My first firewall
Web Informant #186, 1 February 2000
I have this love-hate affair with firewalls. Sure, I recognize their need and utility and why they are important and all that stuff. I know how important they are to protect my networks from evildoers or just plain curiosity seekers. But then when it comes time to get them working, it always seems to take longer than watching your average NT machine reboot. Maybe there is something about me that is just chemically different from how your average firewall works.
A firewall is simply a machine with at least two network connections, typically one to the outside world and one to your internal network. It has a list of rules to determine how to block things (such as packets, applications, or kinds of connections) you don't want and how to allow things you do. The trick is in how you set up these rules.
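A toy version of such a rule list, added here as an illustration and not the rule syntax of the Ugate, SonicWall, Qube or Flowpoint products the column discusses: rules are checked in order, the first match decides, and anything that matches nothing is dropped. The 192.168.1.0/24 home network, the two interface names and the sample packets are all made up for the example. Whether an inbound packet is "opening a connection" is judged from the TCP SYN flag alone, a stateless approximation rather than real connection tracking, which is the caveat to keep in mind when reading the "replies" rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrived on: "outside" or "inside" (assumed names)
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False        # TCP SYN without ACK: a connection-opening packet


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any destination port
    new_conn: Optional[bool] = None  # None: don't care; True: only SYNs; False: only non-SYNs

    def matches(self, p: Packet) -> bool:
        if self.iface != "any" and self.iface != p.iface:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.new_conn is not None and self.new_conn != p.syn:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


HOME = "192.168.1.0/24"   # assumed private LAN behind the firewall


def good_rules() -> List[Rule]:
    return [
        Rule("deny", iface="outside", src=HOME),                       # anti-spoofing: our own addresses never arrive from outside
        Rule("allow", iface="inside", src=HOME),                       # anything the LAN starts may go out
        Rule("deny", iface="outside", proto="tcp", new_conn=True),     # nobody outside opens connections to us
        Rule("allow", iface="outside", proto="tcp", new_conn=False),   # replies to connections we opened (SYN-flag approximation)
    ]


def misordered_rules() -> List[Rule]:
    """Same rules with a tempting 'allow web traffic' rule placed first: it now
    admits inbound connection attempts to port 80 before the deny can see them."""
    return [Rule("allow", proto="tcp", dport=80)] + good_rules()


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "lan_browses_web":      Packet("inside",  "tcp", "192.168.1.10", "203.0.113.5",  80,    syn=True),
    "web_reply":            Packet("outside", "tcp", "203.0.113.5",  "192.168.1.10", 40123, syn=False),
    "inbound_probe_80":     Packet("outside", "tcp", "198.51.100.9", "192.168.1.10", 80,    syn=True),
    "spoofed_from_outside": Packet("outside", "tcp", "192.168.1.99", "192.168.1.10", 139,   syn=True),
    "inbound_udp":          Packet("outside", "udp", "198.51.100.9", "192.168.1.10", 53),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Run every sample packet through the rule list and report the verdicts."""
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("sensible order", good_rules()), ("web rule first", misordered_rules())):
        print(label)
        for name, verdict in decisions(rules).items():
            print(f"  {name:22s} {verdict}")
```

Running it shows the same four rules giving opposite answers for the inbound port-80 probe depending only on where the extra "allow web" rule sits, which is exactly why the rule-editing interface matters as much as the rules themselves.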
Right now I use two different products for the home and the office. At home, I am running Umax's Ugate-3000, which is a very simple firewall combined with a small four-port hub, DHCP server and NAT gateway. It just works, and works well enough that I haven't messed with it since I first got it installed. The Ugate came pre-set to be a DHCP client out to my cable modem, and a DHCP server for my home network, making the whole IP addressing thing quite easy really.
It has a Web browser interface, which every so often I bring up just to reassure myself that I can remember how to maneuver around in it. I also like the fact that it keeps the rough crowd out of my home yet allows my home machines to function just fine. And I also liked the fact that the thing's defaults out of the box were the right choices in terms of offering enough protection without a lot of hassles. I think it took about 15 minutes to configure, and that is counting the time I took to read the slim manual that came with it.
At work I have been running the SonicWall, which is a step up in terms of complexity and features and price from the Ugate. It also has a Web browser interface to set it up and configure it, and also a DHCP server and NAT gateway. It has the best system I've seen for setting up various firewall rules and filters to block or allow various kinds of protocols, ports, applications and whatnot. It wasn't as easy to set up as the Ugate; indeed, it took me the better part of a day to get the thing running properly, but once I had set it up I haven't touched it either, and it does a fine job.
Actually, I have two other products that can operate as firewalls in my office. One comes as part of the Cobalt Networks' Qube Web server appliance. But the setup is trouble: you have to know enough about firewalls and packet filtering rules to set them up yourself. Even though the Qube has a great Web interface for configuring its features, the firewall screens are pretty lewd and crude.
If you have lots of experience with Unix and routing commands, you'll take kindly to this approach. (Know that Web applications operate on port 80 and FTP on port 21? That's a start.) It is a pain in the neck to get this stuff configured for the 95% of the population who don't fall into this category. I ended up never using the features and putting the server to use as just a Web and file server, which it performs admirably.
The other firewall is built in to my Flowpoint DSL router. Flowpoint has been through some corporate hijinks, first being purchased by Cabletron and now landing with Efficient Networks, which makes its own line of DSL equipment. I liked the Flowpoint router until it came time to set up the firewall features.
Until recently, Flowpoint charged an extra couple of hundred bucks or so to enable its routers to act like firewalls. Last month they started giving the software away for free. A nice idea, but getting it set up will take a fair amount of work.
It is all command-line based, and any firewall will take several lines of code to set up. There are some example scripts on the company's Web page, but this isn't for first-time firewall users. Or even third-time users. And making changes is so painful that I don't want to get involved in doing them, even when, last week, I was testing a product that required some changes to my configuration. Like the Qube, it isn't worth trying to get this working for me.
Firewalls are good protection and make sense even for the average citizen. But until the interfaces get better and the time it takes to configure them gets shorter, they will remain curiosities for most of us. Sure, most of us need locksmiths to install locks on our doors. But it would be nice to add a layer of protection to our networks without having to hire expensive professional security consultants.
Copyright © 1999, 2000 media.org.
Web Informant copyright 2000 by David Strom, Inc., reprinted by permission
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.