February 14, 2001 12:00 AM

Firewalls with VPN

Windows IT Pro
InstantDoc ID #19686

eTrust Firewall 3.0 and eTrust VPN
CA offers eTrust as its comprehensive enterprise firewall solution. Formerly known as GuardIT, this kernel-level firewall is a powerful component of CA's Unicenter TNG family, although you can use eTrust Firewall independently of Unicenter TNG. eTrust Firewall runs primarily on NT 4.0, but I ran the management tool on Win2K Pro.

After I installed the Unicenter TNG Framework, installing eTrust was a breeze and took only a couple of minutes. When you install the firewall-administration tool, eTrust also installs a Java runtime environment. Don't be put off because the administration tool is Java-based; I installed the eTrust administrator and Java runtime tool on a Win2K client behind the firewall and found the tool to be faster and more productive than other firewall administration tools in this review.

After I started the firewall and launched the administrator for the first time, I had to bind each NIC in the firewall to its corresponding virtual network. eTrust predefines three such virtual networks: a private internal network, an exposed DMZ network, and the Internet. Figure 4 shows the intuitive network diagram eTrust provides to assist in the binding process. You drag icons that represent the appropriate NICs from the tree in the left-hand pane onto the correct virtual networks in the right-hand pane. After binding the interfaces, I could begin to create firewall rules.

CA's easy-to-use Internet Wizard is by far the most comprehensive wizard that I encountered in any of the products I reviewed. It helped me set up rules for external access and configure Network Address Translation (NAT) to redirect Web, DNS, email, and other services from the firewall to an internal machine. Sending the configuration to a firewall is as simple as right-clicking the firewall listed in the administration tool's tree and selecting the Deploy option, which causes eTrust to compile the rule base and update the firewall.

eTrust's logging features are a bit different from those of the other products I tested. For any given rule, you can set up a series of alerts. You can tie the alerts to an external program or interface to use your own custom notification alternative, or you can use Unicenter TNG's alerting functions. Within eTrust, you can click the alerts icon to display a log of recent alerts. To see a history of all connections, both passed and failed, you need to run one of several reports that eTrust includes. These reports can help you troubleshoot connections.

Online Help in eTrust is scarce. Most screens are devoid of any useful information. The FAQs on CA's Web site contain much more information than the online Help file does.

eTrust is unique in that you can delegate to administrators permissions for individual firewalls. Each firewall has a separate set of rules for inbound traffic, outbound traffic, and DMZ traffic. In addition to invoking a firewall's individual rule sets, eTrust applies a set of overriding rules before and a set of baseline rules after the individual rules. You can configure and use overriding rules to enforce a corporate policy on certain protocols and baseline rules as a minimum firewall policy. Each firewall also has a vulnerability scanner that examines the firewall host for potential vulnerabilities such as services and open ports.
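To make the three-tier ordering concrete, here is an added Python model of first-match evaluation across overriding, per-firewall (inbound, outbound, DMZ) and baseline rule sets. It is a constructed illustration, not CA's code or eTrust's actual rule format; the tier layout, the sample addresses and the implicit default deny are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

def _in(addr: str, cidr: str) -> bool:
    """True if addr falls inside cidr; the literal "any" matches every address."""
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # None matches every destination port
    direction: str         # "inbound", "outbound", "dmz" or "any"

    def matches(self, pkt: dict) -> bool:
        if self.direction not in ("any", pkt["direction"]):
            return False
        if self.port is not None and self.port != pkt["port"]:
            return False
        return _in(pkt["src"], self.src) and _in(pkt["dst"], self.dst)

# Constructed sample tiers (assumed layout, not eTrust's real rule format).
OVERRIDING: List[Rule] = [            # corporate policy: no telnet, anywhere
    Rule("deny", "any", "any", 23, "any"),
]
FIREWALL: Dict[str, List[Rule]] = {   # this firewall's own three rule sets
    "inbound":  [Rule("allow", "any", "10.0.0.5/32", 80, "inbound")],
    "outbound": [Rule("allow", "10.0.0.0/8", "any", None, "outbound")],
    "dmz":      [Rule("allow", "10.0.0.0/8", "192.168.1.0/24", 23, "dmz")],
}
BASELINE: List[Rule] = [              # minimum policy applied after the above
    Rule("allow", "any", "10.0.0.53/32", 53, "any"),
]

def evaluate(pkt: dict, overriding=OVERRIDING, firewall=FIREWALL,
             baseline=BASELINE) -> Tuple[str, str]:
    """First matching rule decides; the tier order is what enforces policy.
    Returns (action, tier) so an operator can see which layer fired."""
    tiers = [("overriding", overriding),
             (pkt["direction"], firewall.get(pkt["direction"], [])),
             ("baseline", baseline)]
    for name, rules in tiers:
        for rule in rules:
            if rule.matches(pkt):
                return rule.action, name
    return "deny", "implicit"        # nothing matched: default deny
```

The local DMZ rule permits telnet, yet the corporate overriding rule is evaluated first, so the connection is still denied; the baseline rule only fires when neither earlier tier matched.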

CA's eTrust VPN doesn't become part of the firewall; instead, you install it directly on servers that users need access to. This standalone approach to VPN services lets you restrict VPN traffic to one port. eTrust VPN runs on NT 4.0, Win9x, Solaris 2.6 and later, AIX 4.3.3 and later, and HP-UX 11 and later.

The VPN is unique in another way too: It works in conjunction with PPTP, Layer 2 Tunneling Protocol (L2TP), and the IP Security (IPSec) protocols. Consequently, if you're already using these protocols, you don't need to change your entire infrastructure to accommodate the VPN, and clients can use your existing authentication methods when attaching to a VPN-enabled server. In addition, eTrust VPN supports Triple Data Encryption Standard (3DES, 168-bit) encryption.

Overall, eTrust Firewall is easy to use. Administrators thinking about deploying their first firewall or those who already have a Unicenter TNG deployment should seriously consider eTrust if its price is within their budget. The flexibility of the rule base combined with the Internet Wizard and the interaction with other CA components makes this a simple and wise choice for many enterprise environments.

eTrust Firewall 3.0 and eTrust VPN
Contact: Computer Associates * 631-342-5224
or 800-225-5224
Web: http://www.ca.com
Price: Firewall: $2999 for unlimited users and sessions; VPN: starts at $4000 per server administrator
Decision Summary:
Pros: Integrates with Unicenter TNG Framework; fast, Java-based management client; excellent configuration wizard; flexible rules
Cons: Poor online Help

A Couple Standouts
Each firewall I tested appears to adequately protect the internal network, and each product has its strong points. Table 1 shows a feature comparison of the four products. The four vendors take slightly different approaches to VPNs. You can use Symantec's software-based VPN with Raptor or another firewall running on a separate machine. NetGuard offers a hardware-based VPN in the form of a PCI accelerator card that you add to the firewall system; this approach helps free up system resources. Check Point integrates its software-based VPN directly into the firewall for access to systems on the internal network and offers a VPN accelerator card. CA designed eTrust VPN not to give clients access to the entire network but rather to give them access to specific systems on which the VPN is installed. This approach might appeal to shops that need a high level of control, but the base price of $4000 for one server is on the high side.

Symantec has clearly put a lot of effort into Raptor's daily management features. Raptor was an easy and fun product to use. eTrust offers a good management interface, an excellent configuration wizard, and a flexible rules approach.

VPN-1 Gateway is a solid product with a very attractive VPN client solution. VPN-1 SecureClient should meet with warm approval from security administrators. Throw in VPN-1 Gateway's high-availability feature and flexible rules, and this product stands tall. But GuardianPro really shines with its logging and alerting features, which make the life of a firewall administrator much easier.

Of the firewalls I tested for this review, my favorite is GuardianPro and Guardian IPSec VPN, with VPN-1 Gateway a close second. The Guardian solution does cost a bit more than VPN-1 Gateway, but I think its monitoring capabilities are worth the extra money. If the two firewalls' architectures fit your environment, be sure to give them both a close look.

Comments
  • Sergey
    9 years ago
    Nov 07, 2003

    It does not work under Win2K Server!

  • Allen Jones
    11 years ago
    Jun 06, 2001
    Early in the review process, I had to define exactly what category of products to test so that I could be sure I was comparing apples to apples. I decided to highlight four popular software-based network firewalls whose vendors also offered a VPN that integrated with the firewall. I'd gladly review UNIX products and appliance-based solutions, but reviewing them all in one article wasn't an option.

    --Allen Jones

  • Phil Wells
    11 years ago
    Jun 06, 2001

    Articles and reviews about firewalls always seem to lump products by platform. For example, an article about Windows NT firewalls won't include standalone boxes such as the products that WatchGuard Technologies and SonicWALL offer; UNIX products also get left out. Can an NT-based network use a UNIX firewall or a SonicWALL appliance? Of course it can. Consider expanding Allen Jones's Lab Reports: "Firewalls with VPN" (March 2001) to include other firewall platforms.

  • David McKinney
    11 years ago
    Mar 01, 2001

    A good review except you don't really discuss the overall security of the products short of the mention of Checkpoint's secureclient.

    You should have at least discussed the varieties of mechanisms of the various firewalls, application proxy, stateful inspection, etc.

    I must admit I am biased to the Raptor product. It's a tough cookie to break into. I do not believe that there is one case where a hacker broke the security of a Raptor firewall. The same cannot be said for the market leader, Checkpoint. Your article shed no light on this complex subject.

    My $.02,

  • Gregor Munro
    11 years ago
    Feb 21, 2001

    I took a few seconds to review your article. In your assessment of FireWall-1/VPN-1 you are wrong on a number of points.
    Check Point does indeed include wizards for defining rulebases. If you click on File, New Policy and enter a policy name, click on security and address translation, on the right hand side of the dialog box, you will see "helpers" including Wizard, Template and empty policy.
    You also fail to point out that the standard remote client SecuRemote is $FREE$.
    Performance of the Log viewer is greatly dependent upon your hardware and address resolution capabilities. If your firewall machine is the same as your management machine, then performance will be adversely affected. Secondly, if you have "options, resolve addresses" turned on, then the performance of the log viewer is directly relational to the speed of your management server's DNS resolution capabilities. Besides, which would you rather have: performance and security, or near-real-time reporting???
