Network security begins with an effective firewall. If you are a network administrator, you know that firewalls are a hot commodity, and there are plenty to choose from. But selecting which product is right for your network can be difficult.
If you are looking for a flexible, mid-priced firewall that is well-suited to an all-TCP/IP network, then I recommend the latest release of IBM eNetwork Firewall, Version 3.3. This release is a good solution that can fit into a diverse array of network environments; I found it to be a fine upgrade from the previous version. The virtual private network (VPN) technology and Configuration Wizard add significantly to the product's ease of use and overall functionality.
Although the product is not well-suited for multiprotocol environments and is not as diverse as a product such as CyberPlus from Network-1, eNetwork Firewall is a good choice for an all-IP network.
The eNetwork Firewall uses a hybrid architecture that consists of filtering, application proxies, and circuit-level gateways. With this version, IBM has added support for VPN, a Configuration Wizard, and expanded language support for German speakers. In addition, Version 3.3 sports a completely redesigned e-mail interface, now called Secure Mail Proxy, which replaces the previous Safemail technology. IBM said the Secure Mail Proxy will lay the foundation for significant mail-security features to be added in the future, such as anti-spamming and anti-mail-spoofing capabilities. IBM also plans to release an update to the built-in HTML proxy in the near future.
Version 3.3 also ships with some neat add-ons, such as a two-user copy of Security Dynamics' Ace Server, used for authenticating connections. IBM also provides an application-programming interface that aids in the development of custom authentication techniques.
The newfound VPN technology is a welcome addition to the product. eNetwork Firewall users can now build encrypted tunnels to and from remote sites using the Triple-DES and IPSec security standards. The product also supports DES and Cryptographic Data Masking Facility encryption as well as the Message Digest Version 5 and Secure Hash Algorithm authentication schemes. IBM has included a key recovery feature that permits recovery of encrypted data as it flows over the network. The product ships with a Windows 95 IPSec client, but it is supported only in conjunction with the AIX version of the firewall.
The Configuration Wizard is a welcome addition. I found that by using the wizard I saved a lot of time and effort in getting the firewall up quickly. The wizard launched itself automatically the first time I logged on to the firewall, and it guided me through several common tasks, including the selection of network interfaces, Domain Name System (DNS) configuration, mail, and the log setup. In addition, I could establish basic security policies and configure authentication methods for users based on the services that I enabled on the firewall.
Standard features found in this release, as well as previous releases, include support for centralised firewall management of multiple firewalls from AIX, Windows 9x, and Windows NT clients. Other standard features include Version 4 of Socks for AIX, Version 5 of Socks for NT, Socks monitor, automatic security alerts via e-mail and pager, OS hardening, logging and reporting, and a network security auditor. The product's documentation is HTML-based and works with any frames-enabled browser.
I installed eNetwork Firewall on a Windows NT Server 4.0 and used an NT Workstation 4.0 for installing the management interface. The management client installed quickly, and required only that I supply an installation directory path.
Installing the firewall was more involved. Beforehand, I had to install IBM's Intermediate Support Device Driver, which installed like any other network driver. I also had to enable NT's built-in IP Forwarding feature, which serves to move packets between two or more installed network cards. With that complete, I installed the firewall itself.
During the initial phase of firewall installation, the setup program checked to ensure that I had Service Pack 3 (SP3) or later loaded, as well as four post-SP3 hot fixes, which included ndis-fix, teardrop2-fix, dns-fix, and the simptcp-fix. IBM forces the installation of these hot fixes prior to firewall installation, but I did not see the need for the last two, since they serve to correct problems with Microsoft's DNS and Simple TCP/IP services, which I did not have loaded.
During the installation process, I chose to perform operating system hardening, which conducted a series of checks and changes to the system's security. This process included disabling log-ins for all users other than the administrator and disabling NT services not required for firewall operation.
Once the firewall software was installed, I performed a quick reboot and performed the initial configuration using the wizard. With the configuration complete, I started the remote configuration client to test its ease of use. The client was easy to navigate and presented information in an easy-to-read format using a standard Explorer layout. The left pane presented a tree view where items could be selected; their associated data was then displayed in the right pane.
The eNetwork Firewall is an impressive, easy-to-use system, with the advantages of a VPN and a useful Configuration Wizard. If you administer an all-IP network and do not require support for many non-IP protocols, I recommend this product.
(Mark Joseph Edwards (firstname.lastname@example.org) is a writer and network security consultant for Netropolis Technology Group and has more than 17 years experience.)The bottom line: very goodIBM eNetwork Firewall, Version 3.3Summary: This firewall is well-suited for any TCP/IP-based network. With its built-in virtual private network (VPN) technology, proxies, and flexible rules configuration, integrating the product doesn't require third-party add-ons to gain well-rounded functionality for use in most network environments.
Business Case: eNetwork Firewall is a competitively priced, cost-effective solution, capable of preventing significant business losses by protecting your network from malicious attacks.
+ VPN support
+ Mail Proxy
+ OS hardening
+ Flexible Java-based administration
+ Centralized management
- Supports only TCP/IP
Platforms: Intel systems running Windows NT Server 4.0 with Service Pack 3 or later; IBM AIX