Whether a campus computer network is large or small, it needs security that blocks unauthorized access and intrusion. On large networks, the increasing diversification of network activity—including wireless access, telecommuters, and virtual private network (VPN) connections—complicates the issue. In order to ensure security, therefore, it's best to implement various solutions, including antivirus protection, intrusion detection software, and firewalls.

Firewalls are the front line of defense, the border guards against unauthorized movements of users into or out of the network. Firewalls don't analyze messages but instead simply prohibit access to anything that doesn't meet specified criteria. There are many kinds of firewall products: personal firewalls, which reside on one specific computer, as well as enterprise-level network firewalls. Software firewalls are less expensive and more available than hardware solutions. However, hardware firewalls are always on and don't interfere with other software running on the computer. We've surveyed several of the top enterprise firewall products in this issue, from Microsoft Corp. Windows NT products to Linux and Apple Computer Inc. Macintosh devices.

For Windows NT


Cisco Secure PIX 500 Series

The Cisco Systems Inc. Secure PIX 500 series is one of the leading Windows NT firewall products on the market. The series encompasses five models scaled for a variety of customer needs and network sizes, from the enterprise market all the way down to the small office environment. At the enterprise level, the PIX 535 provides a throughput of 1 gigabit/sec with the ability to handle up to 500,000 connections concurrently. Administrators of a smaller network may prefer the PIX 525, which delivers 370 megabits/sec and 280,000 simultaneous sessions. Each model has built-in IPSec encryption, allowing both site-to-site and remote access VPN deployments for off-campus users. Each model features an easy-to-install, integrated hardware/software appliance that uses a non-UNIX, secure, real-time, embedded system. The PIX firewalls may be managed by the PIX Configuration Manager or centrally managed by the Cisco Secure Policy Manager, which can manage up to 500 PIX firewalls, integrated software deployments, and site-to-site VPN installations. Contact: Cisco Systems, Santa Clara, Calif., (800) 553-NETS, www.cisco.com.


CyberwallPLUS

Designed to protect Windows NT/2000 systems and enterprise computer networks, the Cyberwall system consists of a central management system (called CyberwallPLUS-CM) and a family of four firewalls that secure desktops, servers, Internet access, and enterprise networks. Cyberwall's approach layers a packet filter firewall and packet inspection with an active intrusion protection system. This combination gives the administrator fine-grained access control at the host level. CyberwallPLUS features pre-configured security templates that help administrators install the product quickly, regardless of their security experience level. The workstation version of the product also includes the ability to limit or forbid access to particular applications, such as Napster or Doom. Contact: Network-1 Security Solutions, Waltham, Mass., (800) NETWRK1, www.network-1.com.

Symantec Enterprise Firewall 6.5

Symantec Corp. Enterprise Firewall (formerly known as the Raptor firewall) features a unique hybrid architecture designed to provide transparent firewall protection without slowing approved traffic. Its support for a broad selection of user authentication methods such as RADIUS, digital certificates, Lightweight Directory Access Protocol, and NT domain authentication gives administrators the flexibility to use existing security databases in the users' environment. Symantec's product is, above all, flexible. Users can choose between a hardware- or software-based solution for high availability and load balancing as well as integrated Web and Usenet content filtering. The product was developed for the Windows NT/2000 and Sun Microsystems Inc. Solaris platforms, and Symantec touts its intuitive interface and range of easy-to-use tools for configuring, managing, and maintaining the firewall. From a central console, administrators can manage security policies for both local and remote firewalls and obtain a variety of security logs and management reports. An optional Symantec Enterprise VPN (formerly called the PowerVPN) can be combined with a personal firewall product and the Symantec Enterprise Firewall to extend the corporate perimeter and provide secure, low-cost connectivity for remote offices and telecommuters. Contact: Symantec, Cupertino, Calif., (408) 517-8000, www.symantec.com.

SonicWALL GX 2500 and 6500

The SonicWALL GX 2500 and 6500 Internet security appliances deliver an integrated security solution, combining a high-bandwidth firewall and VPN hardware for large enterprise institutions. With an application-specific integrated circuit security architecture, ICSA-certified packet inspection technology, and the inclusion of 100 VPN clients for secure connectivity for dial-up users off campus, the GX products compete with other firewall packages in this class. Administrators can manage the GX 2500 or 6500 using a variety of local and remote options, including CLI, a Web management interface, and Simple Network Management Protocol. Also included is SonicWALL ViewPoint, a Web-based, graphical reporting tool for managing and monitoring network security. For mission-critical security, users can install two SonicWALL GXs, as primary and secondary appliances, creating a redundant pair. There is even a built-in redundant power supply. The scalable design accommodates future upgrades and interface types. The product supports seamless integration of other SonicWALL security appliances, such as Network Anti-Virus and Internet Content Filtering, to provide all-in-one security. Contact: SonicWALL, Sunnyvale, Calif., (888) 222-6563, www.sonicwall.com.

For Mac OS X

DoorStop Server Edition

Open Door Networks sells two products that work in combination to provide security for Macintosh-based servers. The first, a firewall called DoorStop Server Edition, includes advanced, server-specific security features and is specifically intended to run with such servers as AppleShare IP, WebSTAR, and ShareWay IP Professional. The second, Who's There Firewall Advisor, works with DoorStop to analyze each attack. Who's There provides administrators with critical information, including access attempts by service type and accessor IP address, built-in information about the most common attacks and their applicability to the specific Mac OS environment under which Who's There is running, and an automated "Whois" lookup to determine details of the accessor's network. The system can also automatically draft an e-mail that can be used to notify the administrator of the access attempt and provide him or her with details that may be useful in tracking the attempt. Who's There works with DoorStop as well as Symantec and IPNetSecurity products for the Macintosh. Contact: Open Door Networks, Ashland, Ore., (541) 488-4127, www.opendoor.com.