Michelle, I recently investigated just that and came up with only 2
products.  Caveat: I needed a Windows NT based solution (I feel safer
trying to secure the crud I know than a system I don't know...)

One was Sybergen's Sygate product, which I was already utilizing in a
relatively limited sense, and was what I was looking to replace with a
more robust system.

Sygate, bluntly, left a lot to be desired.  It's a fairly decent
"straight" NAT, but the lack of the ability to filter on
anything other than a full IP address (I'm not even sure if I am
expressing that correctly; what I mean is that there is no concept of an
IP range - not via a NetMask, X.X.X.X/n significant digits, or
startIP-endIP !nothing! - which was so "at odds" with my concept of
TCP/IP networking I couldn't even conceive of it at first) severely
limits its usability as a packet filter type firewall.

www.sybergen.com

The far better of the two, (lightyears!) is WinRoute Pro.  Unlike
Sygate, it supports more than 2 adapters, so you can set up a DMZ.  It
also has a very robust NAT engine.  It operates at the IPSEC level, so
theoretically at least and as I understand it, the OS can't route if it
fails to NAT.  It has decent packet filtering capabilities, and the
ability to be multihomed and to perform port mapping, which has allowed
me to move my web and mail servers to behind the firewall - something I
couldn't do with Sygate.
It worked as a straight NAT, with DHCP, as soon as it was installed.

Now to discuss shortcomings.  It doesn't allow import/export of rules,
which can make setting up rulebases difficult.  You also can't associate
multiline rules with any kind of a description, which would be really
nice, although using the address group functionality to help simplify
the administration of the rule base eases this.  The web proxy is
flaky; if you want a web browsing proxy, buy one that works
elsewhere.  I didn't mess with the mail server, so I have no comment
there.   It also lacks the ability to open port ranges based upon
previous traffic (i.e. UDP on  port XXX only while TCP exchange on Port
YYY is active) which was something Sygate could do.

The unlimited version cost me $1000, and I am running it on NT
Workstation on a P-III 667 box.  Our network of 35 machines sometimes
hits 7% processor utilization, so I definitely overkilled on the box
(which is what I wanted.)

www.tinysoftware.com

!!! NOW!!!  THE MOST IMPORTANT THING OF ALL  !!!

Please, please UNDERSTAND THIS. Neither of these solutions come with ANY
support to speak of.  Sybergen, when I once asked them a question
multiple times, responded 2 weeks after the first request - and parroted
back unrelated information from the manual which made it obvious that I
knew far more than the person responding.  When I needed to know what
one of the confusing options in the WinRoute interface section setup
meant, the response was again parroted almost word for word from the
manual, with no additional detail - and neither of my "does it work like
this or this?" questions was addressed even remotely.  When I sent Tiny Software
logs and a web address that would not browse via proxy, I was emailed
back instructions for how to set up IE to directly browse sites - even
though I had stated that my goal was to force all web browsing via proxy
so I didn't have to open port 80 globally.

So, while I can't speak for the support from the hardware oriented
firewall vendor, expect to be VERY MUCH ON YOUR OWN with these
solutions.  And that has a cost, too.  In time, in "comfort", and in
vulnerability when you misunderstand and/or make a mistake.

Good Luck!

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
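The complaint above about filtering only on full IP addresses is easiest to see with a small rule matcher that does accept the three range notations the poster lists (netmask, X.X.X.X/n, startIP-endIP) alongside a single host. The following is an added illustration, not code from the post or from either Sygate or WinRoute; the rule format, the sample rulebase and the first-match/default-deny policy are assumptions made for the example, and the addresses are constructed. It relies only on Python's standard ipaddress module.

```python
"""Toy first-match packet filter showing why address ranges matter in a rulebase.

Accepted source-address notations (all assumed for this example):
  single host      192.0.2.10
  CIDR prefix      192.168.1.0/24
  dotted netmask   192.168.1.0/255.255.255.0
  explicit range   192.168.1.200-192.168.1.220
A filter that only understands single hosts would need one rule per address
to express any of the last three; address_count() shows how many.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def parse_address_spec(spec: str) -> list:
    """Turn one address spec into a list of ip_network objects covering it."""
    spec = spec.strip()
    if "-" in spec:
        # startIP-endIP: summarize into the minimal set of CIDR blocks
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    if "/" in spec:
        # ip_network accepts both a prefix length and a dotted netmask here;
        # strict=False lets host bits be set (192.168.1.5/24 -> 192.168.1.0/24)
        return [ipaddress.ip_network(spec, strict=False)]
    # a bare host becomes a /32 (or /128) network
    return [ipaddress.ip_network(str(ipaddress.ip_address(spec)))]


def contains(networks, ip: str) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def address_count(spec: str) -> int:
    """Number of single-host rules a range-less filter would need for spec."""
    return sum(net.num_addresses for net in parse_address_spec(spec))


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # source address spec (see module docstring)
    dst_port: Optional[int] = None   # None means any destination port
    networks: list = field(init=False, repr=False)

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.networks = parse_address_spec(self.src)

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return contains(self.networks, src_ip) and (
            self.dst_port is None or self.dst_port == dst_port
        )


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


# Constructed sample rulebase (illustrative addresses only).
RULES = [
    Rule("deny", "192.168.1.200-192.168.1.220"),        # quarantined hosts first
    Rule("allow", "192.168.1.0/255.255.255.0", 80),     # LAN may reach the web server
    Rule("allow", "10.0.0.0/8", 25),                    # private ranges may reach SMTP
    Rule("allow", "203.0.113.7"),                       # one admin host, any port
]

if __name__ == "__main__":
    for ip, port in [("192.168.1.77", 80), ("192.168.1.210", 80),
                     ("10.20.30.40", 25), ("192.168.1.77", 22)]:
        print(f"{ip}:{port} -> {evaluate(RULES, ip, port)}")
    print("single-host rules needed for 192.168.1.0/24:", address_count("192.168.1.0/24"))
```

The three notations all collapse to the same ip_network objects, so one rule line covers a whole subnet; the address_count() call makes the cost of the missing feature concrete (a /24 alone is 256 single-host rules). The example is first-match with a default deny, which is the policy most packet filters of this kind apply; it does not model the related-port tracking mentioned later in the post.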
