Not long ago, installing a
firewall was a long, painful process requiring an abundance of arcane technical knowledge.
Installing a firewall for Windows NT is still difficult, but new products such as Sonic
Systems SonicWALL Plus DMZ 2.0.4 make the process much easier, especially if your firewall
needs are basic.
The SonicWALL Plus DMZ Internet security appliance has three 10Base-T interfaces: a WAN
port to connect your network to the Internet, a LAN port for a highly protected internal
network, and a DMZ (demilitarised zone) port for a network of public servers that can be
accessed from the WAN. Combining Stateful Inspection and packet filtering methods, the
SonicWALL Plus DMZ can block various attacks. With Network Access Rules - similar to Cisco
Systems packet-filtering access lists - you can further customise what the product
lets into the DMZ and LAN networks. You can also let some users log on to the appliance to
gain full access to LAN-based systems from the Internet. By default, the SonicWALL Plus
DMZ allows all traffic from the WAN to access the DMZ, but prevents WAN traffic from
accessing the protected LAN segment. All LAN traffic can pass outward to the DMZ or the
WAN, but only traffic originating in the DMZ or traffic that is part of a session that a
LAN user initiated can enter the LAN.
I started the installation planning process by deciding which of the Windows NT Magazine
Lab systems would be part of the protected LAN segment and which systems would be part of
the DMZ. Using a pair of 3COM SuperStack II 10Base-T Ethernet switches, I created two
network segments and I was now ready to begin installing the appliance.
Installation
Sonic Systems did a good job of documenting the installation process in the unit's
accompanying manual, which takes you through the basic information necessary to get up and
running. Because the SonicWALL Plus DMZ takes over the address of the default gateway
router on the network, you must reset the router during installation. To minimise network
downtime, you can perform the initial configuration by directly connecting a computer to
the unit's LAN port, which is the method I chose to use. You configure the SonicWALL
Plus DMZ using its built-in Web management interface. After configuring a computer with an
IP address in the same Class C address range as the SonicWALL Plus DMZ's default IP
address, I was able to access the configuration screens. Next, I supplied a new address
for the unit, and default gateway and DNS server addresses. As I intended to use the
unit's DMZ port, I also entered the IP addresses of the systems that I wanted to be
on the DMZ network segment into the DMZ Address field of the Advanced menu. At this point,
you can also configure Network Address Translation (NAT) for systems on the LAN port.
The unit was now ready for installation. After turning off the router, I connected it, the
LAN, and the DMZ network switches to their respective ports on the SonicWALL Plus DMZ,
powered the unit on, and then turned the router back on. I was up and running!
Configuration
With the default protection in place, I further restricted access to the network by
blocking all WAN traffic to TCP/UDP ports 137, 138, and 139, which NT uses extensively.
The SonicWALL Plus DMZ firmware predefines several protocol and port combinations that it
can use for packet filtering. Additional service definitions are easy to add. After
enabling logging to a Syslog server, I could monitor the type of connections the unit
allowed, and set up services to block additional ports.
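As an added illustration (not the appliance's own code or its rule syntax), the following small stateful model encodes the default zone policy described earlier together with the NetBIOS rule added in this section; the zone names, addresses and port numbers in the sample are assumed.

```python
"""Constructed model of the three-zone default policy the review describes, plus
its added Network Access Rule. Added illustration; not SonicWALL firmware or syntax."""
from dataclasses import dataclass

NETBIOS_PORTS = {137, 138, 139}  # TCP/UDP ports the review blocks from the WAN

@dataclass(frozen=True)
class Packet:
    src_zone: str  # "WAN", "LAN" or "DMZ"
    dst_zone: str
    proto: str     # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

class ZoneFirewall:
    def __init__(self):
        # Flows a LAN host initiated: (proto, lan_ip, lan_port, peer_ip, peer_port)
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        # Explicit rule added in the review: no NetBIOS from the WAN to anywhere.
        if p.src_zone == "WAN" and p.dst_port in NETBIOS_PORTS:
            return "BLOCK"
        if p.dst_zone == "LAN":
            # Only DMZ-originated traffic or replies to LAN-initiated flows enter.
            reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if p.src_zone == "DMZ" or reverse in self.sessions:
                return "ALLOW"
            return "BLOCK"
        if p.src_zone == "LAN":
            # LAN may reach the DMZ or WAN; remember the flow for its return path.
            self.sessions.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "ALLOW"
        # Remaining cases (WAN -> DMZ, DMZ -> WAN) are open by default.
        return "ALLOW"

def run_sample() -> list:
    """Constructed packets (documentation and private addresses) walked through in order."""
    fw = ZoneFirewall()
    flows = [
        Packet("WAN", "DMZ", "tcp", "203.0.113.5", "192.0.2.10", 40000, 80),   # ALLOW
        Packet("WAN", "LAN", "tcp", "203.0.113.5", "10.0.0.10", 40000, 80),    # BLOCK
        Packet("WAN", "DMZ", "tcp", "203.0.113.5", "192.0.2.10", 40001, 139),  # BLOCK
        Packet("LAN", "WAN", "tcp", "10.0.0.10", "198.51.100.7", 51000, 443),  # ALLOW
        Packet("WAN", "LAN", "tcp", "198.51.100.7", "10.0.0.10", 443, 51000),  # ALLOW
        Packet("WAN", "LAN", "tcp", "198.51.100.7", "10.0.0.10", 443, 51001),  # BLOCK
    ]
    return [fw.decide(p) for p in flows]
```

The last two packets show the stateful part: the reply matching the LAN host's recorded flow is admitted, while a WAN packet to an unrelated LAN port is dropped even though it comes from the same peer.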
You can email the summarised security log of blocked traffic maintained in the appliance
to an address you configure. You can also email notification of detected attacks (alerts)
to a separate address. For example, you can configure the SonicWALL Plus DMZ to send
alerts to your pager and logs to a standard email address.
I was surprised to see such a wide array of options that let you restrict the nature of
the Web traffic you allow into your network. The SonicWALL Plus DMZ supports content
filtering, which lets you block content matching any of a dozen categories in the Content
Filter List (e.g., nudity, drugs, intolerance). The CyberNOT Oversight Committee, whose
membership includes a broad social spectrum, manages the Content Filter List (see
http://www.cyberpatrol.com for more information). You can also block cookies, Java and
ActiveX page segments, and access to WAN-based proxy servers that users could use to
circumvent the filtering. Content filtering is highly configurable and a
subscription-based automatic Content Filter List update keeps your list of blocked sites
current.
One convenient feature is automatic email notification when new firmware updates are
available. Shortly after setting up SonicWALL Plus DMZ, I received notification that an
upgrade from version 2.0.4 to version 3.1.1 was available, which adds one-to-one NAT and
(for a fee) VPN support. I decided to install the upgrade, which turned out to be a
painless process. I restarted the appliance to make sure it was in a known state. I saved
the existing configuration (preferences in SonicWALL terminology), downloaded the
version 3.1.1 firmware from Sonic Systems' Web site, uploaded the upgrade into the
SonicWALL Plus DMZ, and imported the previously saved preferences back into the appliance.
The process took less than 15 minutes. I was pleased to note that restoring my saved
preferences did not delete the new predefined services (protocol and port definitions for
packet filtering) that the firmware upgrade added. I was also glad to see a simple upgrade
process that worked as advertised.
Summary
I found the SonicWALL Plus DMZ to be a great product at a reasonable price. The unit is
easy to set up and configure, and it has a broad feature set with flexible packet and
content-filtering options. With the SonicWALL Plus DMZ, implementing Internet security doesn't have
to be a formidable task.