
Labs

June 19, 2000


Fortify Windows NT And Win2000 Security

CyberwallPlus SV is an affordable, comprehensive network monitor and intrusion detector

By Tom Henderson

If your Microsoft Windows NT or Windows 2000 Server network is connected to the Internet, it's potentially a neon sign flashing the words "hack here now." NT networks have been a magnet for hacking attempts, and the list of possible attack points runs for pages. NT/2000 servers can be attacked from the Internet, but they're also exposed to intrusions that arrive over virtual private networks and from the secure, or internal, side of the network. Network-1 Security Solutions Inc.'s CyberwallPlus SV is a comparatively inexpensive way to protect an NT/2000 server as a firewall on both fronts, hardening the server itself and the communications that pass through it. The version I tested, 5.2, was advertised for use on Windows NT (Service Pack 3 or higher) or Windows 2000. Installing CyberwallPlus SV on Windows NT servers took me about three minutes (Compaq ProLiant 3000 servers with twin 450-MHz CPUs and 256 Mbytes of DRAM). The product can be installed under an evaluation license, if desired.

Installation under Windows 2000 was slightly troublesome. A warning popped up, telling me that CyberwallPlus SV had been tested only against Windows 2000 Release Candidate 2 (RC2, which dates that testing to approximately last September). CyberwallPlus gets its speed by running as a kernel-mode driver, the fastest attachment point available to software of this kind, and the kernel changed between RC2 and the final release. Through the rest of the tests, I couldn't determine whether this had affected the product's operation. I ran the installation from a factory-supplied CD.

CyberwallPlus is built on stateful inspection, the technique of tracking the state of each network conversation rather than judging every packet in isolation. Any firewall has to look at traffic to decide whether it is legitimate. One way to do that is to compare the traffic against the signatures of known harmful or potentially harmful components and attacks, which is how many virus-detection applications work, and it explains why that approach slows traffic down.

Full-time virus-protection applications (as opposed to versions that scan only on command) read the stream of data flowing in and out of a PC. They must compare that stream against a database of known virus signatures without overly impeding the PC. A signature-matching firewall acts in much the same way: an application inserts itself into the flow of traffic and analyzes conversations and requests to see whether they're valid, and that inspection slows the PC just as virus detection slows data movement.

The stateful-inspection method Network-1 uses in CyberwallPlus gains speed in several ways. First, it runs as a kernel-mode driver at the core of the operating system, so packets need not be copied up to a user-mode process. Second, it keeps a table of the conversations made to the host system, recording for each one the protocol in use and how far the exchange has progressed.

Rather than scanning every payload byte the way a virus scanner does, CyberwallPlus tracks the relationships between network connections (who opened a connection, in which direction, and at what stage of the protocol it stands) and judges validity from that. Packets that don't fit a tracked conversation are flagged as suspicious, or the packets and connections are simply dropped. Although this looks less thorough than full payload inspection, the behavior of protocols and network conversations can be tracked statefully well enough to satisfy the ICSA, a certifying body for security products. My tests corroborated this.

CyberwallPlus SV also performs network address translation (NAT) and tracks the translations in the same state table, so addresses on the secure side of the network can't be discovered from the unsecured side. This lets an organization present a single public IP address to the outside world while using one of the private address ranges on its internal network.
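The two mechanisms described above, a state table that decides whether a packet belongs to a valid conversation and a NAT table that hides internal addresses behind one public address, are easier to see in code. The following is an added illustration written for this review, not CyberwallPlus code; the addresses, ports and packet sequence are constructed, and the three-state TCP handshake model is a deliberate simplification of what a real stateful firewall tracks.

```python
"""Toy stateful packet filter with source NAT (added example, not CyberwallPlus code).

Models the two mechanisms the review describes: a table of tracked
conversations that decides whether a packet belongs to a known, valid
connection, and a NAT table that hides internal 10.0.0.x addresses behind
one public address. All addresses, ports and packets below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulNatFirewall:
    # Handshake states kept per tracked conversation (simplified TCP state machine).
    SYN_SENT, SYN_ACK_SEEN, ESTABLISHED = "SYN_SENT", "SYN_ACK_SEEN", "ESTABLISHED"

    def __init__(self, public_ip: str, first_nat_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_nat_port
        # conversation key (int_ip, int_port, remote_ip, remote_port) -> [nat_port, state]
        self.table: Dict[tuple, list] = {}
        # translated public port -> conversation key, used to de-translate replies
        self.by_nat_port: Dict[int, tuple] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the internal side; returns the translated packet or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.table.get(key)
        if entry is None:
            if not (pkt.syn and not pkt.ack):
                # Only a fresh SYN may open a conversation; anything else has no state.
                self.log.append(f"DROP out no-state {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
                return None
            nat_port, self.next_port = self.next_port, self.next_port + 1
            entry = self.table[key] = [nat_port, self.SYN_SENT]
            self.by_nat_port[nat_port] = key
        elif entry[1] == self.SYN_ACK_SEEN and pkt.ack:
            entry[1] = self.ESTABLISHED  # client's final handshake ACK
        # Rewrite the source so only the public address and NAT port are visible outside.
        return replace(pkt, src=self.public_ip, sport=entry[0])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet; returns the de-translated packet or None if dropped."""
        key = self.by_nat_port.get(pkt.dport) if pkt.dst == self.public_ip else None
        if key is None or (key[2], key[3]) != (pkt.src, pkt.sport):
            # No tracked conversation solicited this packet: a probe or a spoofed reply.
            self.log.append(f"DROP in unsolicited {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return None
        entry = self.table[key]
        if entry[1] == self.SYN_SENT:
            if not (pkt.syn and pkt.ack):
                self.log.append(f"DROP in out-of-state {pkt.src}:{pkt.sport} expected SYN/ACK")
                return None
            entry[1] = self.SYN_ACK_SEEN
        elif entry[1] != self.ESTABLISHED:
            # Data arriving before the client has completed the handshake.
            self.log.append(f"DROP in out-of-state {pkt.src}:{pkt.sport} not established")
            return None
        return replace(pkt, dst=key[0], dport=key[1])


def demo() -> Tuple[List[str], List[str]]:
    """Run a constructed handshake plus two unsolicited packets; return (decisions, log)."""
    fw = StatefulNatFirewall("203.0.113.5")
    decisions = []
    # 1. Internal client opens a web connection: SYN out, SYN/ACK in, ACK out, then data in.
    syn_out = fw.outbound(Packet("10.0.0.7", 1025, "198.51.100.10", 80, syn=True))
    decisions.append(f"out SYN -> {syn_out.src}:{syn_out.sport}" if syn_out else "out SYN dropped")
    synack_in = fw.inbound(Packet("198.51.100.10", 80, "203.0.113.5", 40000, syn=True, ack=True))
    decisions.append(f"in SYN/ACK -> {synack_in.dst}:{synack_in.dport}" if synack_in else "in SYN/ACK dropped")
    ack_out = fw.outbound(Packet("10.0.0.7", 1025, "198.51.100.10", 80, ack=True))
    decisions.append("out ACK forwarded" if ack_out else "out ACK dropped")
    data_in = fw.inbound(Packet("198.51.100.10", 80, "203.0.113.5", 40000, ack=True))
    decisions.append("in data forwarded" if data_in else "in data dropped")
    # 2. Unsolicited inbound SYN to the NetBIOS session port: no conversation matches.
    probe = fw.inbound(Packet("192.0.2.99", 31337, "203.0.113.5", 139, syn=True))
    decisions.append("probe forwarded" if probe else "probe dropped")
    # 3. Inbound ACK to the live NAT port but from the wrong peer: also dropped.
    spoof = fw.inbound(Packet("192.0.2.99", 80, "203.0.113.5", 40000, ack=True))
    decisions.append("spoof forwarded" if spoof else "spoof dropped")
    return decisions, fw.log


if __name__ == "__main__":
    for line in demo()[0] + demo()[1]:
        print(line)
```

The point to notice is that the probe and the spoofed reply are dropped without any signature lookup: the filter never inspects the payload, it only asks whether the packet fits a conversation the internal side opened. That is why the approach is cheap enough to run in the kernel on every packet, and also why it says nothing about the content of a connection the policy allows.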

The default settings used by CyberwallPlus SV will work for most installations, making it a good choice for those who aren't experts in TCP/IP protocols and attacks. The distribution CD carries the relevant Internet RFCs (requests for comments) and other standards documents for those who wish to dig into the details of connectivity.

CyberwallPlus has an "intruder detection" feature that alerts you when network conversations look like hacker activity. Its settings control how readily an alarm fires, so that innocent activity neither triggers alarms nor gets blocked. The default thresholds may be too sensitive for busy networks, producing alarms on ordinary traffic; even so, watching alarms go off and working out from the help screens what action might be needed is a good learning experience for neophyte administrators.
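What "too sensitive for a busy network" means is easiest to see with a concrete detector. The following port-probe alarm is an added example written for this review, not CyberwallPlus's detection logic; the connection-attempt records and the thresholds are constructed. It alarms when one source touches a given number of distinct destination ports inside a time window, and running it at two thresholds shows how a low one also flags a legitimately busy workstation.

```python
"""Port-probe detector with a tunable threshold (added example, not CyberwallPlus code).

The connection-attempt records below are constructed. One source that
touches `distinct_ports` different destination ports within `window`
seconds raises an alarm; the same source is not re-alarmed until the
window has passed, so one scan yields one alert rather than hundreds.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Attempt:
    t: float      # seconds since the start of the capture
    src: str      # source address of the connection attempt
    dport: int    # destination port touched


def detect_port_probes(attempts: List[Attempt], distinct_ports: int,
                       window: float) -> List[Tuple[str, float]]:
    """Return (source, time) for every alarm raised over the attempts."""
    recent = defaultdict(deque)   # src -> deque of (t, dport) still inside the window
    last_alarm = {}               # src -> time of its most recent alarm
    alarms = []
    for a in sorted(attempts, key=lambda x: x.t):
        q = recent[a.src]
        q.append((a.t, a.dport))
        while q and q[0][0] < a.t - window:
            q.popleft()           # forget attempts older than the window
        ports = {p for _, p in q}
        already_alarmed = a.t - last_alarm.get(a.src, -window - 1) <= window
        if len(ports) >= distinct_ports and not already_alarmed:
            last_alarm[a.src] = a.t
            alarms.append((a.src, a.t))
    return alarms


def constructed_attempts() -> List[Attempt]:
    """Constructed sample: one scanner and one busy but legitimate workstation."""
    events = []
    # A scanner walks twelve well-known ports in under five seconds.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        events.append(Attempt(10 + i * 0.4, "192.0.2.99", port))
    # A busy internal workstation legitimately uses four services over a minute.
    for t, port in [(5, 80), (20, 443), (35, 25), (50, 139)]:
        events.append(Attempt(t, "10.0.0.20", port))
    return events


def alarmed_sources(threshold: int, window: float = 60.0) -> List[str]:
    """Sources that alarm at the given threshold; used to compare tunings."""
    hits = detect_port_probes(constructed_attempts(), threshold, window)
    return sorted({src for src, _ in hits})


if __name__ == "__main__":
    for threshold in (3, 10):
        print(f"threshold {threshold:2d} distinct ports/60s -> {alarmed_sources(threshold)}")
```

At a threshold of three distinct ports per minute both the scanner and the workstation alarm, which is the false-positive pattern a busy network produces under an aggressive default; at ten, only the scanner does. The dedup on `last_alarm` matters as much as the threshold: without it the twelve-port scan would raise ten separate alerts and bury the log.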

I used three products to test the firewall. Network-1 includes an evaluation copy of AG Group Inc.'s EtherPeek, a protocol analyzer that can be used to check the effectiveness of the firewall and to trace the origins of traffic, usual or unusual. You'll need to send an e-mail to obtain a key for a 30-day evaluation; otherwise, EtherPeek runs for 10 minutes and shuts down.

I've used EtherPeek before, and it's a reasonably good protocol analyzer. I've also employed Triticom's LANDecoder32, as well as the Fluke Network Inspector, to monitor different types of firewall filtering. I used LANDecoder32 to assault the server with malformed packets of the type used in denial-of-service attacks. The CyberwallPlus hosts didn't flinch, and CPU utilization on the protected PCs rose only nominally.

I also ran a vulnerability scanner against the server. Internet Security Systems Inc., a competitor of Network-1, makes a product called ISS System Scanner; I used version 5.5. ISS settings range from "don't hurt me" to "take no prisoners." I used the strongest settings, which under other circumstances can blue-screen an NT server installed with defaults. CyberwallPlus SV survived with only normal, nominal, low-priority findings. It should be noted that SV's settings can be deliberately changed to allow many types of attacks through; only someone who understands the implications should change them.

The graphical user interface that controls CyberwallPlus runs on Windows 98 and NT/2000 PCs, but not on Windows 95. The GUI isn't wizard-driven, although anyone familiar with network protocols will find it easy to understand. Those less familiar with protocols will need the help screens; fortunately, these are well organized, though not very detailed.

The hardening process starts immediately after installation. For this reason, it's best to take the PC being hardened out of service temporarily and to configure the network-translation settings and the specific proxies before reintroducing it as a firewall. Until those settings are in place, hardening shuts down most of the server's communications. Turning the server's services back on one at a time is an iterative process for most organizations.

CyberwallPlus SV also has controls that some companies will find attractive. Time-based rules let a company turn off access at specific times of day, which is handy for keeping resources free after shift changes or keeping links clear of traffic. The logs CyberwallPlus keeps are thorough and are grouped by function.

At $995, it'll be tough to find more comprehensive firewall software. The components of CyberwallPlus SV have evolved over five years, and it's a well-thought-out piece of network security. A diligent monitor and intruder detector, CyberwallPlus doesn't require tinkering; it does its work quietly. If your network hasn't been hacked or probed, yours is one of the very few.

I used several PCs, ranging from Compaq servers (ProLiant 3000 series) to desktop machines, under Windows NT 4 SP5 and Windows 2000 Build 2194. Tests were performed on a lab network of 12 PCs in various configurations connected by 100BaseTX Ethernet. An additional test, conducted over two weeks, connected the CyberwallPlus SV software to a cable modem on the At Home network. During this period, 11 alarms were detected, including two port probes and five NetBIOS queries.
