Distributed offices and fast bandwidth have pushed the corporate network perimeter out into the Internet and into employees' homes. Your company's security policy might require the use of hardware devices such as broadband routers, personal firewalls, or host-based firewall software to protect remote portals into your corporate network. Some proactive companies even specify or purchase these security measures for employees. However, many employees don't realize the importance of properly configuring and maintaining these security devices.
Most firewall vendors offer software to remotely maintain, monitor, and manage distributed firewalls. SonicWALL's Global Management System (GMS) Standard Edition 2.2 differs from the competition because it lets you centrally manage any SonicWALL security appliance—from the company's enterprise-class firewall to its entry-level TELE3 firewall, which SonicWALL markets to telecommuters. Although proprietary to SonicWALL, GMS's functionality is useful. Other vendors should consider providing centralized management (or even cross-vendor interoperability) of even their low-end security appliances.
Keeping Tabs on Your Remote Firewalls
GMS eases end users' configuration responsibilities by centralizing the configuration, logging, reporting, registration, and subscription upgrades of SonicWALL products. In addition, IT staff can perform most security-appliance maintenance from the central console (you must have access to the appliance to perform initial configuration of the interfaces, such as setting the IP address, and to use some diagnostic tools). GMS supports the use of template files, which really speeds up the repeat setup of multiple firewall devices.
GMS typically uses a two-tiered approach. Network agents gather information from the SonicWALL appliances, and a GMS console collects the information from these agents and stores it in a central database. You can direct multiple appliances at an agent, and multiple agents can communicate with the console. For small installations, you can use a one-tier model whereby the remote firewalls communicate directly with the console.
Viewing a Sample Topology
Figure 1, page 48, shows a basic topology that uses GMS to manage a distributed network. In this example, the GMS console and database are on the same computer at corporate headquarters (for the best performance, SonicWALL recommends installing the console and database on separate machines). The GMS console communicates with a SonicWALL PRO 300 firewall on the LAN; this firewall serves as the Internet gateway for the corporate network. A SonicWALL TELE3 firewall at a telecommuter's home connects to the corporate network through the SonicWALL VPN. The GMS platform lets the corporate IT staff centrally manage settings and monitor logs and events for each SonicWALL appliance. Table 1, page 48, summarizes the units used in this basic environment as well as the estimated prices.
The GMS platform lets you manage thousands of SonicWALL devices from one location. This system costs substantially more to deploy than simpler broadband routers, but the level of security and the features are on par with enterprise systems often seen in large corporate offices. GMS supports Sun Microsystems' Solaris 8, Windows XP Professional, Windows 2000, and Windows NT 4.0 Service Pack 4 (SP4) and later and requires a database (the product supports both Oracle's Oracle9i 1.6 Standard Edition and Microsoft SQL Server 2000 SP2).
Setup and documentation of the SonicWALL firewall devices are excellent. The setup wizards support various configurations (e.g., Network Address Translation—NAT—to a more complex demilitarized zone—DMZ—with one-to-one NAT) and provide good logic to walk you through your particular scenario. The online documentation includes hyperlinks for technical terms that point to a glossary to help less-experienced users. The print documentation for these devices is well organized and explains in detail all the features of the SonicWALL appliances.
Unfortunately, the GMS setup tools and documentation aren't on par with those of the appliances. The setup process is littered with minor annoyances. The setup CD-ROM doesn't support long filenames, which makes identification difficult. For example, the setup process installs webinst.rar and webins~1.rar as two files of different sizes in the same directory. Some setup instructions are vague, and the setup dialog boxes are at times cryptic. GMS relies extensively on Java for most of the application programming and requires database connectivity using Java Database Connectivity (JDBC) drivers. However, although GMS 2.2 ships with the JDBC drivers, version 2.1 does not. (The SonicWALL documentation provides a complete list of JDBC drivers that are compatible with GMS.) Furthermore, GMS installs its own Apache-based Web server, but the documentation doesn't tell you to uninstall Microsoft IIS, which Win2K installs by default.
Be sure to use the most current version of GMS, which was version 2.2 at the time of this review. I tried to install GMS 2.1, but two of the key GMS services failed to start, even after I installed the software on multiple machines. When I contacted SonicWALL technical support about the problem, the technician recommended I install GMS 2.2, which installed almost without a hitch. However, reaching a technician knowledgeable about GMS was difficult. I waited 5 days after first submitting a GMS trouble ticket to the SonicWALL Web support site. After receiving no follow-up beyond the automated "We received your ticket and will be contacting you shortly," I called SonicWALL and spoke with a Tier 1 technician who wasn't familiar with GMS (even though he answered the GMS phone queue). Eventually, I connected with a knowledgeable upper-tier technician who made the recommendation that solved the problem.
SonicWALL is still in an early phase of fine-tuning GMS. For example, in version 2.1, the GMS Setup dialog box asks you whether you have an interposed NAT device between your SonicWALL appliance and the GMS host. Although the manual includes a screen shot of this dialog box, it offers little explanation and simply instructs you to select the Interposed NAT Device check box and enter the IP address of the GMS gateway. In addition, the manual offers no sample topology diagrams—even savvy users might find themselves scratching their heads wondering what the manual is asking for. The version 2.2 manual offers clearer instructions and calls the interposed NAT device a GMS-behind-NAT device, which makes more sense. After installation, however, GMS works well.
Adding Security Appliances
After you install GMS, you must add the remote SonicWALL appliances that you want to manage through the GMS console. Setting up a remote SonicWALL appliance to communicate with the GMS server is fairly straightforward, and SonicWALL has done a good job of keeping the configuration down to one dialog box, which Figure 2 shows.
Remember that in our corporate-telecommuter example, we have two SonicWALL security appliances—one at corporate headquarters and one at a telecommuter's home. Because no NAT devices exist between the corporate firewall and the GMS console, you can add IP addresses without the use of a VPN. However, to manage the telecommuter's firewall, you must enter both the IP address of the WAN gateway (i.e., the external interface of the PRO 300) and the private IP address of the GMS console.
To securely manage your SonicWALL security appliances across the Internet, you need to create a SonicWALL VPN tunnel and configure GMS to use that tunnel to communicate with your remote devices. To create the management tunnel that will encrypt all traffic between a SonicWALL appliance and the GMS console, you must specify a security association (SA). The SA consists of a 16-hex-character encryption key and a 32-hex-character authentication key. These keys must match on the SonicWALL security appliance and at the GMS console. Figure 2 shows the configuration for the telecommuter's firewall. The configuration similarity between this device, a TELE3 firewall, and the gateway device, a PRO 300 firewall, makes configuration a snap across different firewall models. As with any VPN or network architecture and design, developing a good plan of your existing and proposed topology will help ease setup and keep tabs on the different appliance configurations. To manage your secure devices, you might choose to create a new VPN management tunnel (as I've described), use an existing VPN tunnel, or connect directly to the device without encapsulation or encryption.
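Because the management tunnel is keyed by hand, a typo or a weak key on either side is easy to miss. The following is an added example (not SonicWALL's code) that checks the two SA keys described above against the stated lengths, flags obviously weak keys, and confirms that the appliance and console copies match; the key sizes are the ones the review gives, and the weak-key heuristics are the author's own assumptions.

```python
import binascii
import hmac

# Key sizes the review states for a SonicWALL management-tunnel SA:
# 16 hex characters (64 bits) for encryption, 32 hex characters (128 bits)
# for authentication. Both must match on the appliance and the GMS console.
KEY_LENGTHS = {"encryption": 16, "authentication": 32}


def key_problems(kind, key):
    """Return a list of problems with one hex key (empty list means OK)."""
    problems = []
    expected = KEY_LENGTHS[kind]
    if len(key) != expected:
        problems.append(f"{kind} key must be {expected} hex chars, got {len(key)}")
    try:
        raw = binascii.unhexlify(key)
    except (binascii.Error, ValueError):
        problems.append(f"{kind} key is not valid hex")
        return problems
    # Weak-key heuristics (assumed here, not SonicWALL's rules): a single
    # repeated byte, or a key whose second half repeats its first half,
    # is far easier to guess than a random key of the same length.
    if len(set(raw)) == 1:
        problems.append(f"{kind} key is a single repeated byte")
    elif len(raw) % 2 == 0 and raw[: len(raw) // 2] == raw[len(raw) // 2 :]:
        problems.append(f"{kind} key repeats its first half")
    return problems


def check_sa(appliance, console):
    """Compare the SA entered on the appliance with the one on the GMS console.

    Each argument is a dict with 'encryption' and 'authentication' hex keys.
    Returns a list of problems; an empty list means the SA is consistent.
    """
    problems = []
    for kind in KEY_LENGTHS:
        a = appliance[kind].strip().lower()
        c = console[kind].strip().lower()
        problems += key_problems(kind, a)
        # compare_digest avoids leaking how many characters matched.
        if not hmac.compare_digest(a.encode(), c.encode()):
            problems.append(f"{kind} key differs between appliance and console")
    return problems
```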
To configure GMS, you access a Web page (by default, http://sgmsserver/sgms) that the GMS console serves. From the console, you can configure policies, view reports, or access a separate console for each appliance.
SonicWALL policies define configuration information for your appliances. You define these configuration policies based on groups of SonicWALL appliances. GMS provides an array of options for configuring SonicWALL remote security appliances, including performing remote restarts and selecting which services (e.g., HTTP, FTP, DNS) can travel across remote SonicWALL appliances. To add a custom service for a proprietary application, you specify a service name, port range, and protocol for the service to use. GMS also supports a variety of logging formats and output, including SNMP, syslog, and email to forward alerts and log files.
SonicWALL offers a variety of subscription-based features for its appliances, and these features require activation. Fortunately, GMS supports centralized management and registration for many of these subscription-based add-ons, including antivirus, Web filtering, and VPN. However, some diagnostic tools (e.g., Ping, DNS Lookup) that you can easily access by logging directly into a SonicWALL firewall aren't available through the GMS console.
Grouping Security Appliances
Much of GMS's power comes from its ability to logically group several SonicWALL units into views. For example, you can create views based on several categories, including geography, department, model, and firmware version. This granularity lets you easily select all units that satisfy certain criteria (e.g., firmware version). Because most SonicWALL security appliances use a similar (if not identical) feature set, using GMS views to group and configure multiple units at the same time is easy.
To manage your remote firewalls, simply make changes at the GMS Web front end and click update to apply the changes. For example, Figure 3 shows the settings for configuring the logs for the example corporate and telecommuter firewalls. When you click update, GMS queues individual tasks for each appliance that's a member of the specified group. Figure 4, page 50, shows the scheduled tasks that will update the logging changes for the remote firewalls.
Gathering Log Files
GMS comes with SonicWALL's ViewPoint software, an event aggregator and reporting engine that extends the basic logging and reporting utility that comes with some SonicWALL appliances. ViewPoint shares the GMS database and combines a Web server and a proprietary syslog service to collect event-log information from the SonicWALL appliances. GMS uses this information to create various real-time and historical system usage reports and graphs. Reports include Admin logon, failed logon, IP traffic by service, top Web sites and users, FTP and mail usage, and detected attacks. Like GMS, ViewPoint uses the Apache Tomcat servlet container (http://jakarta.apache.org/tomcat) to process JavaServer Pages (JSP)—IIS isn't required. Although ViewPoint doesn't offer as much customization as other third-party reporting tools, it does offer a consolidated view of traffic that you can slice enough ways to be useful.
ViewPoint makes summarizing and viewing aggregated attack or Internet-usage data easy. For example, you can create a view called Engineering, click Reports, and view all detected attacks on those units. Figure 5 shows the number of attacks for all nodes within our sample network. Although the graph in Figure 5 shows the overall number of attacks, you must select an individual node to get more detail about the attacks on the node.
Furthermore, you can use ViewPoint to create scheduled reports that email summary data (e.g., bandwidth, Web filter, attacks, FTP usage, Web usage, dropped packets) about your security appliances to recipients based on the groups you create. Extending the previous example, you could email the engineering manager with logs and reports of units within the engineering group, and email a regional manager a different report based on all groups within the region.
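To make the collection-and-reporting flow concrete, here is an added example (not ViewPoint's code) that parses constructed appliance syslog lines in a key=value style, counts failed admin logons and dropped/attack events per appliance, and then rolls those counts up into GMS-style views as the Engineering example above describes. The serial numbers, addresses, message texts and the field names are assumptions made for this illustration, not values from the product.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a key=value syslog style (serials, addresses
# and message texts are made up for this example).
SAMPLE_LOG = """\
id=firewall sn=PRO300-HQ time="2002-01-15 09:15:32" fw=203.0.113.1 pri=1 c=32 m=33 msg="Administrator login failed" src=10.0.1.5 dst=10.0.0.1
id=firewall sn=PRO300-HQ time="2002-01-15 09:15:40" fw=203.0.113.1 pri=1 c=32 m=33 msg="Administrator login failed" src=10.0.1.5 dst=10.0.0.1
id=firewall sn=PRO300-HQ time="2002-01-15 09:16:02" fw=203.0.113.1 pri=6 c=32 m=29 msg="Administrator login allowed" src=10.0.1.9 dst=10.0.0.1
id=firewall sn=TELE3-HOME time="2002-01-15 09:20:11" fw=198.51.100.7 pri=1 c=32 m=22 msg="Ping of death dropped" src=192.0.2.44 dst=198.51.100.7
id=firewall sn=TELE3-HOME time="2002-01-15 09:21:03" fw=198.51.100.7 pri=6 c=256 m=97 msg="Web site access" src=10.1.1.2 dst=203.0.113.80:80
id=firewall sn=TELE3-HOME time="2002-01-15 09:21:30" fw=198.51.100.7 pri=1 c=32 m=23 msg="IP spoof dropped" src=10.1.1.200 dst=198.51.100.7
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ATTACK_WORDS = ("dropped", "attack", "flood", "spoof")  # assumed keywords


def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(log_text):
    """Per appliance (by serial number): failed admin logons, attack events,
    and which sources the attack events came from."""
    summary = defaultdict(lambda: {"failed_logons": 0, "attacks": 0,
                                   "attack_sources": Counter()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev.get("sn"):
            continue  # not an appliance event
        node = summary[ev["sn"]]
        msg = ev.get("msg", "").lower()
        if "login failed" in msg:
            node["failed_logons"] += 1
        elif any(w in msg for w in ATTACK_WORDS):
            node["attacks"] += 1
            node["attack_sources"][ev.get("src", "?")] += 1
    return dict(summary)


def view_totals(summary, views):
    """Roll the per-appliance summary up into named views, e.g.
    {"Engineering": ["PRO300-HQ"], "Telecommuters": ["TELE3-HOME"]}."""
    totals = {}
    for view, serials in views.items():
        nodes = [summary[s] for s in serials if s in summary]
        totals[view] = {"failed_logons": sum(n["failed_logons"] for n in nodes),
                        "attacks": sum(n["attacks"] for n in nodes)}
    return totals
```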
Ready for Prime Time?
Most SonicWALL products have strong ties to the SonicWALL company Web site; you must register many of the products at the Web site, and you must activate several product features (e.g., Web filtering, VPN, antivirus) at the Web site before first use. Several of the appliance-configuration pages for features that you haven't purchased warn you that either the feature isn't activated or it has expired. Although this model is an efficient means to control licensing, it might make you feel as though you're missing out on a lot of the product if you choose not to subscribe to those features.
Centralized management of enterprise firewalls isn't a new concept, but SonicWALL lets you remotely manage much less-expensive devices than most competing products. Although the GMS development cycle is still in its infancy, it delivers on its promise to effectively manage multiple distributed security devices. GMS offers a compelling solution for centralized management of a complex process. As a security manager, I was excited about the prospect of defending the corporate perimeter at all points of ingress, including extending that perimeter to the employee's home. Ultimately, however, the adoption of a fully distributed corporate firewall system might be slow in coming. Employers will need to gain the trust of their employees, who might be cautious (or worse, defiant) toward their company controlling the gateway to their home Internet traffic.
SonicWALL Global Management System
Standard Edition 2.2
Contact: SonicWALL * (408) 745-9600 or (888) 557-6442
Price: $4495 (25-node license)