Not long ago, installing a firewall was a long, painful process requiring an abundance of arcane technical knowledge. Installing a firewall for Windows NT is still difficult, but new products such as Sonic Systems SonicWALL Plus DMZ 2.0.4 make the process much easier, especially if your firewall needs are basic.
A Plan of Attack
The SonicWALL Plus DMZ Internet security appliance has three 10Base-T interfaces: a WAN port to connect your network to the Internet, a LAN port for a highly protected internal network, and a DMZ (demilitarized zone) port for a network of public servers that are reachable from the WAN. Combining Stateful Inspection and packet filtering, the SonicWALL Plus DMZ can block various attacks. With Network Access Rules, which resemble Cisco Systems' packet-filtering access lists, you can further customize what the product lets into the DMZ and LAN networks. You can also let selected users log on to the appliance to gain full access to LAN-based systems from the Internet.
By default, the SonicWALL Plus DMZ allows all traffic from the WAN to access the DMZ, but prevents WAN traffic from accessing the protected LAN segment. All LAN traffic can pass outward to the DMZ or the WAN, but only traffic originating in the DMZ or traffic that is part of a session that a LAN user initiated can enter the LAN. Note that this default lets a DMZ host open connections into the LAN, so a compromised public server has a path inward unless you add Network Access Rules that restrict DMZ-to-LAN traffic.
I started the installation planning process by deciding which of the Windows NT Magazine Lab systems would be part of the protected LAN segment and which would be part of the DMZ. Using a pair of 3Com SuperStack II 10Base-T Ethernet switches, I created the two network segments and was ready to install the appliance.
Sonic Systems did a good job of documenting the installation process in the unit's accompanying manual, which steps you through the basic information necessary to get up and running. Because the SonicWALL Plus DMZ takes over the address that your network uses as its default gateway (the router's address), you must reset the router during installation. To minimize network downtime, you can perform the initial configuration by directly connecting a computer to the unit's LAN port, which is the method I chose. You configure the SonicWALL Plus DMZ through its built-in Web management interface. After configuring a computer with an IP address in the same Class C address range as the SonicWALL Plus DMZ's default IP address, I was able to reach the configuration screens. Next, I supplied a new address for the unit, plus default gateway and DNS server addresses. Because I intended to use the unit's DMZ port, I also entered the IP addresses of the systems that I wanted on the DMZ network segment into the DMZ Address field of the Advanced menu. At this point, you can also configure Network Address Translation (NAT) for systems on the LAN port.
The unit was now ready for installation. After turning off the router, I connected it, the LAN, and the DMZ network switches to their respective ports on the SonicWALL Plus DMZ, powered the unit on, and then turned the router back on. I was up and running!
With the default protection in place, I further restricted access to the network by blocking all WAN traffic to TCP/UDP ports 137, 138, and 139, the NetBIOS over TCP/IP ports that NT uses extensively for name resolution and file and print sharing. The SonicWALL Plus DMZ firmware predefines several protocol and port combinations (services) that it can use for packet filtering, and additional service definitions are easy to add. After enabling logging to a Syslog server, I could monitor the types of connections the unit allowed and define services to block additional ports.
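As a worked example of the three-zone default policy described above and the NetBIOS block added on top of it, the following Python model evaluates first-match zone rules with a session table for reply traffic. It is an illustration added to this article, not SonicWALL code: the rule format, zone names and the 192.168.x.x / 203.0.113.x addresses are constructed for the example, and DMZ-to-WAN traffic, which the review does not describe, is treated as denied here.

```python
# Added illustration for this article: a small model of the WAN/LAN/DMZ policy
# the review describes, with stateful session tracking and first-match
# Network Access Rules. Not SonicWALL code; rule format, zone names and
# addresses are constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

WAN, LAN, DMZ = "WAN", "LAN", "DMZ"
ANY_PORT: FrozenSet[int] = frozenset()   # empty set means "any destination port"
NETBIOS_PORTS = frozenset({137, 138, 139})  # NetBIOS name, datagram, session services


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None           # None matches both tcp and udp
    dst_ports: FrozenSet[int] = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (p.src_zone == self.src_zone
                and p.dst_zone == self.dst_zone
                and (self.proto is None or p.proto == self.proto)
                and (not self.dst_ports or p.dst_port in self.dst_ports))


class StatefulFirewall:
    """First-match rule evaluation plus a session table for return traffic."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of sessions that an allow rule created

    def filter(self, p: Packet) -> str:
        # Stateful inspection: a packet travelling back along an established
        # session is accepted even though no rule allows that direction.
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions:
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.sessions.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return rule.action
        return "deny"   # nothing matched: implicit deny


def default_policy() -> List[Rule]:
    """The out-of-the-box behaviour the review describes."""
    return [
        Rule("allow", WAN, DMZ),   # public servers reachable from the Internet
        Rule("deny",  WAN, LAN),   # nothing unsolicited reaches the protected LAN
        Rule("allow", LAN, WAN),   # LAN users out to the Internet
        Rule("allow", LAN, DMZ),   # LAN users to the public servers
        Rule("allow", DMZ, LAN),   # traffic originating in the DMZ may enter the LAN
        # DMZ-to-WAN is not described in the review; it hits the implicit deny (assumption).
    ]


def hardened_policy() -> List[Rule]:
    """Default policy plus the NetBIOS block. The deny must come before the
    WAN->DMZ allow, or first-match evaluation never reaches it. WAN->LAN is
    already denied in full, so only the DMZ side needs the extra rule."""
    return [Rule("deny", WAN, DMZ, dst_ports=NETBIOS_PORTS)] + default_policy()


def run_scenarios(rules: List[Rule]) -> dict:
    """Pushes constructed packets through a firewall and returns each verdict."""
    fw = StatefulFirewall(rules)
    lan_host, dmz_web, internet_host = "192.168.1.10", "192.168.2.20", "203.0.113.5"
    v = {}
    # Internet client to the public Web server in the DMZ.
    v["wan_to_dmz_http"] = fw.filter(Packet(WAN, DMZ, "tcp", internet_host, 50000, dmz_web, 80))
    # Internet host probing the NetBIOS session service on the DMZ server.
    v["wan_to_dmz_netbios"] = fw.filter(Packet(WAN, DMZ, "tcp", internet_host, 50001, dmz_web, 139))
    # LAN user browsing out, then the Web server's reply coming back in.
    v["lan_to_wan_http"] = fw.filter(Packet(LAN, WAN, "tcp", lan_host, 40000, internet_host, 80))
    v["wan_reply_to_lan"] = fw.filter(Packet(WAN, LAN, "tcp", internet_host, 80, lan_host, 40000))
    # Same Internet source, but no matching session: must be dropped.
    v["wan_unsolicited_to_lan"] = fw.filter(Packet(WAN, LAN, "tcp", internet_host, 80, lan_host, 40001))
    # DMZ host opening a NetBIOS session into the LAN: allowed by the default policy.
    v["dmz_to_lan_netbios"] = fw.filter(Packet(DMZ, LAN, "tcp", dmz_web, 50002, lan_host, 139))
    return v


if __name__ == "__main__":
    for name, rules in (("default", default_policy()), ("hardened", hardened_policy())):
        print(name, run_scenarios(rules))
```

Two things the model makes visible that the paragraphs only imply: the NetBIOS deny only works because it is evaluated before the blanket WAN-to-DMZ allow, and the DMZ-to-LAN probe on port 139 is allowed under both policies, which is the case to close with an extra Network Access Rule if the DMZ servers do not need to reach LAN hosts.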
You can email the summarized security log of blocked traffic that the appliance maintains to an address you configure. You can also email notification of detected attacks (alerts) to a separate address. For example, you can configure the SonicWALL Plus DMZ to send alerts to your pager and the logs to a standard email address.
I was surprised to see such a wide array of options for restricting the Web traffic you allow into your network. The SonicWALL Plus DMZ supports content filtering, which lets you block content matching any of a dozen categories in the Content Filter List (e.g., nudity, drugs, intolerance). The CyberNOT Oversight Committee, whose membership spans a broad social spectrum, manages the Content Filter List (see http://www.cyberpatrol.com for more information). You can also block cookies, Java applets and ActiveX controls, and access to WAN-based proxy servers that users could use to circumvent the filtering. Content filtering is highly configurable, and a subscription-based automatic Content Filter List update keeps your list of blocked sites current.
One convenient feature is automatic email notification when new firmware updates are available. Shortly after setting up the SonicWALL Plus DMZ, I received notification that an upgrade from version 2.0.4 to version 3.1.1 was available, which adds one-to-one NAT and (for a fee) VPN support. I decided to install the upgrade, which turned out to be a painless process. I restarted the appliance to make sure it was in a known state, saved the existing configuration (preferences, in SonicWALL terminology), downloaded the version 3.1.1 firmware from Sonic Systems' Web site, uploaded the upgrade into the SonicWALL Plus DMZ, and imported the previously saved preferences back into the appliance. The process took less than 15 minutes. I was pleased to note that restoring my saved preferences did not delete the new predefined services (protocol and port definitions for packet filtering) that the firmware upgrade added, and glad to see a simple upgrade process that worked as advertised.
I found the SonicWALL Plus DMZ to be a great product at a reasonable price. The unit is easy to set up and configure, and it has a broad feature set with flexible packet- and content-filtering options. With the SonicWALL Plus DMZ, implementing Internet security doesn’t have to be a formidable task.
SonicWALL Plus DMZ
Contact: Sonic Systems * 1-888-557-6642 or 408-844-9900
Price: SonicWALL Plus DMZ, $1795
Content Filter Subscription, $695 per year