CyberGuard offers a range of firewall/VPN appliances with specifications ranging from three Ethernet interfaces and 125Mbits/sec throughput to 21 Ethernet interfaces and 2Gbits/sec throughput. All have an integrated VPN, run the same firewall software, and have the same configuration GUI. We tested model KS1500, which can have up to 18 Ethernet interfaces, of which two are gigabit-over-copper as standard.
Performance is the strength of the KS1500, which is designed to cope with 1.5 Gbits/sec throughput and up to 1.2 million simultaneous connections. The firewall boasts a host of certification standards including Common Criteria Evaluation Assurance Level 4+ (EAL4+), ICSA, ITSEC E3, Checkmark, etc. The secure operating system was designed to meet TCSEC/NCSC criteria at the 'Orange-book' B2 level.
Physically, the KS1500 is housed in a 2U-high standard 19-inch rack-mounted enclosure. Internally, it is based on the Intel x86 PC architecture running a secure Unix operating system, which is hardened to the kernel level; this then has multi-level shell security to stop unauthorized root access. Externally, it has all the usual ports you would associate with a PC, so you must connect your own keyboard, mouse and monitor for initial configuration, which is done using a floppy disk that you must create on a standard Windows PC using software supplied on a CD-ROM.
During first boot-up, the CyberGuard firewall console requests that you insert this floppy disk, which you will have already created and which contains the initial configuration parameters, such as IP address, administrator's password, etc. Then CyberGuard's own GUI appears on the console and you can continue configuration from there. And, of course, the configuration and management interface can subsequently also be accessed remotely using a web browser.
Installation and set-up are therefore particularly easy and all that remains to be done is to configure the firewall functions. This involves configuring the multiple Ethernet interfaces (which may also be configured for link aggregation and fail-over) and selecting firewall policies, which sensibly default to 'deny everything.'
Obviously, it has all the usual features you would expect from a modern sophisticated firewall: static and stateful packet filtering, network address translation, IPsec VPN, routing and proxies. As it has been designed for an enterprise environment, central management, centralized log storage, and centralized authentication are provided, plus configuration tracking.
The KS1500 supports third-party virus scanning via the content vectoring protocol, and there is GUI-based PKI support for Baltimore's Unicert CA. Extra-cost options include hardware acceleration of cryptographic VPN processing, dual redundant power supplies, RAID to protect against internal hard disk failure, high-availability software (which means that it can operate in redundant failover mode with another CyberGuard firewall), URL filtering, and reporting tools.
Proxies are particularly generously provided for with a wide range of what CyberGuard calls SmartProxies for FTP, Gopher, HTTP, NNTP, Rlogin, SSL, SMTP, Telnet, X-Windows, SOCKS, LDAP and many more.
CyberGuard implements a split domain name system to guard against the fact that DNS can be used to probe a network and gain useful information about it. This involves running two name servers on the CyberGuard firewall: one name server for the external interfaces and one name server for the internal interfaces. Packet-filtering rules allow the inside network to talk only to the internal name server and the outside network to talk only to the external name server. Thus the firewall prevents anyone on the outside from talking to the internal name server, so that only the public DNS information is seen outside the firewall.
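To make the split-DNS arrangement concrete, here is a small model of the policy described above: two name servers with different zone data, and a first-match packet filter whose last rule is the 'deny everything' default. This is an added illustration, not CyberGuard's code or configuration; the addresses, host names and zone contents are constructed.

```python
"""Model of a split-DNS packet-filter policy (constructed example)."""
from dataclasses import dataclass

# Constructed zone data: the internal server knows every host, the external
# server publishes only the records that must be reachable from the internet.
INTERNAL_NS = {"www.example.test": "203.0.113.10", "db1.corp.example.test": "10.0.5.21"}
EXTERNAL_NS = {"www.example.test": "203.0.113.10", "mail.example.test": "203.0.113.25"}
NS_ADDR = {"internal": "10.0.0.53", "external": "203.0.113.53"}  # constructed


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "inside" or "outside": the interface the packet arrived on
    dst_ip: str
    dst_port: int


# First match wins; the final catch-all is the 'deny everything' default policy.
# None in a field means "any".
RULES = [
    ("inside", NS_ADDR["internal"], 53, "allow"),   # inside talks only to internal NS
    ("outside", NS_ADDR["external"], 53, "allow"),  # outside talks only to external NS
    (None, None, None, "deny"),
]


def filter_packet(pkt: Packet) -> str:
    """Return the verdict ('allow' or 'deny') for a packet under RULES."""
    for zone, ip, port, verdict in RULES:
        if ((zone is None or zone == pkt.src_zone)
                and (ip is None or ip == pkt.dst_ip)
                and (port is None or port == pkt.dst_port)):
            return verdict
    return "deny"  # not reachable with the catch-all rule, kept for safety


def resolve(src_zone: str, ns: str, name: str) -> str:
    """Simulate a client in src_zone querying name server ns for name."""
    if filter_packet(Packet(src_zone, NS_ADDR[ns], 53)) != "allow":
        return "BLOCKED"
    zone = INTERNAL_NS if ns == "internal" else EXTERNAL_NS
    return zone.get(name, "NXDOMAIN")


def probe_from_outside(name: str) -> dict:
    """What an external host can learn about name via either server."""
    return {ns: resolve("outside", ns, name) for ns in NS_ADDR}
```

Running probe_from_outside on an internal-only host name shows the internal server blocked by the filter and the external server answering NXDOMAIN, so the private record never leaves the inside network.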
A recovery CD-ROM is supplied and, when this is inserted and then the firewall powered up, it boots up off this CD automatically and completely reloads the entire operating system and firewall software in about 20 minutes. This is intended for emergency use only, if the hard disk becomes corrupted or has to be replaced - physical access to the hard disk (or disks, if using the RAID option) is easy from the front panel as removable hard disk carriers are used.
Ease of configuration is an important factor in choosing a firewall, not just to reduce management costs, but also because, if the configuration is difficult, there is a greater chance of making a mistake. A firewall is there for security reasons, so any failure to configure the unit correctly has serious consequences in weakening security. In this regard we found the KS1500 excellent as the browser-based GUI makes set-up easy and intuitive, leading to secure working practices when configuring firewalls. The central management features also help to avoid the risk of making mistakes when configuration has to be repeated on many firewalls.
One small criticism: we do not really understand why licensing procedures are necessary for hardware - it's not as if it's to stop copying, as with software. So we asked CyberGuard to clarify, and apparently it is necessary to enforce export controls.
CyberGuard has taken the 'appliance' route to providing a firewall, and this ensures a turnkey solution that can be up and running within 30 minutes of opening the box. It also means that the hardened operating system and firewall software - and thus technical support - do not have to cope with hardware compatibility issues, and that the hardware/software combination can be properly optimized for high performance. Upgrades and enhancements can usually be provided directly over the internet with a single mouse click, unless additional hardware options are involved.
A turnkey appliance that can be up and running with a minimum of configuration.
Unnecessarily complex licensing procedure.
A full-featured enterprise-class firewall whose performance has been properly scaled to require no compromise of security versus throughput.