As firewalls go, the CyberGuard SL3200 is a monster: a huge, noisy beast with performance that matches its rugged looks. The name denotes its capacity - 3.2 gigabits of total throughput, shared among a maximum of 26 Ethernet ports. Even more notably, it is able to multiplex several interfaces into a small number of very high-capacity pipes, all secured at wire speed.
Designed for high-demand environments, the box has all the HA features you'd expect - hot-swappable fans and power supplies, as well as RAID 5 storage, with an internal layout designed for maximum airflow and heat dissipation. Fail-over between two boxes is available if you have an extended license.
The security features are comprehensive. Full filtering right up to Layer 7 for several core services and limited, but neat, application proxying: you can proxy web traffic, doing basic URL filtering and forwarding traffic to an external content filter for a final yes/no decision. Similarly, SMTP can be integrated with an external AV server and the box can do its own basic content examinations with regular expressions and implement a blacklist for types of attachments.
There is standard VPN support, and strong PKI, but it does not offer a certificate-authority service.
There even used to be IDS integration: CyberGuard had signed up to integrate with Symantec's NetProwler, but that product was discontinued, so the SL's IDS integration is defunct. The company says it is looking at other options.
The management interface is great, if you have a Unix background. Running X Windows with a custom window manager, a spartan menu interface offers quick, easy access to all the features of the box.
While utilitarian, there are some useful gimmicks, such as menus and submenus that can be "torn off" to stay open on the desktop, keeping common functions close at hand.
Management is role-based: users are assigned roles that can restrict access to read-only monitoring. Changes are logged, and can be clearly examined against the running state of the machine to see what was changed, and by whom.
We'd like to have the ability to annotate changes, to correlate them against support tickets or SLA requirements, say. Although there is no specific rollback function, it is easy to export "known-good" configurations in toto and restore them again. This can be done by ftp, which is obviously insecure.
CyberGuard will introduce SCP shortly. Until then you can encrypt the files using some homegrown crypto, but you can't decrypt and edit the configs remotely.
Although tasks are controlled by user-level access, one potential vulnerability turned up during tests. Tasks can be scheduled to run against triggers ("After three incorrect logins, run this command..."), but they always run as root, regardless of which user configures the task. CyberGuard claims its MultiLevel Secure operating system OS prevents abuse, but we copied an encrypted password file onto a floppy disk with very little effort. A competent attacker (albeit only one with a valid login to the console) could possibly escalate his privileges to a full-blown exploit.
In best Unix fashion, the various utility interfaces are wildly inconsistent, but all very useable. Some, like the PKI certification management, offer slick wizard interfaces. Others, such as the LDAP configuration tool, are Tcl/Tk- text interfaces. This is hardly a problem, but might intimidate administrators with a Windows dependency.
Some of the inconsistencies persist into the applets themselves - you can still select some "disabled" tabs if you tinker with the window layout. The controls remain disabled, but might yield information to a user not authorised to view it.
A shell window lets you get to grips with the underlying SCO Unix OS, which CyberGuard has hardened for the firewall, including a role-based access control mechanism in the spirit of type-enforcement security. This is a lot more secure, but does mean that a lot of basic Unix tools perform in unexpected ways, limiting output to only material authorised for that user.
Remote access is primarily via ssh, and the GUI can be run on a remote system using ssh X-Windows session forwarding. This worked flawlessly from a test console running Linux. Windows users would need to source X client software or resort to the web interface.
Managing the system online is not particularly easy. In theory, it should be seamless - Tarantella services on the system present the X GUI via an encrypted connection to a Java front end. In practice, the web service crashed during testing and could not be restarted. Later, running successfully, the interface functioned as expected, but still hung periodically.
Even if it worked perfectly, we would like a simple web interface offering basic reporting and controls. Extending the GUI is clever, but overkill for many functions.
The reporting functions are excellent. There are a lot of trend-analysis options, which are easy to use to identify anomalies and usage patterns - essential for an environment beholden to an SLA. The SL3200 integrates with WebTrends, and can mangle its logs into formats to comply with different systems.
In contrast, the GUI network monitoring tools are very limited. Pings that fail do not say why they failed, and packet capturing (via tcpdump) is limited to 999 packets. On a saturated 3.2 gigabit pipe, 999 ping packets would arrive in about two-ten-thousandths of a second. However via the command line interface, tcpdump is not restricted to a specific number of packets.
Online help is thorough: the full manual is available, but the interface is lacking basic navigation stuff like bookmarks. But the information itself is excellent.
Overall, the complaints against the system are far outweighed by its outstanding performance and excellent breadth of security tools. For high-capacity environments needing top-notch security, the SL3200 is well worth considering.
Enormous throughput, range of features.
Some GUI inconsistencies, poor web management.
For service providers and large organisations needing to secure backbone connections, you can't do much better than this.