Published: 01 Apr 2007
GOLD | Cisco PIX Security Appliance Series
Cisco has been in business for more than 20 years and is emerging as a security powerhouse to be reckoned with, especially as security merges more with network operations in the enterprise.
"Cisco has been benefiting from recent market changes," says Jon Oltsik, a senior analyst with market research firm Enterprise Strategy Group. "The networking group is having a larger say in the purchase of security products, and that has translated into more success with its security products."
There may not be better evidence of Cisco's emergence than readers giving its PIX appliance series the gold medal in the network firewall category, a narrow victory over standby Check Point's FireWall-1.
High marks from readers were concentrated on the most important duty firewalls perform: keeping hackers outside corporate networks. Readers noted Cisco PIX's ability to block intrusions, attacks and unauthorized network traffic, in addition to its application-layer/protocol/HTTP controls. Cisco also scored well for service and support; logging, monitoring and reporting; integration with other network defense/management tools; central management; and ROI. Readers were less complimentary about the product's ease of installation, configuration and administration.
Cisco's PIX Security Appliances integrate a range of firewall services and feature stateful inspection that tracks network connections and admits only traffic belonging to an authorized flow. The product includes attack protection features such as TCP stream reassembly, traffic normalization, DNSGuard, FloodGuard, FragGuard, MailGuard, IPVerify and TCP intercept. The Cisco line also defends against DoS attacks, fragmentation attacks, replay attacks and malformed packets. The system provides real-time alerts to administrators, so companies can immediately take steps to oust intruders.
Recently security has been moving away from being viewed solely as a network issue and inching higher up the protocol stack; it is often viewed now as an application level problem. Cisco's PIX products deliver application layer security via intelligent, application-aware inspection engines. These gather application and protocol knowledge and use it to make decisions about providing access and information to different users and applications. The device's security enforcement technologies include protocol anomaly detection, application and protocol state tracking, network address translation (NAT) services, and attack detection and mitigation techniques, such as application/protocol command filtering, content verification and URL deobfuscation.
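To make the stateful-inspection and TCP-intercept ideas above concrete, here is a toy connection-tracking filter. It is an added example written for this article, not Cisco code and not a description of how PIX is implemented internally: it admits return traffic only when it matches a flow the inside initiated, drops outside-initiated flows unless a static inbound rule publishes the service, and caps half-open inbound TCP handshakes per server so a SYN flood cannot fill the table. The packets, addresses, interface names and the `StatefulFilter` API are all constructed for the example.

```python
"""Toy stateful packet filter (added example, not Cisco code).

Models three behaviours the text attributes to PIX: return traffic is
admitted only for flows the inside opened, outside-initiated flows are
dropped unless explicitly published, and inbound TCP handshakes that never
complete are capped per server (the idea behind TCP intercept/FloodGuard).
Packets are constructed Python objects, not real frames.
"""
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: INSIDE or OUTSIDE
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A", "R"


class StatefulFilter:
    def __init__(self, inbound_allow=(), max_embryonic=2):
        # Connection table keyed by the 5-tuple as sent by the initiator.
        self.conns: dict[tuple, str] = {}
        # Services the outside may reach: {(server_ip, port)} (hypothetical ACL).
        self.inbound_allow = set(inbound_allow)
        # Cap on half-open inbound TCP connections per (server_ip, port).
        self.max_embryonic = max_embryonic

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _embryonic(self, dst, dport):
        # Count inbound TCP flows to this server that are still waiting for SYN/ACK.
        return sum(1 for (proto, _s, _sp, d, dp), st in self.conns.items()
                   if proto == "tcp" and (d, dp) == (dst, dport) and st == "SYN_SENT")

    def process(self, p: Packet) -> str:
        fwd, rev = self._fwd(p), self._rev(p)

        # Packet continuing a tracked flow in the initiator's direction.
        if fwd in self.conns:
            if p.proto == "tcp" and "R" in p.flags:
                del self.conns[fwd]          # RST tears the connection down
            return "PERMIT existing"

        # Reply packet for a tracked flow: only a SYN/ACK may answer a SYN.
        if rev in self.conns:
            if p.proto == "tcp":
                if self.conns[rev] == "SYN_SENT":
                    if p.flags != "SA":
                        return "DROP out-of-state (expected SYN/ACK)"
                    self.conns[rev] = "ESTABLISHED"
                if "R" in p.flags:
                    del self.conns[rev]
            return "PERMIT reply"

        # New flow: TCP must begin with a bare SYN, whichever side sends it.
        if p.proto == "tcp" and p.flags != "S":
            return "DROP out-of-state (no connection)"
        if p.iface == INSIDE:
            self.conns[fwd] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
            return "PERMIT new outbound"

        # Inbound: only published services, and only while the server keeps up.
        if (p.dst, p.dport) not in self.inbound_allow:
            return "DROP unsolicited inbound"
        if p.proto == "tcp" and self._embryonic(p.dst, p.dport) >= self.max_embryonic:
            return "DROP embryonic limit"
        self.conns[fwd] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"
        return "PERMIT new inbound"


def demo():
    """Run a constructed packet sequence through the filter; returns verdicts."""
    fw = StatefulFilter(inbound_allow={("10.0.0.25", 25)}, max_embryonic=2)
    results = []
    # Inside host opens a web connection; the server's reply and the final ACK pass.
    results.append(fw.process(Packet(INSIDE, "tcp", "10.0.0.5", 40000, "198.51.100.7", 80, "S")))
    results.append(fw.process(Packet(OUTSIDE, "tcp", "198.51.100.7", 80, "10.0.0.5", 40000, "SA")))
    results.append(fw.process(Packet(INSIDE, "tcp", "10.0.0.5", 40000, "198.51.100.7", 80, "A")))
    # Unsolicited inbound SYN to a host with no published service.
    results.append(fw.process(Packet(OUTSIDE, "tcp", "203.0.113.9", 5555, "10.0.0.5", 445, "S")))
    # Forged "reply" to a port the inside never opened.
    results.append(fw.process(Packet(OUTSIDE, "tcp", "198.51.100.7", 80, "10.0.0.5", 40001, "A")))
    # SYN flood at the published mail server: the third half-open attempt is dropped.
    for sport in (1001, 1002, 1003):
        results.append(fw.process(Packet(OUTSIDE, "tcp", "203.0.113.9", sport, "10.0.0.25", 25, "S")))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The embryonic cap only counts flows still in `SYN_SENT`; once the inside server answers with a SYN/ACK the flow becomes `ESTABLISHED` and frees a slot, which is why a real server under a flood keeps accepting legitimate clients while spoofed SYNs are shed.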
Corporations have a wide variety of devices connected to their networks, and managing them can be problematic. Administrators can integrate Cisco PIX security appliances into switched network environments by taking advantage of native 802.1q-based VLAN support; Cisco IP phones, for example, automatically register with Cisco's CallManager software and download the configuration information and software images they need.
SILVER | Check Point FireWall-1
Price: Starts at $3,000
Check Point FireWall-1 is a fixture inside the Fortune 100, and nearly all of the Fortune 500. Readers rated highly its ability to block intrusions, attacks and unauthorized network traffic. They also noted its central management functions in this category.
FireWall-1 provides access control, attack protection, application security, intrusion prevention, content security, authentication, quality of service, and network address translation functions. In addition, Check Point developed the Open Platform for Security (OPSEC) standard so other vendors' products can be integrated into the firewall, and extend its functionality.
BRONZE | Microsoft ISA Server
Price: $5,999 per processor
Microsoft ISA Server earned the bronze medal with high marks for installation, configuration and monitoring capabilities, as well as for its integration with other security and management applications. ISA Server is now part of Microsoft's Forefront Edge Security and Access Suite, along with the Intelligent Application Gateway introduced in February at the RSA Conference. Microsoft added a bevy of features to ISA Server 2006, including new support for Exchange 2007 for enhanced remote access; a new flood resiliency feature and remediation against flood and other DDoS attacks; and support for LDAP, allowing ISA to authenticate to Active Directory without being part of the domain.
In the trenches
Users plead with vendors to standardize information exchanges between disparate firewalls.
BT Radianz provides network and system outsourcing services to 200 financial institutions worldwide, meaning it works with a range of firewalls from different vendors at customer locations. This makes chief security officer Lloyd Hession's job difficult.
"Since there are no industry standards, exchanging information from one firewall to the next requires a great deal of work," Hession says.
If a company decides to connect different systems, it can be a daunting task indeed. The problem is that vendors define the way their products collect and exchange security information so differently that integration has to be done on a case-by-case basis. Compounding the problem is the reality that there are no simple export/import utilities available. In addition, vendors have not spent much time or effort developing tools to help users with the task.
The result is six months or more of work connecting two vendors' firewalls. Most companies do not have ample resources to do so.
The lack of standards is one reason why users tend to stay with the same firewall supplier. "Once a company puts a firewall in, they find it difficult to move away from it," says Eric Maiwald, senior analyst at the market research firm Burton Group. Unfortunately, problems arise even when users stick with one vendor. With the amount of reshuffling that has been taking place in the security industry, companies sometimes find themselves with incompatible products from the same supplier.
Another trend throwing light on the standards limitation is many enterprises are taking a more comprehensive look at their security needs. They are not focused solely on the functions provided by firewalls, which were designed to protect the perimeter of a company's network. "Studies have shown that internal security breaches are just as important--and often more destructive--as those occurring around the perimeter," says Spartaco Cicerchia, manager of network infrastructure at Janelia Farm Research Campus, a subsidiary of the Howard Hughes Medical Institute and a nonprofit medical research organization.
Consequently, firewalls have been evolving to support additional security functions, such as intrusion detection, spam filtering and even virus protection. Eventually, all these functions could wind up in unified threat management (UTM) systems, which consolidate security functions into a single platform.
Despite the need for firewall data-collection and data-exchange standards, little progress has been made.
"Vendors are more interested in proprietary products and locking users into their systems than easing information exchange," says BT Radianz's Hession. Until such thinking stops, companies will continue to have trouble exchanging information among different firewalls.