December 22, 1997
Sonic Interpol
Sonic Systems specifically designed its Interpol firewall to address
the needs of small networks, enabling smaller businesses to protect their
networks from outside intruders without much cost or effort. Although
the product lacks high-end functionality, its simplicity makes installation
and management extraordinarily easy and solid.
The product comes in a self-contained, small-form case (no Unix scripts
here) with transmit and receive LEDs for each of the network segments.
The embedded browser-based configuration software consists of straightforward
HTML and Java, making the setup and management of the system as configuration-proof
as possible. Meanwhile, the product's embedded content-filtering tools
-- crucial for litigation-prone businesses -- provide an extra incentive.
Multisegment security
Interpol comes with Ethernet ports for three distinct network segments: one for
the router connection to the Internet, another for the private internal
network, and a third for an external public network. Rather than acting
as a router or an application-level proxy, Interpol responds to ARP requests
for devices on each of the attached segments, effectively emulating an
IP-only Ethernet bridge.
This means you do not need different ranges of IP addresses on each
of the segments but can simply install the device on an existing network
without changing any of your clients' configurations (although you will
need separate Ethernet hubs for internal and external networks). Sonic
even provides a 10Base-T crossover cable for connecting the firewall
directly to the router.
Once Interpol is plugged into the network, any packets that are going
from one segment to another must cross through it. If a user on the internal
network opens a connection to a remote Web site, the firewall can keep
track of that connection and allow incoming packets into the private
network only when they are from that remote site and destined for the
specific PC. When the HTTP session is finished, the firewall will close
the hole it temporarily opened.
Because these holes are temporary, no in-bound packets will get through
to the internal network unless they answer an internal client's specific
request. If you have a Web or mail server on the internal network, you
can configure Interpol so that it will forward packets for specific TCP
ports to specific hosts on the internal private network. However, this
feature is limited to only a few predefined ports, so do not expect too
much from it (although Sonic plans to expand this service in a future
release).
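
The connection tracking and port forwarding described above, as an added Python sketch (not Sonic's code and not part of the original review). The class names, packet fields and addresses are constructed for illustration, and session teardown is reduced to a single flag.

```python
# Added illustration: toy model of the stateful filtering described above.
# All names and addresses are constructed; this is not Interpol's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool        # True = arriving from the Internet-side segment
    fin: bool = False    # simplification: one flag stands for session teardown

class StatefulFilter:
    def __init__(self, forwards=None):
        self.holes = set()              # (internal ip, port, remote ip, port)
        self.forwards = forwards or {}  # predefined TCP port -> internal host

    def allow(self, p):
        if not p.inbound:               # outbound is allowed in this model
            key = (p.src, p.sport, p.dst, p.dport)
            if p.fin:
                self.holes.discard(key)  # session finished: close the hole
            else:
                self.holes.add(key)      # remember who the client talked to
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.holes:           # reply from that site to that PC only
            if p.fin:
                self.holes.discard(key)
            return True
        # Otherwise only a configured port forward to its specific host passes.
        return self.forwards.get(p.dport) == p.dst

def demo():
    fw = StatefulFilter(forwards={80: "192.0.2.20"})  # internal Web server
    pc, site, other = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    return [
        fw.allow(Packet(other, 80, pc, 40000, inbound=True)),   # unsolicited
        fw.allow(Packet(pc, 40000, site, 80, inbound=False)),   # opens hole
        fw.allow(Packet(site, 80, pc, 40000, inbound=True)),    # matching reply
        fw.allow(Packet(other, 80, pc, 40000, inbound=True)),   # wrong remote
        fw.allow(Packet(pc, 40000, site, 80, inbound=False, fin=True)),
        fw.allow(Packet(site, 80, pc, 40000, inbound=True)),    # hole closed
        fw.allow(Packet(other, 5555, "192.0.2.20", 80, inbound=True)),
        fw.allow(Packet(other, 5555, "192.0.2.20", 25, inbound=True)),
    ]

if __name__ == "__main__":
    print(demo())
```
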
Remote-access authentication
One of the problems with firewalls is that they tend to block everybody
from getting into the network, including your own legitimate users. Interpol
offers the ability to provide remote access through an MD5-based Java
authentication system. Users can connect to the firewall's internal Web
server, provide a user name and password, and then access any of the
internal network's resources from the client on which they authenticated.
Because a Java applet handles the authentication, Interpol does not
pass the user name and password in clear text across the Internet. But
it does not encrypt the entire session, so any subsequent log-ins will
be in the clear. This is not a substitute for a virtual private network
solution, and Interpol would benefit greatly from such an add-on. The next
software upgrade in 1998 should provide Point to Point Tunneling Protocol
support, giving customers encrypted remote connections.
Embedded filtering
Another important component of the firewall is its embedded content filter. You
can choose to block access to a variety of Internet sites by defining
filters. Sonic Systems provides a free update service, so the firewall
can automatically download new additions to a master list. And a local
administrator can easily supplement or modify the filtering system via any
Java-based Web browser. You can also create user accounts that bypass
the filters altogether.
Overall, Interpol's limited number of predefined TCP ports makes it
inappropriate for enterprise use, but smaller businesses should appreciate
the firewall's easy management and configuration.
Interpol is a solid offering for smaller shops seeking an easy-to-use
and relatively inexpensive firewall and content filter. It lets you protect
an entire network without changing client IP or browser configurations.
Written by Eric A. Hall.
Copyright © 1997 InfoWorld Media Group, Inc. Used with permission.