WatchGuard Security System 2.0
Choosing a firewall for your network can be a difficult process. You need to balance security, capacity, flexibility and functionality in a mix that's unique to your particular installation. Seattle Software Labs' WatchGuard Security System 2.0 is an easy-to-configure, flexible firewall well-suited for midsize organizations and networks. Although not as functional as some other products, WatchGuard is priced right and offers a sufficient level of functionality, making it a good choice for a variety of network environments.
Keeping an Eye Out
WatchGuard consists of two components: a hardware-based packet filter, and a graphical configuration and management tool. The software component runs on Microsoft Windows95, Windows NT or Linux, and provides general administration, configuration and monitoring services. The configuration is stored on the hardware component, which acts independently of the system used for the configuration and administration tasks. Once the firewall's configuration has been defined, it is downloaded to the hardware-based packet filter, where it is executed independently of the administration program.
The hardware component—called a Firebox—can be a custom-built PC provided by the vendor or a standard PC that meets specific system requirements. The Firebox provided by Seattle Software Labs has a serial console port and three Ethernet ports. The Ethernet ports are for internal trusted, external untrusted and bastion networks, respectively. The three segments can be on different subnets or can share the same subnet if required, enabling high flexibility in subnet-constrained environments.
The software component—called the Security Management System (SMS)—provides the Firebox configuration services. The SMS program can connect to the Firebox over the serial port or over a network connection (using the internal trusted network only), allowing for a dynamic, interactive configuration of the firewall. The firebox configuration also can be saved to a floppy, which the Firebox will use to boot from.
WatchGuard's SMS comes preconfigured with packet filters for a variety of services. Each service can be configured to accept or reject requests based on source or destination network and port. You also can restrict the services so that they are limited to a single network interface.
WatchGuard's log output provides detailed exception reports, and can be configured on a per-service basis. Additionally, WatchGuard can monitor for spoofed packets and network probes. You can configure WatchGuard to send e-mail or paging alerts to administrators whenever any logging or probing conditions are encountered.
Besides the standard packet-filtering and network-monitoring functions, WatchGuard also provides transparent proxy services for a network. This feature lets clients connect to outside systems through the WatchGuard Firebox, effectively hiding your internal systems from outside agents.
The system-configuration tools are clean and straightforward. Editing system profiles is done with list boxes and easy-to-understand icons. Since the administration tool can be used to configure a Firebox via the LAN, it is possible to configure multiple systems in a single sitting. However, since each Firebox stores its profile locally, it is not possible to cluster or group multiple Fireboxes under a single configuration.