Do firewalls really work?

How secure is your network? Two Australian experts -- Sven Radavics, country manager, WatchGuard Australia and Tim Dickinson, country manager, SonicWALL Australia -- compare notes on their offerings.

Sven Radavics, Country manager, WatchGuard Australia About Watchguard WatchGuard was founded in 1996 with the goal of meeting the security needs of small- to mid-sized businesses with solutions built around proactive protection. The company introduced the Firebox firewall, an integrated platform designed to handle extensions for future needs.

Radavics: What do you believe are the key limitations of today's firewall solutions?
Dickinson: These days having a firewall is simply not enough and when it comes to choosing a security solution provider, we strongly encourage customers to focus on the convergent elements offered by vendors and to have something that can support key business applications. That means making sure their solution:

• supports VoIP
• provides deep packet inspection (being able to interrogate the whole data packet not just the headers)
• is easy to manage
• has no limitation on throughput
• ensures low total cost of ownership
• offers the option to outsource security management to a specialist provider.

Dickinson: In a total security solution, what would WatchGuard recommend as the key elements to provide a customer with full network security protection?
Radavics: Everything should always start with a solid security policy whose goal is to support the network and IT business requirements. Without this you are only buying product, not a solution.
At the gateway, we recommend using a fully integrated security appliance with zero-day protection and intelligent layered security. Many SMBs try to implement security systems by mixing disparate point solutions from several vendors. These products must all be purchased, installed, managed, and updated separately.

This approach generates difficulties with interoperability, incomplete protection, and time-consuming testing and verifying patches across multiple technologies, all of which can slow a network's response to attacks. Organisations should also implement architectures that incorporate intrusion prevention to inspect and block traffic at the application layer, and enable access and activity to be controlled by the user and not just by the IP address.

Customers should implement a solution which provides rich reporting, real-time monitoring, and multi-box management. For example, historical HTML-based reports can provide analysis of trends, while interactive, real-time monitoring tools allow IT managers to instantly identify problems and take preventive or corrective action to stop network threats.

Radavics: What prevents SonicWALL from closing a sale?
Dickinson: Our biggest challenge is getting potential customers to understand the full extent of dynamic threats and to accept that having a firewall is not enough. Once they appreciate this, they understand the importance of choosing a vendor like SonicWALL, which has built its product set around dynamic security management.
Dickinson: How does WatchGuard protect customers using VoIP from things like spam over Internet telephony?
Radavics: The issue of spam over Internet telephony is today largely a theoretical one as VoIP right now is primarily deployed within companies rather than being used for external communications. While development of additional security for VoIP is important for us, WatchGuard prefers to concentrate in the short term on the larger problem of zero-day protection. Our Deep Application Inspection technology achieves this while the majority of our competitors rely solely on reactive signature-based technologies which leave the user unprotected for the critical first few hours of an outbreak.
Radavics: In the late 1990s, there was a cliché that no MIS manager ever got fired for buying Cisco. Do you believe the situation has changed since then?
Dickinson: IT managers typically work for companies on a two to three year cycle. When they move to a new company they conduct an assessment to determine the best network security solution to meet a company's needs. At that time they tend to choose the best product for the job. In network security it's not about buying a brand, it's about buying the best solution to meet the current security threats and business operation requirements of the company. A well-known brand doesn't stop your company being under threat and IT managers are far more discerning about the choices they make these days.

Tim Dickinson, Country manager, SonicWALL Australia About SonicWALL Founded in 1991, SonicWALL designs, develops, and manufactures Internet security solutions to protect networks and provide secure remote access connectivity. The company offers both appliance-based products as well as value-added security services.

Dickinson: How does WatchGuard ensure it provides flexible security options that suit a range of different types of customer business models?
Radavics: Our three product lines meet a wide range of business needs with strong security built on a solid, trusted firewall and VPN foundation; Firebox X Peak for advanced network environments; Firebox X Core for corporate and branch offices; and the Firebox X Edge for small businesses, remote offices, and telecommuters.
Firebox X Peak is capable of gigabit throughput and has the reliability, redundancy, traffic management, and port density that demanding, high-speed networks require.
Firebox X Core customers can purchase model upgrades as their security needs change and obtain all the performance and functionality of the higher model in the line just as if they had purchased it originally.
Firebox X Edge appliances integrate with Firebox X Core and Firebox X Peak appliances to extend perimeter security to the furthest points of the corporate network.
Radavics: What do you see as the return on investment from a firewall solution?
Dickinson: This is an excellent question. In response to customer demand, we have developed a dedicated security management solution -- our Content Security Manager -- that allows companies to optimise productivity when providing employees with access to the Internet for work purposes. Time and again our customers have told us that when deploying our Content Filtering Solution to restrict employees' access to particular sites at particular times of the working day, on a case-by-case or group basis, their productivity is maximised. They see this as a real, tangible return on their investment.
This helps them understand that a security solution can be a productivity and enablement tool. It is not just about stopping attacks -- it's about ensuring the uptime and availability of networks around the clock.
Dickinson: How is WatchGuard guaranteeing that it has a depth and breadth of quality engineers available through channel partners locally to serve the needs of customers who want to outsource their network security?
Radavics: Our channel partners in Australia include Firewall Systems, LAN Systems, and WhiteGold Solutions. Firewall Systems runs training certification courses throughout the country while our systems engineers provide regular, local quick-start and advanced training.

Channel partner engineers also have access to the WatchGuard LiveSecurity Service, a renewable subscription to a suite of services, including access to security experts, threat alerts, software updates, technical support, and security broadcasts. Channel partners can share this information with their customers, as an added benefit to them.

Another partner, VOIP, also provides their security expertise through the channel through their managed security service based on WatchGuard products.

Radavics: What trends do you see in cybercrime?
Dickinson: The biggest concern is the evolution of malicious threats such as trojans, viruses, and spyware, which can be deployed in a manner of ways. You simply don't know where these threats are going to originate from or what's around the corner. That means companies need to be more careful than ever to ensure they have dynamic security protection in place. Time and again we tell our customers that merely having a firewall in place is not enough. But too often it seems customers want to keep their head in the sand, and then suffer the consequences.
Dynamic protection should be the phrase used by every IT manager in today's environment.
Dickinson: What is WatchGuard doing to make it easy for customers to manage network security?
Radavics: The secret of network security is that it's not rocket science. Our firewall solutions control both inbound and outbound traffic, authenticate connections, and include powerful processors that don't degrade network performance. This type of solution is designed specifically for ease of management.
We offer a proprietary layered defense architecture that compared to traditional systems delivers stronger, more dependable network security.
Our intuitive interface called the WatchGuard System Manager provides customers with a single view into their entire security systems.
In addition, our LiveSecurity team has been publishing content since 1999 that is geared primarily toward supporting organisations with limited resources or expertise dedicated to network security. Subscribers have access to the LiveSecurity archives and receive regular broadcasts via e-mail alerting them to vulnerabilities and offering practical advice on how to prioritise threats and secure against the latest worms and viruses.
Radavics: How do you think organisations can develop an effective culture of security?
Dickinson: At a high level it's a simple three-step approach: (1) develop a comprehensive network security policy for the company and employees. You have a procurement policy, why not a security policy? (2) Apply it throughout the organisation, educating your staff as to why it is critically important. (3) Ensure it is supported by dynamic technology that enables you to fulfill your security policy.
Above all it is critically important that employees from the top down understand why network security is so important and that means committing to ongoing education around these issues.

Dickinson: Given the majority of businesses in Australia are SMBs -- how is WatchGuard ensuring that these types of businesses enjoy secure networks and optimal productivity?
Radavics: WatchGuard pioneered the "firewall appliance" concept to address the need for a high-performance, easy-to-use, robust Internet security solution that SMEs could afford and manage. Our Intelligent Layered Security architecture protects against emerging threats effectively and efficiently, and provides the flexibility to affordably upgrade and integrate additional security functionality as a business grows. This is how we help small businesses to enhance their initial security investment and realise a much lower total cost of ownership (TCO). In addition, an intuitive Web-based user interface and quick-start wizards make it easy to set up and configure. Dynamic stateful packet inspection delivers SMEs commercial-grade security that protects networks while managed desktop antivirus provides centrally managed desktop protection against known viruses, Web attacks, and WAN failover.
Radavics: Are there any benefits to be had from outsourcing IT security?
Dickinson: "Security without hassle" is a winning proposition for customers and the growing trend is for SMEs to outsource this specialist area. According to IDC this is a fast-growing global trend and it is certainly hugely popular in the local SME market, as SonicWALL has seen. Threats to network security are becoming increasingly complex, and companies need to be on security alert if their data and voice networks are to remain uncompromised. With the outsourced model they have 24x7 access to the breadth and depth of engineering specialist expertise their network requires but at a fraction of what it would cost to employ this specialist in-house.

Dickinson: How does WatchGuard feel about using Linux as its operating system now that the Fortinet GPL violations have gone to litigation?

Radavics: We have been using Linux since 1996. The WatchGuard design process releases all modifications to the operating system kernel back into the public domain. This process enables the Linux development community to scrutinise the changes we have made to ensure that the modifications are stable and reliable. The WatchGuard Firebox System software code that runs on the modified kernel remains proprietary to WatchGuard Technologies. This design approach allows WatchGuard to deploy a secure appliance over an aggressively debugged operating system at a fraction of the total cost of other network security approaches.

Radavics: What is your opinion of the recent discussion regarding an Australian Government-sponsored IT Security Certification scheme?
Dickinson: A minimum standard for security does make sense and can only benefit the customer. However SonicWALL believes it is important that each vendor properly trains and certifies its people because network security is so dynamic. SonicWALL certainly does this and our company has invested thousands of dollars into developing training for our engineers, end users, and partners.
Dickinson: Does WatchGuard intend introducing a common user interface across their product line? When or why not?

Radavics: We already have a common management tool for our Firebox X range of products which our customers love. We also have a simpler Web-based interface for organisations who choose our Firebox X Edge for standalone/SOHO-type deployments. Our GUI is our strength.

Radavics: What has been the greatest risk you have taken and what did you do to survive?
Dickinson: It didn't seem risky at the time, but as a novice taking on the Maui surf and totally underestimating just how gnarly it was. It was a case of survive or bail so I shut my eyes, gritted my teeth, and hoped my number was not up... and thankfully, it wasn't!
Dickinson: What keeps Sven awake at night?
Radavics: Trying to avoid fear, uncertainty, and doubt (FUD) among end users about IT security while trying to educate them about how crucial it is and how most businesses don't have enough.
This article was first published in Technology & Business magazine.
Click here for subscription information.