© 1999 Lawrence I. Charters
Washington Apple Pi Journal, Vol. 21, no. 5, September-October 1999, pp. 66-69.
As children, everyone at Washington Apple Pi Labs built forts or castles. These castles (or forts) were made of furniture, large boxes, unoccupied cars, and other bits and pieces of reality, reassembled with imagination to form a firm fantasy. As adults, the Lab crew credits this earlier fort-building (or castle-building) as invaluable experience, for castles and forts are still in demand.
Depending on what you do, you may find an intangible fort (or castle) all but essential. You see, there really are evil trolls out there. Plus, your castle may come with some neat secret passages. The secret passages may be more useful to some than the fortifications.
Purging with fire
The Internet is no longer the domain of scientists and researchers. Instead, even small businesses (florists, auto mechanics, pest exterminators) have contracted for full-time Internet service, opening up their businesses to the rest of the world. At the same time telephone companies and cable TV companies are offering full-time Internet access to private individuals.
While the democratization of the Internet might be laudable, not all the changes are good. There are criminals out there, and they have computers, too. The criminals aren’t even very bright. Thanks to “consumer” hacker tools, almost anyone can download a program designed to attack entire networks or individual servers. You don’t need to be a “hacker.” You don’t even need to really understand what you’re doing. All you need to do is double-click on an application icon. And hackers, either from stupidity or laziness, are more than willing to attack small businesses, and even individuals.
The ivory towers of the past are gone, and people are discovering that their homes are not necessarily their castles, especially when you open your home to the Internet. The old safeguards — password-protected dial-up accounts, E-mail accounts
In this case, it is time for a firewall.
Deep castle moat
Sonic Systems’ SonicWall/10 is a firewall, a specialized network router that inspects information coming into a network to see if the information is harmful or benign. It enforces network security in several different ways:
- Through stateful packet inspection, it examines every packet coming in from outside the network.
- Network Address Translation (NAT) masks internal, private computer addresses from the Internet, making them far less vulnerable to attacks.
- Specific types of technology can be restricted, such as blocking Java, ActiveX and Web cookies.
- Denial of Service (DoS) attacks are detected and blocked from disrupting the private network.
- Internet content filtering can be turned on to block access to specific Web sites, or whole categories of Web sites (e.g., various types of porn, violence or drug abuse, racial intolerance, etc.).
- Conversely, access can be denied to all but a specified list of approved Internet sites.
Individual workstations on the private network can have either expanded access to the
Smaller than a hardcover book, the SonicWall/10 takes up very little
The back of the SonicWall/10 is quite bare. From left to right: a tiny Reset switch, an Ethernet port for the LAN, an Ethernet port for the WAN, and the connector for the power supply.
Secret Passages
In cryptic terms, the SonicWall/10 does Network Address Translation (NAT). There are multiple options for NAT, but the one most people will find useful allows you to share one Internet account among several computers. The SonicWall/10 keeps track of the “private” addresses of all machines on your internal network, and routes requests for Internet data to the proper machine.
This bears repeating: with a properly configured SonicWall/10, you can share a single cable modem or DSL line with up to ten computers on your network. Each computer would appear to have a full-time Internet connection, but in reality they would be sharing a single Internet address. The SonicWall/10 would simultaneously protect the machines on the local network from attack as well as route information back and forth to the proper machines. From the perspective of the user, as well as your ISP, all of this is completely invisible; it just works.
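The bookkeeping described above, as an added example that is not from the original article or from Sonic Systems: a simplified Python model of many-to-one NAT in which replies are routed to the machine that asked and anything without a matching outbound flow is dropped. The class name, port numbers and addresses are assumptions chosen for illustration.

```python
# Constructed model of many-to-one NAT with stateful inbound filtering.
# Addresses come from private/documentation ranges and are illustrative only.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"   # the single address assigned by the ISP (assumed)

@dataclass
class NatGateway:
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (priv_ip, priv_port, remote) -> public port
    in_map: dict = field(default_factory=dict)   # (public_port, remote) -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, remote):
        """Rewrite an outgoing packet's source and remember the flow."""
        key = (priv_ip, priv_port, remote)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, remote)] = (priv_ip, priv_port)
            self.next_port += 1
        return (PUBLIC_IP, self.out_map[key], remote)

    def inbound(self, remote, public_port):
        """Deliver a reply to the machine that asked for it; None means dropped."""
        return self.in_map.get((public_port, remote))


def demo():
    gw = NatGateway()
    web = ("198.51.100.20", 80)
    # Two internal machines use the same local port toward the same server.
    a = gw.outbound("192.168.1.10", 1025, web)
    b = gw.outbound("192.168.1.11", 1025, web)
    return {
        "a_seen_as": a[:2],          # what the Internet sees for machine A
        "b_seen_as": b[:2],          # same public IP, different public port
        "reply_to_a": gw.inbound(web, a[1]),
        "reply_to_b": gw.inbound(web, b[1]),
        # Right port, but from a host nobody inside contacted: no state, dropped.
        "unsolicited": gw.inbound(("192.0.2.66", 80), a[1]),
        # A port the gateway never allocated: dropped.
        "closed_port": gw.inbound(web, 23),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both internal machines appear to the outside as the same public address, and the private addresses only ever exist inside the gateway's table.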
Service Settings
Should I care?
Earlier this year a virus named after Bill Gates’ wife, Melissa, wreaked havoc on hundreds of thousands of computers worldwide. In early summer, to the sounds of rock music in a Las Vegas convention center, hackers distributed CD-ROMs containing BackOrifice, a tool to surreptitiously gain control of Windows 95 and NT computers from remote locations. Unknown to the hackers, the CD-ROMs also contained a rather nasty virus, proving that even vandals aren’t safe from vandalism. By July 1999, there were more than twice as many documented hostile attacks on U.S. government networks as in all of 1998.
The world is now engulfed in a world-wide war. On one side, the forces of order: people trying to do useful work. On the other side are the vandals: unwilling or unable to do something creative, they disrupt, deface and destroy. Fortunately, evolution favors the energetic and creative rather than the lazy and destructive.
One tool for the good is Sonic Systems’ SonicWall/10. It won’t protect you from Windows viruses (using a Mac is protection enough), but it will help protect your castle (or fort) from attacks by the barbarians.
Of course, you may want to buy it just for the secret passages.
SonicWall/10, $499 (under $400 with aggressive shopping)
Sonic Systems, Inc.
5400 Betsy Ross Dr., Suite 206
Santa Clara, CA 95054
(408) 844-9900
http://www.sonicsys.com