HostedDB - Dedicated UNIX Servers

Security Jump Page

Details of firewall products

ALF

Purpose: IP packet filter

Platform: BSDI

Vendor: SOS Corporation

ALF (Application Layer Filter) is a software package that combines kernel modifications and user level programs to provide IP filtering services to UNIX computers. It can be purchased as a standalone product for use on BSDI machines or in combination with the Brimstone firewall.

ALF permits simple but powerful configuration, allowing a site to filter packets on an extensive set of inputs such as source address, source port range, destination address, destination port range, protocol, and interface. It is a cost-effective way of enhancing a site's network security.

As each packet is received, ALF examines the fields in the packet's headers, consults an administrator-defined rules base, and then makes a decision whether to forward the packet, drop it, log it, or map either the source or destination address or ports. ALF can also cache connections, which speeds up the approval process.

There are two parts to ALF: minimal kernel code for trapping incoming packets and transmitting outgoing packets; and a user part for implementing filtering, mapping, and control. ALF runs on all systems capable of running BSDI, including 386, 486 and Pentium.

More information: http://www.soscorp.com/


ANS InterLock Service

Purpose: Firewall

Platform: UNIX

Vendor: ANS CO+RE Systems

ANS InterLock Service is an application-level service that can be used for controlling access among segments of a private IP network. This means that confidential information can be protected against unauthorised access. ANS InterLock also ensures network security whether the enterprise is using a private network or the public Internet to communicate with its remote offices, suppliers and customers.

ANS InterLock Service protects networks by the use of security-enhanced versions of the popular Internet and networking applications: Telnet, FTP, HTTP, SMTP, Gopher, NNTP, etc. It supports end-to-end encryption and is available with card key authentication. Access to services is controlled via a rules base. Users may be granted or denied access to a particular service depending on a combination of ID/password/Smartcard, time of day, day of week, inward or outward direction, private/public network, etc.

More information: http://www.ans.net/


Black Hole

Purpose: Firewall

Platform: Multiple hardware platforms

Vendor: Milkyway Networks Corporation

Black Hole is an application and circuit level gateway that does not require or use any form of packet filtering mechanisms. It is designed on the "prohibit everything except what is permitted" principle. It supports all Internet applications transparently, and requires no special client program or awkward user procedures.

In order to transmit information into or out of a Black Hole protected network there has to be full user authentication. This is based on service, user-ID, password and source address; destination addresses and the date and time are also required.

Because all traffic, whether inbound or outbound, has to be properly authenticated by the network administrator, Black Hole can also be used as an inter-departmental firewall. When used for Internet connectivity it creates (says the vendor) an "event horizon" (!) between your internal network and the Internet. "In a Black Hole protected network, the Private Network is completely unknown to the Internet."

Black Hole supports X11R6 with Motif extension. Black Hole can be installed in a dual firewall configuration - thereby eliminating the danger of "man-in-the-middle" attacks and system administration errors.

More information: http://www.milkyway.com/


BorderGuard

Purpose: Firewall router

Platform: (has own single-board, single-processor platform)

Vendor: Network Systems Corporation

BorderGuard is a dynamic, application-rich, remote access connectivity platform that combines firewall routing and cryptographic capabilities with multi-protocol internetworking features and link connectivity options. In short, it is a secure internetworking platform for remote/branch office access.

Among the extensive security features offered by BorderGuard are: traffic filtering by port, address, protocol, or application; segmentation of users into closed security groups; and the ability to restrict access to certain hosts. The system gives the administrator the ability to monitor and control network conditions. Through the application of cryptography in the vendor's Data Privacy Facility (DPF, a software suite included with BorderGuard) data is protected during transit. Other facilities include authentication, integrity checking, replay prevention, and compression. The vendor says: "DPF is the first commercially available, high speed, general purpose data protection package delivering standards-based cryptography."

More information: http://www.borderguard.com/


BorderWare Firewall Server

Purpose: Firewall

Platform: UNIX, Windows, DOS

Vendor: Border Network Technologies

A high security firewall server that is easy to install and transparent to the user. It protects TCP/IP networks from unwanted access and allows a large network to integrate seamlessly with the global Internet and other external networks. It has its own set of application-level gateway servers, including a MAIL server, dual NAME servers, NEWS, and WWW.

Available in Europe from Sea Change Corporation. In a deal between BNT and Digital Equipment Corp., the BorderWare Firewall Server now represents the low-end of Digital's range of firewalls.

More information: http://www.digital.com/info/internet/firewalls.html


Brimstone

Purpose: Firewall

Platform: SunOS, BSDI on Intel, IRIX on INDY and Challenge, etc.

Vendor: SOS Corporation

Brimstone is an Internet firewall - a "hybrid" type (as defined by Cheswick and Bellovin in Firewalls and Internet Security). It can be purchased as a standalone product or in combination with the ALF packet filter.

Brimstone's many features include: multiple mutually secured interfaces, client/server mode for centralised administration, and (optional) GUI for access control administration. It supports most popular access control mechanisms on a per-user basis, including: time of day, day of week, date, source address, source port, destination address, destination service, etc. It supports popular interactive protocols with application gateways (telnet, FTP, SMTP, X11) and other protocols with session relays (HTTP, NNTP, gopher, generic UDP and TCP).

Brimstone also supports unencumbered access to all protocols from internal networks with Socks, and unmodified unencumbered access with ALF (see above). It supports most popular authenticators, including SafeWord AccessCard (etc.), SecureNet Key, and WatchWord. It has full logging and reporting facilities.

More information: http://www.soscorp.com/


Centri

Purpose: Firewall

Platform: SunOS, Solaris, HP-UX, AIX and BSDI

Vendor: Cohesive Systems

Centri is an Internet security product that allows a corporate network to connect with the Internet while assuring full data protection. Designed for easy installation and configuration, it offers facilities beyond those of packet filtering (the traditional technique used in firewalls). Centri uses application-level proxy services - a very advanced form of security - with IP address translation. Communications to and from the Internet are conducted via a single IP address.

The vendor recognises that security is one of the main concerns when a corporation connects to the Internet. For this reason, Centri has many security features, together with tools that allow the company to take a proactive approach when necessary.

Centri has logging and auditing capabilities, enabling companies to keep an accurate account of their data traffic to and from the Internet. Among the many additional security features are the external Domain Name Service, secure mail, secure anonymous FTP, user authentication, and end-to-end encryption.

Centri incorporates technology from Trusted Information Systems.

More information: http://www.cohesive.com/


CheckPoint FireWall-1

Purpose: Security solution

Platform: Intel, SPARC

Vendor: CheckPoint Software Technologies

CheckPoint FireWall-1 is a security solution that protects an organisation's internal network while at the same time providing transparent access to the Internet. Based on multi-layer inspection technology, it is a protocol-independent system that ensures security for existing and future Internet protocols, services, and applications. As the vendor says: "By using FireWall-1, an entire enterprise's network security policy can be created, monitored and maintained from a single workstation."

The latest version of CheckPoint FireWall-1 introduces levels of security that meet the needs of those who wish to conduct business on the Internet. For example, it features user authentication, and it recognises SecurID, S/Key, and UNIX Password authentication schemes. Its address translation feature helps to overcome the limitations of IP addressing by distributed control and allocation of IP addresses. Above all, it conceals internal addresses from the Internet, keeping this information strictly within the organisation.

CheckPoint FireWall-1 provides an easy-to-use router management tool, enabling routers to be configured and managed through the FireWall-1 GUI.

More information: http://www.checkpoint.com/


CONNECT

Purpose: Firewall

Platform: UNIX

Vendor: Sterling Software

The CONNECT Firewall is an application-level security program that integrates many different levels of gateway management. It has a real-time notification feature that draws the system administrator's immediate attention to unauthorised access requests. It also has facilities for preventing intruders from gaining machine addresses and account names. CONNECT comes with enterprise-wide email administration, installation tools and training.

More information: http://www.wji.com/sterling.software/


CyberGuard Firewall

Purpose: Firewall

Platform: RISC hardware, plus own UNIX OS

Vendor: Harris Computer Systems Corporation

CyberGuard Firewall is an off-the-shelf solution that includes a RISC-based hardware platform, a secure UNIX operating system (CX/SX), and an integrated networking product (LAN/SX). It provides a fully integrated, highly configurable security solution that (says the vendor) achieves "impenetrable, multi-level security" in distributed network environments. Both the operating system and the networking product have been evaluated by the National Computer Security Centre at the B1-level of trust.

The CyberGuard Firewall solution provides a bastion host with filtering, dual-homed gateway, circuit gateway, and application gateway - or a combination of all of these. It can be set up to allow two-way communication - blocking only high risk commands; or it can be customised to allow only out-bound communication with no in-bound access. A further option is to set up the firewall to allow only incoming communication with no outgoing access.

CyberGuard offers filtering on Source Address, Destination Address and Service. Permission or denial can be specified either by explicit host number or name, or by subnet specifications. High risk commands such as rlogin, telnet and ftp can be disallowed or limited.

CyberGuard keeps an audit trail of all relevant events. The system also makes extensive use of proxies for frequently used services.

More information: http://www.hcsc.com/trusted/


Digital Firewall for UNIX

Purpose: Firewall

Platform: Digital Alpha

Vendor: Digital Equipment Corporation

Digital Firewall for UNIX provides secure access to Internet services while preventing any unauthorised connection to or from the Internet. It examines every packet of data, rejecting those that do not conform to the specifications of the systems administrator. Customer installable on Alpha workstations running Digital UNIX, Digital Firewall for UNIX provides "packet level, circuit level and application level security." It also provides comprehensive logging and a GUI - all in a pre-configured software package.

More information: http://www.digital.com/info/internet/firewalls.html


Eagle Enterprise

Purpose: Firewall

Vendor: Raptor Systems

Eagle Enterprise is a sophisticated firewall that offers Raptor's Virtual Private Networking (VPN) technology as a standard feature. VPN allows companies to construct virtual networks via the Internet rather than by dedicated leased lines.

Eagle Enterprise, with its GUI and S/Key authentication, is state-of-the-art in providing features for the control of access to and from the network. It can also be used in conjunction with another product, Eagle Remote Firewall, which is intended to be used in remote offices - but which is configured and controlled by Eagle Enterprise.

More information: http://www.raptor.com


Eagle Lite Firewall

Purpose: Firewall

Vendor: Raptor Systems

The Eagle Lite Firewall is intended for relatively small LANs where fewer than 100 users wish to connect to the Internet. However, it has a graphical user interface and many of the features of the more expensive Eagle Enterprise. Raptor's Virtual Private Networking (VPN) technology is also available as an option, allowing a company to build a virtual network at low cost via the Internet instead of dedicated leased lines.

More information: http://www.raptor.com


Dialock Boot

Platform: DOS, MS-Windows

Vendor: Alliance Sales

Originally a security program that prevented a standalone or networked PC from being booted from the floppy drive, Dialock Boot has some added Internet-related features which monitor the incoming data stream. Being (in the UK) a sub-£50 package for single machines it is not intended to be a comprehensive firewall - but it does provide a good measure of protection.

Dialock Boot records all attempts to access protected files. It allows users to encrypt sensitive data, provides a full auditing facility, and allows users to make tagged diskettes that can be used only on one or more specified machines.

More information: tel: +44 1794 518183 fax: +44 1794 518490


Digital Firewall Service

Purpose: Firewall

Platform: Digital

Vendor: Digital Equipment Corporation

Digital's Firewall Service provides an Internet connection via an "intelligent" gateway using special security clearance to determine accessibility. The intelligent gateway gives a great measure of control over which machines on the Internet can be accessed and which applications (email, FTP, etc.) can be used. The Firewall shields the network from possible malicious attack from external users.

Digital offers full consultancy, installation, training, etc., regarding firewalls.

More information: http://www.digital.com/info/internet/firewalls.html


Firewall IRX Router

Purpose: Packet Filtering Router

Vendor: Livingston

Livingston's Firewall IRX Router gives local networks secure connectivity to remote networks including the Internet. A proven system, in wide use around the world, it separates Internet accessible hosts from the private network and conducts packet filtering and logging for each of them.

Firewall IRX can also be configured to help with network management and to reduce network traffic. It supports dial-up internetworking for Switched 56 and ISDN common carrier service. It also supports a very wide range of networking protocols. Its PMconsole administration software has an interface for X-Windows and a full screen interface for character-based terminals and DOS systems.

More information: http://www.livingston.com/


FireWall/Plus

Purpose: Firewall

Platform: MS-DOS

Vendor: Network-1 Software & Technology

FireWall/Plus is a frame, packet and application filtering network security firewall. It can be used to provide a high level of security between corporate networks as well as controlling access to and from the Internet.

Via a sophisticated GUI, a system or security manager can easily define security policies or rules. This process requires no knowledge of scripting languages or any need for in-depth technical training on rule definitions.

FireWall/Plus provides a complete range of filtering, together with some pre-defined filters to enable the speedy implementation of common security policies. The firewall defeats a wide variety of common IP attacks, including IP spoof attempts. It also has facilities for mobile users who travel or move around the corporate network.

There are full reporting facilities in FireWall/Plus, including detailed event logs and event notification. A system or security manager can generate report files for export to other products such as databases, spreadsheets and billing systems.

FireWall/Plus requires a 486 or better, running at 50 MHz or greater.

More information: http://www.iu.net/


Gauntlet Internet Firewall

Purpose: Firewall

Platform: UNIX

Vendor: Trusted Information Systems

The Gauntlet Firewall ensures that authorised employees can gain the right level of access to the Internet, while also keeping hackers at bay with various levels of monitoring and security. It is provided either as software, or preloaded onto Sun Sparc5. In Europe, Gauntlet Firewall is available from Pipex International and its distributors.

More information: http://www.tis.com/


GFX-94

Purpose: Firewall family

Platform: UNIX

Vendor: Global Technology Associates

GFX-94 is a range of firewalls designed to isolate and protect internal networks from unauthorised access. All members of the family use the same software technology, but the individual systems address different needs and performance. They all have what the developer calls "double wall" construction: two physical systems connected by a private DMZ network. If the outer wall were compromised, the inner wall would shut down the DMZ network, although this would be a very rare occurrence.

Models range from the small footprint GFX-94E, to the standard GFX-94S and the rack-mounted GFX-94R. Each system has Ethernet interfaces, and a DAT tape drive for backup and logging. Network access remains transparent. One very important feature is the use of one-time passwords which ensures that even if a password is captured it cannot be reused. GFX has been tested by SATAN and found to be secure.

More information: http://www.gta.com/


IBM Secured Network Gateway

Purpose: Firewall

Platform: AIX

Vendor: IBM

IBM's Secured Network Gateway is a firewall that was formerly part of the NetSP product family. It operates on an AIX platform to protect a corporation's internal enterprise network resources from Internet intruders, while allowing legitimate traffic to flow through.

Secured Network Gateway offers a number of advanced features, including: proxy server, SOCKS servers, filters and domain name service. One feature that has been more recently added is support for AIX version 4.13 in addition to 3.25. The new operating system support offers customers the option to run the Secured Network Gateway on PowerPC hardware.

Another key feature is data encryption. Data can safely flow between two firewalls across a public network. The firewall encrypts IP data packets, creating a private "IP tunnel" from one secure internal network to another. The new secure IP tunnels could be used - the vendor says - for a company with the Secured Network Gateway installed at its various sites to transmit sensitive financial data from a branch office over the Internet to corporate headquarters. Customers could also use this feature to administer a firewall from a remote location with complete security.

More information: http://www.ibm.com/


Interceptor

Purpose: Firewall

Platform: Intel, Sun

Vendor: Technologic

Interceptor provides a sole path for data between a corporation's network and the global Internet. Used in conjunction with effective security policies and procedures it ensures a secure Internet connection, safeguarding the private network from penetration or compromise.

Interceptor runs on a dedicated host processor and provides network access control, proxy services and mail forwarding. Its Network Access Controller (NAC) represents the first level of protection, accepting or rejecting connections based on the type of request and the source IP addresses. The NAC logs all connections.

Interceptor's proxy services provide seamless support for accessing Internet-based information from corporate networks without risk. Proxy services allow the user to interact with Internet-based services without disclosing specific information about an organisation's network that could later be used to compromise its security.

Email is handled securely through a multi-step process. All SMTP connections are answered by a program which receives and examines each message and records it in a file. A continuously running process scans for message files and passes the messages on to a mail routing program. Finally, the mail routing program performs the delivery. In this way, potentially malicious clients are prevented from connecting directly to the corporate mail router.

More information: http://www.tlogic.com/


KarlBridge

Purpose: Bridge with firewall filtering

Platform: (demonstration software on MS-DOS)

Vendor: KarlNet

The KarlBridge is a high performance but relatively low-cost bridge with security firewall filtering and reporting capabilities. It filters packets by any address or protocol, and also IP socket/address/subnet, AppleTalk server name, AppleTalk Zone name, Novell server name, Novell service type, DECnet Object and DECnet address.

KarlBridge provides upgradeable Ethernet bridging and can encrypt Ethernet or TCP/IP data between specified LANs. It supports Ethernet-to-Ethernet, WaveLan, wireless, 56k/64/T1/E1 and async interfaces. It also has complete SNMP support, including a network monitoring MIB.

Distributed in Europe by: Sherwood Data Systems

More information: http://www.gbnet.net/kbridge


LSLI PORTUS

Purpose: Firewall

Platform: UNIX

Vendor: Livermore Software Laboratories

Developed originally at IBM Thomas J. Watson Research Centre, PORTUS has been enhanced by both IBM and LSLI over several years and is described by LSLI as being "the state of the art in securing a network from unauthorised access." Previously a two-system solution it is now a single system solution that retains the same level of security as before. Its sendmail facility translates internal user IDs and hostnames in mail headers to external user IDs and the host name of the firewall.

PORTUS can also provide departmental security within a corporation. PORTUS only allows FTP from inside the protected network; it allows outbound telnet; uses authentication for incoming users; assigns different shells to users according to their status; directs users to specific nodes (configurable); supports SMTP; provides separate domain name servers for the unprotected and protected nets; logs successful logins and failed login attempts for telnet and FTP; supports SOCKS, Mosaic and HTTP.

Distribution in the UK is by E92 PLUS Ltd, Surbiton, Surrey e92plus@e92plus.co.uk

More information: http://www.sccsi.com/lsli/


Mazama Packet Filter

Purpose: Packet Filter

Platform: PC hardware/Linux OS

Vendor: Mazama Software Labs

The Mazama Packet Filter is an economical dedicated firewall system that runs on PC hardware (486/33 or faster, with 8MB RAM) and uses the Linux operating system, a version of which is included with the product along with a quick-start installation kit.

The Mazama Packet Filter can cope with T1 speeds (1.5Mbits/second), although this requires one of the faster 486s or a Pentium host. Its tested network interfaces are SLIP, PPP, and 3Com Ethernet (3c509). Other cards supported by Linux will also work with it.

More information: http://www.mazama.com/


NetGate Software Firewall

Purpose: Packet Filtering Router

Platform: Sparc running SunOS or Solaris

Vendor: SmallWorks

NetGate Software Firewall is a rule-based packet filtering and routing package for administering TCP/IP networks. It protects against external intrusion from the Internet by examining every incoming packet on all connections (modem, leased lines, Ethernet, etc.). Its kernel-based protection - with rule filtering directly in the kernel - makes it very difficult for unauthorised users to change the rule set.

The vendor claims that the firewall causes no performance degradation, unlike many of the "wrapper" programs and application gateways that are widely available. "Proxy services and application gateways all add context switch time which slows down your network access drastically."

NetGate runs from a simple command line interface from a single point of control.

More information: http://www.smallworks.com/


Netscape Proxy Server

Purpose: Proxy server

Platform: UNIX

Vendor: Netscape Communications

Netscape Proxy Server is a high performance caching proxy server, providing security to corporate users who wish to access the Internet. It places users behind a firewall, thus ensuring that internal corporate information remains confidential. The system provides transaction logging and may be used by a system administrator to prevent individual users from accessing certain information on the Internet.

The caching facilities of Netscape Proxy Server can (claims the vendor) significantly enhance the speed with which information is accessed, reducing the load on the network while also reducing the overall cost of Internet access.

More information: http://www.netscape.com/


NetSeer

Purpose: Firewall

Platform: Solaris 2.4 and above (any machine)

Vendor: Telos

NetSeer is a firewall that combines the main features of both packet filtering and application level firewalls. It can monitor and control both incoming and outgoing network traffic, with control over host/destination addresses, service, time/day, etc. It has an alarm capability, and detailed reporting facilities. The latest version adds user authentication, encryption, and custom reporting capabilities.

Whenever a new service is added to a machine, NetSeer can be configured to control it from the program's Rules Administrator. It can detect spoof attacks and identify sources. To the users of the network it is entirely transparent and requires no change to be made to any workstation software. Its GUI makes system administration easy.

More information: http://www.telos.com/


NetSentry

Purpose: Firewall

Platform: (uses vendor's hardware)

Vendor: Network Systems Corporation

NetSentry is a network security product that provides packet filtering and firewall protection for a corporate or institutional network. It is essentially an enhanced version of the vendor's Packet Control Facility (PCF) and it may be combined with other security products from NSC (such as Data Privacy Facility) to provide top-class data protection for standards based networks.

A very full description of NetSentry, together with the rationale that led to its development, can be found at the vendor's web site.

More information: http://www.network.com/


Norman Firewall

Purpose: Firewall

Platform: UNIX

Vendor: Norman Data Defense Systems

Norman Firewall provides a very high level of protection to computer networks that are connected to the Internet. It consists of an integrated front-end server, a proxy server, and a virus detector which checks for over 6500 known viruses before authorising the data to pass. It checks the origin, time of arrival and destination of every packet, and even examines the labels of packets to check the sensitivity of their contents.

More information: norman@digex.com


Private Internet Exchange

Purpose: Firewall

Platform: (runs NTI's embedded real-time kernel)

Vendor: Cisco/NTI

Private Internet Exchange (PIX) is a firewall that completely conceals the architecture of your internal network from the outside world. Equally important, it allows you to expand and reconfigure your TCP/IP network without any worries about the shortage of IP addresses. It uses what the vendor calls the Network Address Translation algorithm to let you take advantage of a larger address class than the one assigned to you.

PIX is scalable; simple to install; and simple to configure (the vendor estimates 5 minutes). It offers complete access control to the services of the Internet. It also allows you to connect internal networks via the Internet, using PIX Private Link - which includes encryption for security.

PIX allows transparent access to the Internet; eliminates the need for insecure proxy servers; makes special client software unnecessary for Internet access; and requires no time-consuming management.

More information: http://www.translation.com/


SecureConnect

Purpose: Firewall

Platform: (is hardware/software package)

Vendor: Morning Star Technologies

SecureConnect is a hardware/software package that provides corporate networks not only with secure access to the Internet but also safe transit of information across the Internet through encryption. Its firewall protection offers dynamic packet filtering, adapting its structure to open, lock and time the port for each transaction. Its gateway encryption automatically encrypts the data for transmission over the public network.

SecureConnect also has surveillance and monitoring features that can trigger an alarm when certain thresholds are reached, indicating intrusion upon the corporate network.

More information: http://www.morningstar.com/


SecurIt

Purpose: Firewall

Platform: 486 running BSD-based UNIX

Vendor: MIDnet

SecurIt is an Internet security system built on firewall technology from Trusted Information Systems. It provides specific application gateways for Internet access, including WWW, terminal services, email, FTP, network news, etc. Its additional features include user authentication and audit reporting functions.

SecurIt continuously logs all significant security events to a protected host on the network. It has a simple menu interface that allows easy modification of logging options, report parameters, etc. Source code is available for maximum flexibility.

Essentially, SecurIt provides a network "strong point" that becomes the focus of security policy and administration. It protects proprietary data against attack and fortifies defences against outside break-in attempts.

More information: http://www.mid.net/


The Security Router

Purpose: Secure bridge-routers

Platform: (has own single-board, RISC-based hardware platform)

Vendor: Network Systems Corporation

The Security Router is a family of secure bridge-routers that combine the vendor's firewall routing technology - Packet Control Facility (PCF) - with support for the vendor's Data Privacy Facility (DPF) data encryption software. The models in this range have their own RISC-based forwarding engine, which, says the vendor, guarantees high performance. In fact, the throughput performance is always equal to, or greater than, the actual speed of the connected media. Protocols supported include: TCP/IP, DECnet Phase IV, Novell IPX/SPX, AppleTalk II and XNS.

All the models of the Security Router range support data encryption using standards-based cryptography. In bridge mode, the systems also provide comprehensive filtering using Bridge Control Facility (BCF), and in turn this allows the installation manager to fine-tune network traffic. For large installations such as campus networks, BCF offers the facility to create closed user groups, sometimes called "virtual private networks."

More information: http://www.network.com/


Sidewinder

Purpose: Firewall

Platform: Pentium with BSD/386 UNIX (demo available on Mac)

Vendor: Secure Computing Corporation

Sidewinder is an Internet firewall that provides security in depth, transparent Internet access, rule-setting and filtering mechanisms, active defence capabilities, easy integration into existing environments, and secure central administration. It has won many awards (such as "Best Internet Firewall Product" in the Information Security News Reader's Trust Awards) and is highly regarded as an exceptionally safe system.

Sidewinder operates as an application and circuit level gateway using a proprietary "type enforcement" technology which enforces system and network server software privileges within defined domains. Type enforcement controls how programs use files and how they interact with other programs.

Sidewinder will support one-time authentication using Digital Pathways' SecureNet Key (SNK) hand-held authentication token, or Secure Computing's LOCKout authentication system.

More information: http://www.sctc.com/


Site Patrol

Purpose: Firewall

Platform: UNIX

Vendor: BBN Planet Corp

Site Patrol is a turnkey service combining hardware, software and services for high levels of Internet security. It gives corporate customers a fully-managed, protective firewall between the internal network and the external Internet. The service includes 24-hour secure monitoring and response, configuration management, security updates and alerts.

Site Patrol combines a bastion host, a choke router and a fully encrypted management and monitoring infrastructure. Customer networks are monitored nation-wide at BBN's three Network Operation Centres (NOCs) in Cambridge, MA; Palo Alto, CA; and College Park, MD.

Among the many features of the service are: security analysts on call; quick response to security incidents; a mailing list for security alerts and information; monthly reports on firewall activity; two scheduled configuration changes each week; annual customer training; defense against intrusion from the Internet; logging of security events; and periodic reconfiguration of system resources as a proactive response to security threats.

More information: http://www.bbnplanet.com/


SmartWall

Purpose: Firewall

Vendor: Virtual Open Network Environment (V-ONE)

SmartWall combines firewall protection with smart card user authentication. It is the first product to do this. It uses V-ONE's Smart Computer-access Authentication Terminal (SmartCAT) together with ISO 7816 smart cards. The hybrid technology gives a very high level of protection, ideal for electronic commerce and other forms of secure Internet communication.

More information: http://www.v-one.com/


Solstice SunScreen

Purpose: Firewall

Platform: Sun

Vendor: Sun Microsystems

Solstice SunScreen is a complete network security solution that addresses the whole range of network security needs. It offers advanced packet screening together with authentication and privacy technologies, allowing employees access to the Internet while keeping intruders out of the corporate network. Equally important, it also provides site-to-site encryption which ensures that companies and their business partners can communicate securely across public networks.

There are two components in the SunScreen system: the SPF-100, a "cloaked" hardware device containing the SunScreen software, and the SunScreen Administration Station, which includes a GUI and enables administrators to define and implement a security policy.

More information: http://www.sun.com/


TIS Firewall Toolkit

Purpose: Firewall

Platform: BSD UNIX

Vendor: Trusted Information Systems

The TIS Firewall Toolkit is a software kit for building and maintaining Internet firewalls. It was the forerunner of the Gauntlet Internet Firewall (see that entry). The TIS Firewall Toolkit is distributed in source code form, and all of its modules are written in C. This is a toolkit for the experienced programmer rather than for the company that needs an off-the-shelf product that can be quickly installed.

More information: http://www.tis.com/


TurnStyle Firewall System

Purpose: Firewall

Platform: UNIX (e.g. BSD on a 486; or Sparc or Alpha for larger networks)

Vendor: Atlantic Systems Group

TurnStyle Firewall System (TFS) provides protection to all types of network connected to the Internet. Its primary function is to stop sophisticated hackers from invading the private network.

TFS uses a packet filtering system, working on the principle of "that which is not expressly permitted is prohibited." It filters every packet from the Internet, and checks the IP address, the service requested, and the time of receipt. Highly configurable, TFS allows you to set and modify your own security policies.

The approach that TFS takes to spoofing (using false IP addresses to gain root access) is to drop any packet arriving from the Internet whose source address belongs to the local domain. It also filters outgoing packets and drops any whose source IP address does not belong to your own Internet network.

TFS has a graphical user interface and extensive reporting facilities; runs on many platforms; is supported by ongoing development; and can log every packet if necessary.

More information: http://www.asg.unb.ca/


TurnStyle Internet Module

Purpose: Internet access with partial firewall

Platform: UNIX

Vendor: Atlantic Systems Group

TurnStyle Internet Module (TIM) provides a replacement for the standard inetd (the Internet super-server daemon that listens for requests for Internet-related services and starts the appropriate program). It provides functions found in TCP Wrappers and significantly enhances standard UNIX security on systems connected to the Internet.

TIM both authenticates requests for services and enables the system administrator to monitor the status of the enhanced inetd and the services it has started. For each request it checks the source IP address, the destination address, the destination port, the source port and the service requested, and also checks whether the request falls within the valid times for that service.

More information: http://www.asg.unb.ca/