By Steven J. Vaughan-Nichols
If you’re like me and you believe that a firewall belongs on a box of its very own (not bundled with a router, and not running on a PC), then SonicWALL has a pair of appliance firewalls that will tickle your fancy and fit your bill: the SOHO3 and the TELE3. The only real difference between the two is that the TELE3 is designed from the get-go for home and small branch office (fewer than 10 people) users to use a virtual private network (VPN) to connect with the main office, while the SOHO3 can be upgraded to handle more users and doesn’t come with network-to-network VPN capabilities.
Given this configuration, you normally set up the SonicWALLs between your cable or DSL router and the network. My situation was a little different. My DSL provider uses an Alcatel Speed Touch USB device for the DSL connection and a PC, using Internet Connection Sharing (ICS), as the router.
While not covered in the manual, the solution is simple enough. You connect the PC router’s Ethernet cable to the SonicWALL’s WAN port and from there you link the SonicWALL’s LAN port to a network port on your LAN hub. In my case, that’s a Dell PowerConnect 3024 Fast Ethernet/Gigabit Ethernet switch. To make a long story short, it worked like a charm after some cable swapping.
Any user who’s done any networking work at all shouldn’t have problems with the SonicWALLs in most setups. The manual clearly covers how to connect the firewall using Network Address Translation (NAT, typically cable modem, frame-relay or T1); NAT with Point-to-Point Protocol over Ethernet (PPPoE, typically DSL) and NAT with a Dynamic Host Configuration Protocol (DHCP) client that’s often found with both cable and DSL setups. Sound complicated? Don’t sweat it; the manual makes it easy to figure out what’s what.
Once the power is on and the cabling is in place, basic installation is done using a Java application off a supplied CD-ROM. Actually setting up and managing the SonicWALLs is done from an easy-to-use Web interface.
Like any good firewall should, the SonicWALLs block all incoming ports except for the ones, like port 80 for Web surfing, that you explicitly open. The firewall also makes it easy to pick and choose from all the other common Web ports that your applications might need. Going beyond many other such appliances and popular applications like ZoneAlarm, the SonicWALLs also support the video-conferencing H.323 protocols, which are notoriously difficult to firewall.
Unfortunately, the SonicWALL’s default, like many other firewalls, is to allow all outgoing network transactions. That’s fine in 99% of all situations, but if a backdoor Trojan like Backdoor.Goster or Backdoor.GWGhost has already infected your systems, your PCs are still compromised and you’ll be none the wiser.
With the SonicWALL’s interface you can seal up any possible leaks from the inside. Better still, before setting up SonicWALL, or any other firewall for that matter, run an up-to-date virus checker on your PCs to make sure that a backdoor program isn’t already in place. After all, if the fox is already in the chicken coop, locking the coop’s door isn’t going to help much.
In addition to port and protocol firewalling, the SonicWALLs come with Stateful Packet Inspection (SPI). In SPI, data packets are checked, in short, to make sure that they’re legitimate packets that should be going in and out of your network. For example, incoming Internet Control Message Protocol (ICMP) redirect packets are forbidden entry since they could be used to misdirect traffic.
Beyond the fancy words, what it all means is that the SonicWALLs go a step beyond basic firewalls to make sure that your systems stay safe.
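To make the three behaviours above concrete (the default allow-all outbound policy and what tightening it buys you, stateful matching of inbound replies to outbound sessions, and dropping inbound ICMP redirects), here is a small added model written for this article; it is not SonicWALL code, and the LAN prefix, addresses and port numbers are constructed sample values.

```python
# Added toy model of a stateful firewall with an adjustable egress policy (not vendor code).
from dataclasses import dataclass, field
from typing import Optional

LAN_PREFIX = "192.168.1."  # assumed inside-network prefix (constructed)
ICMP_REDIRECT = 5          # ICMP type 5 = redirect

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port; for icmp, the ICMP type
    sport: int = 0

@dataclass
class Firewall:
    egress_ports: Optional[set] = None          # None = the default "allow everything out"
    sessions: set = field(default_factory=set)  # 5-tuples of outbound flows already allowed
    log: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        if pkt.src.startswith(LAN_PREFIX):                      # outbound from the LAN
            if pkt.proto != "icmp" and self.egress_ports is not None \
                    and pkt.dport not in self.egress_ports:
                self.log.append(f"egress deny {pkt.src} -> {pkt.dst}:{pkt.dport}")
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        if pkt.proto == "icmp" and pkt.dport == ICMP_REDIRECT:  # inbound redirect: always dropped
            self.log.append(f"drop ICMP redirect from {pkt.src}")
            return False
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return True                                         # reply to a session we opened
        self.log.append(f"drop unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False

def demo(egress_ports: Optional[set]):
    """Run constructed traffic through the model; returns (verdicts, log)."""
    fw = Firewall(egress_ports=egress_ports)
    packets = [
        Packet("192.168.1.10", "203.0.113.5", "tcp", dport=80, sport=40001),    # web request
        Packet("203.0.113.5", "192.168.1.10", "tcp", dport=40001, sport=80),    # its reply
        Packet("198.51.100.9", "192.168.1.10", "tcp", dport=445, sport=5555),   # unsolicited inbound
        Packet("198.51.100.9", "192.168.1.10", "icmp", dport=ICMP_REDIRECT),    # ICMP redirect
        Packet("192.168.1.10", "198.51.100.9", "tcp", dport=6667, sport=40002), # odd outbound from a LAN PC
    ]
    return [fw.handle(p) for p in packets], fw.log
```

With `demo(None)` the last, unexpected outbound flow is passed silently, which is the "none the wiser" case; with `demo({80, 443, 53})` it is denied and logged.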
The firewall also comes with many other optional features such as client VPN licenses, content and anti-virus filters. If anything, though, these systems have too many options. For example, there are at least three SOHO3 models and up to 14 different options for each one. Yes, you can certainly get exactly the firewall you need, but it can be downright confusing picking it out. Fortunately, SonicWALL’s Web site has a walk-through system to help you pick the right combination for you, but I still found it a touch confusing and I’ve been running firewalls for almost twenty years now.
Some of the features have a few quirks. For example, you can block access to a given Web site by name, but if someone inside your network knows the site’s IP address, they can still get to it. It’s not a major problem, but it does point out that no matter how easy a firewall appliance can be to manage (and the SonicWALLs are certainly that), you still need to take security seriously.
Most users, though, won’t have to worry about such issues. Out of the box, the SonicWALLs do their main job of protecting your network flawlessly.
Moreover, if you use DHCP to give your PCs network addresses and you run a wireless network, you’ll be especially interested to know that the SonicWALLs can act as DHCP servers with a significant security twist. You can set the SonicWALLs to lock DHCP leases to a given MAC (machine level) address. With this, only devices with authorized network interface cards (NICs) can get on board your network. While hardly a perfect solution to wireless security problems, it can help keep network traffic hitchhikers off your bandwidth.
In addition to basic firewall protection, the TELE3 comes with a good network-to-network and PC-to-network VPN, and you can add this feature to most SOHO3 models. Unlike most VPNs, which can slow network throughput down by about 10%, I didn’t see any such slowdown when using the TELE3.
Whether you’re a VPN user who needs a TELE3 to connect with the main office without fuss or muss, or just a SOHO user who wants a SOHO3 to block Internet attacks, SonicWALL is for you.
The only thing you really must be careful of is that you get the right combination of hardware and software options you need. The SonicWALL Web site isn’t as useful as it could be with this critical question. Fortunately one of SonicWALL’s most important resellers, SecureHQ, has an excellent Buyer’s Guide and FAQ that goes a long way towards helping you make the right SonicWALL buying decision. And, trust me, a SonicWALL decision will be a right decision.
Model Numbers: SOHO3 ($495), TELE3 ($495)
Pros: Fast throughput; easy to set up; simple to manage.
Cons: No DMZ Port; confusing product selection.
This article originally appeared in Practically Networked.