Sonic Systems Inc. SonicWALL

by Paul Grosse - June 1999

Introduction

The opportunities offered by the Internet are too good to ignore for most businesses - doing so only ensuring that a company's competitors take the lead. However, connecting to the Internet poses a series of dilemmas for the systems administrator who has to ensure the communications are maintained whist retaining the integrity of the system for all of its users. A firewall can keep out all but the most knowledgeable and determined hacker yet allow the users all the access to which they are authorised in a way that is largely transparent to them.

Many firewalls cost between $5,000 and $20,000 and offer businesses that can afford that level of investment the protection that they deserve. However, this part of the market represents only a small section of the total user population, many of which are schools, libraries, small businesses or remote offices of larger businesses that require Internet access and exposure but also need the same protection from the potential dangers that go with that exposure - spending $10,000 on each branch office in order to prevent them from becoming the point of access in a planned attack via a VPN can become very costly.

Sonic Systems has addressed this problem by producing a small, easy to configure, fast, lightweight firewall which, at less than the cost of a PC is affordable even to an Internet Cafe.

Products

Firewalls have only one job to do - to decide whether or not to allow each packet of data to pass from one network into another. Working from a set of rules called a security policy, the firewall makes these decisions based upon which type of firewall it is.

Generally speaking, firewalls may be grouped into three generations:

• First generation or packet filters - these simply look at the header information and make a decision based upon the source and destination of each packet with a security policy based upon IP addresses. These firewalls are generally difficult to configure properly and incorrect configurations can lead to the vulnerabilities in the firewall. However, with little checking going on for each packet that goes through the firewall, a first generation firewall is very fast;
• Second generation application gateways and circuit level gateways - The data part of the packet is reassembled and the firewall checks to see that it conforms to a set of definitions according to the type of traffic. Different types of traffic have different content and each set of packets is assembled into its final form and tested for conformity before it is allowed to pass through the firewall. This type of rebuilding is costly in computer resources and time and can make the firewall slow; and,
• Third generation SMLI or Stateful Multi-Layer Inspection firewalls - these look at all of the information in the packet header (although not the data part of the packet unless specifically required to do so), rebuilding the headers from the packets of each communication and checking to make sure that they are as they should be at each layer of the OSI model. The data for this process is only small and is stored in RAM so, like the first generation firewall, it is quick because most of the packet, the data itself, is not checked.

SonicWALL

SonicWALL comes in three main forms with variations that suit each user's circumstances. The basic SonicWALL firewall has 2 network connections (LAN and WAN - the latter normally representing the connection to the Internet although there is no reason why this should not be another internal network should you require an inter LAN gateway to control traffic between departments such as wages and personnel) and can accommodate 10 nodes on the LAN side. The number of nodes can be increased to 50 or an unlimited number in the SonicWALL Plus version. The SonicWALL DMZ has a third network connection allowing a third network or DeMilitarised Zone to be connected to the system. Visible from the WAN, the DMZ allows public services to be protected from external attacks by a full firewall yet still remain visible. In addition to this, if a hacker does manage to break into the DMZ, he still has a full firewall to break through to get to the LAN. Both the SonicWALL and the SonicWALL DMZ can be upgraded to include a VPN; and, with a VPN as standard, the SonicWALL PRO uses a faster processor to provide a higher throughput.

The SonicWALL firewall is small (20 x 10.6 x 3.8cm - 8 x 4.25 x 1.5 inches) and lightweight (0.45kg - 1lb) with no moving parts. There is no hard disc drive to malfunction as everything, from the operating system to the firewall and its data are all stored in RAM. Without the relatively slow access times of a hard disc to slow down the process, booting up takes only a few tens of seconds.

The operating system is proprietary with only the bare essentials required in order to run, manage and administer the firewall thus reducing to a minimum the possibility of hackers exploiting vulnerabilities in superfluous executables left on the firewall machine as in the case with many other firewalls.

Security policy management is performed using a Java enabled browser with authentication being established using an MD5-based encrypted security mechanism. This means that the computer used to configure the firewall can be any type of machine and the person who is required to configure it is already familiar with the overall interface thus cutting down on the training required. The default configuration of the firewall is sensible and in most cases, only a few IP addresses and network masks that the Systems Administrator should already be familiar with are required in order to configure the firewall. It takes literally only five minutes to set up SonicWALL from plugging it into the power supply and networks, to completion of the configuration process.

If circumstances dictate that greater complexity is required, rules may be created or modified to allow or deny access to different types of traffic in different directions. For example, Internet Relay Chat (IRC) may be blocked from the LAN to the WAN thus precluding wasteful use of bandwidth and employee time (whether it is the new man in accounts or the managing director), or access may be granted from the WAN to the company's web server on the HTTP port (80). Further, access may be granted to some services based upon time of day or day of week thus allowing employees some controlled recreational use of the Internet.

The firewall manages network addresses such that all connections on the outside/WAN side of the firewall only see one IP address - traffic being sorted and sent to the correct machine on the inside of the firewall. One of the advantages of Network Address Translation (NAT) is that the company using the firewall only needs the one address that its Internet Service Provider allocates to it thus cutting on overheads even further by allowing the use of low cost Internet accounts. In addition to this, DHCP (Dynamic Host Configuration Protocol) Server and Client provide centralised management of TCP/IP configurations and the ability to acquire settings from the Internet service provider. The DHCP configures the PCs on the LAN with an IP address range for assignment to the PCs, Static IP addresses, Lease times, Subnet masks allowing mapping of LAN addresses to IP addresses, Default gateway and upto three DNSs.

Checking that network traffic originated from where it was supposed to is only part of the problem and great importance is given to being able to show that a company is taking reasonable steps to make sure that its employees are not downloading the latest entertainment from questionable sites in parts of the world where there are less effective restrictions on what gets published. A 30 day free trial subscription to the CyberNOT categorised list of tens of thousands of URLs is included. This list is automatically updated each week and is grouped by subject so that racial, pornographic, hate, irrelevant sites and so on may be selected and kept up to date. In addition to this, the firewall itself is able to allow or deny access to up to 256 sites through trusted or forbidden domain filtering.

As new methods of attack manifest themselves, the firewall needs to be able to detect and preclude the success of an attack. A firewall that could detect all methods of attack and stop them all is an impossibility so the firewall is kept up to date with updates that it can download securely form the Sonic Systems site. The simple nature of SMLI means that it is relatively quick and easy to make alterations to the firewall which are done by Sonic as each new method of attack manifests itself - the firewall simply querying the Sonic Systems site to see if it has the latest version of the firewall. The new firewall is downloaded into the firewall's flash ROM and the machine rebooted, which again only takes seconds.

The firewall's log may be configured so that any level of detail is recorded. If all traffic was to be logged, the log would fill up very quickly so a set of rules may be applied such that particular types of traffic or traffic originating from a particular place at certain times may be recorded. In addition, system maintenance, system errors, attempts to access blocked websites, blocked Java, ActiveX or Cookies, attacks, dropped TCP, UDP and ICMP packets and network debugging are all logged.

The log or a summary of it (top 25 users according to accessed sites and bandwidth usage by IP address or service) may be emailed to various parties on a weekly basis and should the log actually fill, there are options to shut down, overwrite the log, copy the log and start again and so on - all configurable from the Java based firewall management front end. In the event of an attack, system error or attempt to access a blocked website, emails may be sent to particular individuals and so on.

One of the advances in firewall technology is that of local caching - storing locally, on the secure side of the firewall, data that has already been retrieved from the Internet. SonicWALL supports Web Proxy Relay as it calls it and in the case where bandwidth is close to fully consumed or there is a natural delay in the retrieval of information, local caching can make a great deal of impact on the apparent performance of the firewall - there being no reason to process repeatedly the same information. Without local caching, the throughput rates are 7Mbps for the standard and DMZ models (running on a 33MHz Motorola CPU) and 80Mbps for the PRO version (running on a 233MHz RISC (Reduced Instruction Set Chip) StrongArm processor).

As an option in the SonicWALL and SonicWALL DMZ, a VPN (Virtual Private Network) is available - this being provided as standard in the SonicWALL PRO. This VPN is IPSEC compliant and is compatible with Checkpoint Software's Firewall-1 VPN along with a number of other manufacturer's VPNs. The VPN operates using 168 bit triple DES, 56 bit DES and 56 bit ARC4. The SonicWALL PRO is due to have an accelerator card for heavy VPN use which clears up the firewall's processor for firewall data processing. The VPN card gives throughput figures of: 10Mbps for 56 bit DES; 25Mbps for 56 bit ARC4; and, 4Mbps for 168 bit Triple DES.

Platforms

The SonicWALL is completely self contained and requires only 2 10Base-T connections or 3 for the DMZ and PRO models

Pricing

Opinion

Firewalls tend to be expensive investments both in terms of the initial capital outlay and the time and efforts of the IT department of the company that bought it. For smaller companies that require an Internet presence but also require a reasonable amount of security, this places them in a very difficult position. Without a presence on the Internet, they would see there competitors leave them behind but in the back of the Systems Administrator's mind is the knowledge that security by obscurity does not work so not having some sort of firewall is not an option either. With around 90% of the firewall market not catered for, Sonic Systems has started to fill a void with its SonicWALL range which starts at just under $500 providing an SMLI firewall which should give adequate protection for schools, libraries, small businesses and so on. The SonicWALL PRO is aimed at the next sector up and, well supported with features and performance, looks well placed to take on that market as well.

In addition to this, the fact that the VPN that goes with it as an option in the SonicWALL and SonicWALL DMZ models and as an integral part of the SonicWALL PRO version is compatible with that of Checkpoint Software's Firewall-1 and so on. With this in mind, where a company has a Firewall-1 protecting its main investments, its branch offices and even on the road sales force are able to set up secure VPN based communications with access to internal resources using the SonicWALL firewalls to communicate with the Firewall-1.

The SonicWALL firewall is quite small, only around the same size of a video cassette. With two or three network interface sockets on the back, and a few lights on the front, it is superficially a simple device. It is also light, weighing in at around 1lb. As such, it is easy to hide from potential thieves but should it be stolen, it is also easy to walk off with. It is important, as it is with any security device, that it is physically secure.

In September 1998, Sonic Systems announced that its SonicWALL firewall had passed the ICSA firewall certification. ICSA certification means that consumers know that when the firewall is properly configured, it can support standard IP business services whilst withstanding an extensive suite of hacker attacks. Most ICSA certified firewalls are many times more expensive than the Sonic Systems' firewalls so this gives it a distinct advantage.

Strengths

• The firewalls are configured via a Java enabled web browser. Giving the Systems Administrator a head start by providing him with an interface that he is familiar with, configuration and management of the firewall is easy, taking only a few minutes.
• The low cost of the firewalls gives a ICSA certified firewall to a sector that has been ignored by the manufacturers of the more expensive firewalls. SMLI is not the most secure type of firewall but it is not that short of the protection afforded by second generation firewalls. Taken with the appropriate level of expertise required to provide the initial configuration and it is well within the requirements, budget and capabilities of small to medium sized businesses, schools, libraries and so on.
• The VPN is compatible with more expensive firewalls thus providing VPN capability for branch offices and so on for just a fraction of the price of providing a copy of the more expensive firewall at each location. Access to centralised, up-to-date resources is an important part of business and only needing to spend around $500 for each branch office instead of three or four times that is a significant step forward.

Weaknesses

• Administration through an Java enabled browser is very easy as browsers with this capability are ubiquitous and therefore the company is not tied down to using any particular platform for its firewall administration. However, having a Java enabled browser on a machine is a security risk in its own right as it could be infiltrated and used to attack the system in a number of ways. If the management is done from a machine that is occasionally taken outside the perimeter provided by the firewall, it may be attacked with code that can capture passwords and pass them onto a completely different site without the user suspecting anything. One such attack uses frames which provide a form that looks the same as any other form in the browser environment so a carefully crafted attack could siphon off information that allows hackers access to the system at a later date.
• Reporting the top 25 sites, services, or IP addresses may only show up the legitimate use on the firewall with the occasional 'illicit' use of the company's Internet resources failing to be detected. The real meaning of any set of statistics must be appreciated before any conclusions can be made. The reports configured in this way can only be used as a starting point for any company investigation into employee Internet usage with the full log providing the meaningful data in any particular case.
• The biggest weakness with any firewall is its configuration. If configured incorrectly, it may be that, due to complacency, it is less secure than if the firewall was not there at all. With so many variables to change in the system, the person responsible for the firewall's administration may be under the impression that since he last 'tweaked' the settings, it is still secure. SonicWALL will let you know if you do something stupid such as allowing all external traffic in but with the ingenuity of hackers and time on their side, the security impact of any peculiarities in the configuration of a firewall must be considered carefully.

Conclusions

An affordable and reasonably secure firewall for small to medium sized businesses and similar users has been long awaited. For this sector of the market, SonicWALL is plugging the gap and with sales of 2,500 in April 1999 alone, Sonic Systems appear to be able to demonstrate that it has made a good decision in targeting this market.

The SonicWALL PRO is aimed at the next sector up with higher throughput and a dedicated VPN card on the way. Larger companies are also able to take advantage of the SonicWALL by using the IPSEC VPN capabilities to tie in with larger, centralised firewall investments such as Firewall-1.

Sonic Systems has made a shrewd decision by changing the company's emphasis from 95% Mac oriented to 95% computer security oriented and has seen the benefits in terms of market share. The company is centred around computer networking products and, as such, does not have a problem with interdepartmental politics demanding shares of a limited research budget. Sales of SonicWALL firewalls have rocketed in the last year and if this continues the company looks set to fill on its own the void in the SME firewall market left by the other firewall manufacturers.

Company Profile

Founded in 1991 by Sreekanth Ravi and Sudhakar Ravi, both with bachelor of science degrees in engineering from the University of Illinois, Sonic Systems has enjoyed year on year growth which has led to the introduction of over 30 unique technologies and shipments of over 1.2 million products. Located in Santa Clara in California, the company is privately owned and currently employs over 40 people with an increase to 60 people anticipated within the next 2 to 3 months.

Initially, Sonic Systems' focus was on Macintosh based products such as NICs - just over 18 months ago, the company was 95% Macintosh, 5% Security Business - but that was quickly reversed without any noticeable dip in revenue. In the first year since the change, 10,000 units were shipped and in April of 1999, 2,500 units were shipped world-wide. The company has a strong sales base in the North America and is selling well across Europe (office based in the UK) and in Japan, other parts of Asia and Latin America. For the 6 months from October 1998 to the end of March 1999, Sonic Systems' revenue was approximately 45% from the US Channel, 43% from International Channel with the remaining 12% from OEM sales.

The company's key product is its ICSA certified SonicWALL firewall which is sold either: as a basic, 2 network device for either 10, 50 or an unlimited number of network nodes; a version with 3 network sockets; and, since its launch in May 1999, the SonicWALL PRO which has as standard, VPN and more power. Planned for the SonicWALL PRO in August 1999 is a VPN Accelerator card which will be useful for VPN heavy situations.

Sonic Systems' mission statement is to 'develop, market and sell affordable and easy to use Internet Security Applications for small to medium size networks.' The company has identified and targeted the small to medium sized businesses (SOHO, single site and branch offices), intranets, schools and libraries which represent around 90 percent of the firewall market but which also find it difficult to justify the high financial investment required to purchase a firewall. The SonicWALL provides this market with an ICSA firewall for less than the price of a PC - a successful move that is reflected in the number of units shipped.

In the US:
Sonic systems Inc.
5400 Betsy Ross Drive
Suite 206
SantaClara
Ca 95054 1101
USA
Tel: +1 888 557 6642
Fax: +1 408 844 9100
Email: sales@sonicsys.com
WWW: http://www.sonicsys.com/

In the UK:
Tekdata Network Solutions
Westport House
Federation Road
Burslem
Stoke-on-Trent
Staffordshire ST6 4HY
UK
Tel: +44 (0)1782 254 777
Fax: +44 (0)1782 834 784
Email: teksales@tekdata.co.uk
WWW: http://www.tekdata.co.uk/

Copyright (c) 1999 P. A. Grosse. All Rights Reserved.

Back to the Internet Security Index

Back to the Index