Sonic Systems Inc. SonicWALL

by Paul Grosse - June 1999


The opportunities offered by the Internet are too good to ignore for most businesses - doing so only ensuring that a company's competitors take the lead. However, connecting to the Internet poses a series of dilemmas for the systems administrator who has to ensure the communications are maintained whist retaining the integrity of the system for all of its users. A firewall can keep out all but the most knowledgeable and determined hacker yet allow the users all the access to which they are authorised in a way that is largely transparent to them.

Many firewalls cost between $5,000 and $20,000 and offer businesses that can afford that level of investment the protection that they deserve. However, this part of the market represents only a small section of the total user population, many of which are schools, libraries, small businesses or remote offices of larger businesses that require Internet access and exposure but also need the same protection from the potential dangers that go with that exposure - spending $10,000 on each branch office in order to prevent them from becoming the point of access in a planned attack via a VPN can become very costly.

Sonic Systems has addressed this problem by producing a small, easy to configure, fast, lightweight firewall which, at less than the cost of a PC is affordable even to an Internet Cafe.


Firewalls have only one job to do - to decide whether or not to allow each packet of data to pass from one network into another. Working from a set of rules called a security policy, the firewall makes these decisions based upon which type of firewall it is.

Generally speaking, firewalls may be grouped into three generations:


SonicWALL comes in three main forms with variations that suit each user's circumstances. The basic SonicWALL firewall has 2 network connections (LAN and WAN - the latter normally representing the connection to the Internet although there is no reason why this should not be another internal network should you require an inter LAN gateway to control traffic between departments such as wages and personnel) and can accommodate 10 nodes on the LAN side. The number of nodes can be increased to 50 or an unlimited number in the SonicWALL Plus version. The SonicWALL DMZ has a third network connection allowing a third network or DeMilitarised Zone to be connected to the system. Visible from the WAN, the DMZ allows public services to be protected from external attacks by a full firewall yet still remain visible. In addition to this, if a hacker does manage to break into the DMZ, he still has a full firewall to break through to get to the LAN. Both the SonicWALL and the SonicWALL DMZ can be upgraded to include a VPN; and, with a VPN as standard, the SonicWALL PRO uses a faster processor to provide a higher throughput.

The SonicWALL firewall is small (20 x 10.6 x 3.8cm - 8 x 4.25 x 1.5 inches) and lightweight (0.45kg - 1lb) with no moving parts. There is no hard disc drive to malfunction as everything, from the operating system to the firewall and its data are all stored in RAM. Without the relatively slow access times of a hard disc to slow down the process, booting up takes only a few tens of seconds.

The operating system is proprietary with only the bare essentials required in order to run, manage and administer the firewall thus reducing to a minimum the possibility of hackers exploiting vulnerabilities in superfluous executables left on the firewall machine as in the case with many other firewalls.

Security policy management is performed using a Java enabled browser with authentication being established using an MD5-based encrypted security mechanism. This means that the computer used to configure the firewall can be any type of machine and the person who is required to configure it is already familiar with the overall interface thus cutting down on the training required. The default configuration of the firewall is sensible and in most cases, only a few IP addresses and network masks that the Systems Administrator should already be familiar with are required in order to configure the firewall. It takes literally only five minutes to set up SonicWALL from plugging it into the power supply and networks, to completion of the configuration process.

If circumstances dictate that greater complexity is required, rules may be created or modified to allow or deny access to different types of traffic in different directions. For example, Internet Relay Chat (IRC) may be blocked from the LAN to the WAN thus precluding wasteful use of bandwidth and employee time (whether it is the new man in accounts or the managing director), or access may be granted from the WAN to the company's web server on the HTTP port (80). Further, access may be granted to some services based upon time of day or day of week thus allowing employees some controlled recreational use of the Internet.

The firewall manages network addresses such that all connections on the outside/WAN side of the firewall only see one IP address - traffic being sorted and sent to the correct machine on the inside of the firewall. One of the advantages of Network Address Translation (NAT) is that the company using the firewall only needs the one address that its Internet Service Provider allocates to it thus cutting on overheads even further by allowing the use of low cost Internet accounts. In addition to this, DHCP (Dynamic Host Configuration Protocol) Server and Client provide centralised management of TCP/IP configurations and the ability to acquire settings from the Internet service provider. The DHCP configures the PCs on the LAN with an IP address range for assignment to the PCs, Static IP addresses, Lease times, Subnet masks allowing mapping of LAN addresses to IP addresses, Default gateway and upto three DNSs.

Checking that network traffic originated from where it was supposed to is only part of the problem and great importance is given to being able to show that a company is taking reasonable steps to make sure that its employees are not downloading the latest entertainment from questionable sites in parts of the world where there are less effective restrictions on what gets published. A 30 day free trial subscription to the CyberNOT categorised list of tens of thousands of URLs is included. This list is automatically updated each week and is grouped by subject so that racial, pornographic, hate, irrelevant sites and so on may be selected and kept up to date. In addition to this, the firewall itself is able to allow or deny access to up to 256 sites through trusted or forbidden domain filtering.

As new methods of attack manifest themselves, the firewall needs to be able to detect and preclude the success of an attack. A firewall that could detect all methods of attack and stop them all is an impossibility so the firewall is kept up to date with updates that it can download securely form the Sonic Systems site. The simple nature of SMLI means that it is relatively quick and easy to make alterations to the firewall which are done by Sonic as each new method of attack manifests itself - the firewall simply querying the Sonic Systems site to see if it has the latest version of the firewall. The new firewall is downloaded into the firewall's flash ROM and the machine rebooted, which again only takes seconds.

The firewall's log may be configured so that any level of detail is recorded. If all traffic was to be logged, the log would fill up very quickly so a set of rules may be applied such that particular types of traffic or traffic originating from a particular place at certain times may be recorded. In addition, system maintenance, system errors, attempts to access blocked websites, blocked Java, ActiveX or Cookies, attacks, dropped TCP, UDP and ICMP packets and network debugging are all logged.

The log or a summary of it (top 25 users according to accessed sites and bandwidth usage by IP address or service) may be emailed to various parties on a weekly basis and should the log actually fill, there are options to shut down, overwrite the log, copy the log and start again and so on - all configurable from the Java based firewall management front end. In the event of an attack, system error or attempt to access a blocked website, emails may be sent to particular individuals and so on.

One of the advances in firewall technology is that of local caching - storing locally, on the secure side of the firewall, data that has already been retrieved from the Internet. SonicWALL supports Web Proxy Relay as it calls it and in the case where bandwidth is close to fully consumed or there is a natural delay in the retrieval of information, local caching can make a great deal of impact on the apparent performance of the firewall - there being no reason to process repeatedly the same information. Without local caching, the throughput rates are 7Mbps for the standard and DMZ models (running on a 33MHz Motorola CPU) and 80Mbps for the PRO version (running on a 233MHz RISC (Reduced Instruction Set Chip) StrongArm processor).

As an option in the SonicWALL and SonicWALL DMZ, a VPN (Virtual Private Network) is available - this being provided as standard in the SonicWALL PRO. This VPN is IPSEC compliant and is compatible with Checkpoint Software's Firewall-1 VPN along with a number of other manufacturer's VPNs. The VPN operates using 168 bit triple DES, 56 bit DES and 56 bit ARC4. The SonicWALL PRO is due to have an accelerator card for heavy VPN use which clears up the firewall's processor for firewall data processing. The VPN card gives throughput figures of: 10Mbps for 56 bit DES; 25Mbps for 56 bit ARC4; and, 4Mbps for 168 bit Triple DES.


The SonicWALL is completely self contained and requires only 2 10Base-T connections or 3 for the DMZ and PRO models


SonicWALL /10 - 10 user, 2 port version $495, 495
SonicWALL /50 - 50 user, 2 port version $995, 995
SonicWALL Plus - unlimited user, 2 port version $1,795, 1,495
SonicWALL DMZ - 3 port version $1,795, 1,795
SonicWALL Content Filter Subscription - Microsystems CyberNOT URL list $175 - $695 per year
SonicWALL VPN Upgrade - Optional VPN upgrade for SonicWALL products $495 - $695
SonicWALL PRO - 10/100 fast ethernet, VPN as standard $2,995, 2,995


Firewalls tend to be expensive investments both in terms of the initial capital outlay and the time and efforts of the IT department of the company that bought it. For smaller companies that require an Internet presence but also require a reasonable amount of security, this places them in a very difficult position. Without a presence on the Internet, they would see there competitors leave them behind but in the back of the Systems Administrator's mind is the knowledge that security by obscurity does not work so not having some sort of firewall is not an option either. With around 90% of the firewall market not catered for, Sonic Systems has started to fill a void with its SonicWALL range which starts at just under $500 providing an SMLI firewall which should give adequate protection for schools, libraries, small businesses and so on. The SonicWALL PRO is aimed at the next sector up and, well supported with features and performance, looks well placed to take on that market as well.

In addition to this, the fact that the VPN that goes with it as an option in the SonicWALL and SonicWALL DMZ models and as an integral part of the SonicWALL PRO version is compatible with that of Checkpoint Software's Firewall-1 and so on. With this in mind, where a company has a Firewall-1 protecting its main investments, its branch offices and even on the road sales force are able to set up secure VPN based communications with access to internal resources using the SonicWALL firewalls to communicate with the Firewall-1.

The SonicWALL firewall is quite small, only around the same size of a video cassette. With two or three network interface sockets on the back, and a few lights on the front, it is superficially a simple device. It is also light, weighing in at around 1lb. As such, it is easy to hide from potential thieves but should it be stolen, it is also easy to walk off with. It is important, as it is with any security device, that it is physically secure.

In September 1998, Sonic Systems announced that its SonicWALL firewall had passed the ICSA firewall certification. ICSA certification means that consumers know that when the firewall is properly configured, it can support standard IP business services whilst withstanding an extensive suite of hacker attacks. Most ICSA certified firewalls are many times more expensive than the Sonic Systems' firewalls so this gives it a distinct advantage.




An affordable and reasonably secure firewall for small to medium sized businesses and similar users has been long awaited. For this sector of the market, SonicWALL is plugging the gap and with sales of 2,500 in April 1999 alone, Sonic Systems appear to be able to demonstrate that it has made a good decision in targeting this market.

The SonicWALL PRO is aimed at the next sector up with higher throughput and a dedicated VPN card on the way. Larger companies are also able to take advantage of the SonicWALL by using the IPSEC VPN capabilities to tie in with larger, centralised firewall investments such as Firewall-1.

Sonic Systems has made a shrewd decision by changing the company's emphasis from 95% Mac oriented to 95% computer security oriented and has seen the benefits in terms of market share. The company is centred around computer networking products and, as such, does not have a problem with interdepartmental politics demanding shares of a limited research budget. Sales of SonicWALL firewalls have rocketed in the last year and if this continues the company looks set to fill on its own the void in the SME firewall market left by the other firewall manufacturers.

Company Profile

Founded in 1991 by Sreekanth Ravi and Sudhakar Ravi, both with bachelor of science degrees in engineering from the University of Illinois, Sonic Systems has enjoyed year on year growth which has led to the introduction of over 30 unique technologies and shipments of over 1.2 million products. Located in Santa Clara in California, the company is privately owned and currently employs over 40 people with an increase to 60 people anticipated within the next 2 to 3 months.

Initially, Sonic Systems' focus was on Macintosh based products such as NICs - just over 18 months ago, the company was 95% Macintosh, 5% Security Business - but that was quickly reversed without any noticeable dip in revenue. In the first year since the change, 10,000 units were shipped and in April of 1999, 2,500 units were shipped world-wide. The company has a strong sales base in the North America and is selling well across Europe (office based in the UK) and in Japan, other parts of Asia and Latin America. For the 6 months from October 1998 to the end of March 1999, Sonic Systems' revenue was approximately 45% from the US Channel, 43% from International Channel with the remaining 12% from OEM sales.

The company's key product is its ICSA certified SonicWALL firewall which is sold either: as a basic, 2 network device for either 10, 50 or an unlimited number of network nodes; a version with 3 network sockets; and, since its launch in May 1999, the SonicWALL PRO which has as standard, VPN and more power. Planned for the SonicWALL PRO in August 1999 is a VPN Accelerator card which will be useful for VPN heavy situations.

Sonic Systems' mission statement is to 'develop, market and sell affordable and easy to use Internet Security Applications for small to medium size networks.' The company has identified and targeted the small to medium sized businesses (SOHO, single site and branch offices), intranets, schools and libraries which represent around 90 percent of the firewall market but which also find it difficult to justify the high financial investment required to purchase a firewall. The SonicWALL provides this market with an ICSA firewall for less than the price of a PC - a successful move that is reflected in the number of units shipped.

In the US:
Sonic systems Inc.
5400 Betsy Ross Drive
Suite 206
Ca 95054 1101
Tel: +1 888 557 6642
Fax: +1 408 844 9100

In the UK:
Tekdata Network Solutions
Westport House
Federation Road
Staffordshire ST6 4HY
Tel: +44 (0)1782 254 777
Fax: +44 (0)1782 834 784

Copyright (c) 1999 P. A. Grosse. All Rights Reserved.

Back to the Internet Security Index

Back to the Index