Network Protection in a Box

You've put thousands of hours and dollars into building the perfect network; now the question is: How do you protect it? If you're like many corporations, you go shopping -- for a firewall, a VPN solution, an authentication server, and any other security-specific products or services that you require. And then comes the difficult part: putting all of these disparate components together into a functional system.

In an effort to make network protection a much simpler endeavor, WatchGuard Technologies Inc. (Seattle) has built network security appliances that combine all of the aforementioned security features in a single plug-and-play box.

"We created a box that removes all the complexity of securing your network," explains Mike Martucci, WatchGuard vice president of marketing. "You plug in the box, you boot up our software on your trusty laptop, and you're on your way."

At last month's Networld+Interop show in Las Vegas, WatchGuard introduced the Firebox II security appliance, which is targeted at large enterprises and provides features such as improved remote configuration and updating, flash memory for automated policy and network configuration updates, and the integration of an IPSec virtual private network for branch offices. In contrast, WatchGuard's debut appliance, the Firebox 100, is designed for smaller environments and lacks these advanced features.

Both Firebox models feature a firewall that provides access control, network address translation, multiple levels of logging and notification, and the automatic detection and blocking of security threats. Each device also sports integrated authentication, enabling administrators to configure access policies and rules by user name, group, or IP and network address. In addition to its own built-in authentication server for small environments, Firebox supports NT primary domain controllers and RADIUS-compliant authentication servers.

Administrators can control security functions via the WatchGuard Security Management System, software that enables users to configure the Firebox device, implement firewall protection, and monitor the status of network services remotely from a Windows 95 or Windows NT client.

While many users might be reluctant to adopt network appliances for fear that they might not be able to modify what is essentially a "closed box," WatchGuard has exploited the advantages of such an architecture to make the Firebox 100 and Firebox II more manageable. "Just because we're a box, it doesn't mean we're inflexible," explains WatchGuard's Martucci. "The box is only a player, and in this case, it's playing security software."

Because of the dynamic nature of network security, with new threats arising on what sometimes seems to be a daily basis, keeping network security measures up-to-date can be an overwhelming task.

In an effort to address this problem as well as carve out a market with ISPs, WatchGuard has recently introduced Global Security Manager software, which is tailored to work with Firebox II and enables users to remotely install, manage and update numerous Firebox II systems from a central location. An ISP can send a Firebox II appliance to one of its customers and have the customer hook the device into the corporate network; the Firebox II will then automatically contact the ISP for configuration and security policy information. ISPs can initialize, configure, manage and update multiple Firebox II devices without ever having to set foot on customer premises.

Users can also use the Global Security Manager software to build security policies and broadcast them to multiple Firebox II devices, or deliver up-to-date security patches to numerous Firebox II devices.