
GNAT Box

by Bob Walder

With the whole of the networking world moving toward inhabiting a single global village, we inevitably have to start thinking about locking our doors and bolting our windows.

However, as firewalls move from the category of "propeller-head" to "commodity", the smart vendors are already realising the need to differentiate their products further. Some are doing this by layering more and more services on top of the firewall - such as virus scanning or bandwidth control - though obviously at extra cost.

Others, such as GTA, are concentrating on producing a fully-featured product at an ever more reasonable price. GNAT Box has the unique distinction of tightly integrating Network Address Translation (NAT) with a kernel-based stateful packet inspection engine, and costing less than £1000 for an unlimited user license.

GNAT Box is based on a stripped down BSD Unix operating system, providing a secure platform as well as allowing it to fit on a single floppy disk - firewall code and configuration data! It also requires very little in the way of hardware, running quite happily on as little as a 386 processor with 8MB of RAM and the appropriate number of network cards.

The system can support two or three network interfaces (external, protected and De-Militarised Zone), and the external network interface can have up to 300 IP addresses using the Aliasing facility. This allows you to set up a number of "tunnels" from the external interface to specific servers within your organisation (say web and FTP servers), each showing only its own "fake" IP address to the outside world.

Installation is about as simple as it can be, since all that is required is to boot from the floppy disk supplied and provide a few IP addresses to the set-up wizard. The system automatically creates a default list of simple filters and provides a few additional example rule-sets to illustrate the examples in the excellent user guide. Although a good start, none of these are likely to suit most installations, so new filters will need to be defined almost immediately.

For the masochistic command line addict, this can be done at the system console (which also provides some basic menu-driven configuration and reporting facilities). A much more palatable means of configuring, however, is to use the Web browser interface, which provides a hierarchical menu and a number of forms to complete to add rules to the security policy.

Yet another means of configuration is the new GBAdmin offline configuration utility. This allows the administrator to perform a complete GNAT Box configuration offline, format a floppy disk and copy the configuration and GNAT Box runtime OS to the diskette. GBAdmin provides the means for an administrator to offer remote configuration and support across an organisation, even if the various GNAT Box firewalls are not connected by a single corporate LAN. For instance, it is possible to save a firewall configuration to a file which could be e-mailed to a counterpart elsewhere in the company, and then installed on a remote firewall.

Although the initial set-up of the firewall is to be commended on its simplicity, the configuration of the rules lacks some of the polish that can be seen in some of its more expensive competitors. User interfaces are always a subjective matter, however, and this is still much better than many others I have seen! There is no built-in support for remote user authentication or VPNs, though if the latter is important to you, GNAT Box does support PPTP and SSH. My final gripe is with the logging and reporting, which is restricted to a simple SYSLOG utility (supplied), meaning that historical filtering and sifting of logs is not possible. However, at least there is provision for e-mail, pager or SNMP alerts on attempted break-ins, which is probably far more useful than the means to track them down after the event.

The main new features in the latest release include DHCP, RIP and DNS support, an e-mail proxy (for inbound e-mail), URL blocking (using WebSense), the set-up wizard, IP pass-through (for those who don't want NAT), and additional filter actions (e-mail, pager and SNMP trap alarms).

Verdict

If simplicity and low cost are at the top of your shopping list, you won't go far wrong with the GNAT Box. Though logging and reporting are a little basic and there is no direct VPN or user authentication support, it is still an ICSA Certified stateful inspection firewall with full NAT. It is hard to fault such an excellent product, with a rich feature set, coupled with minimal hardware requirements and such a low price. Shop around and you should have your firewall up and running for less than £1400 including all hardware and software - unbeatable!

Product : GNAT Box
Supplier : GTA Associates
Telephone : 01903 205151


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.
