Overview of software firewalls with SPID protection
The purpose of this article is to compare certified firewalls that can be used to protect ISPD. The review covers only certified software products, the list of which was compiled from the register of the FSTEC of Russia.
In this review, we will consider the firewalls presented in Table 1. This table shows the name of the firewall and its class. This table will be especially useful when selecting software to protect personal data.
Table 1. List of FSTEC certified firewalls
All these software products, according to the registry FSTEC, certified as firewalls.
According to the order of the FSTEC of Russia No. 21 dated February 18, 2013, to ensure 1 and 2 levels of personal data security (hereinafter PD), firewalls of at least class 3 are used in case of threats of type 1 or type 2 or information system interaction (IS ) with networks of international information exchange and firewalls of at least class 4 in the case of the relevance of threats of the 3rd type and the lack of interaction of IP with the Internet.
To ensure protection level 3 of firewalls, firewalls of at least class 3 will be suitable (or class 4, if the threats of type 3 are topical and there is no interaction between the information systems and the Internet). And to ensure 4 levels of security, the most unpretentious firewalls will fit - no less than grade 5. Those, however, are not currently registered in the FSTEC registry. In fact, each of the firewalls presented in Table 1 can be used to provide 1-3 levels of security, provided that there are no type 3 threats and no interaction with the Internet. If you have an Internet connection, then you need a firewall at least 3 classes.
')
Firewalls have a specific set of features. So let's see what functions one or another firewall provides (or does not provide). The main function of any firewall is packet filtering based on a specific set of rules. Not surprisingly, this feature is supported by all firewalls.
Also, all the firewalls in question support NAT. But there are quite specific (but no less useful) functions, such as port masking, load control, multi-user operation, integrity monitoring, program deployment in ActiveDirectory, and remote administration from the outside. Quite convenient, you see, when the program supports deployment to ActiveDirectory - no need to manually install it on each computer on the network. It is also convenient if the firewall supports remote administration from the outside - you can administer the network without leaving home, which will be relevant for administrators who are used to performing their functions remotely.
Perhaps the reader will be surprised, but the deployment in ActiveDirectory does not support many firewalls presented in Table 1, the same can be said about other functions, such as load control and port masking. In order not to describe which of the firewalls supports one or another function, we systematized their characteristics in Table 2.
Table 2. Firewall Capabilities
The main task of firewalls in the protection of personal is the protection of ISPD. Therefore, the administrator often does not care what additional functions the firewall will have. The following factors are important to him:
Security for all firewalls is about the same, otherwise they would not have a certificate.
Next, we will compare the three firewalls - VipNet Office Firewall, Cyber ​​Saf Firewall and TrustAccess.
The TrustAccess firewall is a centrally managed distributed firewall designed to protect servers and workstations from unauthorized access, and to restrict network access to an enterprise’s IP.
CyberSafe Firewall is a powerful firewall designed to protect computer systems and the local network from external harmful influences.
ViPNet Office Firewall 4.1 is a software firewall designed to monitor and control traffic and convert traffic (NAT) between segments of local area networks during their interaction, as well as interaction of nodes of local area networks with resources of public networks.
What is SPID protection time? In essence, this is the deployment time of the program on all computers on the network and the time for setting up the rules. The latter depends on the ease of use of the firewall, while the first depends on the suitability of its installation package for a centralized installation.
All three firewalls are distributed as MSI packages, which means that you can use ActiveDirectory deployment tools to centrally install them. It would seem simple. But in practice it turns out that no.
At the enterprise, as a rule, centralized firewall management is used. This means that a firewall management server is installed on some computer, and the client software is installed on the others, or as they are called agents. The problem is that when installing the agent, you need to set certain parameters - at least the IP address of the management server, and maybe even a password, etc.
Therefore, even if you deploy the .msi files to all computers on the network, you still have to manually configure them. And this would not be very desirable, given that the network is large. Even if you have only 50 computers you just think about it - go to each PC and configure it.
How to solve a problem? And the problem can be solved by creating a transformation file (MST file), also known as an answer file, for the MSI file. That's just not VipNet Office Firewall, nor TrustAccess that can. That is why, by the way, Table 2 indicates that there is no support for deploying Active Directory. It is possible to deploy these programs in the domain, but the administrator’s manual work is required.
Of course, an administrator can use editors like Orca to create an MST file.
Fig. 1. Editor Orca. Attempt to create MST file for TrustAccess.Agent.1.3.msi
But do you really think that everything is so simple? Opened the MSI file in Orca, corrected a couple of parameters and got the ready answer file? It was not there! Firstly, Orca itself is just not installed. You need to download the Windows Installer SDK, from it using 7-Zip extract orca.msi and install it. Did you know about this? If not, then consider that you spent 15 minutes searching for the necessary information, downloading the software and installing the editor. But that’s not all the torment. MSI file has many parameters. Look at the pic. 1 is only the parameters of the Property group. Which of them change to indicate the IP address of the server? You know? If not, then you have two options: either manually configure each computer or contact the developer, wait for an answer, etc. Considering that developers sometimes respond for quite a long time, the actual time for program deployment depends only on the speed of your movement between computers. Well, if you have installed the remote management tool in advance, then the deployment will be faster.
Cybersafe Firewall creates an MST file by itself, you just need to install it on one computer, get the coveted MST file and specify it in the group policy. How to do this can be found in the article “Differentiation of Information Systems for the Protection of Personal Data” . For some polsach (or even less), you can deploy a firewall on all computers on the network.
That is why Cybersafe Firewall gets a rating of 5, and its competitors - 3 (thanks though the installers are in the MSI format, not the .exe).
A firewall is not a word processor. This is a rather specific software product, the use of which is reduced to the principle of “installed, configured, forgotten”. On the one hand, usability is a minor factor. For example, iptables in Linux cannot be called convenient, but is it used as well? On the other hand, the more convenient the firewall is, the faster it will be to protect ISPDn and perform some functions of its administration.
Well, let's see how convenient the firewalls in question are in the process of creating and protecting an ISPD.
We will start with VipNet Office Firewall, which, in our opinion, is not very convenient. You can allocate computers into groups only by IP addresses (Fig. 2). In other words, there is a binding to IP addresses and you need to either allocate different ISPDs to different subnets, or split one subnet into IP address ranges. For example, there are three ISPDn: Management, Accounting, IT. You need to configure the DHCP server so that the computers in the Management group are “distributed” with IP addresses in the range 192.168.1.10 - 192.168.1.20, Accounting 192.168.1.21 - 192.168.1.31, etc. This is not very convenient. For this reason, one point will be removed from VipNet Office Firewall.
Fig. 2. When creating groups of computers, there is an explicit binding to the IP address.
In the CyberSafe firewall, on the contrary, there is no binding to the IP address. The computers that make up the group can be on different subnets, in different ranges of the same subnet, and even be outside the network. Look at the pic. 3. Branches of the company are located in different cities (Rostov, Novorossiysk, etc.). Creating groups is very simple - just drag the computer names to the desired group and click the Apply button. After that, you can click the Set rules button to form rules specific for each group.
Fig. 3. Managing Groups at CyberSafe Firewall
With regard to TrustAccess, it should be noted close integration with the system itself. The already created system groups of users and computers are imported into the firewall configuration, which facilitates the management of the firewall in the ActiveDirectory environment. You can not create ISPDN in the firewall itself, but use the existing groups of computers in the Active Directory domain.
Fig. 4. User and Computer Groups (TrustAccess)
All three firewalls allow you to create so-called schedules, thanks to which the administrator can configure the passage of packets on a schedule, for example, to prohibit access to the Internet during off-hours. In VipNet Office Firewall, schedules are created in the Schedules section (Fig. 5), and in Cyber ​​Safer Firewall, the rule’s runtime is set when determining the rule itself (Fig. 6).
Fig. 5. Schedules in VipNet Office Firewall
Fig. 6. Opening times of the rule in CyberSafe Firewall
Fig. 7. TrustAccess Schedule
All three firewalls provide very convenient means for creating the rules themselves. TrustAccess also provides a convenient rule creation wizard.
Fig. 8. Creating a rule in TrustAccess
Take a look at another feature - tools for receiving reports (logs, logs). In TrustAccess, you need to install an event server (EventServer) and a report server (ReportServer) to collect reports and event information. Not that this is a flaw, but rather a feature ("feature", as Bill Gates said) of this firewall. As for the Cybersafe and VipNet Office firewalls, both firewalls provide convenient tools for viewing the IP packet log. The only difference is that the CyberSafe Firewall first displays all the packets, and you can filter the necessary ones using the capabilities of the filter built into the table header (Fig. 9). And in VipNet Office Firewall, you first need to install filters, and then view the result.
Fig. 9. Log Management IP Packages in CyberSafe Firewall
Fig. 10. Managing IP packet logging in VipNet Office Firewall
From the firewall Cybersafe had to remove 0.5 points for the lack of the function of exporting the log to Excel or HTML. The function is far from critical, but sometimes it is useful to simply and quickly export several lines from the journal, for example, for “debriefing”.
So, the results of this section:
To bypass the financial side of the issue is simply impossible, because often it becomes decisive when choosing a product. Thus, the cost of one ViPNet Office Firewall 4.1 license (license for 1 year per computer) is 15,710 p. And the cost of a license for 1 server and 5 TrustAccess workstations will cost 23,925 p. The cost of these software products can be found at the links at the end of the article.
Remember these two numbers 15710 p. for one pc (per year) and 23 925 p. for 1 server and 5 PCs (per year). And now attention: for this money you can buy a license for 25 nodes Cyber ​​Saf Firewall (15178 p.) Or add a little and it will be quite enough for a license for 50 nodes (24025 p.). But the most important thing in this product is not the cost. The most important thing is the duration of the license and technical support. The license for Cyber ​​Saf Firewall - no expiration, as well as technical support. That is, you pay once and get a software product with a lifetime license and technical support.
In our experience, the delivery time for VipNet Office Firewall is about 2-3 weeks after contacting Infoteks OJSC. Honestly, this is quite a long time, considering that a software product is being bought, and not a PACK.
TrustAccess delivery time, if ordered via Softline, is from 1 day. A more realistic timeframe is 3 days, taking into account some delay of the Softline. Although it can be delivered in 1 day, it all depends on the workload of the Softline. Again, this is a personal experience, the actual time period for a particular customer may differ. But in any case, the delivery time is rather short, which is to be noted.
As for the CyberSafe Firewall software product, the manufacturer guarantees delivery of the electronic version within 15 minutes after payment.
If you are guided only by the cost of the product and technical support, then the choice is obvious - Cyber ​​Saf Firewall. Cyber ​​Saf Firewall has an optimal ratio of functionality / price. On the other hand, if you need Secret Net support, then you need to look towards TrustAccess. But we can only recommend VipNet Office Firewall as a good personal firewall, but for these purposes there are many other and also free solutions.
The review is made by experts
company integrator LLC "DORF"
Cost VipNet Office Firewall
TrustAccess Cost
CyberSafe Firewall
Choosing a firewall for a certain level of personal data security
In this review, we will consider the firewalls presented in Table 1. This table shows the name of the firewall and its class. This table will be especially useful when selecting software to protect personal data.
Table 1. List of FSTEC certified firewalls
| Software | ME class |
| ME "Checkpoint Screen 2000 / XP" | four |
| Special software firewall "Z-2", version 2 | 2 |
| TrustAccess Information Security Tool | 2 |
| Information Security Tool TrustAccess-S | 2 |
| StoneGate Firewall Firewall | 2 |
| Information Security Tool Security Studio Endpoint Protection Personal Firewall | four |
| Software complex "Security Server CSP VPN Server. Version 3.1" | 3 |
| Software complex "Security Gateway CSP VPN Gate. Version 3.1" | 3 |
| Software complex “Security Client CSP VPN Client. Version 3.1 | 3 |
| Software complex firewall "Ideco ICS 3" | four |
| Software complex "Traffic Inspector 3.0" | 3 |
| Means of cryptographic protection of information "Continent-AP". Version 3.7 | 3 |
| Firewall "CyberSafe: Firewall" | 3 |
| Program complex “Internet gateway Ideco ICS 6” | 3 |
| VipNet Office Firewall | four |
All these software products, according to the registry FSTEC, certified as firewalls.
According to the order of the FSTEC of Russia No. 21 dated February 18, 2013, to ensure 1 and 2 levels of personal data security (hereinafter PD), firewalls of at least class 3 are used in case of threats of type 1 or type 2 or information system interaction (IS ) with networks of international information exchange and firewalls of at least class 4 in the case of the relevance of threats of the 3rd type and the lack of interaction of IP with the Internet.
To ensure protection level 3 of firewalls, firewalls of at least class 3 will be suitable (or class 4, if the threats of type 3 are topical and there is no interaction between the information systems and the Internet). And to ensure 4 levels of security, the most unpretentious firewalls will fit - no less than grade 5. Those, however, are not currently registered in the FSTEC registry. In fact, each of the firewalls presented in Table 1 can be used to provide 1-3 levels of security, provided that there are no type 3 threats and no interaction with the Internet. If you have an Internet connection, then you need a firewall at least 3 classes.
')
Firewall Comparison
Firewalls have a specific set of features. So let's see what functions one or another firewall provides (or does not provide). The main function of any firewall is packet filtering based on a specific set of rules. Not surprisingly, this feature is supported by all firewalls.
Also, all the firewalls in question support NAT. But there are quite specific (but no less useful) functions, such as port masking, load control, multi-user operation, integrity monitoring, program deployment in ActiveDirectory, and remote administration from the outside. Quite convenient, you see, when the program supports deployment to ActiveDirectory - no need to manually install it on each computer on the network. It is also convenient if the firewall supports remote administration from the outside - you can administer the network without leaving home, which will be relevant for administrators who are used to performing their functions remotely.
Perhaps the reader will be surprised, but the deployment in ActiveDirectory does not support many firewalls presented in Table 1, the same can be said about other functions, such as load control and port masking. In order not to describe which of the firewalls supports one or another function, we systematized their characteristics in Table 2.
Table 2. Firewall Capabilities
How will we compare firewalls?
The main task of firewalls in the protection of personal is the protection of ISPD. Therefore, the administrator often does not care what additional functions the firewall will have. The following factors are important to him:
- Protection time Here it is clear, the faster, the better.
- Ease of use . Not all firewalls are equally convenient, as will be shown in the review.
- Cost Often the financial side is crucial.
- Delivery time . Often the delivery time leaves much to be desired, and you need to protect the data now.
Security for all firewalls is about the same, otherwise they would not have a certificate.
Firewalls in Review
Next, we will compare the three firewalls - VipNet Office Firewall, Cyber ​​Saf Firewall and TrustAccess.
The TrustAccess firewall is a centrally managed distributed firewall designed to protect servers and workstations from unauthorized access, and to restrict network access to an enterprise’s IP.
CyberSafe Firewall is a powerful firewall designed to protect computer systems and the local network from external harmful influences.
ViPNet Office Firewall 4.1 is a software firewall designed to monitor and control traffic and convert traffic (NAT) between segments of local area networks during their interaction, as well as interaction of nodes of local area networks with resources of public networks.
ISPD protection time
What is SPID protection time? In essence, this is the deployment time of the program on all computers on the network and the time for setting up the rules. The latter depends on the ease of use of the firewall, while the first depends on the suitability of its installation package for a centralized installation.
All three firewalls are distributed as MSI packages, which means that you can use ActiveDirectory deployment tools to centrally install them. It would seem simple. But in practice it turns out that no.
At the enterprise, as a rule, centralized firewall management is used. This means that a firewall management server is installed on some computer, and the client software is installed on the others, or as they are called agents. The problem is that when installing the agent, you need to set certain parameters - at least the IP address of the management server, and maybe even a password, etc.
Therefore, even if you deploy the .msi files to all computers on the network, you still have to manually configure them. And this would not be very desirable, given that the network is large. Even if you have only 50 computers you just think about it - go to each PC and configure it.
How to solve a problem? And the problem can be solved by creating a transformation file (MST file), also known as an answer file, for the MSI file. That's just not VipNet Office Firewall, nor TrustAccess that can. That is why, by the way, Table 2 indicates that there is no support for deploying Active Directory. It is possible to deploy these programs in the domain, but the administrator’s manual work is required.
Of course, an administrator can use editors like Orca to create an MST file.
Fig. 1. Editor Orca. Attempt to create MST file for TrustAccess.Agent.1.3.msi
But do you really think that everything is so simple? Opened the MSI file in Orca, corrected a couple of parameters and got the ready answer file? It was not there! Firstly, Orca itself is just not installed. You need to download the Windows Installer SDK, from it using 7-Zip extract orca.msi and install it. Did you know about this? If not, then consider that you spent 15 minutes searching for the necessary information, downloading the software and installing the editor. But that’s not all the torment. MSI file has many parameters. Look at the pic. 1 is only the parameters of the Property group. Which of them change to indicate the IP address of the server? You know? If not, then you have two options: either manually configure each computer or contact the developer, wait for an answer, etc. Considering that developers sometimes respond for quite a long time, the actual time for program deployment depends only on the speed of your movement between computers. Well, if you have installed the remote management tool in advance, then the deployment will be faster.
Cybersafe Firewall creates an MST file by itself, you just need to install it on one computer, get the coveted MST file and specify it in the group policy. How to do this can be found in the article “Differentiation of Information Systems for the Protection of Personal Data” . For some polsach (or even less), you can deploy a firewall on all computers on the network.
That is why Cybersafe Firewall gets a rating of 5, and its competitors - 3 (thanks though the installers are in the MSI format, not the .exe).
| Product | Evaluation |
| VipNet Office Firewall |  |
| CyberSafe Firewall |  |
| Trustaccess | |
The convenience of use
A firewall is not a word processor. This is a rather specific software product, the use of which is reduced to the principle of “installed, configured, forgotten”. On the one hand, usability is a minor factor. For example, iptables in Linux cannot be called convenient, but is it used as well? On the other hand, the more convenient the firewall is, the faster it will be to protect ISPDn and perform some functions of its administration.
Well, let's see how convenient the firewalls in question are in the process of creating and protecting an ISPD.
We will start with VipNet Office Firewall, which, in our opinion, is not very convenient. You can allocate computers into groups only by IP addresses (Fig. 2). In other words, there is a binding to IP addresses and you need to either allocate different ISPDs to different subnets, or split one subnet into IP address ranges. For example, there are three ISPDn: Management, Accounting, IT. You need to configure the DHCP server so that the computers in the Management group are “distributed” with IP addresses in the range 192.168.1.10 - 192.168.1.20, Accounting 192.168.1.21 - 192.168.1.31, etc. This is not very convenient. For this reason, one point will be removed from VipNet Office Firewall.
Fig. 2. When creating groups of computers, there is an explicit binding to the IP address.
In the CyberSafe firewall, on the contrary, there is no binding to the IP address. The computers that make up the group can be on different subnets, in different ranges of the same subnet, and even be outside the network. Look at the pic. 3. Branches of the company are located in different cities (Rostov, Novorossiysk, etc.). Creating groups is very simple - just drag the computer names to the desired group and click the Apply button. After that, you can click the Set rules button to form rules specific for each group.
Fig. 3. Managing Groups at CyberSafe Firewall
With regard to TrustAccess, it should be noted close integration with the system itself. The already created system groups of users and computers are imported into the firewall configuration, which facilitates the management of the firewall in the ActiveDirectory environment. You can not create ISPDN in the firewall itself, but use the existing groups of computers in the Active Directory domain.
Fig. 4. User and Computer Groups (TrustAccess)
All three firewalls allow you to create so-called schedules, thanks to which the administrator can configure the passage of packets on a schedule, for example, to prohibit access to the Internet during off-hours. In VipNet Office Firewall, schedules are created in the Schedules section (Fig. 5), and in Cyber ​​Safer Firewall, the rule’s runtime is set when determining the rule itself (Fig. 6).
Fig. 5. Schedules in VipNet Office Firewall
Fig. 6. Opening times of the rule in CyberSafe Firewall
Fig. 7. TrustAccess Schedule
All three firewalls provide very convenient means for creating the rules themselves. TrustAccess also provides a convenient rule creation wizard.
Fig. 8. Creating a rule in TrustAccess
Take a look at another feature - tools for receiving reports (logs, logs). In TrustAccess, you need to install an event server (EventServer) and a report server (ReportServer) to collect reports and event information. Not that this is a flaw, but rather a feature ("feature", as Bill Gates said) of this firewall. As for the Cybersafe and VipNet Office firewalls, both firewalls provide convenient tools for viewing the IP packet log. The only difference is that the CyberSafe Firewall first displays all the packets, and you can filter the necessary ones using the capabilities of the filter built into the table header (Fig. 9). And in VipNet Office Firewall, you first need to install filters, and then view the result.
Fig. 9. Log Management IP Packages in CyberSafe Firewall
Fig. 10. Managing IP packet logging in VipNet Office Firewall
From the firewall Cybersafe had to remove 0.5 points for the lack of the function of exporting the log to Excel or HTML. The function is far from critical, but sometimes it is useful to simply and quickly export several lines from the journal, for example, for “debriefing”.
So, the results of this section:
| Product | Evaluation |
| VipNet Office Firewall |  |
| CyberSafe Firewall |  |
| Trustaccess | |
Cost of
To bypass the financial side of the issue is simply impossible, because often it becomes decisive when choosing a product. Thus, the cost of one ViPNet Office Firewall 4.1 license (license for 1 year per computer) is 15,710 p. And the cost of a license for 1 server and 5 TrustAccess workstations will cost 23,925 p. The cost of these software products can be found at the links at the end of the article.
Remember these two numbers 15710 p. for one pc (per year) and 23 925 p. for 1 server and 5 PCs (per year). And now attention: for this money you can buy a license for 25 nodes Cyber ​​Saf Firewall (15178 p.) Or add a little and it will be quite enough for a license for 50 nodes (24025 p.). But the most important thing in this product is not the cost. The most important thing is the duration of the license and technical support. The license for Cyber ​​Saf Firewall - no expiration, as well as technical support. That is, you pay once and get a software product with a lifetime license and technical support.
| Product | Evaluation |
| VipNet Office Firewall | |
| CyberSafe Firewall | |
| Trustaccess | |
Delivery time
In our experience, the delivery time for VipNet Office Firewall is about 2-3 weeks after contacting Infoteks OJSC. Honestly, this is quite a long time, considering that a software product is being bought, and not a PACK.
TrustAccess delivery time, if ordered via Softline, is from 1 day. A more realistic timeframe is 3 days, taking into account some delay of the Softline. Although it can be delivered in 1 day, it all depends on the workload of the Softline. Again, this is a personal experience, the actual time period for a particular customer may differ. But in any case, the delivery time is rather short, which is to be noted.
As for the CyberSafe Firewall software product, the manufacturer guarantees delivery of the electronic version within 15 minutes after payment.
| Product | Evaluation |
| VipNet Office Firewall | |
| CyberSafe Firewall | |
| Trustaccess | |
What to choose?
If you are guided only by the cost of the product and technical support, then the choice is obvious - Cyber ​​Saf Firewall. Cyber ​​Saf Firewall has an optimal ratio of functionality / price. On the other hand, if you need Secret Net support, then you need to look towards TrustAccess. But we can only recommend VipNet Office Firewall as a good personal firewall, but for these purposes there are many other and also free solutions.
| Product | Protection time | Convenience | Cost of | Delivery time | Overall score |
| VipNet Office Firewall | 3 | four | 3 | 3 | 13 |
| CyberSafe Firewall | five | 4.5 | five | five | 19.5 |
| Trustaccess | 3 | five | four | five | 17 |
The review is made by experts
company integrator LLC "DORF"
Links
Cost VipNet Office Firewall
TrustAccess Cost
CyberSafe Firewall
Source: https://habr.com/ru/post/268049/
All Articles