Elron Firewall – A security solution with minimal hardware requirements
Elron Firewall is a stateful inspection firewall that requires minimal hardware. Read the article to learn about its security features.
Elron, a U.S. subsidiary of the Israel-based Elron Electronic Industries, is a reliable name in the world of IT. Elron Firewall runs on Windows NT as well as on its own proprietary operating system, which was developed specifically to prevent security attacks. There is no support for superfluous services like file & print sharing, and thus no holes in the operating system. Elron's 32OS uses MSDOS as its boot loader. The documentation sheds light on some alarming problems (for example, losing NAT addresses) that may occur when the firewall runs out of memory, but none of these is a security threat. The firewall has plenty of security features and is easy to use.
Minimum hardware requirements
For connections less than 1.5Mb/sec:
For connections more than 1.5Mb/sec:
For management station:
Interface
The user interface is not well designed. The main window cannot be resized and takes up the entire screen. The modal dialogs used throughout the software also prevent the administrator from seeing two windows at a time. This lack of attention in the programming is disappointing. The interface is not easy to use either. It does not conform to any interface methodology: in some places the user is supposed to right-click, in others to double-click to access features. Nothing indicates which elements can be activated and which cannot.
The firewall can be configured remotely using the Windows-based policy manager. For remote administration, the firewall first has to be configured using the firewall management software; the configuration can then be transmitted to another firewall on the same Ethernet collision domain. The interface includes a Master Security Plan feature with which you can add or remove user services (for example, DNS, FTP, email & World Wide Web) and enable or disable the inbound/outbound processes. To view details, double-click on the interface or press Enter. Press the spacebar if you want to make changes.
Security features
Stateful inspection filter
The firewall uses multilayer stateful inspection for filtering at the Application Layer. It does not use proxy servers for this purpose. The benefit of filtering at the Application Layer is that more attacks can be blocked. The extent to which this functionality is used varies from protocol to protocol, and it can be customized on a per-protocol basis. However, customization requires a thorough knowledge of TCP/IP. The inspection packet filter is unique because it filters the payload, or application portion, of a packet. Before passing data packets into the protected network, Elron compares them with the previously filtered bit packets. Any unknown or deformed packets are filtered out. There are also two separate Application Layer filters, the MessageInspector and the InternetManager. The former blocks email spam, newsgroups and FTP downloads, while the latter blocks HTTP.
Network Address Translation (NAT)
NAT hides IP addresses behind the Elron Firewall's own IP address. The firewall allows an upper limit of around 64000 outbound connections, which is very high. The IPs in the network are directed to their legal addresses.
Secure authentication
For secure authentication, strong passwords are created and the user authentication software supports periodic encrypted authentication. The supported authentication methods are CHAP and RADIUS. No unauthorized users can get access to the network.
Virtual Private Network (VPN)
The VPN uses IP-in-IP tunneling. This hides the source and destination addresses and provides high security. IPSec is used to encrypt the encapsulated IP packets.
IP and IPX filtering
The firewall supports both types of filtering. Unless you have a very big IPX network where inter-divisional security is necessary, IPX filtering is not very important. IPX bridging, where IPX packets are forwarded irrespective of their content, is also supported by the firewall. The whole process is very transparent.
VPN continuous key generation
Once a set amount of VPN traffic has passed between two firewalls, they generate new keys. The two firewalls then exchange the new keys, which makes a key recovered by brute force useless to a hacker.
Operating System hardening
The 32OS is hardened so that no extraneous services or exploitable mechanisms are supported on the system. Software functions that are unrelated to the firewall or do not contribute to supporting it are also disabled.
Pricing & support
The 25-user version costs $1,000. For 50 users the firewall costs $2,000, for 100 users $3,250 and for 225 users $5,600. For an unlimited number of users, the price goes up to $9,000. Annual maintenance contracts can also be purchased at around 25% of the initial price. The documentation (PDF format) provided at the time of purchase is task oriented but covers basic theoretical concepts as well. It is easy to understand, and even novice administrators should not face any problem in following it. Technical support is provided by email. There is also a small searchable knowledge base to answer users' queries.
Review
Elron Firewall has minimal hardware requirements, but the supported adapters are limited to 3c905 Ethernet only. Users do not need to make any special arrangements to set up the firewall, but the interface is not as user friendly as that of other firewalls. The firewall has a fast stateful inspector, a VPN and IPX support but no proxy servers. There are some advantages to using Elron, but there are disadvantages too. The price is reasonable when compared to that of other firewalls. Overall, Elron Firewall is a decent product in the medium price range.