Product Reviews

No Holes Here

Firewall Analyzer knows what your firewalls are doing.

• By Jim Idema
• 03/01/2004

Firewall Analyzer, particularly the more expensive Enterprise Edition, can collect data from hundreds of firewalls from some 25 vendors. It can then correlate data from traffic, event, content, and attack logs to figure out the type of attack, severity, and where it came from. The software translates cryptic syslogs from an array of firewalls into understandable reports. And because you don’t want to spend all day staring at firewall reports, Firewall Analyzer can send alerts based on thresholds that you define.

I loaded the Standard version first, which went in pretty easily. I then performed the "configure firewall" function and added the IP address of my firewall (the tools uses autodiscovery to ease the installation of devices), which set off a message asking if I wanted to allow access to the analyzer, which, of course I did.

By clicking the edit button, you can select your firewall and decide if you want the "fwasyslog" service to collect the log file. By selecting the latter option, you can change the port to any port you prefer.

The Configure Firewall lists available firewalls by IP or name, and it can add them to the reporting pool. (Click image to view larger version.)

I checked the logs created and saw that everything was operating as it should be. Since the installation put an icon on my desktop, I thought I’d find something interesting if I double-clicked it. Instead I was brought to the Internet Optimizer screen we’ve all seen a bazillion times.

Satisfied with the Standard version, I then loaded the Enterprise version, which offers more reports and more detail such as which user is doing what and when, and what DNS names are being resolved to what IP addresses.

A strength of Firewall Analyzer is its reporting. Each report lists each specific action, protocol and port that the analyzer listened on, so I had no problems seeing where my problem areas were. Through integration with Active Directory, reports can be customized based on the role and rights of the user.

Reports can move from the general—number of visitors and bytes transferred per day—to the highly detailed. Want to know how many attacks and emergencies have occurred? No problem. Care to know how many Ping of Death attacks occurred last Thursday, what IP addresses they went after, and the source of the attack? A simple Firewall Analyzer report can do the trick.

Because firewalls can collect reams and reams of data, you can decide how much data to collect and analyze. To further reduce bandwidth and storage, Firewall Analyzer can be configured to only pass along the delta or changes to log files. Reports can be formatted as PDFs, HTML, Excel, or Word docs, all complete with tables, graphs, and detailed summaries.

The analyzer doesn’t tell you how to fix errors or problems it finds, but that’s OK; most admins already know that stuff.

Firewalls collect an awful lot of data, and Firewall Analyzer can do more than track down attacks. This tool can also track bandwidth use, protocol use, Web visitors and internal use including the categorization of URLs, and hunt down downloading of inappropriate content.

Firewall Analyzer can be loaded on most Windows machines from NT 4 (with SP6) up to Server 2003. It should be noted here that on XP boxes, only one Web site can be running at a time. Firewall Analyzer also has a built-in Apache Web server.

If you want to make sure there are no holes in your firewall (or find the ones there), take a look at Firewall Analyzer. The last thing you need is some outside entity poking through company data.