As for performance, SEF was comparatively slow. Once we started loading the firewall with connections, SEF's CPU utilization hit 100 percent and stayed there. We started seeing failures at around 67 Mbps with 330 connections per second, and the failure rate was dramatic. Once the firewall was saturated, it stopped accepting new connections.
Symantec Enterprise Firewall with VPN 7.0, Symantec Corp., (800) 441-7234, (541) 335-7000. www.symantec.com
Microsoft Internet Security and Acceleration Server 2000
Micrsoft's ISA is a full-featured HTTP proxy. However, it lacks support for some key protocols. ISA is unique in that it can be installed on a Web or Exchange server and offers tight integration with Windows 2000 and Outlook Web Access (OWA). We did find a DoS problem with the DNS filtering, which Microsoft patched (you can find more details on this problem in Microsoft's Knowledge Base, article number Q331065). Our testing also revealed that you cannot create stateful packet-filtering rules between multiple internal networks nor can you install the proxy transparently for inbound traffic. These important implementation features are available in the other firewalls we tested. ISA was the fastest HTTP application proxy in the review, operating at 170 Mbps.
ISA's HTTP proxy takes URL filtering one step further than the other firewalls we tested. When a URL is sent to ISA, before it passes the URL to the destination host, it decodes any Unicode or ASCII encoded strings. To block directory-traversal attacks, we simply entered the string "../.." into the URLScan filter--we didn't have to monkey with regular expressions.
While testing ISA with Cenzic's Hailstorm, we noted that the POP3 intrusion-detection filter only looked for long strings in the user-name field during login. We informed Microsoft and the company confirmed that the POP3 is working as designed, but there may be other fields susceptible to attack besides the user field and the filter supplies limited detection. Finally, we found ISA's SMTP application filtering only works one way--inbound. We put a Netcat listener on Port 25 inside the firewall and telnetted to the SMTP proxy on ISA. Although we weren't able to send arbitrary data from the client to the server, we could send arbitrary data from the server to the client.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
