Stonesoft to Launch Firewall and VPN for iSeries

by Alex Woodie

iSeries shops waiting for a firewall that installs on their iSeries should get one soon. Stonesoft, a Finnish developer of security software and hardware, recently announced that its Linux-based StoneGate firewall and virtual private network (VPN) software will be available for iSeries early in the second quarter.

First available on Intel-based xSeries servers, and then on zSeries mainframes, the StoneGate Firewall and VPN software suite provides integrated firewall and VPN capabilities from a "hardened" Linux partition. Officials with Stonesoft, based in Helsinki, Finland, say IBM approached it to develop a version of the StoneGate product for the iSeries after developing a similar solution for the zSeries mainframe. The two solutions are nearly identical, Stonesoft officials say.

StoneGate provides a three-tiered security architecture that uses a central server component, called the StoneGate Management Center, which delivers a GUI and runs on Windows, Linux, and Solaris operating systems. With the StoneGate for iSeries firewall, the StoneGate Management Center will run directly on the iSeries. The StoneGate Management Center manages all the different nodes of the StoneGate suite, which includes the firewall and VPN components for iSeries. On Intel, the StoneGate Management Center also connects to an intrusion-detection system. The company is considering developing intrusion-detection system for the iSeries or zSeries, a company official says.

Stonesoft's firewall uses a multi-layered approach to understanding and blocking Internet traffic, combining packet filtering, stateful connection tracking, and application-level security (also known as protocol agents). This combination of different techniques (configurable rules-based protocol agents, in particular) provides the highest level of protection, especially with the array of different protocols in use by applications today, the company says.

The StoneGate VPN component, which provides both IPsec and site-to-site capabilities, will have a special role on the iSeries. By running the VPN software directly on the iSeries, Stonesoft says, there is less of a chance of exposing data than if a company ran VPN from a separate box. "The closer the encryption is done to the application, the less chance that someone can tap into the decrypted information," the company says. The same virtualization capabilities that benefit an iSeries network also apply to the StoneGate firewall, which can be virtualized and used to separate individual departmental servers residing in separate OS/400 partitions, the company says.

Stonesoft claims superior speed and throughput for StoneGate, compared with hardware-based firewall and VPN appliances. The StoneGate software has its own "hardened" Linux operating system (no need to have Red Hat or SuSE Linux already set up), which supports "advanced high-performance algorithms" for firewall filtering and packet handling. As a result of these algorithms, the StoneGate Firewall can support in excess of one million concurrent connections, the company claims.

The company is banking on this high performance throughput claim iSeries initiative. Stonesoft says that, just as companies can realize extensive gains by consolidating multiple servers and networks onto a single iSeries, they can consolidate their firewall and VPN appliances, and thereby simplify their network while cutting costs.

StoneGate will be the second Linux-based firewall developed for the iSeries by IBM business partners. In May 2003, Symantec announced general availability of its Linux-based Enterprise Firewall software for the iSeries (see "Symantec Delivers Linux-Based Firewall for iSeries Model 270"). At the time, the Symantec Firewall, which ran as a "virtual appliance" in an iSeries Linux partition, was certified for Red Hat Linux Version 7.1 on the iSeries Model 270. Symantec had committed to getting its firewall running on other iSeries models, but it has not announced any newly supported servers. Sources say the Symantec firewall for the iSeries program is not working. Symantec did not immediately return a phone call seeking comment.

Pricing for StoneGate Firewall and VPN for iSeries has yet to be finalized; it will likely be in the $10,000 to $30,000 range, a slight premium over stand-alone firewall appliances, officials say. For more information, go to www.stonesoft.com.