Choosing a Firewall

Published on 23 Feb. 2004 / Last Updated on 23 Feb. 2004

In this article, we’ll take a look at some of the factors you should consider when buying a firewall, features available on some of the most popular offerings, and how to compare the real cost of each (hint: the initial purchase price is only a starting point).

Every business organization that’s connected to the Internet needs a firewall to protect the internal network from attacks, but selecting the right firewall can be an overwhelming task. There is a plethora of products on the market, ranging in price from a few hundred dollars to tens of thousands. Software firewalls, hardware firewalls, “personal” firewalls, enterprise firewalls: how do you even begin to evaluate their features and determine what you need and what you don’t?

Not Your Father’s Firewall

Computer and network security needs have changed drastically over the past several years, and firewall technology has evolved to meet those new, more demanding needs. The traditional firewall was a fairly simple construct: it sat between the LAN (or, in the case of personal firewalls, an individual computer) and the “outside world” of the Internet, and filtered packets coming in (and in some cases going out) based only on information in the Layer 3 and 4 headers: IP and ICMP at Layer 3, TCP and UDP at Layer 4. The decision to accept or reject a packet was based on the source or destination address, the protocol, or the port number, never on what the packet actually carried.

As attackers grew more sophisticated and began to exploit higher-layer protocols (DNS, SMTP, POP3, HTTP, etc.), firewalls had to do more. Most business-class firewalls today perform at least some application layer filtering, or ALF: they parse the protocol carried on an allowed port and reject requests that are malformed, oversized, or otherwise outside what that protocol should look like. See my article “ALF: What is it and How Does it Fit into Your Security Plan” on this site for details. ALF is what makes it possible to block application layer attacks that ride on permitted ports, to filter spam and viruses in mail traffic, and to perform content filtering that blocks objectionable Web sites based on content rather than just IP address. Keep in mind that ALF costs CPU time for every packet it inspects, and that it can only inspect what it can read: encrypted traffic such as HTTPS passes through opaque unless the firewall terminates the encryption itself.
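The two stages just described, as an added example that is not code from any vendor or from this site: a Layer 3/4 packet filter over a small rule set for a hypothetical DMZ Web server, followed by a rudimentary HTTP ALF. The addresses (RFC 5737 documentation ranges), the rule set, and the three ALF checks are assumptions constructed for the example. What it shows is that the packet filter allows a path traversal attempt on port 80 exactly as it allows a normal request, and only the application-layer stage tells them apart.

```python
"""Toy two-stage firewall: a Layer 3/4 packet filter followed by a
rudimentary application-layer filter (ALF) for HTTP.
Constructed example; not the code of any product mentioned in the article."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress
import re


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" | "udp" | "icmp"
    dport: Optional[int]    # None for protocols without ports (ICMP)
    payload: bytes = b""


@dataclass
class Rule:
    action: str                 # "allow" | "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A traditional firewall decides on exactly these header fields.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Assumed rule set for a hypothetical DMZ Web server at 203.0.113.10.
# First match wins; a packet matching no rule is denied (default deny).
RULES: List[Rule] = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    # SSH only from the assumed administrative subnet.
    Rule("allow", src="198.51.100.0/24", dst="203.0.113.10/32", proto="tcp", dport=22),
]


def packet_filter(p: Packet) -> str:
    """Layer 3/4 decision: looks only at addresses, protocol and port."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


# Rudimentary HTTP ALF.  A real ALF works on the reassembled TCP stream;
# here the request is assumed to fit in one packet for simplicity.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n")
MAX_TARGET = 2048   # assumed limit on request-target length


def http_alf(payload: bytes) -> Tuple[str, str]:
    """Accept only well-formed requests with a sane target."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "deny", "not a well-formed HTTP request"
    target = m.group(2)
    if len(target) > MAX_TARGET:
        return "deny", "request target too long"
    if b".." in target or b"%2e%2e" in target.lower():
        return "deny", "path traversal sequence"
    return "allow", "ok"


def inspect(p: Packet) -> Tuple[str, str]:
    """Run the packet filter first; only traffic it allows on port 80
    is handed to the application-layer stage."""
    verdict = packet_filter(p)
    if verdict != "allow":
        return verdict, "layer 3/4 rule"
    if p.proto == "tcp" and p.dport == 80 and p.payload:
        return http_alf(p.payload)
    return "allow", "layer 3/4 rule"


if __name__ == "__main__":
    normal = Packet("192.0.2.5", "203.0.113.10", "tcp", 80,
                    b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
    attack = Packet("192.0.2.5", "203.0.113.10", "tcp", 80,
                    b"GET /../../etc/passwd HTTP/1.0\r\n")
    for p in (normal, attack):
        print(p.payload.split(b"\r\n")[0], "->",
              "L3/4:", packet_filter(p), "| with ALF:", inspect(p))
```

Note that the port 443 rule allows HTTPS straight through: the ALF stage never sees it, which is the encrypted-traffic limitation mentioned above.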

Firewalls today are often more than “sentries” at the network gate. Vendors have added other features that aren’t strictly firewall functions, such as VPN gateway and Web caching. Almost all modern firewalls other than those at the very low end support VPN, and many either include caching to accelerate Web performance or offer add-on modules for that purpose. In fact, many vendors have started calling their products “multifunction security” devices or software, instead of simply “firewalls.”

Host-based vs. Network Firewalls

Host-based firewalls (sometimes called “personal” firewalls) are simple, low-cost programs or devices intended to protect a single computer. Examples include ZoneAlarm, Norton Personal Firewall, and the Internet Connection Firewall (ICF) built into Windows XP. Because they run on the host they protect, they filter only that host’s traffic, and malware that gains administrative rights on the host can disable them.

Network firewalls can protect multiple computers. However, not all network firewalls are created equal. Some are simple devices or programs that cost little more than personal firewalls. Many consumer-grade DSL and cable routers include this type of firewall technology. Simple network firewalls perform packet filtering, but usually don’t do more than very rudimentary ALF.

Enterprise firewalls are “all business,” designed for large, complex networks. It goes without saying that they cost much more. They handle many more users, have faster throughput, and offer advanced features such as:

  • Integrated VPN gateways
  • Centralized management of multiple firewalls
  • Sophisticated monitoring and reporting mechanisms
  • Extensibility through add-on modules or plug-ins
  • Policy-based access control, with different policies for different users or groups
  • More sophisticated authentication mechanisms
  • High availability with load balancing and failover

Cost for host-based firewalls is usually around $100 or less. Enterprise firewalls can cost over $25,000. The most popular medium-range business firewalls cost from $1500 to around $5000. But that’s just the initial purchase price. As we’ll see later, many vendors charge extra for functionality that other vendors include at no additional cost.

Hardware vs. Software Firewalls

All firewalls run firewall software, and all of them run it on some sort of hardware. In practice, though, the terms are used to distinguish two kinds of product. A “hardware firewall” is marketed as an integrated appliance: the software comes preinstalled, usually on a proprietary operating system. A “software firewall” is a program you install yourself on a general purpose network operating system such as Windows or UNIX.

Hardware firewalls can be further divided into those that are basically dedicated PCs with hard disks and those that are solid-state devices whose packet processing is done in ASICs (Application Specific Integrated Circuits). ASIC firewalls are generally faster performers and don’t have a hard disk (a mechanical device) as a potential point of failure. Note that the ASIC advantage applies only to the work the ASIC actually does, typically packet filtering and encryption; application layer inspection still runs on a general purpose CPU, so ask for throughput figures with ALF enabled, not just the raw packet-filtering number.

Software firewalls include Microsoft ISA Server, CheckPoint FW-1 and Symantec Enterprise Firewall at the enterprise level, as well as most personal firewalls. ISA Server runs on Windows 2000/2003, and FW-1 runs on Windows NT/2000, Solaris, Linux, and AIX, as well as proprietary appliance operating systems. Symantec EF runs on Windows and Solaris.

Hardware firewalls include Cisco PIX, Nokia (which runs CheckPoint FW-1 on top of their IPSO operating system), SonicWall, NetScreen, Watchguard, and Symantec’s 5400 series appliances (which run their Enterprise Firewall software).

Hardware firewalls are often marketed as “turn key” because you don’t have to install the software or worry about hardware configuration or conflicts. Those that run proprietary operating systems claim greater security because the OS is already “hardened” (although many of the proprietary systems have been exploited nonetheless, so an appliance still needs its firmware patched like any other system). A disadvantage of hardware firewalls is that you’re locked into the vendor’s specs. For instance, a firewall appliance will have a certain number of network interfaces, and you’re stuck with that number. With a software firewall, you can add NICs to the machine on which it’s running to increase the number of available interfaces. You can also more easily upgrade the standard PC on which the software firewall runs, adding standard RAM or even multiple processors for better performance. The flip side is that hardening the underlying OS is your job: remove or disable every service the firewall itself doesn’t need, keep the OS patched, and remember that anything else running on that box is attack surface sitting in front of your network.

Important Firewall Features

Most businesses need more than a personal or simple network firewall can offer, but unless you’re running an ISP or datacenter, the top of the line enterprise firewalls are probably overkill (not to mention the way they can kill your budget). Assuming you have a medium sized business and are in the market for a firewall in the $2000-10,000 range, what’s out there and what’s the difference between them?

Here are some things you’ll want to look for:

  • Architecture: do you prefer a software firewall that you can install on a new or existing PC or a dedicated appliance?
  • How many concurrent firewall sessions does the firewall need to support?
  • How many VPN tunnels do you need to be able to run concurrently?
  • What VPN protocols do you want to use (IPSec, PPTP, L2TP over IPSec)? PPTP is the simplest to deploy but offers the weakest protection of the three; prefer IPSec where your clients support it.
  • Do you need integration with Exchange mail servers or SharePoint collaboration servers?
  • What type of management user interface (UI) do you prefer: command line interface (CLI), graphical management console, Web-based interface? Do you need to manage the firewall via SSH, Telnet, or SNMP? If so, prefer SSH over Telnet and SNMPv3 over SNMPv1/v2c, since Telnet and the older SNMP versions send passwords and community strings in the clear, and make sure the management interface is reachable only from a trusted management network, never from the Internet side. Do you need centralized management of multiple firewalls?
  • Do you need high availability (load balancing, failover) features?
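Two of the questions above, how many concurrent sessions and how many VPN tunnels you need, are best answered from your own traffic rather than guessed. The following is an added example (not code from this site or from any vendor) that replays a constructed connection log, computes the peak number of simultaneous firewall sessions and VPN tunnels with a sweep over start and end times, and adds growth headroom. The log format, the sample lines, and the 50% headroom are assumptions; adapt parse_log() to whatever your current firewall or router actually logs.

```python
"""Size concurrent-session and VPN-tunnel capacity from a connection log.
Added example with a constructed log format; real firewall logs differ."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
import math
import re

# Assumed log format (constructed for this example):
#   <date> <time> kind=<fw|vpn> src=<ip:port> dst=<ip:port> dur=<seconds>
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) kind=(?P<kind>fw|vpn) "
    r"src=\S+ dst=\S+ dur=(?P<dur>\d+)$")

# Constructed sample: five firewall sessions and two VPN tunnels.
SAMPLE_LOG = """\
2004-02-23 09:00:00 kind=fw src=10.0.0.5:51000 dst=203.0.113.10:80 dur=60
2004-02-23 09:00:10 kind=fw src=10.0.0.6:51001 dst=203.0.113.10:443 dur=20
2004-02-23 09:00:20 kind=fw src=10.0.0.7:51002 dst=198.51.100.20:25 dur=40
2004-02-23 09:00:25 kind=vpn src=192.0.2.40:500 dst=203.0.113.1:500 dur=100
2004-02-23 09:00:30 kind=fw src=10.0.0.8:51003 dst=203.0.113.10:80 dur=5
2004-02-23 09:00:40 kind=vpn src=192.0.2.41:500 dst=203.0.113.1:500 dur=30
2004-02-23 09:01:00 kind=fw src=10.0.0.9:51004 dst=203.0.113.10:80 dur=10
this line is garbage and is skipped
"""

Interval = Tuple[datetime, datetime]


def parse_log(text: str) -> Dict[str, List[Interval]]:
    """Turn log lines into (start, end) intervals, grouped by kind."""
    intervals: Dict[str, List[Interval]] = {"fw": [], "vpn": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than miscount
        start = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        end = start + timedelta(seconds=int(m["dur"]))
        intervals[m["kind"]].append((start, end))
    return intervals


def peak_concurrency(intervals: List[Interval]) -> int:
    """Sweep-line count of overlapping intervals.  A session that ends at
    time t is released before one that starts at t is admitted, which is
    how a state table frees a slot for reuse."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))   # -1 sorts before +1 at equal times
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def required_capacity(peak: int, headroom: float = 0.5) -> int:
    """Observed peak plus growth headroom (50% by default, an assumed
    figure you should replace with your own growth forecast)."""
    return math.ceil(peak * (1 + headroom))


def size_from_log(text: str, headroom: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Peak and recommended minimum capacity for each kind of session."""
    out: Dict[str, Dict[str, int]] = {}
    for kind, ivs in parse_log(text).items():
        peak = peak_concurrency(ivs)
        out[kind] = {"peak": peak, "required": required_capacity(peak, headroom)}
    return out


if __name__ == "__main__":
    for kind, v in size_from_log(SAMPLE_LOG).items():
        print(f"{kind}: peak {v['peak']} concurrent, buy for at least {v['required']}")
```

Run it against a week of logs, not an hour, so the peak reflects your busiest period; and compare the result with the datasheet’s concurrent session and VPN tunnel limits, which are the figures vendors quote in the comparisons below.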

There is no One Perfect Firewall. Each product has strengths and weaknesses, and after you’ve evaluated your needs and decided which features are most important for your organization, you should carefully compare the technical specs and datasheets of different firewall products to determine which meet your own needs best.

For example, the Cisco PIX firewalls are reliable and well-liked, but many administrators don’t like the PIX Device Manager (PDM) Web interface and prefer to use the CLI. If you’re uncomfortable with the command line, this might be a factor in your choice. SonicWall mid-range Pro 230 firewalls offer a big price advantage over other brands, but support fewer VPN tunnels (500 as compared to 12,500 for the mid-range Nokia 350 and 8000 for the mid-range Watchguard V80). On the other hand, the NetScreen 50, which costs $4000 more than the SonicWall, provides fewer VPN tunnels (100) and fewer concurrent sessions (8000 vs. SonicWall’s 30,000).

Do You Need Extra Features?

Some features cost extra from some vendors. For example, you may have to buy an extra license to use 3DES encryption, and content filtering may be done through a subscription service such as SonicWall’s CFS or a third party such as Websense. Other features are included at no cost with some firewalls, unavailable with others, and optional add-ons with still others. Web caching, for example, is included standard with ISA Server, can be added to CheckPoint via an add-on product, must be done “off box” with PIX, and is part of the content filtering service with SonicWall.

Features for which you might have to pay extra include:

  • Web caching
  • Centralized management and reporting
  • Spam filtering
  • High availability
  • URL screening
  • Anti-virus

With other firewalls, some or all of these features are built in. For example, ISA Server’s management console can be used to manage multiple ISA Servers, its ALF functions can be used for rudimentary spam filtering, and ISA can use the Windows server operating system’s built-in Network Load Balancing.

Another consideration is throughput (the amount of data the firewall can move per second). Performance matters on a busy network where people depend on accessing resources quickly. Firewall throughput can range from 150Mbps to over 1Gbps. When comparing vendors’ throughput claims, look closely to be sure you aren’t comparing apples and oranges: a figure measured with large packets and nothing but stateful filtering enabled can be far higher than the figure for the same box passing small packets with ALF, logging, and anti-virus scanning turned on, so compare numbers measured the same way. VPN throughput, especially with strong encryption, will be far lower than plain firewall throughput. Also, some vendors quote throughput as bidirectional, which counts traffic in both directions and can make a number look twice as large as a competitor’s unidirectional figure. Of course, throughput doesn’t determine access speed to the Internet; you’re still limited by the speed of your Internet connection.

Some special considerations dictate the use of a particular firewall. For example, no other product integrates with and protects Exchange servers and Outlook Web Access (OWA) users as well as ISA Server, because both products are made by Microsoft to work seamlessly together. ISA Server is also designed from the ground up to work with SharePoint Portal Servers (SPS). If protecting your Exchange and SPS servers is a high priority, ISA is your logical first choice.

Important Cost Considerations

When you compare the costs of different firewalls, then, you need to take into account any of the extra cost features that you need to implement. If you don’t need Web caching, it might cost less to buy a SonicWall box than to buy a PC plus the Windows server operating system plus ISA Server. On the other hand, if you DO need caching and you already have a spare box on which ISA can be installed, that might be much more cost effective than buying the SonicWall plus a Web caching server or appliance.

Licensing schemes vary widely, and some are so complex that they’re confusing. For example, some vendors charge extra for every VPN client. If you have 1000 VPN clients, even at $15 each, that adds up to $15,000. Other vendors, such as Microsoft, don’t require client licenses for VPN connections, and their VPN client software (PPTP and L2TP clients) is built into every modern Microsoft operating system. Some vendors also base the initial cost of the firewall on a specified number of users, and if you exceed that, you’ll have to buy an upgraded license.

A firewall solution that looks like the least expensive based on list price for the software or appliance might end up costing much more when you purchase all the necessary licenses and add-on modules or services.

Summary

Buying a firewall for your organization can be a daunting task, but it’s made easier by being properly prepared. That means knowing how many users it needs to support (and taking future growth into account), whether you’ll have VPN users and how many, whether you have Exchange and SharePoint servers you need to protect, whether you need to manage multiple firewalls centrally, and whether you want extra features such as Web caching. You’ll also want to decide whether you prefer that extra functions be performed “off box” (which increases the amount of hardware required but puts less load on the firewall’s processor) or “on box” (which may be more convenient and reduce cost). There are many decisions to make when you start to evaluate firewall options. In this article, we’ve discussed just a few of the items you should consider.
