Select the right firewall
Before you choose a firewall, assess your security needs by considering
five important factors.
If you're upgrading your firewall, or installing one on your network
for the first time, you'll discover that firewall technology has
changed a lot in the last several years. How do you select one that's
appropriate for your business?
Before you meet with firewall vendors, assess the needs of your
organization. In performing a firewall requirements inventory, you
should first determine a mandatory list of features and level of
performance, then decide what added functionality you would like
to have on top of that. Your "must" list should help cut down your
The following will guide you through the selection process. Laura
Taylor is the Chief Technology Officer and founder of Relevant Technologies.
What kind of firewall does your organization
Proxy firewalls filter services at the application level, and
in essence, create a virtual connection, hiding the internal client
IP address and concealing the network topology of the internal network
from the outside world. If a proxy firewall is bundled with an intrusion
detection module, it can analyze traffic patterns and often prevent
denial-of-service (DoS) attacks--something not all firewalls can
Stateful packet inspection firewalls are based on the filtering
of packets at the network level--these firewalls examine protocol
packet header fields: source IP address, destination IP address,
TCP/UDP source ports, and TCP/UDP destination ports. They're "stateful"
because the firewall can remember prior connection states, and continuously
updates this information in dynamic connection tables. The firewall
evaluates subsequent transactions against prior connection histories.
Check Point's Firewall-1 firewall goes beyond that and also collects
application state information, uses it to make RPC and UDP based
A hybrid firewall is the newest kind, and is a combination stateful
packet inspection firewall and proxy firewall.
An enterprise firewall appliance is a turnkey hardware/software
device that has all components pre-installed and pre-configured
as much as possible, and manages a security policy for an entire
enterprise. These are best suited for organizations that require
multiple firewalls that need to be managed from one location. An
enterprise firewall appliance must be able to log to a central control
console to be considered enterprise-ready. Examples of leading enterprise
firewalls include Check Point's Firewall-1, Symantec's VelociRaptor,
and Watchguard's Firebox II.
Built-in high-availability means that if your firewall loses its
operational capabilities, it can make a transparent cut-over to
a second firewall, which takes over all the operational capabilities
of the first. If you're a typical IT shop, high-availability is
probably not necessary, as long as your one production firewall
is carefully installed, maintained, and backed up. However, if you're
a large managed service provider with hundreds of customers that
depend on a firewall--you need a high-availability product. If you
don't have this capability in place, you risk leaving your network
exposed or completely blocked off if your firewall stops working.
Some firewall appliances, like the Nokia IP600 series, cut over
to backup systems especially well. The Nokia IP650 uses Check Point's
Firewall-1 and VPN-1 software running on a machine with a 450Mhz
Pentium II processor.
To create high-availability with a software-based firewall, you
need to purchase two sets of hardware and software packages, then
install a high-availability package like Stonesoft's Stonebeat on
top of them. Therefore, if you need high availability, a hardware-based
firewall is probably the way to go.
Firewall appliance or a software-based firewall
Firewall appliances come with software embedded and bundled with
the hardware platform, making them faster to deploy and configure
than pure software firewalls. If you are installing a firewall as
a result of a security incident, such speed of implementation might
be critical to your selection. Appliance firewalls are not necessarily
more inherently secure--the real value is in their speed of implementation,
cost savings, and ancillary features such as high availability and
Leading firewall appliances include:
- Nokia IP650
- Symantec/AXENT VelociRaptor
- Cisco PIX 535
- Watchguard Firebox II Plus
- Cyberguard KnightSTAR
- RapidStream 8000
The biggest advantage of software-based firewalls is that they
offer more flexibility and scalability. The biggest disadvantage
is the added time they take to procure and implement. Because of
their richer configuration options, software firewalls often take
longer and therefore cost more to implement properly.
If you decide a software-based firewall would work best for your
organization, you need to determine what platform it should run
on. Typical platforms for firewall installations include Solaris,
HP-UX, Linux, OpenBSD, FreeBSD, NetBSD, Windows NT or 2000, NetWare,
or even MacOS.
In most cases, Unix firewalls are a safer bet than Windows NT or
2000 because Unix operating systems are easier to harden and lock
down. OpenBSD, a Unix based derivative, is a particularly good platform
for firewalls, since it comes pre-hardened by default.
However, your choice of platforms may depend on another consideration--what
operating systems you are already using. Your familiarity with managing
a given platform may balance out the enhanced security of a strange
operating system your staff will need training to manage.
Firewall speed and performance
If your network is a basic print, mail, and file-sharing network,
and you never receive complaints about network performance, a firewall
that has been optimized for performance is probably not necessary.
Applications that typically affect performance include streaming
media and virtual private networking (VPN). If you send streaming
media through your firewall using applications like RealVideo 8,
CU-SeeMe, or Netscape CoolTalk, specify a firewall configured with
a minimum of 256MB of RAM, and one that can handle a large amount
of simultaneous connections.
The Netscreen-1000 firewall appliance is particularly well-suited
for performance-constrained implementations. It can accommodate
as many as 700,000 simultaneous connections, with a maximum throughput
of 1 gigabit per second.
If you're implementing site-to-site encryption, get a firewall
with built-in VPN capabilities. Be sure to select one that also
supports a secure remote access VPN client. And be sure the VPN
supports IPSec, the most popular standard in VPN encryption protocols,
since more add-on auxiliary security services and products interoperate
with IPSec than any other security protocol.