A firewall product is often treated like a commodity, as if all firewalls were the same and the only difference were the brand name. Yet a firewall is the most important piece of equipment protecting your entire network, and many criteria differ depending on the model and supplier. Certain features are included on some firewalls and not on others. Many suppliers try to get your attention with what initially appears to be a very low purchase price; however, once you upgrade to get all the features you want, the total price becomes much higher.
Is the firewall you choose the right combination of value, security level, scalability, and support for your size of organization?
Here are the main factors to consider. As many of you (like this writer!) are likely to be not quite as technically-minded as our developers, many of the terms have links to Wikipedia definitions, which will open in a separate window.
Sizing
| Criteria | Considerations | Small Org’s | Med. & Enterprise Org’s |
|---|---|---|---|
| # IP Addresses to Protect | Licensing? (Yes or No)<br>• Unlimited or limited number of licensed devices<br>• All products have performance limits | Upgradable? Consider growth needs | Upgradable? Consider growth needs |
| # Concurrent Connections | Varies by firewall model | Upgradable? Consider growth needs | Upgradable? Consider growth needs |
| Performance (Throughput, VPN, UTM/Filtering) | • Check firewall’s specs for each function<br>• Throughput includes ALL traffic through all ports<br>• Consider # of users, type of media, Web servers, link speed<br>• UTM performance can be much lower than stateful performance | Upgradable? Consider growth needs | Upgradable? Consider growth needs |
| Configuration (# Ports, LAN, DMZ, WAN) | Check if ports are FIXED function or CONFIGURABLE, and if a sufficient # is provided | | |
| Type of VPN Access | • IPSEC most commonly supported<br>• PPTP supported by some firewalls only<br>• SSL VPNs usually a separate product, but some firewalls include SSL access for a small # of users | PPTP or IPSEC may be OK depending on security level required. Firewall + SSL VPN might be OK for a small # of users. | IPSEC is the more secure option. May have to buy a separate SSL VPN product for optimal performance with some firewalls. |
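The performance row above makes two points that are easy to get wrong when reading a spec sheet: the throughput that matters is the figure with UTM filtering switched on, not the stateful-only headline number, and every limit should be checked against projected growth, not today's load. The following script is an added example (not part of the original page or any vendor's tooling) that turns those checks into a repeatable sizing review. The appliance figures and site profile it uses are constructed for illustration; substitute the vendor's published limits and your own measurements.

```python
"""Firewall sizing check: compares a candidate appliance's published
limits against an estimated site requirement with growth headroom.
Added example; all numbers below are constructed, not real products."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FirewallSpec:
    name: str
    stateful_mbps: int            # headline throughput, stateful inspection only
    utm_mbps: int                 # throughput with AV/IPS/content filtering enabled
    vpn_mbps: int                 # IPsec VPN throughput
    max_connections: int          # concurrent session table limit
    licensed_ips: Optional[int]   # None means an unlimited device licence


@dataclass
class SiteProfile:
    devices: int                  # IP addresses to protect today
    link_mbps: int                # WAN link speed
    per_device_mbps: float        # busy-hour bandwidth per device (LAN/DMZ included)
    connections_per_device: int   # typical concurrent sessions per device
    vpn_users: int
    vpn_mbps_per_user: float
    growth_factor: float = 1.5    # headroom for the "consider growth needs" column


def required(site: SiteProfile) -> dict:
    """Requirement per criterion, scaled by the growth factor.

    Throughput through the firewall includes all ports, so internal
    device demand can exceed the WAN link; use whichever is larger."""
    device_demand = site.devices * site.per_device_mbps
    g = site.growth_factor
    return {
        "utm_throughput": max(site.link_mbps, device_demand) * g,
        "connections": site.devices * site.connections_per_device * g,
        "vpn_throughput": site.vpn_users * site.vpn_mbps_per_user * g,
        "licensed_ips": site.devices * g,
    }


def evaluate(spec: FirewallSpec, site: SiteProfile) -> List[Tuple[str, float, float]]:
    """Return (criterion, available, required) for every limit the
    appliance fails. An empty list means the unit is sized adequately."""
    need = required(site)
    # Compare against the UTM figure deliberately: once filtering is on,
    # the stateful headline number is no longer the one you get.
    available = {
        "utm_throughput": spec.utm_mbps,
        "connections": spec.max_connections,
        "vpn_throughput": spec.vpn_mbps,
        "licensed_ips": float("inf") if spec.licensed_ips is None else spec.licensed_ips,
    }
    return [(k, available[k], need[k]) for k in need if available[k] < need[k]]


def utm_penalty(spec: FirewallSpec) -> float:
    """Fraction of headline throughput lost when UTM is enabled; a large
    value is the spec-sheet trap the guide warns about."""
    return 1.0 - spec.utm_mbps / spec.stateful_mbps


# Constructed sample inputs (not real products or a real site).
SITE = SiteProfile(devices=60, link_mbps=100, per_device_mbps=1.0,
                   connections_per_device=50, vpn_users=5, vpn_mbps_per_user=5.0)
UNDERSIZED = FirewallSpec("entry-model", stateful_mbps=1000, utm_mbps=120,
                          vpn_mbps=100, max_connections=3000, licensed_ips=50)
ADEQUATE = FirewallSpec("mid-range", stateful_mbps=2000, utm_mbps=600,
                        vpn_mbps=200, max_connections=100_000, licensed_ips=None)

if __name__ == "__main__":
    for spec in (UNDERSIZED, ADEQUATE):
        print(f"{spec.name}: UTM costs {utm_penalty(spec):.0%} of headline throughput")
        for crit, have, need in evaluate(spec, SITE):
            print(f"  FAIL {crit}: have {have:g}, need {need:g}")
```

Run as-is and the entry-level unit fails on UTM throughput, session table size and device licence even though its stateful headline figure of 1000 Mbps looks generous; the mid-range unit passes every check with headroom.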
Security Level
| Criteria | Considerations | Small Org’s | Med. & Enterprise Org’s |
|---|---|---|---|
| Certifications / Compliance | • ICSA is the basic certification level<br>• Common Criteria (EAL4+) is desirable | ICSA | ICSA, Common Criteria EAL4+ |
| CERT Advisories (Vulnerabilities found) | Vendors whose products have few vulnerabilities, and who patch (fix) them quickly, are desirable | Fewest number possible, quickly fixed by vendor patch downloads | NO vulnerabilities desirable; any found quickly resolved by vendor |
| Protection Architecture<br>• Stateful firewalls are good<br>• Stateful + proxy firewalls are better<br>• Look for secure OS, robust design, good reputation<br>• IPS (signature based)<br>• Layer 7 Unified Threat Management | • Stateful firewall is the basic business requirement<br>• Proxy firewall can provide additional protection for internal networks<br>• Evaluate quality and types of content filtering in UTM | Minimum: stateful- or proxy-based Layer 7 antivirus and IPS<br>Desired: complete UTM | Minimum: stateful + proxy-based complete UTM + IPS + anomaly protection |
Reliability, Redundancy & Support
| Criteria | Considerations | Small Org’s | Med. & Enterprise Org’s |
|---|---|---|---|
| Redundant Architecture<br>• Dual power supply<br>• RAID disk or solid state<br>• WAN failover and balancing<br>• High Availability (unit-to-unit) failover (2 units) | • Mission-critical firewalls need some or all of these features<br>• High Availability can be Active-Active or Active-Passive | Nice to have. WAN failover required for mission-critical installations | Required |
| Support<br>• 8 hours × 5 days a week<br>• 24 hours × 7 days a week | Choose appropriate support level | 8×5 unless mission critical | 24×7 |
| Warranty & Response Time<br>• 1 or 3 year warranty typical<br>• Depot service (mail-in) = slowest<br>• Next Business Day onsite = next best<br>• 4 Hour onsite = best | Choose appropriate level to guarantee business continuity | 1 or 3 yr. / depot or next business day response | 3 yr.+ / at least next business day response |
Management & Reporting
| Criteria | Considerations | Small Org’s | Med. & Enterprise Org’s |
|---|---|---|---|
| • Network management tools and logs<br>• Bandwidth monitoring<br>• Traffic shaping<br>• Basic logs and reporting | Balance number of tools with administrator skill level. May be critical with a high # of PCs on the network | Basic reporting | Enterprise-level tools and reporting required |
Pricing
| Criteria | Considerations | Small Org’s | Med. & Enterprise Org’s |
|---|---|---|---|
| • Initial purchase price for appliance<br>• Additional subscriptions for gateway, security etc.<br>• Support, warranty & repair fees<br>• Installation fee | Choose an appliance that will grow with you. Choose a vendor who can provide you with other IT solutions. | Find balance between short-term costs, security exposure, and growth support | Focus on longer-term potential risk of loss of assets/income |
Check out the NetSentron’s specs right now!
