How To Choose A Firewall

A firewall product is often treated like a commodity, as if all firewalls were the same and the only difference was the brand name. Yet a firewall is the most important piece of equipment protecting your network, and the criteria that matter differ by model and supplier: certain features are included on some firewalls and not on others. Many suppliers try to get your attention with what initially appears to be a very low purchase price; however, once you add the upgrades and subscriptions needed to get all the features you want, the total price can be much higher.

Is the firewall you choose the right combination of value, security level, scalability, and support for your size of organization?

Here are the main factors to consider. Since many readers (like this writer!) are not quite as technically minded as our developers, many of the terms are linked to their Wikipedia definitions.


Scalability

Criteria: # IP Addresses to Protect
Considerations:
* Licensing? (Yes or No)
* Unlimited or limited number of licensed devices
* All products have performance …
Small Org's: Upgradable? Consider growth needs.
Med. & Enterprise Org's: Upgradable? Consider growth needs.

Criteria: # Concurrent Connections
Considerations: Varies by firewall model.
Small Org's: Upgradable? Consider growth needs.
Med. & Enterprise Org's: Upgradable? Consider growth needs.

Criteria: Performance (Throughput, VPN, UTM/Filtering)
Considerations:
* Check the firewall's specs for each of these separately.
* Throughput includes ALL traffic through all ports, not just the Internet link.
* Consider the number of users, type of media, Web servers, and link speed.
* UTM performance (antivirus, IPS, content filtering turned on) can be much lower than stateful-only performance; size against the UTM figure if you intend to use those features.
Small Org's: Upgradable? Consider growth needs.
Med. & Enterprise Org's: Upgradable? Consider growth needs.

Criteria: Configuration (# Ports, …)
Considerations: Check whether ports are FIXED function or CONFIGURABLE, and whether a sufficient number is provided.

Criteria: Type of VPN Access
Considerations:
* IPSEC is the most common.
* PPTP is supported by some firewalls only. Its MS-CHAPv2 authentication is known to be breakable, so treat PPTP as a legacy convenience, not a security option.
* SSL VPNs are usually a separate product, but some firewalls include SSL access for a small number of users.
Small Org's: IPSEC is preferable; PPTP only where the required security level is genuinely low. Firewall + SSL/VPN might be OK for a small number of users.
Med. & Enterprise Org's: IPSEC is the more secure option. You may have to buy a separate SSL/VPN product for optimal performance with some firewalls.
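The sizing rows above (IP addresses to protect, concurrent connections, throughput with and without UTM) can be turned into a simple check of a candidate model's spec sheet against what a site actually needs, with headroom for growth. The following is an added example written for this article; it is not NetSentron code and the two model spec sheets and the site profile are constructed figures for illustration, not any real product's numbers.

```python
"""Capacity check for candidate firewall models against a site's needs.

Added example for this article; the FirewallSpec figures below are
constructed for illustration and do not describe any real product.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FirewallSpec:
    """Spec-sheet figures for one model (constructed values)."""
    name: str
    stateful_mbps: int           # throughput with stateful inspection only
    utm_mbps: int                # throughput with AV/IPS/content filtering on
    vpn_mbps: int                # rated IPsec VPN throughput
    max_connections: int         # maximum concurrent sessions
    licensed_ips: Optional[int]  # None means an unlimited device licence


@dataclass(frozen=True)
class SiteProfile:
    """What the firewall has to carry today (constructed values)."""
    link_mbps: List[int]   # every link whose traffic traverses the firewall
    protected_ips: int     # devices behind the firewall
    conns_per_ip: int      # peak concurrent sessions per device
    vpn_mbps: int          # VPN traffic at peak
    utm_enabled: bool      # will AV/IPS/filtering be turned on?
    growth_factor: float   # 1.5 = plan for 50 % growth over the contract term


def required_throughput(site: SiteProfile) -> float:
    # Throughput must cover ALL traffic through all ports, so sum every link.
    return sum(site.link_mbps) * site.growth_factor


def required_connections(site: SiteProfile) -> float:
    return site.protected_ips * site.conns_per_ip * site.growth_factor


def check_model(spec: FirewallSpec, site: SiteProfile) -> List[Tuple[str, float, float]]:
    """Return (criterion, required, rated) for every criterion the model fails.

    An empty list means the model meets every sizing row with growth headroom.
    """
    failures = []
    # UTM throughput is usually far below the stateful figure; compare against
    # the one that matches how the box will actually be run.
    rated_tput = spec.utm_mbps if site.utm_enabled else spec.stateful_mbps
    need_tput = required_throughput(site)
    if need_tput > rated_tput:
        failures.append(("throughput", need_tput, rated_tput))

    need_vpn = site.vpn_mbps * site.growth_factor
    if need_vpn > spec.vpn_mbps:
        failures.append(("vpn_throughput", need_vpn, spec.vpn_mbps))

    need_conns = required_connections(site)
    if need_conns > spec.max_connections:
        failures.append(("concurrent_connections", need_conns, spec.max_connections))

    need_ips = site.protected_ips * site.growth_factor
    if spec.licensed_ips is not None and need_ips > spec.licensed_ips:
        failures.append(("licensed_ips", need_ips, spec.licensed_ips))
    return failures


def shortlist(specs: List[FirewallSpec], site: SiteProfile) -> List[str]:
    """Names of the models that pass every check for this site."""
    return [s.name for s in specs if not check_model(s, site)]


# Constructed spec sheets for two hypothetical models.
MODEL_A = FirewallSpec("Model A (entry)", stateful_mbps=1000, utm_mbps=150,
                       vpn_mbps=200, max_connections=100_000, licensed_ips=50)
MODEL_B = FirewallSpec("Model B (mid-range)", stateful_mbps=5000, utm_mbps=1200,
                       vpn_mbps=800, max_connections=1_000_000, licensed_ips=None)

# Constructed site: two 100 Mbit/s WAN links, 60 devices, UTM on, 50 % growth.
SITE = SiteProfile(link_mbps=[100, 100], protected_ips=60, conns_per_ip=50,
                   vpn_mbps=30, utm_enabled=True, growth_factor=1.5)

if __name__ == "__main__":
    for spec in (MODEL_A, MODEL_B):
        for criterion, need, rated in check_model(spec, SITE):
            print(f"{spec.name}: {criterion} needs {need:g}, rated {rated:g}")
    # The same site with UTM off: Model A's stateful figure is ample, which is
    # exactly why the UTM number, not the headline throughput, has to be checked.
    no_utm = SiteProfile(link_mbps=[100, 100], protected_ips=60, conns_per_ip=50,
                         vpn_mbps=30, utm_enabled=False, growth_factor=1.5)
    print("Model A without UTM fails:", [c for c, _, _ in check_model(MODEL_A, no_utm)])
    print("Shortlist:", shortlist([MODEL_A, MODEL_B], SITE))
```

Run as shown, the entry model fails on UTM throughput (300 Mbit/s needed after growth against 150 rated) and on the 50-device licence, yet passes on raw stateful throughput; this is the trap the Performance row warns about, where the headline figure on the box is not the figure that applies once filtering is enabled.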

Security Level

Criteria: Certification
Considerations:
* ICSA is the basic certification level.
* Common Criteria (EAL4+)
Small Org's: ICSA
Med. & Enterprise Org's: ICSA, Common Criteria

Criteria: CERT Advisories (vulnerabilities found)
Considerations:
* Vendors whose products have few published vulnerabilities, and who patch (fix) them quickly, are desirable.
* A product with no published vulnerabilities is not automatically more secure; it may simply have had less scrutiny. Judge the vendor on how openly it discloses issues and how fast fixes ship.
Small Org's: Fewest number possible, quickly fixed by vendor patch downloads.
Med. & Enterprise Org's: No vulnerabilities desirable; any found quickly resolved by the vendor.

Criteria: Protection Architecture
Considerations:
* Stateful firewalls are good; stateful + proxy firewalls are better.
* Look for a secure OS, robust design, and good reputation.
* IPS (signature based)
* Layer 7 Unified Threat Management (UTM)
* A stateful firewall is the basic business requirement.
* A proxy firewall can provide additional protection for internal networks.
* Evaluate the quality and types of content filtering in the UTM.
Small Org's: Minimum: stateful- or proxy-based Layer 7 antivirus and IPS. Desired: complete UTM.
Med. & Enterprise Org's: Minimum: stateful- + proxy-based complete UTM + IPS + anomaly protection.

Reliability, Redundancy & Support

Criteria: Redundant Architecture
Considerations:
* Dual power supply
* RAID disk or solid-state storage
* WAN failover and load balancing
* High Availability (unit-to-unit) failover with 2 units; can be Active-Active or Active-Passive
* Mission Critical firewalls need some or all of these features.
Small Org's / Med. & Enterprise Org's: Nice to have. WAN failover is required for Mission Critical installations.

Criteria: Support Level
Considerations:
* 8 hours × 5 days a week
* 24 hours × 7 days a week
Choose the appropriate support level.
Small Org's / Med. & Enterprise Org's: 8×5, unless Mission Critical, then 24×7.

Criteria: Warranty & Response Time
Considerations:
* 1 or 3 year warranty is typical.
* Depot service (mail-in) = slowest
* Next Business Day onsite = next best
* 4 Hour onsite = best
Choose the appropriate level to guarantee business continuity.
Small Org's: 1 or 3 yr. / depot or next business day response
Med. & Enterprise Org's: 3 yr. + / at least next business day response

Management & Reporting

Criteria: Management & Reporting Tools
Considerations:
* Network management tools and logs
* Bandwidth monitoring
* Traffic shaping
* Basic logs and reporting
Balance the number of tools with the administrator's skill level. May be critical with a high number of PCs on the network. Whatever the reporting level, make sure logs can be forwarded off-box (e.g. to a syslog collector) so they survive a failure or compromise of the firewall itself.
Small Org's: Basic reporting
Med. & Enterprise Org's: Enterprise-level tools and reporting required


Cost

Criteria: Total Cost of Ownership
Considerations:
* Initial purchase price for the appliance
* Additional subscriptions (gateway, security, etc.)
* Support, warranty & repair fees
* Installation fee
Choose an appliance that will grow with you. Choose a vendor who can provide you with other IT solutions.
Small Org's: Find a balance between short-term costs, security exposure, and growth support.
Med. & Enterprise Org's: Focus on the longer-term potential risk of loss of assets and income.

Check out the NetSentron’s specs right now!