The best firewall is ....
ALERT: You're reading the ancient 2005 version of this article! There's a new one, published in June 2009. Click this link to find out what the best firewalls currently are.
Firewalls are old hat these days. The majority of firewall vendors are now leveraging their firewall technologies and hardware as a basis for security appliances that provide services far in excess of the tasks a humble firewall used to provide.Contents
This convergence can impact in two ways. On the positive side, if the appliance is easy to manage and it fits the application and environment perfectly then go for it. On the negative side, with all the eggs in one basket, poorly scoped deployments, or situations where the product does not quite fit the environment, it can be a trigger for disaster. If the device lacks the redundancy needed for that deployment, a single failure in one subsystem can mean that the whole device is offline.
Likewise a security administrator who mis-configures one of the services may also cause detrimental effects on other services running on that box. Even minor glitches, which may require the redundant system to kick in and take over, can be a nightmare -- particularly when all the various connection states need to be maintained in a mirrored environment. This is where loads really need to be considered. Careful evaluation and testing needs to be performed before committing to any single security appliance.
Firewall technology evolution
Fundamental firewall technology has not changed much in recent times. It separates into a few broad categories and most vendors incorporate some or all of them into their toolset.
The most common baseline requirement these days is Stateful Packet Inspection (SPI). Vendors also generally incorporate forms of individual packet filtering as well as port filtering. There are two other features now commonly found in most mainstream firewalls -- these are; that they act as application gateways or proxies, and can also have rule/policy-based access control lists-referencing IP addresses/ranges, network user-IDs etc. Some vendors also enable the administrator of the device to set up advanced rule sets to enforce the enterprise's security policies and framework, be it content filtering, Web access/content control, blacklists/whitelists, or even bandwidth shaping and management.
Virtual firewalls and virtual policies/rule-sets are now making an appearance -- allowing several administrators to have access to their own areas and rules on the one appliance.
Stateful Packet Inspection
Stateful Packet Inspection (SPI) is a simple form of data scanning whereby data is scanned on a packet-by-packet basis according to whether or not the firewall deems the data to be legitimate.
Any suspicious or non-requested packets are flagged, logged, or simply denied. Packets are only allowed to pass through the firewall if they are associated with a valid session initiated from within the network.
If a Trojan has managed to breach the other security defences due to a negligent user--the SPI firewall will allow that data through as it seemingly comes from a legitimate request on the LAN. Where SPI firewalls come into their own is in conjunction with other methods of data scanning within the firewall, or with another firewall on the LAN. SPI provides a percentage of coverage while still maintaining performance across the network.
If a large enterprise was looking to protect its corporate network and if every single packet of data both inbound and outbound needed to be captured, logged, scanned for strange characteristics, and then traced, the network bandwidth hit would be unacceptable and the firewall would cause a bottleneck. While not an ideal solution, SPI can ease the pain while other techniques can be implemented to handle its deficiencies. A benefit of SPI is that it can be utilised as an additional technology to protect a Demilitarised Zone (DMZ) or a network that is required to allow public access to some machines/servers. It can allow specific individual IP addresses or segments on the LAN to have open ports, so the administrator can essentially select from a list -- ports to open/close for any given machine's IP address on the LAN.
The majority of these devices are more than just firewalls but we have kept our focus on firewall considerations for the time being -- see the feature tables for some of the additional extras.
CyberGuard SG710Contents
This 1RU-sized unit incorporates 10 x 10/100 Ethernet ports -- there is also a nine-pin serial console port along with five status LEDs. The rear of the unit has an IEC power connector, a power switch, a small fan, and an expansion port. In the unit we received there was no expansion card.
Configuration, administration, and management are all conducted via a Web browser. Great flexibility is available, in particular the user-configurable ports can be set to load balance WAN Internet connections, ADSL, cable and so on.
There are a range of additional features such as Intrusion Detection and VPN systems, including the ability to act as either server or client for PPTP or L2TP IPSec. GRE and Port Tunnelling are also supported. The device also has the capability of quality-of-service traffic shaping and content filtering via black lists.
Centralised management is also supported along with Syslog. Logging is relatively limited with nine predefined categories being sent out to the syslog server port. Alternatively the system log can be sent to an e-mail account. There are no report-generating tools integrated into this device.
Overall, a fairly straightforward and easy-to-use device. A good range of ports would provide the flexibility most small businesses would need. A definite plus is the ability to set two WAN ports and provide fail over or load balancing across two PPPoE ADSL connections or even cable connections.
| |||||||||||||||||||||||||||||||
Contents
Fortinet provided a very sleek black and silver number. At the front of the 1RU unit there are eight Ethernet ports (four internal, two DMZ, and two WAN), two USB ports, a console port, and a power LED. Also on the front there is a small backlit LCD and four buttons used for navigation around. The rear houses a small fan, a power switch, and an IEC power socket. Construction of the unit is excellent and the quality of workmanship and design is great.
The operator can select and set the IP addresses for the internal and external interfaces. Once on the network from the inside, the administrator can point a browser at the designated IP address using HTTPS and access the administration console.
A possible concern is that the default admin password is blank, however, one would assume in this day and age most security administrators designated the task of configuring the company firewall would immediately set a secure password.
The console itself is well laid out and very easy to navigate and manage. Primary actions are performed using the menu system on the left hand side. There is also a neat shortcut menu at the top of the screen enabling the administrators/operators to access a few helpful items, such as a Java console session to the CLI, (yes, for those hardcore CLI techs out there the Fortinet 200A can be accessed through a console), another handy shortcut is one to a basic setup wizard.
A plethora of software add-ons are available for licensing -- the box we were shipped had spam, Web and virus filters as well as intrusion and prevention systems.
Filtering and reporting is quite comprehensive, of particular note is the granularity with which one can configure the log filter, exporting various events and logs to different logging/reporting systems as needed.
Overall, a very refined and developed system, certainly worthy of shortlist for trial and evaluation. It is relatively straightforward and easy to use -- as a security appliance should be.
| |||||||||||||||||||||||||||||||
Contents
The heavy hitter in this review is Juniper's ISG1000 and by no means is this the largest firewall that Juniper carries.
It is hard to really criticise this device -- there is little that it is not capable of. In most Australian corporate networks it would be hard to find the ISG1000 causing any bottlenecks. Just check the features table for the list of what it can do.
The ISG1000 is a 3RU device. The rear has an easily removable power supply unit, with a IEC power socket and power switch. Both sides of the unit have large ventilation grills. There are three full-height fans vertically mounted in a removable tray. On the front of the device are nine status LEDs, a compact flash slot, console, and modem ports.
There is one dedicated management Ethernet port along with four configurable Ethernet ports. Above these there are two modular-slots, the firewall we were offered for the review had an eight-port copper Ethernet module in bay two, as well as a two-port fibre module installed in bay one. Naturally, the modular design means that users can purchase and install a wide array of modules to suit their specific needs and infrastructure. With the size of the fans the unit is relatively loud when running, but this is not a device designed to sit in the corner on top of the server, so keep some room available in the data centre racks.
The policy control for the monitoring and reporting systems is almost as comprehensive as the device's other capabilities.
Overall, the ISG1000 is clearly designed for the large enterprises or even carrier/ISP market. If you are in the market for a large-scale firewall then look no further than the ISG1000. If the 1000 is outside the budget for your requirements then look at some of the other firewalls further down on the Juniper tree, pardon the pun.
| |||||||||||||||||||||||||||||||
Contents
The concept of the Brick firewall and also the management behind it is excellent. This whole firewall device family is suited to businesses spread over multiple geographic sites and with varying sizes of operation. For example a corporate HQ with 800 employees could deploy the larger Brick solutions to protect their primary network and its interconnections with external networks, while the same company could deploy smaller Bricks in its remote sales and retail locations to protect their smaller networks. It can all be tied together with the Lucent Security Management Server (LSMS).
Alternatively the Lucent Brick technology can be deployed within an enterprise's single geographic network environment and used as a "defence in-depth" strategy to segregate, monitor, and protect different networks and sub-networks. The beauty of the system is in its LSMS management console application which enables security administrators to centrally control and manage hundreds and even thousands of registered Bricks from the one location -- 10,000 Bricks according to Lucent's LSMS Web site.
The Lucent Brick 150 that we were supplied for this review was a robust (read heavy) 1RU device. A neat feature is the ability to create virtual firewalls and policies within the one device. The primary system administrator can then assign quite granular access rights and privileges to nominated parties to allow sub-administration and report creation to be performed without allowing the operators full access to the device. These rules can be controlled to a point where each policy change can be sent to the system administrator to approve prior to its executions.
Logging in its most basic form is via text to a central directory. The Bricks can then be set to push this log out to a central repository or server for report-processing. There are quite a few popular report-management tools that can be used to create usable reports. The administrator has the ability to set several levels of logging for virtually every function of the device, enabling logging to be tailored to the owners requirements.
The Lucent Brick family is well suited to deployment within VoIP-enabled enterprises. Several specific rules and policies can be created to enable dynamic pinholes to be created in the firewall to allow SIP and H.323 traffic in and out. This saves great slabs of port ranges having to be open and therefore made potentially vulnerable. Again granular rules and policies can be enabled to allows control of this traffic -- even between virtual policy groups on the one device.
The Brick family enables the administrator to apply quite a comprehensive array of bandwidth controls, from maximum session speeds to individual group aggregate speed. Bandwidth availability can also be evenly spread across users and a percentage can be set to retain some usability in the event of a denial-of-service attack.
Lucent is one to shortlist for evaluation, particularly if the enterprise is spread geographically with many offices or if multiple firewall layers are called for.
| |||||||||||||||||||||||||||||||
Contents
Netgear, the appliance hardware vendor to the SOHO market and small business, is now going for the slightly bigger fish with the FVX538. Anyone familiar over the years with Netgear's consistent quality devices will not be disappointed with the FVX538.
The traditional dark blue and no-fuss sturdy steel chassis are still there. While not 19in, this device comes with metal "ears" which attach to the side, enabling it to be mounted in a 19-inch rack. It also comes with small rubber feet which can be attached to use in the comms closet or it can sit on top of the server.
There are two WAN ports, an eight-port 100Mb switch, and a Gigabit port. It has an internal power supply with a standard IEC connector, so there is no nasty power packs to try and plug in just to have fall out whenever someone goes near it.
Administration and configuration is done via a familiar Netgear browser interface. While the interface can appear cluttered, a short time with it will soon alleviate apprehensions -- particularly given the well laid out help in the right-hand frame. Comprehensive Web support is also available at the bottom of the left-hand frame.
Both WAN ports support PPPoE. WAN ports can be configured with automatic failover (rollover) or load-balancing modes. There are relatively comprehensive logs and alerting facilities -- syslog and e-mail are the primary methods.
Overall, this firewall would provide a very sturdy gateway for branch/remote offices. The WAN port functions are very good and for businesses connected with ADSL it could even replace their router, and enable options such as failover or load balancing.
| |||||||||||||||||||||||||||||||
Contents
Looking for a solution that is out of the box? The concept behind Network Box is a security service system managed remotely. Network Box sends and engineer on-site who delivers, sets up the device and performs an initial configuration, then leaves. But that is far from where Network Box's involvement in ends.
Everything else security wise is managed, monitored, updated and configured remotely by the Network Box operation centres (see their Web site for more details and NOC locations). Being an Internet connected device the NOC's can really be anywhere. If a business feels that their IT department is simply unable to keep up with the latest security threats and mitigation technologies -- or perhaps external security consultant costs are piling up then perhaps it is time to call Network Box.
Not only does the Network Box device act as a firewall, it also can perform gateway anti-virus scanning, gateway anti-spam, intrusion detection, VPN connections and content filtering.
Although someone else is assuming the responsibility and management of the gateway security, it is still worthwhile performing routing security scans and checks to ensure that everything is in order. It is also advisable to regularly check the reporting interface provided. It is easily accessed via a secure internal browser based address.
A managed security service may be worthwhile for small to medium enterprises aware of the damage a security breach could wreak, yet unsure or unable to adequately protect and defend their network. Even organisations wishing to add another layer of security to their existing infrastructure might be interested.
| |||||||||||||||||||||||||||||||
Contents
Yet another appliance from SonicWALL that has the potential to deliver the -whole enchilada" of security services -- from firewall to secure wireless gateway services using proprietary SonicPoints (Access Points).
It even has anti-spyware functionality. The 5060 is the big brother in the SonicWALL family of firewalls. Sporting six-user configurable copper Gigabit ports fibre versions are also available. Along with Ethernet ports, the front of the 1RU device also has a nine-pin serial console port and three status LEDs (power, test, and alarm). The rear of the unit has five smallish fans which are surprisingly quiet.
Reporting and management can be performed through the Web-based console for basic deployments or via feature rich Viewpoint software. For even more advanced command and control over many SonicWALL devices, its Global Management System (GMS) is also available.
The thing which has always impressed us is the amount of options available to run through the SonicWALL device family. There still is the issue of being locked in with a single vendor -- putting all your eggs in one basket from a failure point of view -- however if it is critical, redundancy is available.
Both of these potential drawbacks can virtually be cancelled by the ease of deployment and management, and the fact that any SME deploying SonicWALL devices can be assured that even their future security requirements can be catered for. This can become quite relevant if wireless network access may be on the cards.
| |||||||||||||||||||||||||||||||
Contents
The faceplate of the device sports a small LCD along with six small recessed buttons and five status LEDs showing power, temperature, network, and disk status/activity.
The rear of the device is where all the ports are located, including a serial/console port, two USB ports, and six copper network ports. There is a standard IEC power connector and a small power switch.
Once the machine has been booted and the initial addresses, (IP, subnet, gateway) and password set via the LCD, the system reboots and the administrator can then access it via a browser using HTTPS and port 2456. Then a preliminary configuration wizard runs. Some of the systems features in addition to firewalling are; VPN, content filtering, antivirus scanning, intrusion detection, and prevention, as well as hardware encryption.
Symantec developers have certainly exercised a prodigious amount of Java coding to create this management interface. Reports can be generated directly from the interface, and saved in either PDF or HTML format â€" there are even options for page sizes. There are also 38 different types of report that are available to be generated at the click of a button.
Overall this is a well-designed device with plenty of scalability. The management and administration interface may take a little time to get used to.
| |||||||||||||||||||||||||||||||
Contents
All the ports and buttons are located on the front of the device, including six copper network ports, a serial/console port, four configuration buttons, a small backlit LCD, and 12 status indications, 10 of them showing each of the network port's connection speed (either 10Mbps or 100Mbps). The remaining two LEDs show power and Arm/Disarm. The rear of the unit has a standard IEC power connector and a power switch.
As with Watchguard products we have reviewed in the past, configuration and administration is performed via a client-based application, Watchguard System Manager (WSM). Once installed the user is guided through a quick setup wizard that covers things such as the licence key and initial port setup. Interestingly, Fireware 8.0 can unlock a lot of additional functionality in the device. Watchguard applies a -Golden Screwdriver" approach to their products, enabling it to grow with the client instead of needing a forklift replacement.
Administration is via the WSM and a very straightforward menu system is available augmented by a graphical -button" system. Amongst the usual formats, Firebox logs can also be output in XML (with Fireware Pro) and WebTrends (WELF) format. Once the Firebox System Manager is launched a graphical representation is shown of traffic load as well as port status and other key system details.
Overall, this is a very well-designed firewall, with a configuration system slightly differentfrom the run-of-the-mill browser-based systems. The Watchguard configuration system, while slightly more complex than the usual browser systems, adds greater flexibility and increased security. The WSM user interface and management system is very well designed considering the features of the device being controlled.
| |||||||||||||||||||||||||||||||
| Product/Model | SG710 | FortiGate 200A | ISG1000 | Brick 150 |
| Company | Cyberguard | Fortinet | Juniper Networks | Lucent Technologies |
| Phone | 07 3435 2888 | 02 8923 2555 | 02 8913 9800 | 02 9491 6500 |
| Web Site | www.cyberguard.com | www.fortinet.com | www.juniper.net | www.lucent.com/security |
| Price (as tested) | AU$4490 | AU$12,580 | AU$33,000 | AU$3113 |
| Product price range | AU$499 - $6250 | AU$1000 - $100,000 | N/A | AU$1868 - $3113 |
| Warranty | 1 year | 1 year | 1 year | 1 year |
| E-mail support | 24 hours | 24 hours | Web support available | |
| Phone support | Business hours | $743 for 8 x 5 | Phone support available | |
| Form factor | 483 rackmount | 44 x 432 x 270 | 13 x 44 x 58 | 45 x 279 x 182 |
| Security certifications | ICSA, VPNC Conformance and Interoperability | AV, VPN, Firewall & IDS/IDP | FCC class A, CE class A, C-Tick, VCCI class A | ICSA V4.0 Firewall Certified , ICSA V1.0B IPSec Certified |
| Number of user configurable Ethernet ports | 4 network segments (2 x 4 port switches. All 10/100) | 5 | 4 fixed 10/100/1000 | 4 10/100 Base-TX Ethernet Ports |
| Number of fixed Ethernet ports trusted | Untrusted, trusted or DMZs | configurable | configurable | configurable |
| Number of fixed Ethernet ports untrusted | Untrusted, trusted or DMZs | configurable | configurable | configurable |
| Number of fixed Ethernet ports DMZ | Untrusted, trusted or DMZs | configurable | configurable | configurable |
| Other ports | Serial port for config or dial out for back up internet | 1 x Console + 2 x USB | Console / Modem | SVGA video, DB9 serial, Parellel, 2 x USB |
| Network Address Translation | Yes | Yes | Yes | Yes |
| Packet filtering | Yes | Yes | Yes | Yes |
| Stateful inspection | Yes | Yes | Yes | Yes |
| Application proxy | No | Yes | No | Yes |
| Policy based traffic routing | Yes | Yes | Yes | Yes |
| QoS support | Yes | Yes | Yes | Yes |
| VLAN support | Yes | Yes | Yes | Yes |
| Max. port throughput while firewalling (Mb/sec) | 300 | 150 | WireSpeed to device maximum | 334 |
| Max. sessions | TCP 100,000 and UDP 150,000 | 400,000 | 250,000 | 245,000 |
| Monitoring methods | Web, CMS, SNMP | Fortimanager appliance CMS, Web client | SNMP, Console, Telnet, SSH, SYSLOG, CMS | Via Security Management Server Navigator and Remote Navigator |
| Reporting methods | SNMP, Syslog, SMTP | Fortilog, Syslog, SNMP, WELF | SNMP, Console, Telnet, SSH, SYSLOG, Security Manager | SNMP, Syslog, SMTP, direct page, console message |
| Management method(s) | HTTP, HTTPS, telnet, SSH, CMS | Fortimanager appliance, SSL, SSH. | SNMP, Console, Telnet, SSH, HTTP, SSL, Security Manager | Management Server, Remote Navigator, LSMS CLI |
| VPN support | Yes | Yes | Yes | Yes |
| VPN encryption | DES, 3DES, AES | PPTP, L2TP, IPSec, DES, 3DES, AES | DES, 3DES, AES | DES, 3DES, AES |
| VPN DES speed (Mb/sec) | 42 | N/A | 1Gbps | 150 |
| VPN 3DES speed (Mb/sec) | 42 | 70 | 1Gbps | 150 |
| VPN AES speed (Mb/sec) | 42 | N/A | 1Gbps | N/A |
| Other option(s) | Snort IDS, Squid Proxy/cache, NASL, failover, Clam AV, Mailshell AS and HA | IDS/IDP, Antivirus, Dynamic Routing (Rip, OSPF, BGP), Anti-spam, Content Filtering, Traffic Shaping, Diffserv, | IDP optional, Deep inspection included | IDS/IPS, others via Lucent Proxy Agent are Anti-Virus, Content/URL filtering |
| FVX538 | RM-300 | PRO 5060c | SGS 5420 | Firebox X1000 |
| Netgear | Network Box | SonicWALL | Symantec | WatchGuard |
| 1800 502 061 | 1800 638 269 | 02 9006 7914 | 02 8879 1041 | 02 8912 2199 |
| www.netgear.com.au | www.network-box.com.au | www.sonicwall.com | www.symantec.com | www.watchguard.com |
| $879 | $15,840 | $18,849 | $6600 - $11,000 | $5885 |
| $6325 upwards | $18,849 - $21,420 | $12,100 - $31,020 | ||
| 3 years | Full replacement for length of service contract. | 1 year | 3 year | 1 year |
| 24 hours | 8 x 5 Web | Included in managed service | Free | 2 incidents, 5 more when you renew contract |
| 24 x 7, free | Included in managed service. | Included in managed service. | Platinum - one year $800-1100 | 2 incidents, 5 more when you renew contract |
| 44 x 330 x 203 | 2U Rackmount | 445 x 431 x 412 | 445 x 438 x 438 | 45 x 426 x 240 |
| Radius client/ Groups and Hosts | N/A - Managed service. | ICSA Firewall, ICSA VPN, FIPS | ELA4 Plus Augumented | ISCA Firewall and Ipsec Certified |
| 8 | 4 to 13 | 6 | 6 | 6 |
| 8 | configurable | configurable | 5 | 1 initially, but user configurable |
| 8 | configurable | configurable | 1 to 5 configurable | 1 initially, but user configurable |
| 1 | configurable | configurable | 1 to 5 configurable | 1 initially, but user configurable |
| Console | N/A | Console | USB, serial port | console port |
| Yes | Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | Yes | Yes |
| Yes | Yes | No | Yes | Yes |
| Yes | Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | limited | Yes |
| No | Yes | Yes | Available with V3 Code | No |
| 90 | 95 | 1000 | 200 | 240 |
| 200 Simulataneous VPN Tunnels | 600,000 | 750,000 | Concurrent Connections 64000 | 200,000 Sessions |
| Web, Hypertrm | Web-based reporting and centralised monitoring - managed service. | Web, e-mail notification, GMS, Viewpoint | Web Based SSL Java Client, | Client App |
| SNMP, | Web-based, SMTP | syslog, SNMP, SMTP | Internal logging, Extended SSL, SESA. | SNMP, Syslog, SMTP, windows popup |
| Web, Hyperterminal | Centralised management | HTTP, HTTPS, GMS | Web Based SSL Java Client | Client App |
| Yes | Yes | Yes | Yes | |
| 3DES, AES | IPsec, L2TP, PPTP, GRE, DES, 3DES, AES, CAST, Blowfish, Serpent, Twofish. | DES, 3DES, AES | AES, 3DES, DES, IPSEC, SHA1, MD5 | DES, 3DES, AES |
| 80 | 82 | 500 | 140 | 100 |
| 80 | 82 | 500 | 90 | 100 |
| 80 | 89 | 500 | 30 | 100 |
| Anti-virus (Trend Micro) | IDP, anti-virus, SPAM filtering, web content filtering | IPS/IDS Gateway Anti-Virus, Anti-Spyware, RBL, Content Filtering | AV, IDS, CF,IPS, HA/LB, IDS | Gateway Antivirus, IPS, Web filtering |
Contents
We have a publicly addressable C-Class network space (253 public IP addresses) just for the lab alone, so luckily we were able to turn off all our own firewall rules on a range of our network and set up each of the vendors' devices on its own IP address. This simulates a typical network edge or perimeter firewall deployment, and each machine had one or two PCs or notebooks connected to it on the inside or LAN ports so that we could create policies and monitor traffic both in and out.
The last firewall review that we performed in the March 2004 edition of Technology & Business Magazine included a basic ability test. We ran a simple leaktest which is a simulated Trojan from the inside of the network. I also ran NMAP port scans against the inside and outside of the devices and a remote vulnerability scan on each device and devices situated on the network, so that we could be assured the scan was coming in remotely.
For internal purposes there are a plethora of capable vulnerability scanning and reporting software tools and hardware appliances such as Computer Associates' eTrust Vulnerability Manager Appliance or NetIQ's Vulnerability Manager Software.
This type of basic testing is a necessary to evaluate a firewall for the specific configuration a company will have in its environment. Once purchased and deployed it is necessary to regularly run similar pen-tests (penetration tests) and vulnerability scans to highlight any new found threats and take action.
It is now rather passé and redundant when used in relation to a review and is only a snapshot of the devices configuration and potential vulnerabilities at that one point in time. Most users would not purchase a firewall and simply connect it and run it under default configuration for many reasons. Most security vendors now wisely set their devices to -block all" from the factory, requiring administrators and operators to set up their own rules when the device is installed and initially configured on the network. If a product has a vulnerability that was known or detected by a scanning tool the vendor will usually be on it, ensuring that a patch was available as soon as possible.
This is not to say that security administrators can take a back seat approach and let the vendors drive them. Businesses should regularly stage and perform their own pen-testing of their network devices and resources to ensure that they are up-to-date and their network is as secure as they can make it at that point in time.
The next test that can be performed on these devices is a loaded throughput or performance test, while the lab is more than capable of performing this type of testing, the variance in potential environments, devices and configurations hinders a truly comparative performance test. At the end of the day each company will have their own varying amount of filtering policies, procedures that need to be applied, not to mention unique network load -- a performance test in this instance would be purely academic and of no real relevance.
We therefore decided to setup and run the individual firewalls and take a look at the devices and their management and identify strengths and weaknesses with an emphasis on the unique features between vendors. Also to take a look at the logging and reporting systems of each vendor and see how well they interoperated with third party reporting and analysis systems.
The benefit of having our own public facing IP range enabled us to set up each device on an open address and log all the traffic against that machine from the outside -- Script Kiddies running port scans and various other foot printing tools.
Contents
With such a range of firewall solutions it would be unfair to award an Editor's Choice to one single vendor so we have created two enterprise categories â€" medium and large.
The medium category goes to the SonicWALL product, for the same reasons that it won the scenario, with an honourable mention to Watchguard. Each are excellent devices, they both have their own special unique features, so it really comes down to the client's specific requirements.
The large category goes to Juniper for its physical configurability and options, redundancy options and relative ease of management and administration, given what is such a complex and powerful device.
An honourable mention must also be given to Lucent and if a category were to be created for a unified -family" of firewalls with powerful and flexible management it would certainly win with the Brick range and LSMS management software.
Contents
About RMIT IT Test Labs