If you're upgrading your firewall, or installing one on your network for the first time, you'll discover that firewall technology has changed a lot in the last several years. How do you select one that's appropriate for your business?
Before you meet with firewall vendors, assess the needs of your organization. In performing a firewall requirements inventory, you should first determine a mandatory list of features and level of performance, then decide what added functionality you would like to have on top of that. Your "must" list should help cut down your vendor list.
The following questions will guide you through the selection process:
What kind of firewall does your organization require: proxy, stateful packet inspection, or a hybrid?
Proxy firewalls filter services at the application level, and in essence, create a virtual connection, hiding the internal client IP address and concealing the network topology of the internal network from the outside world. If a proxy firewall is bundled with an intrusion detection module, it can analyze traffic patterns and often prevent denial of service (DoS) attacks--something not all firewalls can do inherently.
Stateful packet inspection firewalls are based on the filtering of packets at the network level--these firewalls examine protocol packet header fields: source IP address, destination IP address, TCP/UDP source ports, and TCP/UDP destination ports. They're "stateful" because the firewall can remember prior connection states, and continuously updates this information in dynamic connection tables. The firewall evaluates subsequent transactions against prior connection histories. Check Point's Firewall-1 goes beyond that: it also collects application state information and uses it to make decisions about RPC- and UDP-based traffic.
A hybrid firewall is the newest kind; it combines stateful packet inspection with proxy filtering.
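To make the "dynamic connection table" concrete, here is a toy stateful packet filter written for this article (an added example, not code from the article or from any vendor product). It keys state on the header fields listed above, lets only inside-initiated flows create state, and matches replies (including connectionless UDP, the case the text says needs extra state) against that table instead of re-evaluating policy; the internal prefix and all packets are constructed sample values.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # assumed internal address prefix (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    """Policy is applied only to new outbound flows; later packets are matched
    against the dynamic connection table instead of being re-evaluated."""
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table = set()  # connection table: (proto, src ip, src port, dst ip, dst port)

    def _key(self, p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reply_key(self, p):
        # A reply to A:a -> B:b arrives as B:b -> A:a; look it up reversed.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def evaluate(self, p):
        if self._key(p) in self.table or self._reply_key(p) in self.table:
            return "ALLOW (existing state)"
        inside_src = p.src_ip.startswith(INTERNAL_NET)
        inside_dst = p.dst_ip.startswith(INTERNAL_NET)
        if inside_src and not inside_dst:
            if p.dst_port in self.allowed:
                self.table.add(self._key(p))   # remember the new connection
                return "ALLOW (new outbound)"
            return "DROP (policy)"
        return "DROP (unsolicited inbound)"

def demo():
    """Walk a few constructed packets through the filter and return verdicts."""
    fw = StatefulFilter(allowed_outbound_ports={53, 80, 443})
    web = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)
    web_reply = Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 40000)
    # Same ports as the real reply but a different source: a stateless rule
    # that permits "inbound from port 443" would pass this; the table does not.
    spoofed = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40000)
    dns = Packet("udp", "10.0.0.5", 53001, "192.0.2.53", 53)
    dns_reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53001)
    return [fw.evaluate(spoofed), fw.evaluate(web), fw.evaluate(web_reply),
            fw.evaluate(spoofed), fw.evaluate(dns), fw.evaluate(dns_reply)]
```

A real product also ages entries out of the table and tracks TCP flags, which this model omits.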
Do you require an enterprise class firewall?
An enterprise firewall appliance is a turnkey hardware/software device that has all components pre-installed and pre-configured as much as possible, and manages a security policy for an entire enterprise. These are best suited for organizations that require multiple firewalls that need to be managed from one location. An enterprise firewall appliance must be able to log to a central control console to be considered enterprise-ready. Examples of leading enterprise firewalls include Check Point's Firewall-1, Symantec's VelociRaptor, and Watchguard's Firebox II.
Do you require built-in high-availability?
Built-in high-availability means that if your firewall loses its operational capabilities, it can make a transparent cut-over to a second firewall, which takes over all the operational capabilities of the first. If you're a typical IT shop, high-availability is probably not necessary, as long as your one production firewall is carefully installed, maintained, and backed up. However, if you're a large managed service provider with hundreds of customers who depend on a firewall, you need a high-availability product. If you don't have this capability in place, you risk leaving your network exposed or completely blocked off if your firewall stops working. Some firewall appliances, like the Nokia IP600 series, cut over to backup systems especially well. The Nokia IP650 uses Check Point's Firewall-1 and VPN-1 software running on a machine with a 450 MHz Pentium II processor.
To create high-availability with a software-based firewall, you need to purchase two sets of hardware and software packages, then install a high-availability package like Stonesoft's Stonebeat on top of them. Therefore, if you need high availability, a hardware-based firewall is probably the way to go.
Are you looking for a firewall appliance or a software-based firewall?
Firewall appliances come with software embedded and bundled with the hardware platform, making them faster to deploy and configure than pure software firewalls. If you are installing a firewall as a result of a security incident, such speed of implementation might be critical to your selection. Appliance firewalls are not necessarily more inherently secure--the real value is in their speed of implementation, cost savings, and ancillary features such as high availability and load balancing.
Leading firewall appliances include:
- Nokia IP650
- Symantec/AXENT VelociRaptor
- Cisco PIX 535
- Watchguard Firebox II Plus
- Cyberguard KnightSTAR
- RapidStream 8000
The biggest advantage of software-based firewalls is that they offer more flexibility and scalability. The biggest disadvantage is the added time they take to procure and implement. Because of their richer configuration options, software firewalls often take longer and therefore cost more to implement properly.
If you decide a software-based firewall would work best for your organization, you need to determine what platform it should run on. Typical platforms for firewall installations include Solaris, HP-UX, Linux, OpenBSD, FreeBSD, NetBSD, Windows NT or 2000, NetWare, or even MacOS.
In most cases, Unix firewalls are a safer bet than Windows NT or 2000 because Unix operating systems are easier to harden and lock down. OpenBSD, a Unix derivative, is a particularly good platform for firewalls, since it comes pre-hardened by default.
However, your choice of platform may depend on another consideration--what operating systems you are already using. Your familiarity with managing a given platform may balance out the enhanced security of an unfamiliar operating system that your staff will need training to manage.
How important is firewall speed and performance?
If your network is a basic print, mail, and file-sharing network, and you never receive complaints about network performance, a firewall that has been optimized for performance is probably not necessary.
Applications that typically affect performance include streaming media and virtual private networking (VPN). If you send streaming media through your firewall using applications like RealVideo 8, CU-SeeMe, or Netscape CoolTalk, specify a firewall configured with a minimum of 256MB of RAM, and one that can handle a large number of simultaneous connections.
The Netscreen-1000 firewall appliance is particularly well-suited for performance-constrained implementations. It can accommodate as many as 700,000 simultaneous connections, with a maximum throughput of 1 gigabit per second.
Do you need VPN capabilities?
If you're implementing site-to-site encryption, get a firewall with built-in VPN capabilities. Be sure to select one that also supports a secure remote access VPN client. And be sure the VPN supports IPSec, the most popular standard in VPN encryption protocols, since more add-on auxiliary security services and products interoperate with IPSec than any other security protocol.
Think you have a good handle on what to look for now? Not yet! Next time I'll discuss seven more firewall features you should consider.
Laura Taylor is the Chief Technology Officer and founder of Relevant Technologies. Ms. Taylor has 17 years of experience in IT operations with a focus in information security. She has worked as Director of Information Security at Navisite and as CIO of Schafer Corp., a weapons development contractor for the Department of Defense.