Shopping for an enterprise firewall can be intimidating if you've never done it before. However, with a little background knowledge, an understanding of firewall features, and knowing what questions to ask the vendors, you'll end up with just the right firewall for your organization.
Types of Firewalls
One of the first things you need to figure out is what type of firewall best suits your needs.
There are six basic types of firewalls:
- embedded firewalls
- enterprise software-based firewalls
- enterprise hardware-based firewalls
- SOHO software firewalls
- SOHO hardware firewalls
- specialty firewalls
All of these firewall types typically offer stateful packet inspection or proxy capabilities. Stateful packet inspection and proxying are different techniques that firewalls use to decide what traffic to allow or deny into and out of your intranet. In the early days of firewall development, most firewalls offered one or the other of these traffic-passing architectures; today, leading firewalls with hybrid architectures offer both techniques to secure your intranet traffic.
Stateful packet inspection firewalls examine protocol packet header fields, while proxy firewalls filter services at the application level. Stateful packet inspection firewalls learn and remember connection states and evaluate new traffic transactions against prior connection histories. Proxy firewalls are able to create virtual connections and can hide the internal client IP address, making it more difficult to discern the topology of the protected intranet.
Firewall Types Explained
Embedded firewalls are firewalls that are embedded into either a router or a switch. Sometimes embedded firewalls come standard with certain routers, and other times you can purchase an add-on firewall module to install into a router or switch that you already have. Embedded firewalls are sometimes referred to as choke-point firewalls.
Due to the wide variety of protocols used on the Internet, not all services are handled efficiently by embedded firewalls. Because embedded firewalls work at the IP level, they will not be able to protect your network from application-level exploits such as viruses, worms, and Trojan horse programs. In some cases, embedded firewalls might offer greater performance, but they typically offer fewer features for protecting your networks. Embedded firewalls are often stateless in nature, and pass packets without consideration of prior connection states.
Software-based firewalls are software packages that you install on top of an existing operating system and hardware platform. If you have a server with an enterprise-class operating system available for use, purchasing a software-based firewall is a reasonable choice. Likewise, if you are a small organization and want to combine a firewall with another application server (such as your web site server), adding a software-based firewall is reasonable. If you are a large organization, you will probably want to create a security perimeter network known as a DMZ (demilitarized zone) and will therefore probably want to separate your firewall from all other applications. Software-based firewalls come in both small office/home office (SOHO) models and enterprise models.
Hardware-based firewalls are the same thing as appliance firewalls. The entire firewall is bundled into a turnkey system and when you buy it, you get a hardware device that has the software already inside it. Hardware-based firewalls, or appliance firewalls, also come in both SOHO and enterprise models.
Specialty firewalls are firewalls with a particular application focus. For example, some security servers and secure messaging servers have built-in firewall-type rules made specifically for filtering content. MailMarshal and WebMarshal are good examples of firewall-type products with a messaging and content filtering focus. A product that is not marketed as a firewall, but offers firewall-type rules and application lockdown features, is OKENA's StormWatch. As security technologies become more advanced, product segments sometimes start to blur, and you need to understand what the product actually does rather than rely on its vendor-marketed product definition.
Users, Locations, and Numbers
A consideration that should be very high on your list is how many users you need to protect, and how many firewalls you will need. The number of users you are going to protect will determine whether you need an enterprise class firewall or a SOHO firewall. (You can certainly use an enterprise firewall, even for one user, but you might be paying a lot more than you need to pay, and might end up with features you will never use.)
Most SOHO firewalls can accommodate enough connection requests for up to 50 users. If you plan on protecting more than 50 users with your firewall, it's time to move up to an enterprise firewall. SOHO firewalls typically range in price from $30.00 to $500.00. $30.00 firewalls are typically used for one person, one system. A $500.00 SOHO firewall is sufficient for a small field office of less than 50 people.
Enterprise firewalls, typically ranging in price from $500.00 to $20,000, are commonly used in organizations that require multiple firewalls that need to be managed from one location. This means that enterprise firewalls need to be able to communicate with some sort of central management console. Most vendors who make enterprise firewalls offer a central management console as an option.
Alternatively, there is a young and growing security market segment of Security Information Management (SIM) devices that can essentially be used as third-party management consoles. Both netForensics and e-Security make third-party SIMs that can integrate with various leading enterprise firewalls.
Depending on how you architect your security perimeter network, and how much money you are able to spend, one robust firewall on your perimeter may be sufficient for your organization's needs. The important thing is to ask the vendors you are interviewing how many users each firewall can support. Most reputable firewall vendors rate their firewalls for a certain range of user connections. Typically, the more users you need to support, the more RAM and processing power you will need in your firewall.
If you plan on pumping streaming media through your firewall, or plan on using a VPN, keep in mind that both of these applications benefit from more processing power and more RAM.
Software firewalls offer more flexibility than appliance firewalls, because you can choose what hardware platform you want to run the firewall on. However, deciding what hardware platform and operating system to build your firewall on is a decision that some information technology managers and small business owners do not have time to make. If the attitude of "I don't care what type of hardware platform the firewall runs on as long as it works" appeals to you, then an appliance firewall might be preferable. With an appliance firewall, you get a complete turnkey firewall bundled into one box. Because there are fewer procurement decisions to make, and everything comes pre-packaged as much as possible, getting an appliance firewall up and running is usually much faster than getting a software firewall up and running.
Unless you are using a specialty firewall, in most cases you will want to separate your firewall services and not install your firewall on top of other applications.
Today, almost all leading firewalls come bundled with network address translation (NAT) capabilities. However, there are different categories of NAT that you should be aware of. NAT gives you the ability to translate private or illegal IP addresses into legal public addresses, and as a side benefit, it helps to hide the internal topology of your network(s).
There are four types of NAT configurations to be aware of: one-to-one addressing, many-to-one addressing, one-to-many addressing, and many-to-many addressing.
The one-to-one NAT configuration is the most basic of all NAT features. This feature maps an internal IP address to a different external public IP address. Many-to-one addressing means that multiple internal IP addresses can be mapped to one external IP address. You might want to do this if you have an internal DHCP scope that you want to map to one external IP address. Many-to-many NAT addressing is for mapping groups of internal or external IP addresses to different groups of IP addresses on other networks. You may want to use many-to-many NAT addressing if you are mapping one set of DHCP scopes to another. A one-to-many NAT scenario is most commonly used in load-balancing scenarios where you want to take one IP address and split it into two. If you have a big and complex carrier-class network, you will want advanced NAT features. For SOHO networks, simple one-to-one NAT capabilities are probably sufficient.
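To make the difference between one-to-one and many-to-one NAT concrete, here is an added toy model (not code from the article or from any firewall vendor) that keeps a static one-to-one map beside a many-to-one pool that shares a single public address by rewriting source ports, and shows why the firewall must keep state to deliver replies to the right internal host. All addresses are constructed samples from the RFC 5737 documentation range and private 10.0.0.0/8 space.

```python
from dataclasses import dataclass, field


@dataclass
class NatTable:
    """Toy NAT model: one-to-one static maps plus a many-to-one pool.
    The many-to-one pool gives each internal flow its own public port and records
    the mapping, which is the state a reply needs to find its way back inside."""
    public_ip: str                               # shared address for the many-to-one pool
    static: dict = field(default_factory=dict)   # internal ip -> dedicated public ip (one-to-one)
    state: dict = field(default_factory=dict)    # (public ip, public port) -> (internal ip, port)
    next_port: int = 40000                       # next free public port for the pool

    def outbound(self, src_ip, src_port):
        """Translate an outgoing flow; returns the (ip, port) the Internet will see."""
        if src_ip in self.static:                # one-to-one: only the address changes
            return self.static[src_ip], src_port
        for ext, internal in self.state.items():  # reuse the entry for an existing flow
            if internal == (src_ip, src_port):
                return ext
        ext = (self.public_ip, self.next_port)   # new flow: allocate a unique public port
        self.next_port += 1
        self.state[ext] = (src_ip, src_port)
        return ext

    def inbound(self, dst_ip, dst_port):
        """Map a reply back to the internal host; None means no state exists, so drop it."""
        for internal_ip, public_ip in self.static.items():
            if public_ip == dst_ip:              # one-to-one hosts are always reachable
                return internal_ip, dst_port
        return self.state.get((dst_ip, dst_port))


if __name__ == "__main__":
    # Constructed sample: one server with a dedicated public address, two desktops sharing one.
    nat = NatTable(public_ip="203.0.113.10", static={"10.0.0.5": "203.0.113.5"})
    print("server  ->", nat.outbound("10.0.0.5", 443))    # ('203.0.113.5', 443)
    print("desktop ->", nat.outbound("10.0.0.20", 3000))  # ('203.0.113.10', 40000)
    print("desktop ->", nat.outbound("10.0.0.21", 3000))  # ('203.0.113.10', 40001)
    print("reply   ->", nat.inbound("203.0.113.10", 40001))  # ('10.0.0.21', 3000)
    print("unsolicited ->", nat.inbound("203.0.113.10", 9))  # None: dropped
```

The unsolicited packet in the last line has no state entry and is dropped, which is the topology-hiding effect the text mentions: from outside, both desktops look like one address.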
Firewalls are commonly used as VPN endpoints, and some firewalls offer VPN capabilities. VPNs allow you to use site-to-site encryption. While a firewall acts like a roadblock, and only lets certain traffic in and out, once the traffic is out on the Internet it is transported in clear text and, with a sniffer, is viewable to the world. The only way to ensure privacy and data integrity is to use a VPN. If you decide you need a VPN, keep in mind that a VPN implies two endpoints: there is no point in getting a VPN if you don't have a second endpoint to connect it to, because a VPN does not work with only one endpoint.
VPNs send your data through an encrypted tunnel, keeping it private from the rest of the world. The encryption process requires additional processing power, and if you are setting up a VPN for a carrier-class network, you will likely want one that either comes bundled with a crypto accelerator or allows you to add on a crypto accelerator. Crypto accelerators take slow VPNs and make them faster.
Logging capability is one of the most important features of any firewall, and not all firewalls log events equally. You want a firewall that can log as many different types of events as possible, and can filter on as many different types of events as possible. So one question you will want to ask a prospective firewall vendor is how many different event types a potential firewall can log, and how many different filters the logging capability has. The filters allow you to view the different events in a logical and understandable way. For example, you should be able to filter on events by things such as IP address, network numbers, connection types, domain names, and by date and time (to name a few basic filters). The Syslog format is the most commonly used logging format, and if a particular firewall does not support Syslog, you might want to think about crossing it off your short list.
The firewall rules are the definitions you set up that tell the firewall what types of traffic to let in and out of your network. All firewalls have a rules file, and it is the most important configuration file on your firewall. An important question to ask your firewall vendor prospects is whether you will need to reboot the firewall every time you make a change to the rules file. If you are shopping for a carrier-class firewall, being able to change rules without a reboot is a must. If you are in the market for a SOHO firewall, an occasional firewall reboot will probably not impact you too much.
Another feature to ask about is whether the firewall supports automatic order-independent rules. The rules on a firewall need to be in a very specific order or they will not work properly. Some firewalls have the ability to order the rules automatically. This feature can be both good and bad, so you will want to make sure that if it exists, there is also the capability to turn it on and off. The algorithms and code used to make the order-independent rule-setting decisions need to be completely bug-free, or using this feature could open up security holes on your network. In a perfect technical world, automatic order-independent rule setting is a great feature because if you have a lot of firewall rules, it can help you understand how to order them properly. However, there is no substitute for human knowledge in setting up your firewall rules.
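The following is an added example (not the article's code, and not any vendor's ordering algorithm) of why rule order matters: a first-match evaluator over a constructed two-rule policy, plus the "shadowed rule" check that an automatic ordering feature would have to get right. Swapping the same two rules turns a reachable web server into an unreachable one without any rule being wrong on its own. Addresses are constructed samples from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port; None matches any port

    def matches(self, src_ip, dst_ip, port):
        """Does one packet hit this rule?"""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))

    def covers(self, other):
        """True when every packet matching `other` would also match this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.port is None or self.port == other.port))


def decide(rules, src_ip, dst_ip, port, default="deny"):
    """First-match evaluation: the first rule that matches decides; later rules are ignored."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already covers them.
    A rule that is shadowed is either dead weight or, worse, a hidden policy error."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed sample policy: publish one web server, deny everything else.
ALLOW_WEB = Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 80)
DENY_ALL = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None)
GOOD_ORDER = [ALLOW_WEB, DENY_ALL]   # specific allow first, catch-all deny last
BAD_ORDER = [DENY_ALL, ALLOW_WEB]    # same two rules swapped: the allow never fires

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        verdict = decide(rules, "198.51.100.7", "192.0.2.10", 80)
        print(f"{name}: web request -> {verdict}, shadowed rules: {shadowed(rules)}")
```

With the deny-all rule moved to the top, the check reports rule 1 as shadowed, which is exactly the kind of silent misconfiguration the text warns an automatic reordering feature could introduce if its logic were buggy.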
Summing it all up
There are more things to know about firewalls than what I have discussed here, but hopefully this will be enough to get you going. Other features you might want to research are high availability, content filters, and the ability to support anti-virus features. Before you start talking to firewall vendors, make a list of questions that you want to ask each vendor. Ask all the vendors the same questions, and refine your list as you talk to more vendors. Be sure to ask them about their phone support packages, and whether this is included in the license fee. Good firewall phone support is key to helping you become comfortable and proficient at configuring your new security device.
Laura Taylor is the founder of Relevant Technologies (www.relevanttechnologies.com), a provider of original information security content, research advisory services, and best practice IT management consulting services.