How to Evaluate and Buy a Firewall

By Ian Matthews January 31, 2006

If you have ever been responsible for purchasing a firewall you know it can be quite intimidating. There are lots of buzzwords and lots of fast-talking salesmen. This document is intended to provide a simple grid for you to evaluate competing products.

For home users, almost anything will do but for small and medium business more critical evaluation is required prior to purchase and that is the real target of this document.  It is written with a Microsoft Windows 2000, XP, Vista mentality but almost all of the concepts would apply to other operating systems like Linux and Unix.

The idea is that you print a copy for each product you are considering and then compare the results. FYI, we found the SonicWall TZ170 Wireless and some WatchGuard Firebox products happily compete in this space. To get you started, here is a linked list of notable firewall providers: SonicWall, NetGear, WatchGuard, Linksys, D-Link, SMC. Note that we do not make ANY money off those links and that we have no affiliation with any of the companies mentioned.

Evaluation grid. Columns: # / Category / Description / Value (the Value column is left blank for you to fill in for each product).

1. Price: How much is this thing?
2. Availability: Often you will see a product promoted on websites that either is not available in your area, not available to anyone yet, or worse, is old discontinued stock. Make sure you can get it or don't waste your time researching it.
3. Deep Packet Inspection: All but the very cheapest firewalls will now provide SPI (Stateful Packet Inspection), but newer, more expensive firewalls should provide DPI, which means that they will open EVERY packet and inspect not only the header but all content to make certain it is what it claims to be.
4. Content Filtering: Many new >$500 firewalls offer annual subscription services which will filter SMTP email traffic and web site content.
5. VPN End Point: All but the cheapest firewalls will provide VPN pass-through to your server, but that means your server has to be exposed on the internet; not your best choice. Many firewalls now act as a VPN endpoint. This means that your VPN client connects to the firewall prior to you connecting to your server.
6. VPN Active Directory Tie-In: Do VPN accounts get created on the firewall, or do credentials come from your Windows Server? It is very nice to have one password, and some mid-range ($500ish) firewalls can perform an LDAP query against your Windows Active Directory to validate credentials.
7. SSL VPN: Can VPNs be created through your browser using SSL connections? This is very nice for remote users because no client is required and client configuration is minimal.
8. Number of Concurrent VPN Tunnels: How many remote users can you have connected at the same time? Note that many firewall manufacturers will sell you more licences as you need them, and some are unlimited.
9. VPN Client: Some VPNs will work with the Microsoft IPSec or PPTP software client built into Windows while others require their own software client. I actually prefer the proprietary client because it reduces the number of people that are going to be able to easily attack your VPN.
10. VPN Policies: Can you set policies for VPN clients, such as inactive timeouts, reconnection attempt maximums, a popup banner welcoming/warning them about your VPN, time of day restrictions...
11. Branch Office VPN: Can you connect one firewall to an identical unit in a remote office and have the two create a hardware VPN?
12. ISP Failover: Does it support multiple ISP connections, and can it automatically flip between them so that if one fails your office stays up? Most small offices will not care about this option.
13. ISP Aggregation: Can multiple ISP connections be seen inside your office as one link to increase speed and reduce bottlenecks? Most small offices will not care about this option.
14. VoIP Support: Voice over Internet Protocol support simply means that the firewall will increase the priority of voice packets. This assumes you are planning to use a VoIP phone solution in the near future.
15. Wireless Access: Everybody wants wireless these days. Most sub-$1000 firewalls will offer a wireless option, while most more expensive firewalls will require the wireless access point to be a different piece of hardware.
16. Guest Access: Can you have users connect to your wireless (or wired) network, receive an IP address and surf, but NOT see your office machines or servers? This is a great feature that is just now gaining popularity.
17. A, B, G, N Wireless:
    A (100Mbit?) is great for corporate networks because it does not go through walls
    B (11Mbit) is the old standard everything supports
    G (54Mbit) is the new "B" which almost everything supports
    N (110Mbit?) is a new standard expected to gain popularity by the end of 2006
18. Wireless Accelerator: Most wireless access points will offer a proprietary software compression which will double (or better) your connection speed. The catch here is that you need to use a matching wireless network card, but nearly all laptops (for example) already have a good quality network card.
19. Wireless Range: How far does the wireless cover? Most <$500 access points will state the official range for "G" of about 200', however in most offices you can count on about 70'. You can usually improve this with different antennas if required.
20. Wireless Security: All access points will support WEP, but other than home use it is inappropriate because it is too easily cracked. WPA (Wi-Fi Protected Access) and WPA2 are the new standards, which are quite common. Using a WPA-PSK (Pre-Shared Key) in most small office settings provides an acceptable level of security. The catch here is again to make certain that your clients (i.e. your laptop network card) will support the standard.
21. Multi-Node Management: Can you manage more than one firewall using a single piece of software? Usually this is an add-on. This will only apply to larger organizations.
22. DMZ: Demilitarized zones are handy if you have servers that need to be accessed from the internet without restrictions. Almost all devices will do this, but if you have such a need you must find out about the port forwarding capabilities.
23. Page Caching: Does the firewall store all the content from websites your clients have visited for a set period of time? This is really a proxy server. This will dramatically speed up performance of frequently visited sites. Very few <$1000 firewalls will perform this task.
24. Free Telephone Support: How long is free telephone support provided? Oddly, the cheap firewalls often provide lifetime free support, but it is usually very low quality support. Once you get past the $500 mark you are likely going to pay for support after 90 days or after 1 year. If only web-based / email support is available, you need to find another product.
25. Where is the Support: You should make sure that (at a minimum) second level support is handled in a jurisdiction similar to your own. If you have a serious problem and you need support for your company, the last thing you want to do is spend hours talking to overseas technical support staff who really do not understand the problem. If you live in Britain make sure you can get European support. If you live in Canada make sure you can get North American support.
26. Logging / Reporting: Can you tell if you are being attacked? Can you tell if your staff is visiting questionable sites? Can you tell if your firewall is failing? Can your firewall email you if there is a problem detected? The email option is exceptionally rare in <$500 firewalls.
27. Enhanced Firmware: Many >$500 firewall manufacturers produce two sets of software for their devices. The default set covers most features, but you can pay to get the enhanced software. When checking this list with your manufacturer, make sure you ask if the options they are telling you about require upgraded code.
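Item 26 asks whether a firewall can tell you that you are being attacked, that staff are visiting questionable sites, or that the device itself is failing, and whether it can email you about it. As an added illustration (not code from this article or from any firewall vendor), the Python script below reads constructed firewall log lines in an assumed key=value syslog style and builds the alert text such a device would email: a burst of denied connections from one source to many ports, visits to filtered web categories per user, and critical system messages. The log format, field names, category list and thresholds are all assumptions made up for this example.

```python
"""
Added example, not part of the original article: turn constructed firewall
log lines into the three alerts item 26 asks about. The log format, field
names, categories and thresholds below are assumptions for the example.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in an assumed "timestamp key=value ..." syslog style.
# Addresses come from the documentation ranges (203.0.113.0/24, 192.0.2.0/24).
SAMPLE_LOG = """\
2006-01-31T09:00:01 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=21
2006-01-31T09:00:02 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=22
2006-01-31T09:00:02 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
2006-01-31T09:00:03 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25
2006-01-31T09:00:03 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=80
2006-01-31T09:00:04 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=110
2006-01-31T09:00:05 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=143
2006-01-31T09:00:06 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=443
2006-01-31T09:00:06 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=445
2006-01-31T09:00:07 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=3389
2006-01-31T09:05:00 action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=1433
2006-01-31T09:10:12 action=urlfilter user=jsmith category=gambling url=http://example.invalid/bets
2006-01-31T09:11:40 action=urlfilter user=jsmith category=gambling url=http://example.invalid/odds
2006-01-31T09:12:05 action=urlfilter user=amiller category=news url=http://example.invalid/headlines
2006-01-31T09:15:00 action=system severity=critical msg="WAN link down"
2006-01-31T09:15:30 action=system severity=info msg="Config saved"
"""

SCAN_WINDOW = timedelta(seconds=60)   # one source probing many ports within this window
SCAN_PORT_THRESHOLD = 8               # distinct denied destination ports that count as a scan
BLOCKED_CATEGORIES = {"gambling", "adult", "malware"}  # assumed content-filter categories


def parse_line(line):
    """Split one log line into (timestamp, {field: value}); shlex keeps quoted msg= intact."""
    ts_text, _, rest = line.partition(" ")
    fields = {}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return datetime.fromisoformat(ts_text), fields


def detect_port_scans(events):
    """Flag any source denied to SCAN_PORT_THRESHOLD or more distinct ports inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, f in events:
        if f.get("action") == "deny":
            by_src[f["src"]].append((ts, int(f["dport"])))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most SCAN_WINDOW
            while hits[end][0] - hits[start][0] > SCAN_WINDOW:
                start += 1
            best = max(best, len({port for _, port in hits[start:end + 1]}))
        if best >= SCAN_PORT_THRESHOLD:
            alerts.append(f"possible port scan from {src}: {best} ports denied in {SCAN_WINDOW.seconds}s")
    return alerts


def summarize_blocked_sites(events):
    """Count visits per (user, category) to filtered categories: the 'questionable sites' question."""
    counts = defaultdict(int)
    for _, f in events:
        if f.get("action") == "urlfilter" and f.get("category") in BLOCKED_CATEGORIES:
            counts[(f["user"], f["category"])] += 1
    return dict(counts)


def detect_device_faults(events):
    """Return critical system messages: the 'is the firewall failing' question."""
    return [f["msg"] for _, f in events
            if f.get("action") == "system" and f.get("severity") == "critical"]


def build_alert_email(log_text):
    """Assemble the body an alerting firewall would email to the administrator."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    lines = [f"ATTACK: {a}" for a in detect_port_scans(events)]
    lines += [f"POLICY: {user} visited {n} {cat} site(s)"
              for (user, cat), n in sorted(summarize_blocked_sites(events).items())]
    lines += [f"DEVICE: {m}" for m in detect_device_faults(events)]
    return "\n".join(lines) if lines else "no alerts"


if __name__ == "__main__":
    print(build_alert_email(SAMPLE_LOG))
```

On the constructed sample this reports one scan (203.0.113.9 denied on ten ports within seven seconds), two gambling visits by jsmith, and the critical "WAN link down" event, while the single denied connection from 198.51.100.7 and the info-level message produce nothing. Whatever thresholds you choose, the point when evaluating a product is whether its logging gives you these fields at all and whether it can deliver the resulting message to you without someone having to log in and look.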
