By Ian Matthews January 31, 2006

If you have ever been responsible for purchasing a firewall you know it can be quite intimidating. There are lots of buzzwords and lots of fast-talking salesmen. This document is intended to provide a simple grid for you to evaluate competing products.

For home users, almost anything will do, but for small and medium businesses a more critical evaluation is required prior to purchase, and that is the real target of this document. It is written with a Microsoft Windows 2000, XP, Vista mentality, but almost all of the concepts apply to other operating systems like Linux and Unix.

The idea is that you print a copy for each product you are considering and then compare the results. FYI, we found the SonicWall TZ170 Wireless and some Watchguard Firebox products happily compete in this space. To get you started here is a linked list of notable firewall providers: SonicWall, NetGear, WatchGuard, Linksys, DLink, SMC. Note that we do not make ANY money off those links and that we have no affiliation with any of the companies mentioned.
 

| # | Category | Description | Value |
|---|----------|-------------|-------|
| 1 | Price | How much is this thing? | |
| 2 | Availability | Often you will see a product promoted on websites that is not available in your area, not yet available to anyone, or worse, is old discontinued stock. Make sure you can get it or don't waste your time researching it. | |
| 3 | Deep Packet Inspection | All but the very cheapest firewalls now provide SPI (Stateful Packet Inspection), but newer, more expensive firewalls should provide DPI, which means that they open EVERY packet and inspect not only the header but all of the content to make certain it is what it claims to be. | |
| 4 | Content Filtering | Many new >$500 firewalls offer annual subscription services which will filter SMTP email traffic and web site content. | |
| 5 | VPN End Point | All but the cheapest firewalls will provide VPN pass-through to your server, but that means your server has to be exposed on the internet; not your best choice. Many firewalls now act as a VPN endpoint. This means that your VPN client connects to the firewall prior to you connecting to your server. | |
| 6 | VPN Active Directory Tie In | Do VPN accounts get created on the firewall, or do credentials come from your Windows Server? It is very nice to have one password, and some mid-range ($500ish) firewalls can perform an LDAP query against your Windows Active Directory to validate credentials. | |
| 7 | SSL VPN | Can VPNs be created through your browser using SSL connections? This is very nice for remote users because no client is required and client configuration is minimal. | |
| 8 | Number of Concurrent VPN Tunnels | How many remote users can you have connected at the same time? Note that many firewall manufacturers will sell you more licences as you need them and some are unlimited. | |
| 9 | VPN Client | Some VPNs will work with the Microsoft IPSec or PPTP software client built into Windows while others require their own software client. I actually prefer the proprietary client because it reduces the number of people that are going to be able to easily attack your VPN. | |
| 10 | VPN Policies | Can you set policies for VPN clients, such as inactive timeouts, reconnection attempt maximums, a popup banner welcoming/warning them about your VPN, time of day restrictions… | |
| 11 | Branch Office VPN | Can you connect one firewall to an identical unit in a remote office and have the two create a hardware VPN? | |
| 12 | ISP Failover | Does it support multiple ISP connections, and can it automatically flip between them so that if one fails your office stays up? Most small offices will not care about this option. | |
| 13 | ISP Aggregation | Can multiple ISP connections be seen inside your office as one link to increase speed and reduce bottlenecks? Most small offices will not care about this option. | |
| 14 | VoIP Support | Voice over Internet Protocol support simply means that the firewall will increase the priority of voice packets. This assumes you are planning to use a VoIP phone solution in the near future. | |
| 15 | Wireless Access | Everybody wants wireless these days. Most sub-$1000 firewalls will offer a wireless option, while most more expensive firewalls will require the wireless access point to be a separate piece of hardware. | |
| 16 | Guest Access | Can you have users connect to your wireless (or wired) network, receive an IP address and surf, but NOT see your office machines or servers? This is a great feature that is just now gaining popularity. | |
| 17 | A, B, G, N Wireless | A (100Mbit?) is great for corporate networks because it does not go through walls. B (11Mbit) is the old standard everything supports. G (54Mbit) is the new "B" which almost everything supports. N (110Mbit?) is a new standard expected to gain popularity by the end of 2006. | |
| 18 | Wireless Accelerator | Most wireless access points will offer a proprietary software compression which will double (or better) your connection speed. The catch here is that you need to use a matching wireless network card, but nearly all laptops (for example) already have a good quality network card. | |
| 19 | Wireless Range | How far does the wireless cover? Most <$500 access points will state the official range for "G" of about 200′; however, in most offices you can count on about 70′. You can usually improve this with different antennas if required. | |
| 20 | Wireless Security | All access points will support WEP, but other than for home use it is inappropriate because it is too easily cracked. WPA (Wi-Fi Protected Access) and WPA2 are the new standards and are quite common. Using a WPA-PSK (Pre-Shared Key) in most small office settings provides an acceptable level of security. The catch here is again to make certain that your clients (i.e. your laptop network card) will support the standard. | |
| 21 | Multi-Node Management | Can you manage more than one firewall using a single piece of software? Usually this is an add-on. This will only apply to larger organizations. | |
| 22 | DMZ | Demilitarized Zones are handy if you have servers that need to be accessed from the internet without restrictions. Almost all devices will do this, but if you have such a need, you must find out about the port forwarding capabilities. | |
| 23 | Page Caching | Does the firewall store the content from websites your clients have visited for a set period of time? This is really a Proxy Server. It will dramatically speed up performance of frequently visited sites. Very few <$1000 firewalls will perform this task. | |
| 24 | Free Telephone Support | How long is free telephone support provided? Oddly, the cheap firewalls often provide lifetime free support, but it is usually very low quality support. Once you get past the $500 mark you are likely going to pay for support after 90 days or after 1 year. If only web-based / email support is available, you need to find another product. | |
| 25 | Where is the Support | You should make sure that (at a minimum) second level support is handled in a jurisdiction similar to your own. If you have a serious problem and you need support for your company, the last thing you want to do is spend hours talking to overseas technical support staff who really do not understand the problem. If you live in Britain make sure you can get European support. If you live in Canada make sure you can get North American support. | |
| 26 | Logging / Reporting | Can you tell if you are being attacked? Can you tell if your staff is visiting questionable sites? Can you tell if your firewall is failing? Can your firewall email you if a problem is detected? The email option is exceptionally rare in <$500 firewalls. | |
| 27 | Enhanced Firmware | Many >$500 firewall manufacturers produce two sets of software for their devices. The default set covers most features, but you can pay to get the enhanced software. When checking this list with your manufacturer make sure you ask if the options they are telling you about require upgraded code. | |
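As an added example that is not part of the original article or any vendor's code, the toy Python model below shows what row 3's distinction between SPI and DPI actually means in practice, and then answers row 26's "can you tell if you are being attacked?" by summarizing the decision log the firewall writes. The packets, log line format, addresses and the three-drop alert threshold are all constructed for illustration; no real firewall product or capture is involved.

```python
"""Added example (not code from the original article or any firewall vendor):
a toy model of stateful (SPI) versus deep (DPI) packet inspection, and of the
logging/alerting question.  Packets, log lines and the alert threshold are all
constructed here."""
from collections import Counter
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool          # True: LAN -> Internet, False: Internet -> LAN
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    """SPI: remember each outbound flow and admit inbound packets only when they
    are replies to a flow we have seen.  Headers only; the payload is never read."""
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _record(self, p: Packet, verdict: str) -> str:
        # One syslog-style line per decision; this is what row 26 asks you to be
        # able to search, report on and be emailed about.
        self.log.append(f"{verdict} src={p.src} dst={p.dst} dport={p.dport}")
        return verdict

    def check(self, p: Packet) -> str:
        if p.outbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return self._record(p, "ALLOW")
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to a tracked flow
            return self._record(p, "ALLOW")
        return self._record(p, "DROP")                        # unsolicited inbound


# Minimal check that a payload sent to port 80 actually starts like an HTTP request.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


class DeepInspectingFirewall(StatefulFirewall):
    """DPI: the same state tracking, plus a look inside the packet to confirm the
    content is the protocol the port number claims it is."""

    def check(self, p: Packet) -> str:
        if p.outbound and p.dport == 80 and p.payload and not HTTP_REQUEST_LINE.match(p.payload):
            return self._record(p, "DROP-DPI")   # SPI alone would have allowed this
        return super().check(p)


LOG_LINE = re.compile(r"^(?P<verdict>[A-Z-]+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


def summarize(log_lines, drop_threshold=3):
    """Row 26's 'can you tell if you are being attacked?': count dropped packets per
    source address and name the sources at or above the threshold, which is where a
    firewall's email alert would fire.  Returns (drop_counts, sources_to_alert)."""
    drops = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m["verdict"].startswith("DROP"):
            drops[m["src"]] += 1
    alert = sorted(src for src, n in drops.items() if n >= drop_threshold)
    return drops, alert


def demo():
    """Run constructed traffic through the DPI firewall and report on its log."""
    fw = DeepInspectingFirewall()
    verdicts = []
    # 1. Normal browsing: a LAN host opens a flow to a web server, the reply is admitted.
    verdicts.append(fw.check(Packet("192.168.1.10", 51000, "203.0.113.5", 80, True,
                                    b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")))
    verdicts.append(fw.check(Packet("203.0.113.5", 80, "192.168.1.10", 51000, False,
                                    b"HTTP/1.1 200 OK\r\n")))
    # 2. Unsolicited inbound packets from one address: no tracked flow, so SPI drops them.
    for port in (22, 23, 445):
        verdicts.append(fw.check(Packet("198.51.100.7", 40000 + port, "192.168.1.10", port, False)))
    # 3. Outbound to port 80 that is not HTTP: only DPI notices the mismatch.
    verdicts.append(fw.check(Packet("192.168.1.10", 51001, "203.0.113.9", 80, True,
                                    b"\x00\x01not an http request")))
    drop_counts, alert = summarize(fw.log)
    return verdicts, drop_counts, alert


if __name__ == "__main__":
    v, counts, alert = demo()
    print(v)                      # ['ALLOW', 'ALLOW', 'DROP', 'DROP', 'DROP', 'DROP-DPI']
    print(dict(counts), alert)    # {'198.51.100.7': 3, '192.168.1.10': 1} ['198.51.100.7']
```

The point of the two classes is that `StatefulFirewall` allows the last packet (it is outbound, so by SPI rules it simply opens a new flow), whereas `DeepInspectingFirewall` drops it because the bytes do not look like the HTTP the port number implies. The summary step is the part a cheaper firewall typically lacks: without per-decision logs and some way to count and report them, the first question in row 26 cannot be answered.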
