The obvious answer is one that stops what you want to stop and allows what you need to allow. There are many good firewalls on the market. What is best for your organization depends on your needs, such as bandwidth, complexity of the access rules needed, etc. I personnaly prefer those firewalls that rely on port-blocking along with statefull inspection. While there is nothing inherently wrong with those based on proxies, I have found that some administrators have trouble setting them up correctly and maintaining them. Flexibility in the rules sets is also a key. If you want to block a particular port from everyone except from a certain IP range, you want to make sure the firewall can do that. Some less capable packages have a port either on or off for everyone. If your organization is large, you probably want to have multiple interfaces to the firewall, as well. That way you can effectively have different back-end networks served by the same firewall. The firewall should also support different rules sets for those separate networks. If both have to have the same rules set, the multiple interfaces don't do much good from a security standpoint.
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.