
Identifying which type of firewall is right for you

Packet filters, proxies, stateful inspection--which type of firewall is right for your enterprise? Here's how to decide.

This article can also be found in the Premium Editorial Download: Information Security magazine, "Buying spree: 2003 product survey results."

Firewalls are ubiquitous, but no size fits all. When it comes to granular security analysis, gateway-based (proxy-based) firewalls are the best, closely followed by stateful inspection, then stateful (also called dynamic) filters, with static packet filters providing the least security processing. Yet, in terms of manageability, the list is reversed: packet filters are the most "plug-and-playable"; application proxies are the least.

So how can you decide which type of firewall is right for your organization? Which one strikes a good balance among security, functionality, cost and manageability?

To answer this question, I'll examine three infrastructures: a small office; a medium- or large-sized office with common needs; and a large office with complex needs.

Small office. Small offices obviously have fewer users and managed machines than large infrastructures. They're usually smaller targets. And they typically need only a minimal set of Internet services: e-mail (but maybe not even that, if connected to the main office over a VPN), Web and (sometimes) streaming media. Just about any firewall will do in this scenario, because, in general, the smaller the office, the fewer the people and the lower the risk.

For a small office, a simple packet filter, such as those that come with many DSL or cable routers, is sufficient. These are available for less than $500, and include broadband routers from D-Link, 3Com, Netgear and Linksys. Also, WatchGuard's Firebox SOHO, Symantec's Firewall 100, Global Technology's GNAT box and NetScreen and SonicWALL SOHO firewalls are just fine for this environment. Check Point and Cisco offer small office versions of FireWall-1 and PIX, respectively, but they're a bit more expensive.

Medium or large office with "common" needs. "Common" means basic or standard Internet services. Sure, the definition of common changes over time, but for our purposes it includes services such as Web, e-mail, Usenet, streaming media and a sprinkling of file transfer and terminal access.

For these needs, just about any firewall that does more than simple static filtering will do. An application proxy does the trick, but few pure app gateway-based firewalls exist today. Many leading firewalls--CyberGuard, Firebox, PIX, NetScreen, Sidewinder, Raptor, FireWall-1--are hybrids, in some cases allowing you to choose either proxies, stateful inspection or dynamic filtering. When configured to use security proxies for as many services as possible, any of these is suitable. E-mail should always use proxies, and the firewall should only allow Internet e-mail to and from the designated e-mail servers. All Web access from inside to the Internet should be proxied. When proxies don't exist for common services, it's a good practice to use dynamic or stateful filtering.

Large, complex environments. Large enterprises with many users and many complex, problematic services are, of course, more challenging. A "problematic" service is one that may seem simple--such as VoIP or NetMeeting--but actually requires opening many ports through your firewall. Each of these requires ports for more than 25 different services, and should be approached only with application gateway firewalls or in very controlled situations (e.g., when initiated from the inside network, from a particular set of IP addresses and only during particular times). Additionally, for large and complex firewall installations, you should use a firewall that supports centralized firewall management and configuration, such as PIX, CyberGuard, Firebox, FireWall-1, NetScreen and Sidewinder G2.
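As an added illustration (not from the article and not any vendor's code), here is a toy Python model of two things the article asserts but does not show: why a static packet filter sits below a stateful (dynamic) filter in the security ranking above, and what the "common needs" policy (Internet e-mail only to and from the designated mail server, Web only via the proxy) and the "very controlled situations" rule for a problematic service (inside-initiated, named source hosts, business hours only) look like as rules. The addresses, the mail server and proxy hosts, the H.323 call-setup port used as the NetMeeting stand-in, the time window and the traffic sample are all constructed assumptions for the example.

```python
"""Toy static-vs-stateful packet filter (added example, not vendor code).

Models the article's policy: SMTP only to/from the designated mail server,
outbound Web only via the proxy, and a 'problematic' service (H.323 call
setup on TCP 1720, the NetMeeting stand-in) allowed only when initiated
from inside, from named hosts, during business hours. Every address, host
and timestamp below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")            # assumed internal network
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")        # assumed designated SMTP relay
WEB_PROXY = ipaddress.ip_address("10.0.0.80")          # assumed outbound HTTP proxy
H323_HOSTS = {ipaddress.ip_address("10.0.5.10"),       # assumed hosts allowed to place calls
              ipaddress.ip_address("10.0.5.11")}
EPHEMERAL = range(1024, 65536)                         # client-side port range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False                             # True for a connection-opening TCP SYN
    when: datetime = datetime(2003, 5, 1, 10, 0)       # constructed arrival time


def _inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def policy_allows_new(pkt: Packet) -> bool:
    """Rules for packets that START a connection; both filter types share these."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.dport == 25:      # SMTP: only the designated mail server exchanges mail with the Internet
        return (src == MAIL_SERVER and dst not in INSIDE) or (dst == MAIL_SERVER and src not in INSIDE)
    if pkt.dport == 80:      # HTTP: only the proxy may open connections to the Internet
        return src == WEB_PROXY and dst not in INSIDE
    if pkt.dport == 1720:    # H.323 call setup: inside-initiated, named hosts, 08:00-18:00 only
        return src in H323_HOSTS and dst not in INSIDE and 8 <= pkt.when.hour < 18
    return False             # default deny


class StaticFilter:
    """Static packet filter: each packet is judged alone, so return traffic needs a
    standing hole ('Internet source port 25/80/1720 -> any inside high port')."""
    RETURN_PORTS = {25, 80, 1720}

    def accept(self, pkt: Packet) -> bool:
        if policy_allows_new(pkt):
            return True
        return (not _inside(pkt.src) and _inside(pkt.dst)
                and pkt.sport in self.RETURN_PORTS and pkt.dport in EPHEMERAL)


class StatefulFilter:
    """Stateful (dynamic) filter: only the opening packet is judged by policy; a reply
    is admitted only if it matches a connection recorded in the state table."""
    def __init__(self) -> None:
        self.state: set = set()     # (initiator, initiator port, responder, responder port)

    def accept(self, pkt: Packet) -> bool:
        if pkt.syn_only and policy_allows_new(pkt):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state


def compare(packets):
    """Run one packet sequence through both filters; return (static verdicts, stateful verdicts)."""
    static, stateful = StaticFilter(), StatefulFilter()
    return [static.accept(p) for p in packets], [stateful.accept(p) for p in packets]


# Constructed traffic sample: a proxy Web fetch and its reply, an attacker forging
# source port 80 at an inside desktop's RDP port, and two H.323 call attempts.
TRAFFIC = [
    Packet("10.0.0.80", 40000, "198.51.100.7", 80, syn_only=True),            # proxy opens HTTP
    Packet("198.51.100.7", 80, "10.0.0.80", 40000),                           # genuine reply
    Packet("203.0.113.9", 80, "10.0.7.33", 3389),                              # forged "reply" to RDP
    Packet("10.0.5.10", 45000, "203.0.113.50", 1720, syn_only=True,
           when=datetime(2003, 5, 1, 20, 0)),                                  # call after hours
    Packet("10.0.5.10", 45001, "203.0.113.50", 1720, syn_only=True),          # call at 10:00
]

if __name__ == "__main__":
    for verdicts, name in zip(compare(TRAFFIC), ("static", "stateful")):
        print(name, verdicts)
```

The third packet is the point of the exercise: the static filter's standing return-traffic rule admits anything from the Internet that claims source port 80, so the forged packet reaches the desktop's RDP port, while the stateful filter drops it because no inside host ever opened that connection. The two H.323 packets show the "controlled situation" rule from the paragraph above doing its work in both filters.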

Keep in mind that these are guidelines. The firewalls I mentioned as examples are just that: examples. When configured properly, any of the firewalls under each category--plus others I didn't mention--will do the job. Decide if you agree with my guidelines, then ask your firewall salesman to tell you how his firewall stacks up against the ones I've listed.

About the author:
Fred Avolio is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.

This was last published in May 2003
