Firewalls are ubiquitous, but no one size fits all. In terms of how much security analysis they perform on traffic, application gateways (proxy-based firewalls) do the most, closely followed by stateful inspection, then dynamic (also called stateful) packet filters, with static packet filters doing the least. In terms of manageability the order is reversed: static packet filters are the most "plug-and-playable"; application proxies are the least.
So how can you decide which type of firewall is right for your organization? Which one strikes a good balance between security and functionality and cost and manageability?
To answer this question, I'll examine three infrastructures: a small office; a medium- or large-sized office with common needs; and a large office with complex needs.
Small office. Small offices obviously have fewer users and managed machines than large infrastructures, and they're usually smaller targets. They also need only a minimal set of Internet services: e-mail (and maybe not even that, if the office reaches the main office over a VPN), the Web and sometimes streaming media. Just about any firewall will do in this scenario because, in general, the smaller the office, the fewer the people and the lower the risk.
For a small office, a simple packet filter, such as those that come with many DSL or cable routers, is sufficient. These are available for less than $500, and include broadband routers from D-Link, 3Com, Netgear and Linksys. Also, WatchGuard's Firebox SOHO, Symantec's Firewall 100, Global Technology's GNAT box and NetScreen and SonicWALL SOHO firewalls are just fine for this environment. Check Point and Cisco offer small office versions of FireWall-1 and PIX, respectively, but they're a bit more expensive.
Medium or large office with "common" needs. "Common" means basic or standard Internet services. Sure, the definition of common changes over time, but for our purposes it includes services such as Web, e-mail, Usenet, streaming media and a sprinkling of file transfer and terminal access.
For these needs, just about any firewall that does more than simple static filtering will do. An application proxy does the trick, but few pure application gateway firewalls exist today. Many leading firewalls--CyberGuard, Firebox, PIX, NetScreen, Sidewinder, Raptor, FireWall-1--are hybrids, in some cases letting you choose among proxies, stateful inspection and dynamic filtering for each service. Configured to use security proxies for as many services as possible, any of these is suitable. E-mail should always go through a proxy, and the firewall should pass Internet e-mail only to and from the designated e-mail servers, so that no other internal host can send or receive SMTP directly. All Web access from the inside to the Internet should be proxied. Where no proxy exists for a common service, fall back to dynamic or stateful filtering rather than static rules.
Large, complex environments. Large enterprises with many users and many complex, problematic services are, of course, more challenging. A "problematic" service is one that may seem simple--such as VoIP or NetMeeting--but actually requires opening many ports through your firewall. Each of these needs ports opened for more than 25 different services, and because the media ports are negotiated inside the call-setup exchange, a plain packet filter cannot know them in advance. Such services should be approached only with application gateway firewalls that understand the protocol, or in very controlled situations (e.g., only when initiated from the inside network, from a particular set of IP addresses and only during particular times). Additionally, for large and complex firewall installations, use a firewall that supports centralized management and configuration, such as PIX, CyberGuard, Firebox, FireWall-1, NetScreen and Sidewinder G2.
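The following toy packet filter is an added example, not code from the article or from any of the vendors named in it. It ties together three points made above: the gap between a static packet filter and a dynamic (stateful) one, the "common needs" policy of passing SMTP only to and from designated mail servers and letting only the proxy open Web connections, and the "controlled situation" rule for a problematic call-setup service (inside-initiated, named hosts, business hours only). The internal network, mail relay, proxy, conferencing hosts, hours and every packet are constructed assumptions for illustration; the H.323 call-setup port (TCP 1720) is included only as the static half of such a service, and the dynamic media ports it negotiates are deliberately not modelled, which is exactly why the article sends such services to an application gateway.

```python
"""Toy packet filter contrasting static and stateful (dynamic) filtering,
with the article's recommended policy encoded as rules.  All addresses,
hosts, hours and packets are constructed for illustration; this is not
any vendor's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")               # assumed internal network
MAIL_SERVERS = {ip_address("10.0.0.25")}        # assumed designated mail relay
WEB_PROXY = ip_address("10.0.0.80")             # assumed outbound Web proxy
CONFERENCE_HOSTS = {ip_address("10.0.2.10")}    # assumed hosts allowed to place calls
CONFERENCE_HOURS = range(8, 18)                 # assumed business hours (local time)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True = opens a TCP connection, False = reply/continuation


def policy_allows_new(p: Packet, hour: int = 12) -> bool:
    """Decide NEW (SYN) connections only; replies are a separate question."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    inbound = dst in INSIDE and src not in INSIDE
    outbound = src in INSIDE and dst not in INSIDE
    if p.dport == 25:           # SMTP only to/from the designated mail servers
        return (inbound and dst in MAIL_SERVERS) or (outbound and src in MAIL_SERVERS)
    if p.dport in (80, 443):    # only the proxy may open Web connections outward
        return outbound and src == WEB_PROXY
    if p.dport == 1720:         # H.323 call setup: inside-initiated, named hosts, in hours
        # The media ports such a call negotiates are NOT modelled here; that gap
        # is what an application gateway closes and a packet filter cannot.
        return outbound and src in CONFERENCE_HOSTS and hour in CONFERENCE_HOURS
    return False                # default deny


class StaticFilter:
    """Keeps no connection memory, so replies must be guessed from port numbers."""
    def accept(self, p: Packet, hour: int = 12) -> bool:
        if p.syn:
            return policy_allows_new(p, hour)
        # The classic static-filter hole: any non-SYN packet from a service port
        # to a high port "looks like" a reply and is let in.
        return p.sport in (25, 80, 443, 1720) and p.dport >= 1024


class StatefulFilter:
    """Remembers permitted connections; a reply is accepted only for one of them."""
    def __init__(self):
        self.table = set()

    def accept(self, p: Packet, hour: int = 12) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            ok = policy_allows_new(p, hour)
            if ok:
                self.table.add(key)
            return ok
        reverse = (p.dst, p.dport, p.src, p.sport)
        return key in self.table or reverse in self.table


def run_scenarios() -> dict:
    """Constructed traffic; returns {name: (static_verdict, stateful_verdict)}."""
    static, stateful = StaticFilter(), StatefulFilter()
    scenarios = {
        "client_direct_web":        (Packet("10.0.1.5", 40001, "203.0.113.10", 80), 12),
        "proxy_web":                (Packet("10.0.0.80", 40000, "203.0.113.10", 80), 12),
        "proxy_web_reply":          (Packet("203.0.113.10", 80, "10.0.0.80", 40000, syn=False), 12),
        "spoofed_reply_probe":      (Packet("198.51.100.7", 80, "10.0.1.5", 3389, syn=False), 12),
        "internet_to_mailhost":     (Packet("198.51.100.7", 49152, "10.0.0.25", 25), 12),
        "internet_to_desktop_smtp": (Packet("198.51.100.7", 49153, "10.0.1.5", 25), 12),
        "desktop_smtp_bypass":      (Packet("10.0.1.5", 40002, "203.0.113.25", 25), 12),
        "call_in_hours":            (Packet("10.0.2.10", 40003, "203.0.113.50", 1720), 10),
        "call_after_hours":         (Packet("10.0.2.10", 40004, "203.0.113.50", 1720), 22),
    }
    # Insertion order matters: the proxy's SYN is seen before its reply arrives.
    return {name: (static.accept(p, h), stateful.accept(p, h))
            for name, (p, h) in scenarios.items()}


if __name__ == "__main__":
    for name, (st, sf) in run_scenarios().items():
        print(f"{name:26s} static={'ACCEPT' if st else 'DROP':6s} "
              f"stateful={'ACCEPT' if sf else 'DROP'}")
```

The one scenario where the two filters disagree is the spoofed "reply" probe: a packet from source port 80 to an internal high port is accepted by the static filter purely on port numbers, while the stateful filter drops it because no inside host ever opened that connection. Everything else the policy decides identically, which is the article's point that the policy (mail only via the relay, Web only via the proxy, calls only under controlled conditions) matters as much as the filter type.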
Keep in mind that these are guidelines. The firewalls I mentioned as examples are just that: examples. When configured properly, any of the firewalls under each category--plus others I didn't mention--will do the job. Decide if you agree with my guidelines, then ask your firewall salesman to tell you how his firewall stacks up against the ones I've listed.
About the author:
Fred Avolio is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.