Problem solve Get help with specific problems with your technologies, process and projects.

What evaluation criteria should be used when buying a firewall?

Choosing a firewall for the enterprise isn't always easy. In this expert Q&A, Mike Chapple provides three important points to consider before deciding on a product.

Our company is about to purchase a new firewall, and we've narrowed the field down to three vendors. What criteria...

should we use to evaluate the finalists? Are there best practices for choosing the right enterprise firewall product?

First and foremost, consider the functionality of the firewall. The good news for those deciding between products is that mainstream firewalls all have the same core functions. Each performs stateful inspection packet filtering and allows the implementation of basic perimeter defenses. I recommend honing in on functional requirements. Ask yourself: Do you need to emphasize network throughput or enhanced security features?

One major point of differentiation between firewalls is their ability to perform application-layer inspection. Many firewalls simply don't have application-layer inspection, while others implement basic functionality (such as URL filtering). Some products, like Secure Computing Corp.'s Sidewinder G2 firewall and F5 Networks' BIG-IP Application Security Manager, have deep application inspection capabilities. These types of firewalls allow for complex application rule bases that limit the types of actions carried out over a connection. For example, you might limit inbound HTTP requests from the Internet to GET commands, while internal users might be able to issue POST commands. This functionality allows you to protect the enterprise against application-based attacks as well as network-based attacks.

Finally, consider the vendor itself. When investing in a firewall product, you're making a long-term decision. The financial commitment is only the tip of the iceberg; your firewall administrators will invest significant time and energy building and customizing a rule base for that particular product. In general, rule bases are not portable between platforms, so any future platform change will require a substantial commitment of human resources, so it's wise to make sure the vendors on your short list are all stable companies with solid financials. You certainly don't want to get on board a sinking ship.

More information:

This was last published in July 2007

Dig Deeper on Network device security: Appliances, firewalls and switches