Problem solve Get help with specific problems with your technologies, process and projects.

Firewalls: How to choose what's right for you

A Forrester analyst outlines types of firewalls on the market and deployment strategies for large and small organizations.

Forrester analyst outlines types of firewalls on the market and deployment strategies for large and small orga...


By Johanna Ambrosio

All companies need firewalls these days, large or small. Even security-conscious behemoths such as Microsoft Corp. have been hacked, and the different variants of the Code Red virus rightly have everyone up in arms.

Depending on the size of your company and how much money you're willing to spend on securing your information, there are different types of firewalls that come packaged with various features and functions. But it's also important to keep in mind that there's no absolute security, or silver bullet, to keeping your organization completely safe.

That said, however, Frank Prince, senior analyst at Forrester Research Inc. in Cambridge, Mass., feels very strongly that only the largest companies, or those with the most complex needs, should select and implement a firewall without outside help. His advice to almost everyone else is to outsource.

Prince explains why, and gives more background about firewalls, in this interview with TechTarget.

TechTarget: What are the different types of firewalls?

Prince: All firewalls act as a perimeter access-control device. They let some people into a network of computer systems, and they keep some people out.

Firewalls are classified into three different levels: packet-level firewalls that don't keep a history of who's talking to whom; stateful inspection firewalls that keep low-protocol records (at the IP level); and proxy firewalls that do take history into account. Proxy firewalls have higher protocols carried on low-level protocols, like e-mail or HTML. So the differences have to do with whether the firewall takes history into account, as well as the level of protocol that the firewall handles.

TechTarget: How else do firewalls differ, in terms of features and functions?

Prince: It mostly comes down to packaging differences -- how much tailoring of the firewall is allowed. There are highly flexible and configurable firewalls (like those from Check Point Software) that operate on dedicated computer systems. These are generally used by organizations with the need to specifically configure the firewalls for their own purposes -- and the resources to do so. At the other end of the spectrum are firewalls that come as part of an appliance or some other system, like those from Sonicwall Inc. or Linksys Group Inc., and that have limited configurability. These are generally made to drop into the home and SOHO environments. Then you have everything in between, depending on what is needed. Cisco, for instance, builds its firewall into routers and VPNs.

TechTarget: Should companies look at different types of firewalls, or will one do the trick?

Prince: Global organizations will generally have all three types of firewall. They have to think about different groups within the company, and these various groups might have different security needs. A large branch office might need something more sophisticated than will a small branch office, which needs something entirely different from corporate headquarters. If you're setting up a global extranet, you'll need a firewall that is big and flexible. Also keep in mind companies like Nokia, which packages a number of things in a kind of firewall appliance, but with more configurability and at a range of prices. So they're bridging the medium to high end with a number of firewalls.

TechTarget: What other firewall-related considerations should companies think about?

Prince: Most companies simply don't have the human resources needed to choose, install and maintain a firewall -- and most aren't particularly honest with themselves regarding their abilities in these areas. Expect to dedicate a minimum of two people to the firewall: one to handle the business and contractual end; another to handle the technical details and be the interface to your subcontractors. This technical person will need to monitor logs, handle setting up access rights for individual users, and so on. But two people are the minimum investment you can make. So we strongly suggest that the majority of organizations get help and outsource this. Most small and medium-sized enterprises should probably not be doing this themselves.

TechTarget: What's your advice for those bound and determined to roll their own?

Prince: I hesitate to give blanket guidelines. Any kind of little checklist is going to be insensitive to the real needs of the company. I suggest that organizations draw on places like the SANS Institute and make use of the online and training resources there. They should dedicate a person to understanding the organizational needs and the technological alternatives, and then tailor the solution to what they've learned about what the company needs. And this person needs to be well placed in the company, so he or she can tap into what's really going on and what the real needs are. The dedicated person also has to have management support to get the budget he or she needs for people and technology.

Also keep in mind that there is no absolute security. There's no protection, just some amount of reduction of risk. Companies generally don't feel insecure until they're violated.

Ambrosio is a freelance writer in Marlborough, MA. Reach her at mailto:[email protected]


Visit Search's best web links section on firewalls.

You'll also find tons of resources in's firewalls and security devices category.

This was last published in August 2001

Dig Deeper on Network device security: Appliances, firewalls and switches