
How to ensure your next firewall isn't a dud

A firewall can be an invaluable tool when it comes to securing your network. On the other hand, a less-than-stellar firewall can leave your network open to attack and leave you with a false sense of security. Following a few simple steps when selecting your next firewall can help take out the guesswork.

A hardware firewall is arguably one of the most critical IT purchases your organization can make. A well-chosen firewall genuinely protects your network; a poorly chosen one gives a false sense of security while leaving the network exposed. Before making a firewall purchase, review your organization's needs and requirements. The following questions should be answered before proposing a firewall purchase:

How many concurrent connections will the firewall need to support?

Every firewall can track only a finite number of simultaneous connections (its session or state table), and the limit is stated in the product documentation. Make sure the proposed hardware firewall can handle the traffic that will pass through it. For instance, a firewall protecting and monitoring the network perimeter must track far more connections than one protecting a single internal segment. Once the session table is full, the firewall cannot accept new connections and starts dropping them, which users experience as an outage even when plenty of bandwidth is available.

How many VPN tunnels will be open concurrently?

If your organization allows VPN connections for remote users, consider how many tunnels will be open into the network at the same time. As with the previous question, underestimating results in loss of service: once the tunnel limit is reached, additional users simply cannot connect. The limit is stated in the product documentation, and some vendors license the tunnel count separately from the hardware, so check that the licensed count, not just the hardware maximum, meets your need.
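The two sizing questions above (concurrent connections and concurrent VPN tunnels) are answered by the same measurement: the peak number of sessions open at once on the network the firewall will protect. The following added example, which is not from the original article, computes that peak from a connection log with a sweep over session start and end times and reports the figure to specify once a growth margin is applied. The log format (start,end,kind), the records in it and the growth factor are constructed assumptions for the example; real input would be exported from the current firewall, a NetFlow collector or the VPN concentrator.

```python
"""Estimate peak concurrent sessions and VPN tunnels from connection records.

Added example: the CSV format, the sample records and the growth factor are
assumptions made for illustration, not part of the original article.
"""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    kind: str  # "fw" for an ordinary firewall session, "vpn" for a remote-access tunnel


# Constructed sample: a burst of short firewall sessions at 09:00 overlapping
# three long-lived VPN tunnels.  Real data would be exported from the existing
# firewall, a NetFlow collector or the VPN concentrator.
SAMPLE_RECORDS = """\
# start,end,kind
2006-02-01T09:00:00,2006-02-01T09:00:30,fw
2006-02-01T09:00:10,2006-02-01T09:00:20,fw
2006-02-01T09:00:15,2006-02-01T09:00:45,fw
2006-02-01T09:00:20,2006-02-01T09:00:25,fw
2006-02-01T08:30:00,2006-02-01T12:00:00,vpn
2006-02-01T09:00:05,2006-02-01T17:00:00,vpn
2006-02-01T09:00:15,2006-02-01T09:30:00,vpn
"""


def parse_records(text: str) -> List[Session]:
    """Parse 'start,end,kind' lines with ISO 8601 timestamps; '#' lines are comments."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start, end, kind = (field.strip() for field in line.split(","))
        sessions.append(Session(datetime.fromisoformat(start), datetime.fromisoformat(end), kind))
    return sessions


def peak_concurrency(sessions: Iterable[Session]) -> Tuple[int, Optional[datetime]]:
    """Return (peak number of simultaneously open sessions, time the peak was first reached).

    Sweep line: +1 at each start, -1 at each end.  At equal timestamps the -1 is
    processed first, so a session ending exactly when another begins is not
    counted twice, which matches how a firewall frees a state-table slot.
    """
    events = []
    for s in sessions:
        if s.end < s.start:
            raise ValueError(f"session ends before it starts: {s}")
        events.append((s.start, 1))
        events.append((s.end, -1))
    events.sort()  # tuples sort by time, then by delta (-1 before +1)
    current = peak = 0
    peak_at = None
    for when, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, when
    return peak, peak_at


def peak_by_kind(sessions: List[Session]) -> Dict[str, int]:
    """Peak for each session kind plus 'all', so the two capacity limits can be checked separately."""
    result = {kind: peak_concurrency([s for s in sessions if s.kind == kind])[0]
              for kind in sorted({s.kind for s in sessions})}
    result["all"] = peak_concurrency(sessions)[0]
    return result


def required_capacity(peak: int, growth_factor: float = 2.0) -> int:
    """Capacity to specify: measured peak with headroom for growth (the factor is an assumption)."""
    if growth_factor < 1.0:
        raise ValueError("growth factor must be at least 1.0")
    return math.ceil(peak * growth_factor)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for kind, peak in peak_by_kind(recs).items():
        print(f"{kind:>4}: peak {peak} concurrent, specify at least {required_capacity(peak)}")
```

Run it against a day or a week of real records and keep the highest peak; the "vpn" figure is the one to compare against the tunnel limit and the "all" figure against the session-table limit. The growth factor is deliberately a parameter, since the right margin depends on how long the firewall is expected to stay in service.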

Will the firewall support the VPN protocols that you are using?

If your existing VPN architecture uses IPsec, PPTP or L2TP, verify that the firewall supports that protocol. Most commercial hardware firewalls support all three, but do not assume it. Two caveats apply: L2TP provides no encryption of its own and is normally run inside IPsec (L2TP/IPsec), so what you actually need is IPsec support together with L2TP termination or passthrough; and PPTP's MS-CHAP authentication has well-documented weaknesses, so treat PPTP support as a compatibility feature for legacy clients rather than as a reason to choose a product.

How is the firewall managed?

This consideration is largely a matter of preference and ease of use, but it has a security side. Before deciding on a firewall, become familiar with its management user interface (MUI). Many enterprise firewalls are configured through a command line interface (CLI), while many lower priced firewalls use a simpler Web-based interface. Know the commands or screens used to configure that particular firewall so that there is no dangerous gap between the day the firewall is installed and the day it is correctly configured; a firewall running its factory defaults while someone reads the manual protects nothing. Also check how the management interface itself is reached: it should be restricted to a dedicated management network or to specific administrator addresses, and a Web interface should be served over HTTPS rather than plain HTTP.

Are there any other features required?

There are many other features a hardware firewall can perform, although some of them may require an additional subscription. Some of the features to consider are:

  • Web caching to store frequently viewed Web sites
  • URL or keyword filtering to block access to unapproved Web sites
  • Domain filtering to block access to prohibited domains, such as those associated with pornography or illegal downloads
  • Spam filtering
  • Load balancing

Keep in mind that each of these features runs on the same hardware as the firewall itself. Content inspection and caching consume CPU and memory, so confirm that the throughput and connection figures you relied on were measured with those features enabled, and find out what happens to traffic when a subscription lapses.

Can I get the features that I need elsewhere cheaper?

Unless it is your own money, it is always wise to comparison shop. For instance, some firewall vendors charge extra for spam filtering, while others include it or offer a free trial. Obtain multiple quotes and feature lists before deciding on a purchase, and compare like with like: a feature quoted as a one-time price by one vendor may be an annual subscription from another.

How much throughput is required through the firewall?

Firewall throughput generally ranges from about 150 Mbps to more than 1 Gbps, and price rises roughly in step with speed. The figure is available in the product documentation, but read it carefully: vendors usually measure throughput with large packets and a simple rule set. Throughput with small packets, with VPN encryption, or with content inspection enabled is substantially lower, so compare the number for the configuration you intend to run, not the headline number.
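Because vendors quote throughput for a favourable packet size, the most useful check is to ask for the packets-per-second rating as well and work out what it means at the frame sizes your traffic actually carries. The following added example (not part of the original article) does that arithmetic for Gigabit Ethernet using the standard framing overhead; the 200,000 pps device rating is a hypothetical figure chosen for illustration, not a figure for any real product.

```python
"""Relate a firewall's packets-per-second rating to throughput at different frame sizes.

Added example with an assumed device rating: the Ethernet framing constants are
standard, the rating is hypothetical and not taken from any real product.
"""
from typing import Dict, Iterable

# Every Ethernet frame on the wire is preceded by an 8-byte preamble/start-of-frame
# delimiter and followed by a 12-byte inter-frame gap, so a 64-byte minimum frame
# occupies 84 byte-times of link capacity.
ETHERNET_OVERHEAD_BYTES = 8 + 12
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518
GIGABIT = 1_000_000_000  # line rate in bit/s

FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def link_frames_per_second(line_rate_bps: int, frame_bytes: int) -> float:
    """Maximum frames per second a link of the given rate can carry at one frame size."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError(f"frame size {frame_bytes} outside the standard Ethernet range")
    return line_rate_bps / ((frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8)


def achievable_bps(device_pps: int, line_rate_bps: int, frame_bytes: int) -> float:
    """Forwarding rate the device sustains at one frame size: the full line rate if its
    pps rating exceeds what the link can deliver, otherwise limited by the rating.
    Counted in wire bits so the result is directly comparable to the line rate."""
    link_pps = link_frames_per_second(line_rate_bps, frame_bytes)
    if device_pps >= link_pps:
        return float(line_rate_bps)
    return device_pps * (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8.0


def throughput_profile(device_pps: int, line_rate_bps: int = GIGABIT,
                       sizes: Iterable[int] = FRAME_SIZES) -> Dict[int, float]:
    """Achievable rate as a fraction of line rate, keyed by frame size."""
    return {size: achievable_bps(device_pps, line_rate_bps, size) / line_rate_bps
            for size in sizes}


def smallest_wire_speed_frame(device_pps: int, line_rate_bps: int = GIGABIT) -> int:
    """Smallest frame size in FRAME_SIZES at which the device still forwards at full
    line rate, or -1 if it never reaches line rate even with maximum-size frames."""
    for size in FRAME_SIZES:
        if device_pps >= link_frames_per_second(line_rate_bps, size):
            return size
    return -1


if __name__ == "__main__":
    RATING = 200_000  # hypothetical pps rating of the device under evaluation
    print(f"Device rated {RATING:,} pps on a 1 Gbit/s link:")
    for size, fraction in throughput_profile(RATING).items():
        mbps = fraction * GIGABIT / 1e6
        print(f"  {size:4d}-byte frames: {mbps:7.1f} Mbit/s ({fraction:.0%} of line rate)")
    print(f"Full line rate first reached at {smallest_wire_speed_frame(RATING)}-byte frames")
```

The point the numbers make is that a device which is honestly "1 Gbps" with 1518-byte frames forwards only about 134 Mbps of 64-byte frames at a 200,000 pps rating, because the link can carry nearly 1.5 million such frames per second. If your traffic is dominated by small packets (VoIP, DNS, many short HTTP transactions), the pps rating, not the Mbps figure, is the one that determines whether the firewall keeps up.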

Is the firewall operating system proprietary or general-purpose?

All hardware firewalls run on some sort of operating system. Many firewall systems (often referred to as "firewall gateways" or "multipurpose firewall devices") run on Linux or even a Windows operating system. However, the bulk of hardware firewall devices run on proprietary operating systems that the administrator cannot access directly. These operating systems are designed to be "hardened": they contain only the services the firewall needs, so there are fewer listening ports and less code for an attacker to target. For that reason a proprietary firewall operating system is generally considered more secure, although by no means infallible; a firewall is still software, so check how the vendor publishes security advisories and how patches are applied before you buy.

Answering these questions, combined with adherence to your organization's security policy, will help ensure that your network is as secure as possible.

Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.
This was last published in February 2006
