One of the first things you need to figure out is what type of firewall best suits your needs. There are six basic types of firewalls:
- Embedded firewalls
- Enterprise software-based firewalls
- Enterprise hardware-based firewalls
- SOHO software firewalls
- SOHO hardware firewalls
- Specialty firewalls
All of these firewall types typically offer stateful packet inspection or proxy capabilities. Stateful packet inspection and proxying are different techniques that firewalls use to decide what traffic to allow or deny into and out of your intranet. Stateful packet inspection firewalls learn and remember connection states and evaluate new traffic against prior connection history. Proxy firewalls create virtual connections on behalf of clients and can hide the internal client IP address, which makes it more difficult to discern the topology of the protected intranet.
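The difference between a plain packet filter and the stateful inspection described above, as an added example that is not from the original article: a toy Python filter that remembers outbound flows and admits only their replies, beside a stateless filter that has to leave every high port open. The intranet range, addresses and ports are constructed for the demo.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed intranet range for this example


@dataclass(frozen=True)
class Packet:
    proto: str  # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Plain packet filter with no memory: to let replies reach clients it
    has to permit every inbound packet aimed at an ephemeral (>=1024) port."""
    if is_internal(pkt.src):
        return "ALLOW"
    return "ALLOW" if pkt.dport >= 1024 else "DENY"


class StatefulFilter:
    """Stateful inspection: remember flows the intranet opened and admit an
    inbound packet only when it is the reverse of a remembered flow.
    The filter sits at the perimeter, so only intranet<->Internet traffic
    crosses it."""

    def __init__(self) -> None:
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound flows

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if reply_of in self.flows else "DENY"


def run_demo() -> dict:
    """Constructed traffic: an outbound HTTPS request, its reply, and an
    unsolicited inbound packet to the same client port. Returns both verdicts."""
    fw = StatefulFilter()
    request = Packet("TCP", "10.0.0.5", 51000, "203.0.113.9", 443)
    reply = Packet("TCP", "203.0.113.9", 443, "10.0.0.5", 51000)
    unsolicited = Packet("TCP", "198.51.100.7", 4444, "10.0.0.5", 51000)
    packets = (request, reply, unsolicited)
    return {"stateless": [stateless_decide(p) for p in packets],
            "stateful": [fw.decide(p) for p in packets]}
```

The stateless filter admits the unsolicited packet because it cannot tell a reply from a probe; the stateful filter denies it because no intranet host ever opened that flow.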
ENTERPRISE FIREWALL TYPES EXPLAINED
Embedded firewalls are firewalls built into either a router or a switch. Sometimes embedded firewalls come standard with certain routers, and other times you can purchase an add-on firewall module to install into a router or switch that you already have. Embedded firewalls are sometimes referred to as choke-point firewalls. Due to the wide variety of protocols used on the Internet, not all services are handled efficiently by embedded firewalls. Because embedded firewalls work at the IP level, they will not be able to protect your network from application-level exploits such as viruses, worms, and Trojan horse programs. In some cases, embedded firewalls might offer greater performance, but they typically offer fewer features for protecting your networks.
Software-based firewalls are software packages that you install on top of an existing operating system and hardware platform. If you have a server with an enterprise-class operating system available for use, purchasing a software-based firewall is a reasonable choice. Likewise, if you are a small organization and want to combine a firewall with another application server (such as your web server), adding a software-based firewall is reasonable. If you are a large organization, you will probably want to create a security perimeter network known as a DMZ (demilitarized zone) and will therefore probably want to separate your firewall from all other applications.
Hardware-based firewalls are the same thing as appliance firewalls. The entire firewall is bundled into a turnkey system and when you buy it, you get a hardware device that has the software already inside it.
Specialty firewalls are firewalls with a particular application focus. For example, some security servers have built-in firewall-type rules made specifically for content filtering or for securing messaging. MailMarshal and WebMarshal are good examples of firewall-type products with a messaging and content-filtering focus.
USERS, LOCATIONS, AND NUMBERS
A consideration that should be very high on your list is how many users you need to protect, and how many firewalls you will need. The number of users you are going to protect will determine whether you need an enterprise-class firewall or a SOHO (Small Office/Home Office) firewall. (You can certainly use an enterprise firewall, even for one user, but you might be paying a lot more than you need to, and might end up with features you will never use.)
Most SOHO firewalls can accommodate enough connection requests for up to 50 users. If you plan on protecting more than 50 users with your firewall, it's time to move up to an enterprise firewall. SOHO firewalls typically range in price from $30 to $500. The $30 firewalls are typically used for one person and one system. A $500 SOHO firewall is sufficient for a small field office of fewer than 50 people.
Firewalls are commonly used as VPN endpoints, and some firewalls offer VPN capabilities. VPNs allow you to use site-to-site encryption. A firewall acts like a roadblock and only lets certain traffic in and out, but once the traffic is out on the Internet, it is transported in cleartext and, with a sniffer, is viewable to the world. The only way to ensure privacy and data integrity is to use a VPN. If you decide you need a VPN, keep in mind that a VPN implies two endpoints. There is no point in getting a VPN if you don't have a second endpoint to connect it to, because a VPN does not work with only one endpoint.
VPNs send your data through an encrypted tunnel, keeping it private from the rest of the world. The encryption process requires additional processing power, and if you are setting up a VPN for a carrier-class network, you will likely want one that either comes bundled with a crypto accelerator or allows you to add one on. Crypto accelerators take slow VPNs and make them faster.
There are more things to know about firewalls than what I have discussed here, but hopefully this will be enough to get you going. Other features you might want to research are high availability, content filters, and the ability to support anti-virus features. Before you start talking to firewall vendors, make a list of questions that you want to ask each vendor. Ask all the vendors the same questions, and refine your list as you talk to more vendors. Be sure to ask them about their phone support packages, and whether support is included in the license fee. Good firewall phone support is key to helping you become comfortable and proficient at configuring your new security device.
Laura Taylor is the founder of Relevant Technologies, a provider of original information security content, research advisory services, and best practice IT management consulting services.