When it comes to network security, the firewall is your primary line of defense. Firewalls have undergone a major transition in the past few years. The first firewalls were simple, stateful packet-filtering hardware devices that provided security at the OSI model's network layer. This approach worked because in the mid- to late 1990s, most attacks took place in the network layer. In the 21st century, however, types of attacks have expanded to include sophisticated application-layer attacks. Why the transition from network- to application-layer attacks? As the famous bank robber Willie Sutton said, "Because that's where the money is."
While "script kiddies" and "click kiddies" entertained themselves with network-layer Denial of Service (DoS) attacks, more savvy hackers realized that compromising network services lets them steal and destroy data with nary a trace. They don't do it "just for fun," either—there's money to be made by stealing and destroying your data, then reselling it to the fastest or highest bidder, which might include the company from which the data was stolen. Consequently, the standards for network-level security have changed. Now, all network perimeters require both stateful packet and application-layer inspection. Packet inspection alone can't provide what we consider a due-diligence effort at providing adequate network-level security. (For more information about OSI model layers, see "Network Port Fundamentals, Part 1," page 5.)
In this two-part series, we'll look at popular firewall appliances and make recommendations based on the size of your organization, the level of security you require, and the cost of the solution. In Part 1, we look at solutions that are ideal for low-security small-to-midsized businesses (SMBs), and in Part 2, we'll examine solutions more geared toward high-security SMBs and enterprise branch offices.
Considering the Firewall Options
Today, we face a dizzying array of firewall options, ranging from the simple (and free) host-based Windows Firewall to high-performance, stateful packet-inspection firewalls that cost tens of thousands of dollars. How do you choose the one that's right for you? You have two primary considerations to keep in mind when you're pondering a firewall acquisition: security requirements and budgetary limitations.
Security requirements. Security requirements are a moving target. You have to balance network security best practices with users' data-access requirements, as well as limitations inherent in software that isn't built with host or network security in mind.
Another crucial concern in assessing security requirements is the regulatory environment in which the company exists. The Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley (GLB) Financial Services Modernization Act, the Sarbanes-Oxley Act of 2002, and other wide-sweeping (and sometimes difficult-to-understand) regulations mandate that you secure certain types of data from theft and alteration—from end to end. You also need a comprehensive audit trail that's robust enough so that the company can defend itself against debilitating civil lawsuits, in which the standard of proof required for the complainant to prevail is much lower than in criminal courts.
Budgetary limitations. Budgetary limitations separate what you'd like to do from what you can do. The primary limiting factor on the level of security you'll obtain is the amount of money you're willing or able to spend. A simple broadband stateful packet-inspection SOHO router isn't going to provide anywhere near the level of security you'll experience with an industrial-strength stateful packet and application-layer inspection firewall. In general, the more you pay for a firewall, the higher the level of security you'll obtain. You get the level of security you're willing to pay for—either in up-front hardware and software costs or in consultants' fees to manage nominal-cost hardware and software security solutions.
Solutions We Considered
The firewall marketplace is extremely large and diverse, so we couldn't consider every vendor in the marketplace. To bring some order to the chaos, we've selected a range of vendors that offer firewall appliances spanning the security and pricing gamut, from traditional stateful packet-inspection firewalls to blended stateful packet and application-firewall/universal threat management (UTM) devices. Vendors we considered in this discussion include Cisco Systems, Network Engines, Rimapp, SonicWall, and Symantec.
It's important to note that this two-part review of network firewall security options for businesses of various sizes and security requirements focuses on the level of security the firewall provides—not the devices' router characteristics or additional features. Many firewall vendors charge a premium for advanced routing capabilities that add nothing to the overall security that the firewall provides. For example, we didn't consider policy-based routing, quality of service, data-link layer transparency, and similar network-centric enhancements because they add little to the organization's overall security posture.
On the other hand, a few vendors' products include Web-caching capabilities, vastly enhancing the overall value of the purchase to your organization if you would otherwise have purchased a separate caching solution. This feature improves Web performance for users and might reduce bottom-line Internet bandwidth costs. Web-proxy capability can also improve security.
Explanation of Features
Let's walk through the features that we targeted in our examination of firewall appliances. For an understanding of the comparison tables in both Part 1 and Part 2 of this series, you'll need to refer to this list.
Price. The cost of a specific firewall product varies widely from reseller to reseller. The price quoted here includes the default feature set without add-ons that must be purchased separately. Add-ons can significantly increase the quoted price.
Stateful application-layer inspection. Stateful application-layer inspection exposes both the protocol headers and the application data to the firewall's application-layer inspection engine. Examples include deep application-layer inspection of HTTP headers and data, SMTP headers and data, and Instant Messaging (IM) protocol headers and data.
Application protocol validation. Application protocol validation (aka deep packet inspection) interrogates the application-layer protocol and confirms that it complies with Internet Engineering Task Force (IETF) standards for the protocol's command set. Examples include protocol validation for DNS, FTP, POP3, and SMTP. Application protocol validation doesn't statefully inspect all the data within the application-layer protocol.
Stateful packet inspection. Stateful packet inspection exposes network and transport layer headers to the firewall's packet-filtering inspection engine. Stateful packet inspection is a component of virtually every firewall on the market and at one time was the standard for firewall security.
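To make the difference between stateful packet inspection and application protocol validation concrete, here is an added illustration (example code written for this page, not any vendor's inspection engine): a stateful packet filter that sees only header fields, beside an SMTP validator that checks the payload against the RFC 5321 command set. The two sample flows, their addresses and the port-25 policy are constructed for the example.

```python
# Added illustration: a header-only stateful packet filter versus application
# protocol validation of the payload. Example code, not a product's engine.
import re

# Command verbs permitted by RFC 5321 (plus the STARTTLS and AUTH extensions).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
MAX_SMTP_LINE = 512  # RFC 5321 limit on a command line, CRLF included


def packet_filter_allows(pkt, state, allowed_ports=(25,)):
    """Stateful packet filter: decides on IP/TCP header fields only."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if key in state:                       # part of an already-established flow
        return True
    if pkt["syn"] and pkt["dport"] in allowed_ports:
        state.add(key)                     # new flow to a permitted port
        return True
    return False


def validate_smtp(payload: bytes):
    """Application protocol validation: is the payload well-formed SMTP?"""
    if not payload.endswith(b"\r\n"):
        return False, "command line not CRLF-terminated"
    for line in payload.split(b"\r\n")[:-1]:
        if len(line) + 2 > MAX_SMTP_LINE:
            return False, "command line exceeds 512 bytes"
        m = re.match(rb"([A-Za-z]+)(?: |$)", line)
        if not m or m.group(1).upper().decode() not in SMTP_VERBS:
            return False, f"not an SMTP command: {line[:20]!r}"
    return True, "ok"


def inspect(pkt, state):
    """Combined verdict: header check first, then payload validation."""
    if not packet_filter_allows(pkt, state):
        return "blocked by packet filter"
    ok, why = validate_smtp(pkt["payload"])
    return "allowed" if ok else f"blocked by protocol validation: {why}"


# Constructed sample flows: both go to TCP/25, so a packet filter treats them alike.
LEGIT = {"src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.9", "dport": 25,
         "syn": True, "payload": b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"}
NONCOMPLIANT = {"src": "10.0.0.5", "sport": 40002, "dst": "203.0.113.9", "dport": 25,
                "syn": True, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"}

if __name__ == "__main__":
    flows = set()
    for name, pkt in (("LEGIT", LEGIT), ("NONCOMPLIANT", NONCOMPLIANT)):
        print(name, "->", inspect(pkt, flows))
```

Both flows clear the packet filter; only the validator, which reads the payload, notices that the second one is not SMTP at all.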
Transparent Windows authentication. Transparent Windows authentication lets the firewall receive user credentials from the client OS without intervention. This functionality lets the firewall provide granular outbound access control based on user or group membership without challenging the user for credentials.
Logging of all Web and Winsock applications and usernames. Logging is the cornerstone of comprehensive reporting for regulatory compliance and effective cooperation with law enforcement. Logging Winsock applications and usernames lets the firewall record information about which application and user accessed resources while connected through the firewall.
Application-layer inspection through SSL tunnels. Application-layer inspection through Secure Sockets Layer (SSL) tunnels lets the firewall perform stateful application-layer inspection and protocol validation of communications within an encrypted SSL tunnel. Stateful packet-inspection-only firewalls can't inspect application-layer headers and data contained within encrypted SSL tunnels.
Microsoft Exchange Server support. Firewalls with integrated support for Exchange include technologies that enhance security for remote-access connections over the Internet to Exchange services, such as Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync, Secure Exchange RPC, and RPC over HTTP. This feature includes integrated support for two-factor authentication, such as that provided by RSA Security's RSA SecurID.
Application-layer inspection of VPN client and gateway traffic. Application-layer inspection of the VPN client and gateway connections lets the firewall perform both stateful packet and application-layer inspection of communications moving through a PPTP, Layer Two Tunneling Protocol (L2TP)/IPsec, or IPsec tunnel-mode connection. Application-layer inspection of communications over a VPN link prevents the spread of worms such as Blaster and Sasser. For example, Microsoft's ISA Server 2004 firewall forces remote procedure call (RPC) compliance and stops Blaster and related attacks.
Intrusion detection and prevention. Intrusion detection and prevention focuses on network and transport layer anomalies targeted at the firewall's TCP/IP stack. You can configure most Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) firewalls to alert the administrator without taking action, or alert the administrator and prevent the attack. In practice, most IDS/IPS firewalls prevent the intrusion as it's detected.
Remote-access VPN server and VPN gateway. A remote-access VPN server accepts VPN client connections from one host to connect that host to the corporate network. A VPN gateway connects entire networks to one another over a site-to-site VPN link.
Included VPN client. All traditional VPN remote-access client connections require client software. (Clientless SSL VPNs use the Web browser as the client.) Most firewalls support PPTP and L2TP/IPsec connections from the Microsoft VPN client built into Windows. Some firewalls require additional ("enhanced") VPN client software to support VPN client hygiene (security compliance checking) and proprietary Network Address Translation (NAT)-traversal IPsec protocols. This software might be included free, or you might have to purchase it at additional cost.
10/100 LAN ports. Multiple Ethernet ports on the firewall dedicated to LAN connections let the firewall create more physically segmented security zones. Some firewalls have multiple Ethernet ports but limit the number the firewall can use to interface with the Internet.
WAN ports. Some firewalls limit the number of Ethernet ports the firewall can use to directly interface with the Internet. Others let you use as many ports as you want.
Load balancing. Load balancing lets you configure multiple firewalls in parallel in an array and balance incoming and outgoing connections through the firewall array. Ideally, load balancing equally distributes connections among the firewall array members and improves overall performance on each firewall by preventing excess load on any one firewall.
Number of users. Some firewalls limit the number of users or IP addresses that can connect through the firewall. These firewalls are licensed for a specific number of users and generate alerts if the number of users exceeds the license restrictions.
Failover. Failover lets you set up two or more firewalls that can take over for firewalls that go offline. Failover capabilities vary from cold-standby to hot-standby to load-balanced arrays. Some failover routines are automatic, whereas others require administrator intervention.
ISP failover and bandwidth aggregation. Support for multiple ISPs is a crucial component for any organization that depends on Internet connectivity for normal business activity. Firewalls with ISP failover can use multiple ISPs to connect to the Internet and transparently fail over to a working line should one or more ISP links become unavailable. Bandwidth aggregation lets the firewall combine the throughput of multiple Internet links to speed connections to Internet resources.
Configuration. Most firewalls support Web-based SSL connections for some or all firewall configuration. Some firewalls support a command-line interface through a terminal session, and ISA Server-based firewalls support Federal Information Processing Standard (FIPS) encryption-compliant RDP connections.
Processor. This self-explanatory feature refers to the type and speed of the firewall's main processor.
Web caching and proxy. Some firewalls include a built-in Web caching server. Web caching can speed up Internet access for end users and can significantly reduce Internet-link bandwidth usage and associated link costs. The Web proxy component can significantly improve security because the proxy completely deconstructs, inspects, and reconstructs the HTTP messages moving through it.
As we mentioned at the start of this article, we're organizing this firewall discussion according to the security level that your environment requires. The first firewall type we want to discuss is for the low-security SMB. A low-security environment is one in which no proprietary data resides on the network, or in which business-critical data exists but the owner is unwilling or unable to pay for a network firewall that provides strong inbound and outbound access control, packet and application-layer inspection, and comprehensive logging of user and application activity.
Low-security networks are typically small businesses that have limited budgets. The LAN might connect to the Internet via broadband cable or DSL links, using what's referred to as a "broadband router" instead of the dedicated T-level and above lines more typical of larger organizations. These broadband routers are technically not routers, but instead are simple NAT devices. Most of these devices allow a handful of VPN connections using proprietary VPN client software.
The high-end price range for the low-security-environment firewall is about $500. If you manage a low-security network that doesn't bear the burden of regulatory oversight and you're severely cost-constrained, consider one of the offerings from Cisco, SonicWall, or Symantec—a comparison of which you can see in Table 1.
The three firewalls sport similar feature sets, capabilities, and levels of inbound security. Each provides stateful packet inspection on incoming connections from the Internet. These devices are low-powered and have significant constraints on the number of supported users. The firewall-licensing scheme that each vendor enforces, as well as hardware limitations, sets a limit on the number of connections.
More important, these firewalls offer no provisions for user- or group-based inbound or outbound access control. Each supports only rudimentary logging. And you'll find no stateful application-layer inspection. These exclusions are typical of low-cost firewall hardware.
Of these three, our pick is the SonicWall 170, a device that's simple to configure and almost runs by itself. The SonicWall 170 includes a modem interface, permitting it to fail over to an analog modem connection should the primary broadband connection become unavailable. In addition, the SonicWall 170 has one more LAN port than the other two devices have.
Network security is a crucial component of an organization's overall defense-in-depth strategy. Network firewalls are the key players in securing systems and data at multiple network perimeters. Low-security environments might be able to opt for one of the firewalls in Table 1 or comparable products, but higher-security environments will be more interested in the appliances we discuss in the upcoming Part 2 of this article.