Welcome back to our discussion of popular firewall appliances! In this two-part series, we're examining solutions and making recommendations based on the size of your organization, the level of security you require, and the cost of the solution. In "Firewall Appliances, Part 1," July 2005, InstantDoc ID 46588, we looked at solutions appropriate for low-security small-to-midsized businesses (SMBs). Now, in Part 2, we examine solutions more geared toward high-security SMBs and enterprise branch offices.
In contrast to low-security SMB environments, high-security SMB environments require a much higher level of firewall security. Higher security requirements are either mandated by law, necessitated by the nature of the business (e.g., a highly competitive industry that values the protection of trade secrets), or based on the business owner's willingness to spend the requisite funds to provide a good level of network protection at a reasonable price. High-security SMBs treat firewall security the same way they regard automobile insurance, errors and omissions (E&O) insurance, and health insurance. They're willing to pay the price up-front to prevent potential personal and business disasters.
High-Security Environment Concerns
For a listing and explanation of the basic features we targeted in our examination of firewall appliances, see Part 1 of this series. In addition to these features, high-security environments must address several further concerns when shopping for the right appliance:
Although some small businesses have high security requirements, those businesses are still small, and they probably don't have the IT budgets available to larger businesses or enterprise environments. Our experience with high-security SMBs suggests that the average company is willing to spend as much as $3000 for a security solution that will last 3 to 4 years. The amortized daily cost of the security investment—about $2 per day—is low compared with potential financial losses the business might incur if it were to choose a low-security solution.
Appliance Options
Table 1 shows a selection of available firewall devices that offer a reasonable level of network security to the high-security SMB. The SonicWALL Pro 3060 and Cisco Systems' Cisco PIX-515E-R-DMZ are traditional hardware firewalls. Network Engines' Microsoft ISA Server 2004-based NS6200 firewall and Symantec's SGS 5420 firewall represent appliances that are typically called "software" firewalls—they either run on general-purpose OSs or have hard disks, or both. The NS6200 represents a "third generation" of firewall because it combines a hardware firewall's stability and reliability with a software firewall's flexibility, security enhancements, and update agility to meet current security threats. The SGS 5420 lies somewhere in between: It doesn't run on a general-purpose OS, but it does use hard-disk storage.
From a network-security standpoint, the Network Engines and Symantec appliances are our top picks, beating out the traditional stateful-packet-inspection hardware firewalls. The key difference is the level of application-layer inspection these two devices provide, compared with the SonicWALL and Cisco devices.
Although you can use on-box or off-box application-layer inspection add-ons (e.g., antivirus checking, download filtering, mail filtering, pop-up blocking, spyware checking, Web filtering) to enhance all the firewalls in this class, these types of features add significantly to the cost of each of these devices. Such increases in cost might move them beyond the price point that high-security SMB owners can tolerate.
In the end, the Network Engines firewall takes the nod over the Symantec appliance because it has the following features that are crucial to high-security environments:
Even with high-cost application-layer inspection enhancements, none of the other firewalls in Table 1 provide the security features that the NS6200 provides.
Larger High-Security Environments
High-security mid-to-large-sized businesses and enterprise branch offices share similar security requirements. Similar to the high-security SMB, they require comprehensive stateful packet and application-layer inspection, comprehensive logging, and user/group-based access control through the firewall. The primary difference between the high-security large-business environment and the high-security SMB environment is that larger companies have far more generous IT budgets that align with their security requirements.
These offices don't need high-end, high-speed firewalls that cost $35,000, but they do need a high level of security. A single, successful application-layer attack can result in losses that number in the millions of dollars.
Determining how much money organizations in this class are willing to spend on network firewall protection is difficult. Some companies are extremely security conscious and are willing to spend more than $10,000 for exceptional packet and application-layer inspection firewalls. On the flip side, many midsized to large businesses that require high security balk at paying more than $2500 for this crucial piece of network-security infrastructure. In general, we've found that most organizations in this class are willing to spend between $5000 and $6000 for advanced firewall protection.
Table 2, page 9, shows a selection of firewalls typically deployed in larger high-security environments. The SonicWALL PRO 4060 and the Cisco PIX 515E-UR-FE-BUN are built on a traditional hardware-firewall foundation and provide similar levels of network security. Stateful packet inspection is the cornerstone of these security offerings, without requiring high-dollar add-ons. Both provide high network performance but lack load-balancing and failover capabilities, which are crucial for on-demand access to mission-critical data.
In contrast, RimApp's ISA Server 2004-based RoadBLOCK F302PLUS firewall appliance provides comprehensive application-layer inspection at a reasonable price. Web site filtering, antivirus checking for Internet downloads, and antispam email filtering are available out of the box. In addition, with the help of Rainfinity's RainWall and RainConnect, the RoadBLOCK appliance supports load balancing and failover for both the RoadBLOCK firewall devices and ISP links. The RoadBLOCK appliance supports all the high-security features we discussed earlier for reporting and logging, as well as strong user- and group-based access control for inbound and outbound connections through the firewall.
What's Right for You?
The higher-end network firewalls in this article provide excellent security and high performance for the midsized to large business. Key features leading to the smartest firewall decision are application-layer inspection and comprehensive logging and reporting of user and application access. High availability is also important to keep in mind when you're shopping for a firewall appliance.