Keep your network secure with WatchGuard's hybrid firewalls

In the market for a one-stop firewall shop? Look no further than WatchGuard and its Firebox line of firewall boxes. In this Daily Feature, Laura Taylor gives you the scoop on one of IT's best-kept secrets!


In an increasingly crowded firewall market, WatchGuard has nudged its way in and has gained significant respect among IT decision makers. With over 130 firewall products on the market, getting firewall market attention these days is not as easy as it used to be. This Daily Feature will introduce you to WatchGuard and the firewall technologies it produces.

A little history
Founded in 1996, the Seattle-based firewall pure-play has a comprehensive product line with something to offer every IT budget. The WatchGuard hybrid firewalls combine proxy services with stateful inspection and are based on an appliance architecture. WatchGuard was savvy enough to forecast the appliance trend in firewalls before it became obvious to many other firewall vendors. The firewall market has been significantly ramping up on turnkey appliance solutions for the last three years.

Originally, commercial off-the-shelf firewalls were software packages that were installed on top of everyday operating systems. Firewall appliances, like WatchGuard’s, bundle the software and hardware into one turnkey box. Appliance firewalls have many advantages over traditional firewalls: one-stop shopping, faster installation, and built-in high-availability. With built-in high-availability, it’s like getting two firewalls for the price of one. Firewalls that do not provide high-availability require that you purchase and install another piece of hardware, a second firewall package, and then a third add-on product to install on top of the firewall package. This complex installation can lead to the procurement of five products; it may work fine as far as security goes, but it will cost you more and take you longer to procure and implement.

Often, firewalls are installed as a result of a security incident and getting them up quickly is critical. The benefits of appliance firewalls are significant, and without any software-based firewalls in its lineup, WatchGuard, one of the few firewall appliance pure-plays, is betting the farm that firewall appliances are the wave of the future.

WatchGuard's hybrid firewall appliances, dubbed Fireboxes, have both stateful inspection and proxy service capabilities. Traditionally, firewall vendors offered either stateful inspection or proxy capabilities. Now, leading firewall vendors are offering both to stay competitive.

WatchGuard’s offerings
  • Firewall products: Firebox 4500, Firebox 2500, Firebox 1000, Firebox 700, Firebox SOHO
  • Product lines: WatchGuard for MSS, LiveSecurity, ControlCenter, SecuritySuite, Firebox System, ServerLock
  • Product and service scope: Firewall and VPN appliances and host-based security
  • Service lines: Customized security policies, 24-hour monitoring and management, rapid emergency response
  • Industry focus: Internet security, e-commerce security, LAN and WAN security, government security, small to medium size businesses, SOHOs
  • Key features: Automatic installation, automatic software updates, expanded reporting and analysis

Technology overview
Based on filtering packets at the network level, stateful packet inspection firewalls examine protocol packet header fields. The header fields include the source IP address, destination IP address, TCP/UDP source ports, and destination ports. The Firebox's stateful inspection architecture enables it to remember prior connection states and continuously update this information in dynamic connection tables. New transactions are evaluated against prior connection histories.
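To make the connection-table logic concrete, here is a small added example (not WatchGuard's code) of a stateful packet filter: it admits a new flow only when an internal host initiates it to a permitted destination port, records that flow's 5-tuple in a dynamic connection table, and evaluates every later packet against the table before consulting the policy. The internal prefix, addresses, ports and packet trace are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    # Header fields a stateful inspection engine examines (constructed model).
    src_ip: str
    dst_ip: str
    proto: str          # "TCP" or "UDP"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag: set only on a new connection attempt

class StatefulFilter:
    """Constructed example of a stateful packet filter (not a vendor implementation)."""
    def __init__(self, internal_prefix, allowed_dst_ports):
        self.internal_prefix = internal_prefix      # e.g. "10.0.0." marks inside hosts
        self.allowed_dst_ports = allowed_dst_ports  # outbound services permitted by policy
        self.table = set()                          # dynamic connection table of 5-tuples

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def evaluate(self, p):
        # A reply to a remembered flow has the 5-tuple reversed.
        reply = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if self._key(p) in self.table or reply in self.table:
            return "ALLOW:established"      # matches prior connection history
        if not p.src_ip.startswith(self.internal_prefix):
            return "DROP:unsolicited-inbound"  # nobody inside asked for this
        if p.dst_port not in self.allowed_dst_ports:
            return "DROP:policy"            # service not permitted outbound
        if p.proto == "TCP" and not p.syn:
            return "DROP:no-state"          # mid-stream packet with no table entry
        self.table.add(self._key(p))        # record the new flow for later packets
        return "ALLOW:new"

def run_demo():
    fw = StatefulFilter("10.0.0.", {53, 80, 443})
    trace = [  # constructed packets, in arrival order
        Packet("10.0.0.5", "203.0.113.10", "TCP", 40001, 443, syn=True),  # client opens HTTPS
        Packet("203.0.113.10", "10.0.0.5", "TCP", 443, 40001),            # server's reply
        Packet("198.51.100.7", "10.0.0.5", "TCP", 443, 40001),            # forged reply, wrong peer
        Packet("10.0.0.5", "203.0.113.10", "TCP", 40002, 23, syn=True),   # telnet, not in policy
        Packet("10.0.0.5", "203.0.113.10", "TCP", 40003, 443),            # no SYN, no prior state
        Packet("10.0.0.5", "203.0.113.53", "UDP", 5353, 53),              # DNS query
        Packet("203.0.113.53", "10.0.0.5", "UDP", 53, 5353),              # DNS answer
    ]
    return [fw.evaluate(p) for p in trace]
```

Run `run_demo()` to see the verdicts for the trace; a real engine would also age entries out of the table, which this model omits.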

The Firebox's proxy filtering service occurs at the application level and has the ability to hide the internal client IP address, concealing the network topology of the internal network from the outside world. With advanced content filters, the Fireboxes can block ActiveX and Java applets, both of which are prone to security vulnerabilities and exposures.

For organizations that need to deploy multiple firewalls, a Firebox management console is available that can manage an unlimited number of firewalls over links encrypted by DES or 3DES. Administrators can define the security policies on the management system and then apply these policies to all the firewalls in the organization from one system.

Product strengths
The Fireboxes are solid boxes that work as advertised. WatchGuard includes an information service called LiveSecurity Update with the purchase of every Firebox. The updating service includes information on new releases, enhancements, security advisories, and tutorials on various firewall and security topics. All the content may not be applicable in every customer scenario, but it is well written and is evidence that WatchGuard keeps up with the latest threats and makes an effort to add value to its firewall offerings.

Each Firebox can also be used as either a site-to-site VPN or a secure remote access VPN. WatchGuard has made sure to stick to the most important VPN standards; all Firebox models support both IPSec and 3DES. The new Firebox 4500 was designed to maximize VPN performance and has a potential throughput of 100 Mb/second.

A high-availability (HA) option is available for larger networks or managed service providers. With an HA solution, if your firewall stops working, a second firewall will kick in and continue protecting your network. For a small network, an HA option probably isn't necessary, but for bigger networks or networks where financial transactions or lives are at stake, an HA solution gives added assurance that your production systems will always be protected.

All the Fireboxes support network address translation (NAT), which is important if your network is running short on IP addresses. NAT helps convert private or illegal IP addresses into legal and public IP addresses. A side effect of NAT is that it hides the internal legal Internet addresses. (It should be noted that its original purpose was to accommodate networks that had run out of legal IP addresses.) The NAT used by the Fireboxes works in a one-to-many scenario; a single IP address can be rewritten to multiple IP addresses, which is useful for load balancing.

Something for everyone
The value small to medium-size businesses get from a WatchGuard firewall is hard to beat.
  • The Firebox SOHO unit accommodates up to 50 users. It supports DSL, ISDN, and cable access, and includes a secure remote-access client. These small boxes go for $449, a cost of less than $9 per user.
  • The Firebox II, operating at 200 MHz and housing 65 MB of RAM, accommodates up to 1,000 users and is ideal for small offices with branch offices and mobile users. A Firebox II can be purchased for $4,990, which brings the per user price to just under $5.
  • For offices that need connections for 5,000 users, the Firebox II Plus is a better choice. It operates at 366 MHz, can house up to 256 MB of RAM, and supports 330 VPN branch connections. This box can be purchased for $9,990, bringing the per user price to less than $2.
  • The all-new Firebox III 2500 can serve up to 5,000 users using a 500-MHz processor and 128 MB of RAM. This box can also support 330 VPN branch connections and operates at packet filter speed. It sells for $7,490, so the per user price for this speedy security appliance is less than $1.50 per user.
  • If you need the functionality of the Firebox III 2500 but want to speed up your VPN connections, you'll want the Firebox III 4500, which has a built-in crypto accelerator and operates at 500 MHz with 256 MB of RAM. Operating at packet filter speed, this box accommodates 330 VPN branch connections and, at $9,990, delivers fast VPN service for just under $2 per user.
  • Lastly, the HA add-on is available for all but the SOHO box, for $1,995. Purchasing the HA option is akin to getting a second firewall.

Room for improvement
The Fireboxes do not support enterprise single sign-on, and their logging capabilities could be more verbose. A bigger concern, though, is the fact that after adding or changing a firewall rule, the Firebox administrator must reboot the system for the new rule to take effect. Because of this design, firewall changes require advance planning and reboots typically need to be done during off-hours. According to WatchGuard, it is working on enhancing the Fireboxes so that a reboot after making a rule change is not necessary.

Enterprise configurations for mobile users using the Firebox management console are difficult; each Firebox must be updated individually, which doesn't scale well in large organizations.

UNIX shops might not like the fact that the management console runs only on Microsoft operating systems, although the Fireboxes do support the Syslog format and can be configured to log to any operating system.

Conclusion
With WatchGuard’s complete product line, IT departments can start with the minimal Firebox required for their organization and grow into a larger, more powerful box without having to retrain on a new firewall platform. The protection and value your organization will get from the sturdy Firebox will be well worth the investment.
