10 things to look for in a hardware-based firewall

The firewall you choose can have a major impact on your organization's security and productivity. Here are 10 factors you don't want to overlook.

Firewalls play a critical role in protecting an organization's network from a never-ending list of Internet-borne threats. Firewall selection also often determines how easily remote locations connect to centralized systems to access essential resources or to complete important tasks. When you choose a hardware-based firewall, consider these 10 factors to ensure that your business maximizes its investment, security, and productivity.

1: Trusted security

Numerous vendors market unified threat management devices. Business models vary: some network security devices include a broad range of features and services at premium prices, while others include only essential services at a lower cost.

Be sure to select a well-recognized and trusted platform. Barracuda, Cisco, SonicWALL, and WatchGuard are among the brands that have carved out market share, and they've earned it for good reason: They deliver trusted security. Whichever brand you select, confirm that the firewall carries ICSA certification, the industry standard for packet inspection.

2: Approachability

Global multinational enterprises typically require excessive security controls, but even those organizations that need tremendous protection don't have to limit themselves to equipment that can be configured only from the command line. Many firewall models deliver tight security and offer GUI-friendly administration.

The benefits are several. GUIs help prevent installation mistakes. GUIs make it easier to diagnose and correct failures. GUIs make it easier to train staff and implement changes, upgrades, and replacements.

When selecting a hardware-based firewall, consider the benefits of approachability. The easier a platform is to administer, the easier it will be to locate professionals capable of installing, maintaining, and troubleshooting the platform.

3: VPN support

A firewall's purpose isn't just to keep hackers and unauthorized traffic out of the network. A good firewall also establishes and monitors secure channels, enabling remote connectivity. Look for a hardware-based firewall that supports both SSL- and IPSec-protected VPN connections from similar devices (for point-to-point or site-to-site VPNs), as well as secure connections from traveling employees.

4: Capacity

Firewalls, due to their network role, typically serve as an organization's Internet gateway. Smaller offices may leverage a firewall in a dual capacity, to serve as both a security device and as a network switch. Larger organizations, meanwhile, usually just drop the firewall into a larger architecture in which the firewall's only role is to filter traffic.

Confirm that a firewall can manage assigned loads. This means ensuring that it has the appropriate number of Ethernet ports and the appropriate speeds (10Mbps/100Mbps and/or 1000Mbps, if necessary). But there's more. Ensure that the firewall you select and/or maintain has the CPU capacity necessary to perform packet inspection, gateway security services, and routing functions.

Pay close attention to the manufacturer's recommendations for maximum node support. Exceed a router's capacity and you'll experience errors, flat-out traffic denials due to lack of licenses, and/or unacceptable performance.

5: Technical support

Hardware fails. Worse, just because a device is new and fresh from the factory doesn't mean it will work properly. Check that 24x7 technical support is available and implement technical support contracts with the firewall's manufacturer.

Before purchasing, call a manufacturer's technical support team and ask configuration and deployment questions. The speed and accuracy of the responses you receive will reveal much about the service you will receive when the unit fails in the field.

6: Secure wireless

Even if an organization doesn't believe it's needed, consider hardware-based firewalls that include wireless network features. IT staff can deploy the units with the wireless service disabled. The costs of adding WLAN functionality to a new purchase are incremental, yet when guest access or network flexibility is required, secure wireless connectivity is just a few clicks away (and an entirely new router need not be purchased). And as an organization's needs change, the WLAN functionality may prove necessary.

7: Gateway security services

Many organizations successfully reduce costs by centralizing virus, spyware, and spam protection on their firewall. When comparing firewall capabilities and determining total cost of ownership, factor in the cost savings that can result if you deploy these services on the firewall device, versus a traditional domain controller or other server.

8: Content filtering

While many IT departments are migrating to OpenDNS for content filtering purposes, some firewall manufacturers offer Web filtering subscriptions. The benefit is that all the network services associated with a business, from gateway security services to content filtering, can be consolidated on a single device. The drawback is that you have to pay for the privilege.

When reviewing potential hardware-based firewall solutions, consider your organization's needs and budget. Determine whether content filtering should be administered from the firewall. If the answer is yes, select a firewall that supports reliable, proven content filtering.

9: Advanced monitoring and reporting

Firewalls manage critical network tasks. Repeatedly throughout just one business day, a single router can block thousands of intrusion attempts, detect consolidated attacks, and log failing or failed network connections. But this information is helpful to network administrators only if it's available in a readily accessible format.

Look for firewalls that not only monitor important events, but that also log this data in compatible formats. A good firewall should generate email alerts, too, at least for critical events.

10: Failover

Some organizations require WAN failover, or redundant Internet connections with automatic fault detection and correction. Many firewall models don't have support for automatic failover. If that feature is critical to your organization, confirm that the model you select includes seamless failover; don't assume high-end firewalls include such functionality by default.

In addition, make sure the model you select supports the failover methods your organization will use. For example, a unit possessing two RJ-45 WAN Ethernet ports will do no good if the second connection is to run off a cellular card. In such cases, appropriate integrated USB support for GSM cards or adapters may be required.


Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...
