Security

10 things to look for in a hardware-based firewall

The firewall you choose can have a major impact on your organization's security and productivity. Here are 10 factors you don't want to overlook.

Firewalls play a critical role in protecting an organization's network from a never-ending list of Internet-borne threats. Firewall selection also often determines how easily remote locations connect to centralized systems to access essential resources or to complete important tasks. When you choose a hardware-based firewall, consider these 10 factors to ensure that your business maximizes its investment, security, and productivity.

Note: This article is also available as a PDF download.

1: Trusted security

Numerous entities market unified threat management devices. With a variety of business models, some network security devices include a broad range of features and services at premium prices, while others include only essential services but for lower cost.

Be sure to select a well-recognized and trusted platform. Barracuda, Cisco, SonicWALL, and WatchGuard are among the brands that have carved out market share, and they've earned that market share for good reason: They deliver trusted security. Whichever brand you select, confirm that the firewall is ICSA certified, the industry standard for packet inspection.

2: Approachability

Global multinational enterprises typically require extensive security controls, but even organizations that need tremendous protection don't have to limit themselves to equipment configured only from the command line. Many firewall models deliver tight security and offer GUI-friendly administration.

The benefits are several. GUIs help prevent installation mistakes. GUIs make it easier to diagnose and correct failures. GUIs make it easier to train staff and implement changes, upgrades, and replacement.

When selecting a hardware-based firewall, consider the benefits of approachability. The easier a platform is to administer, the easier it will be to locate professionals capable of installing, maintaining, and troubleshooting the platform.

3: VPN support

A firewall's purpose isn't just to keep hackers and unauthorized traffic out of the network. A good firewall also establishes and monitors secure channels, enabling remote connectivity. Look for a hardware-based firewall that supports both SSL- and IPsec-protected VPN connections from similar devices (for point-to-point or site-to-site VPNs), as well as secure connections from traveling employees.

4: Capacity

Firewalls, due to their network role, typically serve as an organization's Internet gateway. Smaller offices may leverage a firewall in a dual capacity, to serve as both a security device and as a network switch. Larger organizations, meanwhile, usually just drop the firewall into a larger architecture in which the firewall's only role is to filter traffic.

Confirm that a firewall can manage assigned loads. This means ensuring that it has the appropriate number of Ethernet ports and the appropriate speeds (10Mbps/100Mbps and/or 1000Mbps, if necessary). But there's more. Ensure that the firewall you select and/or maintain has the CPU capacity necessary to perform packet inspection, gateway security services, and routing functions.

Pay close attention to the manufacturer's recommendations for maximum node support. Exceed a router's capacity and you'll experience errors, flat-out traffic denials due to lack of licenses, and/or unacceptable performance.

5: Technical support

Hardware fails. Worse, just because a device is new and fresh from the factory doesn't mean it will work properly. Check that 24x7 technical support is available and implement technical support contracts with the firewall's manufacturer.

Before purchasing, call a manufacturer's technical support team and ask configuration and deployment questions. The speed and accuracy of the responses you receive will reveal much about the service you will receive when the unit fails in the field.

6: Secure wireless

Even if an organization doesn't believe it's needed, consider hardware-based firewalls that include wireless network features. IT staff can deploy the units with the wireless service disabled. The costs of adding WLAN functionality to a new purchase are incremental, yet when guest access or network flexibility is required, secure wireless connectivity is just a few clicks away (and an entirely new router need not be purchased). And as an organization's needs change, the WLAN functionality may prove necessary.

7: Gateway security services

Many organizations successfully reduce costs by centralizing virus, spyware, and spam protection on their firewall. When comparing firewall capabilities and determining total costs of ownership, factor the cost savings that can result if you deploy these services on the firewall device, versus a traditional domain controller or other server.

8: Content filtering

While many IT departments are migrating to OpenDNS for content filtering purposes, some firewall manufacturers offer Web filtering subscriptions. The benefit is that all the network services associated with a business, from gateway security services to content filtering, can be consolidated on a single device. The drawback is that you have to pay for the privilege.

When reviewing potential hardware-based firewall solutions, consider your organization's needs and budget. Determine whether content filtering should be administered from the firewall. If the answer is yes, select a firewall that supports reliable, proven content filtering.

9: Advanced monitoring and reporting

Firewalls manage critical network tasks. In a single business day, one router can block thousands of intrusion attempts, detect consolidated attacks, and log failing or failed network connections. But this information is helpful to network administrators only if it's available in a readily accessible format.

Look for firewalls that not only monitor important events, but that also log this data in compatible formats. A good firewall should generate email alerts, too, at least for critical events.
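As an added illustration of why logs in a consistent, machine-readable format matter (this is example code, not from the article or any vendor), the script below parses a constructed set of key=value firewall syslog lines, counts blocked connections per source, and builds the email body for critical events: anything the device itself marks critical plus any source denied at or above a threshold. The log format, hostnames, addresses and the threshold are all assumptions.

```python
import shlex
from collections import Counter

# Constructed sample: generic key=value firewall syslog lines (not a specific vendor's format).
FW_LOGS = """\
2010-03-01T09:12:01Z fw1 action=deny proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=22 msg="Intrusion attempt"
2010-03-01T09:12:02Z fw1 action=deny proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=23 msg="Intrusion attempt"
2010-03-01T09:12:03Z fw1 action=allow proto=tcp src=192.0.2.50 dst=198.51.100.4 dport=443 msg="Outbound web"
2010-03-01T09:12:04Z fw1 action=deny proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=3389 msg="Intrusion attempt"
2010-03-01T09:12:05Z fw1 action=alert severity=critical msg="WAN1 link down, failover to WAN2"
2010-03-01T09:12:06Z fw1 action=deny proto=udp src=198.51.100.9 dst=192.0.2.10 dport=161 msg="Blocked SNMP"
"""

def parse_line(line):
    """Split 'timestamp host k=v k="quoted v" ...' into a dict; shlex keeps quoted values whole."""
    tokens = shlex.split(line)
    event = {"ts": tokens[0], "host": tokens[1]}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        event[key] = value
    return event

def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def denies_by_source(events):
    """Count blocked connections per source address: the 'thousands of intrusion attempts' view."""
    return Counter(e["src"] for e in events if e.get("action") == "deny")

def critical_alerts(events, threshold=3):
    """Events that merit an email: device-flagged critical events, then sources denied >= threshold times."""
    alerts = [f"{e['ts']} {e['host']}: {e['msg']}" for e in events if e.get("severity") == "critical"]
    for src, n in denies_by_source(events).items():
        if n >= threshold:
            alerts.append(f"{src} blocked {n} times (threshold {threshold})")
    return alerts

def alert_email(alerts, host="fw1"):
    """Render the message body a firewall or log collector would hand to an SMTP relay (assumed hostname)."""
    body = "\n".join(f"- {a}" for a in alerts)
    return f"Subject: [{host}] {len(alerts)} critical firewall event(s)\n\n{body}\n"

if __name__ == "__main__":
    print(alert_email(critical_alerts(load_events(FW_LOGS))))
```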

10: Failover

Some organizations require WAN failover, or redundant Internet connections with automatic fault detection and correction. Many firewall models don't have support for automatic failover. If that feature is critical to your organization, confirm that the model you select includes seamless failover; don't assume high-end firewalls include such functionality by default.

In addition, make sure the model you select supports the failover methods your organization will use. For example, a unit possessing two RJ-45 WAN Ethernet ports will do no good if the second connection is to run off a cellular card. In such cases, appropriate integrated USB support for GSM cards or adapters may be required.


About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

13 comments
kiroshima_sylvia_250

The initiative taken for the concern is very serious and needs the attention of everyone. This is the concern which exists in the society and needs to be eliminated from the society as soon as possible. I subscribe to Insider Score, and that is correct: there has been scant insider buying. Insider Score's market-wide buying indicator tracks very closely my sentiment indicators. ========================= Serve Technology

chrisflusche

I don't see Check Point listed, and it should be. Check Point products protect the networks of all Fortune 100 companies. They make a great firewall / UTM product called Check Point UTM-1 Edge. This is an excellent product for small and medium-sized businesses. I've been using them for almost ten years, and they just keep getting better. Yes, it costs a little more than some of the other options, but the difference is worth the cost.

ederkley

This is probably more an issue for the smaller consumer-level router/firewall devices but could be easily overlooked when developing specifications.

me19562

Look for Common Criteria EAL4+ Protection Profile certified products, and also research, analyze and understand all the optional features, support services and licensing options before buying.

dfirewall

First, do not limit yourself to hardware-based firewalls, assuming you mean a UTM appliance. There are several build-your-own firewalls. For example: GTA GB-Ware is ICSA certified and has the same feature set as top-end firewalls. Astaro has a build-your-own version with many appliance features. Untangle has build-your-own. The list goes on....... With one of these software firewalls you can build a firewall with a hardware specification which will match any sold by a large manufacturer. Most of these have a hardened OS as well. Another advantage is in software such as GTA's GB-Ware: it is designed to grow with hardware. Hardware becomes EOL, while software versions allow you to move to different platforms. Options - look out for the SonicWALL and Cisco response: "Oh, for that option you need to upgrade the OS," and they end up charging more money to get the service you really need. I hate being nickel-and-dimed. Charge me all up front. Warranties - let me tell you, I was SHOCKED to find out my ASA 5505 had a 90-day warranty. My Xbox 360 has a longer warranty (which I needed).

cmatthews

Sorry for a first post to be slanted this way, but true HBFs have not been in use for over a decade. "Hardware" plants the idea that a box cannot be compromised because there's no software inside. Indeed, all routers have an OS inside (surprise to many, it's usually Linux or a compact variant thereof), and one of the great questions to ask is this: Will my manufacturer axe the support for my firmware after just 12, 24 or 36 months? (Firmware is software stored in the flash ROM inside these mini headless PCs we call firewalls and/or routers.) Chances are, if "the box" we buy is an established model and we buy it on sale, it will soon be succeeded and support for the software (ahem, sorry, firmware) will die within 24 months. I don't buy cars that way either - many feel the same. At the expense of 30-50% more power consumption than the mentioned brands, some of us prefer to retrofit P3 systems with SUSE-Shorewall, Smoothwall or IPCop (depending on the user level and amount of time required for learning..). In the end, the firewall is cheap (almost free) and it's repairable, but with higher power consumption (10 cents vs. 5 cents a day). This however is a good basic list - though I don't see that anyone has added anything.. Another thing to mention is the ability to drop certain IP ranges, blocking IM, limiting bandwidth per client and outbound port blocking. BTW, I've done content filtering using free Smoothwall (DansGuardian or URLfilter.net) in 20 auto dealerships for over 7 years. To try your hand at it, Google 3 words: "Smoothwall homebrew mods" for extra SourceForge add-ons to add just about any feature you like. A P3-450 and 256-512 MB is usually enough and any hard disk will do. We mustn't feel bad retiring some old dime-box routers either - they still have some use - if you disable DHCP, you can use them as merely a switch - Cheers!

cmatthews

Chris, on that 100% thing... There needs to be some clarity. They bought ZoneLabs, I think in 2004, and thereafter those marketing types have been running that line into the ground. (The CP logo's been around since ZoneAlarm 7.0.) Yeah, it's good stuff (we used them at BMO), but just because some teleworkers use a piece of their vast line of products doesn't mean the entire F-100 uses their UTM..

The 'G-Man.'

Should read "dedicated firewall device" as opposed to "hardware firewall."

dfirewall

Right, Cisco ASA, GTA's GB-Ware, Astaro are all dedicated devices.

kmdennis

Look for FortiGate! They are not that easy to configure but are very good when properly configured. There is also ZyWALL, which is not that easy to configure either. As soon as I finish my degree, I will learn some more programming and write some kind of GUI that is easy to understand and configure. It should not be that difficult.