The firewall is the first line of defence into the network and the growth of the internet has made these devices more important than ever.
Recent years have seen an evolution of the product past the simple packet filtering stage of old. Now, all firewalls are based on stateful inspection engines - a technology invented by Check Point to track sessions. This is important when using technology such as FTP. It may have a well-defined port, 21, but this is only used to set up a connection. File transfers are negotiated to run on a higher port number.
Stateful inspection engines can see an FTP conversation in process and open up a higher port. Packet filtering firewalls can't see the transaction in process, so either all of the high ports have to be left open or FTP will fail.
The importance of firewalls has also shifted so that devices aren't just on the edge. It's now common to firewall network segments from each other. After all, you want to make sure your finance server is protected from all attacks, including internal ones.
The biggest change that this has made is that firewalls will now carry more ports than before. It also means that for internal use they must have faster firewall engines to keep up.
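The FTP case above is the classic illustration of why session state matters, so here is a small teaching model of it. This is an added example, not code from the article or from any of the vendors reviewed; it models only active-mode FTP (the PORT command), uses constructed addresses from the RFC 5737 documentation ranges, and works on plain packet tuples rather than real sockets. A stateless filter and a stateful engine are run over the same packets so the difference in verdicts is visible.

```python
"""Simplified stateful-inspection engine with an FTP helper (teaching model).

Added example, not from the article or any reviewed product. A packet filter
judges each packet alone; a stateful engine remembers sessions and learns the
data port announced on the FTP control channel (port 21), opening it on demand.
Addresses and packets below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

FTP_CTRL_PORT = 21
# Active-mode FTP: client sends "PORT h1,h2,h3,h4,p1,p2"; the server then
# connects back from port 20 to h1.h2.h3.h4 on port p1*256+p2.
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.I)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    """New sessions are allowed only towards listed (host, port) services;
    replies and announced FTP data connections are then permitted by state."""
    allowed_services: set
    sessions: set = field(default_factory=set)   # (client, cport, server, sport)
    expected: set = field(default_factory=set)   # (server, client, data_port)

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            self._learn_ftp(pkt)
            return "ESTABLISHED"
        if pkt.syn and (pkt.dst, pkt.dport) in self.allowed_services:
            self.sessions.add(fwd)
            return "NEW"
        # Server connecting back for a data transfer: only if a PORT command
        # seen on a tracked control session announced exactly this target.
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and key in self.expected:
            self.expected.discard(key)
            self.sessions.add(fwd)
            return "RELATED"
        return "DROP"

    def _learn_ftp(self, pkt: Packet) -> None:
        if pkt.dport != FTP_CTRL_PORT:
            return
        m = PORT_CMD.match(pkt.payload)
        if m:
            host = ".".join(m.group(i).decode() for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            # Accept only a data target equal to the client itself, so the
            # control channel cannot be used to open a hole towards a third host.
            if host == pkt.src:
                self.expected.add((pkt.dst, pkt.src, port))


def packet_filter(pkt: Packet, allowed_services: set) -> str:
    """Stateless comparison: the server's data connection to a high port is
    just an unexpected inbound SYN, so it is dropped unless high ports are open."""
    return "ACCEPT" if (pkt.dst, pkt.dport) in allowed_services else "DROP"


def demo_ftp_session():
    """Walk one active-mode transfer through both engines; returns the verdicts."""
    services = {("192.0.2.10", FTP_CTRL_PORT)}      # constructed FTP server
    fw = StatefulFirewall(allowed_services=services)
    client, server = "198.51.100.7", "192.0.2.10"   # constructed hosts
    ctrl_syn = Packet(client, 40001, server, 21, syn=True)
    # Client announces data port 40002 (156*256 + 66).
    port_cmd = Packet(client, 40001, server, 21,
                      payload=b"PORT 198,51,100,7,156,66\r\n")
    data_syn = Packet(server, 20, client, 40002, syn=True)
    stray_syn = Packet(server, 20, client, 40003, syn=True)  # never announced
    return {
        "stateful": [fw.inspect(p) for p in (ctrl_syn, port_cmd, data_syn, stray_syn)],
        "packet_filter": [packet_filter(p, services) for p in (ctrl_syn, data_syn)],
    }


if __name__ == "__main__":
    print(demo_ftp_session())
```

The stateless filter accepts the control connection but drops the server's data connection, which is exactly the choice the text describes: open every high port or let FTP fail. The stateful engine opens only the single port the client announced, and drops a connection to any other high port even from the same server.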
For this test we shipped in six of the best firewall appliances on the market to look at. The range of devices tested runs from firewalls marketed at small office to those aimed at the major enterprise. However, missing from the test are Nokia and Cisco. Nokia pulled out of the test at the last minute, and Cisco sent a product, but it arrived too late for inclusion.
We tested the units with a Spirent Communications (www.spirentcom.com) SmartBits SMB6000 chassis using Fast Ethernet copper ports. Using the WebSuite software, we measured the performance of each firewall by the number of sessions per second it could handle.
WebSuite builds a session by requesting a server connection from a specific port. By incrementing the requesting port, the software can request 65,500 sessions from one IP address. To get the maximum number of sessions, we attempted to build all 65,500 at 500 sessions per second. If the firewall made all connections, then we added a further 65,500 connections from a different IP address.
To stress test we built 10,000 sessions over 50 IP addresses (200 sessions each) and ramped from 1,000 to 10,000 sessions per second. This shows the point where the firewalls started to drop connections.
Reviews
Check Point Firewall-1 NG
NetScreen 208
Cisco PIX 525
SonicWall Pro-300
Symantec VelociRaptor
WatchGuard FireBox 4500
The Business Case
As the internet and web sites have become more important, so have firewalls. From a finance point of view they may seem superfluous, but there's more to them than this.
By filtering all traffic in and out of the corporate network, the firewall can cut out a lot of attacks at the front line. A properly configured firewall will defend internal services that don't need to be externally visible.
When the cost of repairing a breach is considered, then a firewall suddenly doesn't seem like an expensive choice.
A lot of the products on review here will also perform attack mitigation. When a denial of service attack comes in, the firewall can block the packets. This keeps the network running, with potentially huge savings.
A firewall-free network is completely exposed to the outside world. This makes security harder, as every computer has to be watched and updated to prevent a breach.
Firewalls block access to services that don't need to run externally, and give that extra layer of confidence.
While it's easy to see a firewall as an edge device, there's also the internal case to consider. Most attacks come from inside the company.
If the firewall is just at the edge, the internal network is completely exposed to all internal users. For financial and email servers, there are monetary and legal issues surrounding a security breach.
In this case firewalls should also be installed inside the network. Departments can then be logically separated from each other. This will cut down on internal attacks and provide additional logging material to help deal with malicious users.
Since only some departments need to interact with a given server directly, this restricts server access to the people who actually need it.
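To make the internal-segmentation argument concrete, the following added example (not code from the article or from any reviewed product) models a default-deny policy between department segments, with an explicit allow list for the servers each department needs, and shows the second benefit the text mentions: denied internal flows are logged, and the log can be summarised per source host so that one machine probing several servers stands out. Segment ranges, server addresses and flows are all constructed for the example.

```python
"""Internal segmentation policy: default deny between segments, logged denials.

Added example, not from the article or any reviewed product. Department
segments may reach only the servers listed for them; every other
cross-segment flow is denied and logged, and the log is summarised per
source host. All addresses and flows are constructed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed segment plan.
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "sales":   ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.100.0.0/24"),
}
FINANCE_SERVER = ipaddress.ip_address("10.100.0.5")
MAIL_SERVER = ipaddress.ip_address("10.100.0.25")


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_host: ipaddress.IPv4Address
    dport: int


# Explicit allow list; anything cross-segment that is not listed is denied.
ALLOW = [
    Rule("finance", FINANCE_SERVER, 443),   # finance application over HTTPS
    Rule("finance", MAIL_SERVER, 143),      # IMAP
    Rule("sales", MAIL_SERVER, 143),
]


def segment_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def decide(src: str, dst: str, dport: int) -> str:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_seg, dst_seg = segment_of(s), segment_of(d)
    if src_seg is None or dst_seg is None:
        return "DENY"            # unknown address space is never trusted
    if src_seg == dst_seg:
        return "ALLOW"           # traffic inside one segment does not cross the firewall
    for r in ALLOW:
        if r.src_segment == src_seg and r.dst_host == d and r.dport == dport:
            return "ALLOW"
    return "DENY"


def process(flows):
    """Return (verdicts, log lines) for a list of (src, dst, dport) flows."""
    verdicts, log = [], []
    for src, dst, dport in flows:
        v = decide(src, dst, dport)
        verdicts.append(v)
        if v == "DENY":
            seg = segment_of(ipaddress.ip_address(src))
            log.append(f"DENY src={src} seg={seg} dst={dst}:{dport}")
    return verdicts, log


def denied_per_source(log):
    """Count denials by source host: one host hitting several servers or ports
    is the pattern an administrator would follow up on."""
    return Counter(line.split("src=")[1].split()[0] for line in log)


# Constructed sample flows: a finance workstation, and a sales workstation
# that tries the finance server on several ports.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.100.0.5", 443),
    ("10.20.0.31", "10.100.0.5", 443),
    ("10.20.0.31", "10.100.0.25", 143),
    ("10.20.0.31", "10.100.0.5", 22),
    ("10.20.0.31", "10.100.0.5", 3389),
    ("10.10.0.15", "10.10.0.40", 445),
    ("10.10.0.15", "10.100.0.25", 25),
]


def demo():
    verdicts, log = process(SAMPLE_FLOWS)
    return verdicts, log, denied_per_source(log)


if __name__ == "__main__":
    verdicts, log, summary = demo()
    print(verdicts)
    print("\n".join(log))
    print(dict(summary))
```

With only an edge firewall none of these internal flows would be seen at all; with the segment policy the sales host's repeated attempts on the finance server are denied and leave three log entries against one source, which is the kind of material the text says helps deal with malicious users.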