Users, Locations, and Numbers

A consideration that should be very high on your list is how many users you need to protect, and how many firewalls you will need. The number of users you are going to protect will determine whether you need an enterprise-class firewall or a SOHO firewall. (You can certainly use an enterprise firewall, even for one user, but you might be paying a lot more than you need to pay, and might end up with features you will never use.)

Most SOHO firewalls can accommodate enough connection requests for up to 50 users. If you plan on protecting more than 50 users with your firewall, it's time to move up to an enterprise firewall. SOHO firewalls typically range in price from $30 to $500. The $30 firewalls are typically used for one person, one system. A $500 SOHO firewall is sufficient for a small field office of less than 50 people.

Enterprise firewalls, typically ranging in price from $500 to $20,000, are commonly used in organizations that require multiple firewalls that need to be managed from one location. This means that enterprise firewalls need to be able to communicate with some sort of central management console. Most vendors who make enterprise firewalls offer a central management console as an option.

Alternatively, there is a young and growing security market segment of Security Information Management (SIM) devices that can essentially be used as third-party management consoles. Both netForensics and e-Security make third-party SIMs that can integrate with various leading enterprise firewalls.

Depending on how you architect your security perimeter network, and how much money you are able to spend, one robust firewall on your perimeter may be sufficient for your organization's needs. The important thing is to ask the vendors you are interviewing how many users each firewall can support. Most reputable firewall vendors rate their firewalls for a certain range of user connections. Typically, the more users you need to support, the more RAM and processing power you will need in your firewall.

A sizing guideline that will apply to most reputable firewall vendors is found in Table 1. Note that the RAM listed in Table 1 is what the firewall itself requires. If you have other applications running on your firewall system, you will have to budget this amount of RAM on top of what those other applications require.

Number of Users  | RAM Needed by Firewall | Processing Power | # of Offices | Packet Filter Throughput | Price Range
-----------------|------------------------|------------------|--------------|--------------------------|--------------------------
Under 50 (SOHO)  | Less than 10 MB        | ~66 MHz          | 1            | Less than 10 Mbps        | Less than $500.00
51-1000          | 65 MB                  | ~200 MHz         | 2-299        | Less than 100 Mbps       | Approximately $5,000.00
1001-5000        | 128 MB                 | ~500 MHz         | 300          | Less than 200 Mbps       | Approximately $10,000.00
Over 5000        | 256 MB                 | ~500 MHz +       | Over 300     | Over 200 Mbps            | Approximately $20,000.00

Table 1: Guidelines for firewall sizing

If you plan on pumping streaming media through your firewall, or plan on using a VPN, both of these applications can benefit from more processing power and more RAM.

The Trade-Offs

Software firewalls offer more flexibility than appliance firewalls, because you can choose what hardware platform you want to run the firewall on. However, deciding which hardware platform and operating system to build your firewall on is sometimes a decision that information technology managers and engineers do not have time to make. If the attitude of "I don't care what type of hardware platform the firewall runs on as long as it works" appeals to you, then an appliance firewall might be preferable. With an appliance firewall, you get a complete turnkey firewall bundled into one box. Because there are fewer procurement decisions to make, and everything comes pre-packaged as much as possible, getting an appliance firewall up and running is usually much faster than getting a software firewall up and running.