Shopping for an enterprise firewall can be intimidating if you've never done it before. However, with a little background knowledge, an understanding of firewall features, and knowing what questions to ask the vendors, you'll end up with just the right firewall for your organization.

Types of Firewalls

One of the first things you need to figure out is what type of firewall best suits your needs.

There are six basic types of firewalls:

- embedded firewalls
- enterprise software-based firewalls
- enterprise hardware-based firewalls
- SOHO software firewalls
- SOHO hardware firewalls
- specialty firewalls

All of these firewall types typically offer stateful packet inspection or proxy capabilities. Stateful packet inspection and proxying are different techniques that firewalls use to decide which traffic to allow or deny into and out of your intranet. In the early days of firewall development, most firewalls offered one or the other of these traffic-passing architectures; today, leading firewalls with hybrid architectures offer both techniques to secure your intranet traffic.

Stateful packet inspection firewalls examine protocol packet header fields, while proxy firewalls filter services at the application level. Stateful packet inspection firewalls learn and remember connection states and evaluate new traffic against prior connection history. Proxy firewalls are able to create virtual connections and can hide the internal client IP address, making it more difficult to discern the topology of the protected intranet.

Firewall Types Explained

Embedded firewalls are firewalls that are embedded into either a router or a switch. Sometimes embedded firewalls come standard with certain routers, and other times you can purchase an add-on firewall module to install into a router or switch that you already have. Embedded firewalls are sometimes referred to as choke-point firewalls.

Due to the wide variety of protocols used on the Internet, not all services are handled efficiently by embedded firewalls. Because embedded firewalls work at the IP level, they will not be able to protect your network from application-level exploits such as viruses, worms, and Trojan horse programs. In some cases, embedded firewalls might offer greater performance, but they typically offer fewer features for protecting your networks. Embedded firewalls are often stateless in nature, and pass packets without consideration of prior connection states.
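To make the difference between the stateful inspection described above and the stateless filtering of many embedded firewalls concrete, here is a small simulation added as an example (it is not code from the article or from any vendor product). The network prefix, addresses and packet trace are constructed for illustration; the stateless filter stands in for a static ACL that admits inbound packets with the ACK bit set so that replies can get through, while the stateful filter admits an inbound packet only if it matches a connection previously opened from inside.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed protected intranet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Static ACL in the style of a stateless embedded filter: outbound traffic
    is permitted, inbound traffic is permitted only when it looks like a reply
    (ACK set). It keeps no memory, so any inbound packet carrying ACK gets in."""

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            return "allow"
        return "allow" if "ACK" in pkt.flags else "deny"


class StatefulFilter:
    """Stateful packet inspection: remembers connections opened from inside and
    admits an inbound packet only if it belongs to a remembered connection."""

    def __init__(self):
        self.connections = set()  # (client, client_port, server, server_port)

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            if "SYN" in pkt.flags:  # new outbound connection: record it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: reply?
        return "allow" if reverse in self.connections else "deny"


def run_trace(fw, packets):
    return [fw.decide(p) for p in packets]


# Constructed sample trace (not captured traffic)
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"})),        # client opens
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 445, frozenset({"ACK"})),          # unsolicited
]

if __name__ == "__main__":
    print("stateless:", run_trace(StatelessFilter(), TRACE))
    print("stateful: ", run_trace(StatefulFilter(), TRACE))
```

The stateless filter admits all three packets, including the unsolicited one; the stateful filter denies the third because no inside host ever opened that connection.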

Software-based firewalls are software packages that you install on top of an existing operating system and hardware platform. If you have a server with an enterprise-class operating system available for use, purchasing a software-based firewall is a reasonable choice. Likewise, if you are a small organization and want to combine a firewall with another application server (such as your web site server), adding a software-based firewall is reasonable. If you are a large organization, you will probably want to create a security perimeter network known as a DMZ (demilitarized zone) and will therefore probably want to separate your firewall from all other applications. Software-based firewalls come in both small office/home office (SOHO) models and enterprise models.

Hardware-based firewalls are the same thing as appliance firewalls. The entire firewall is bundled into a turnkey system and when you buy it, you get a hardware device that has the software already inside it. Hardware-based firewalls, or appliance firewalls, also come in both SOHO and enterprise models.

Specialty firewalls are firewalls with a particular application focus. For example, some security servers have built-in firewall-type rules made specifically for filtering content or for securing messaging. MailMarshal and WebMarshal are good examples of firewall-type products with a messaging and content-filtering focus. A product that is not marketed as a firewall, but offers firewall-type rules and application lockdown features, is OKENA's StormWatch. As security technologies become more advanced, product segments sometimes start to blur, and you need to understand what a product actually does rather than rely on its vendor-marketed product definition.