Feb 23 2007

Finding the Perfect Firewall

Before you buy, make sure you know what you want to keep out — and let in.

Ask yourself one question: “Am I feeling lucky?” Well, are you? You’re going to need luck if you entrust your business data to the kindness of strangers across the Internet.

All you need to do is plop a professional-grade firewall between you and the world. But is it really that simple? Before you rush ahead, examine the full scope of your needs, explore your choices and understand a product’s limitations — as well as its featured functions.

Needs Assessment

At my company, we recently switched our firewall to better handle several other network changes and upgrades. I would love for you to learn from my experience, rather than repeat what I consider a painful process. If I could do it all over again, I would. And this time, I would take my own advice and not accept the advice of subject-matter experts at face value. “In the multitude of counselors, there is safety,” I remember thinking. Every vendor told me to choose the same product, and I followed those recommendations only to learn afterward that they didn’t fully know the product’s limitations.

All data entering or leaving your company will pass through the firewall. It can keep out unwanted intruders but also hamper critical connectivity. For example, your firewall may interfere with links to your Web site (whether hosted locally or not), access to other Web sites, remote virtual private network users, wide area network connections, Internet updates and Voice over Internet Protocol telephone calls. It may also interact with server certificates, Web e-mail, handheld device connections and Domain Name System requests.

To make sure you understand what you want your future firewall to keep out, thoroughly catalog and prioritize all your needs. There may not be a system within your price range that meets all of your diverse needs, and ultimately some things may need to be left out or more money must be budgeted. But there is another dark and insidious requirement to plan for: maintaining VPN services.

Once a VPN is available, users expect it to work at all times from all locations, yet not all firewalls will accept a connection from the built-in Microsoft Windows client. Additionally, some firewalls on the remote end will block VPN connections altogether. Meanwhile, your remote users may instinctively seek out locations around the globe where a VPN connection is nearly impossible and then call in asking that you remedy the situation.

VPNs factor heavily into modern firewalls. VPN client software generally uses one of four available protocols to connect to your business across the Internet, encrypting all communications so the data is as safe as possible. Two major problems persist, however.

The first occurs when a remote user is in a location behind a firewall outside of your control, such as an airport, hotel or Internet café. These firewalls tend to allow only Web traffic (HTTP and HTTPS) through, which is fine for most people, but they often block the protocols most VPN clients need to connect. There is only one solution: a VPN client that can work over HTTPS. Such firewall products will cost more.

The second problem arises if your firewall works only with its own VPN client, as opposed to the built-in Windows client, and perhaps the company does not offer a client for you. This is a problem — especially for devices running Windows Mobile. Take it from me: If your company depends on connectivity from anything other than Windows XP Professional, have the vendor certify that you will be able to connect to their product. (Cisco Systems went one better and had their engineers test my setup to my specifications before offering me a price.)

Even so, when I upgraded my company’s firewall recently, I neglected to insist upon connectivity for Windows Mobile. Shortly thereafter, this became a critical feature. My final choice does not support clients running it, nor does the vendor expect to do so in the foreseeable future. This is quite frustrating.

The Choices

Three popular firewall options include SonicWall’s Pro 2040 Standard, Cisco’s Adaptive Security Appliance 5510 and WatchGuard’s Firebox X 550e. Cisco offers a Secure Sockets Layer VPN option.

All three products filter at the network layer, opening and closing ports like any router, but each also performs stateful filtering, which works at the transport layer and checks every packet against the connections already in progress. A packet arriving for a host that did not request it gets rejected. This type of stateful inspection also lets the systems administrator block all traffic to or from a particular address.

At the application layer, these products also inspect entering and departing packets for inconsistencies and patterns that indicate problems, such as a potential network attack.
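As an added illustration (not code from the article or from any of the vendors named), the following model shows the two behaviours described above: a stateful filter that rejects any inbound packet no inside host asked for, and a hotel-style firewall that lets only Web ports out, so that of the usual VPN protocols only one running over port 443 gets through. Packet fields, addresses and the class names are constructed for the example; the VPN port numbers are the standard IANA assignments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    syn: bool = False  # True for a TCP connection request (start of a new flow)

class StatefulFilter:
    """Admits new outbound TCP flows only on permitted ports and admits inbound
    packets only when they belong to a flow an inside host already started."""
    def __init__(self, inside_prefix, allowed_outbound_tcp_ports):
        self.inside = inside_prefix
        self.allowed = set(allowed_outbound_tcp_ports)
        self.table = set()  # established flows: (src, sport, dst, dport, proto)

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            return "ALLOW"  # packet of a flow the inside host requested
        if (pkt.src.startswith(self.inside) and pkt.proto == "tcp"
                and pkt.syn and pkt.dport in self.allowed):
            self.table.add(key)  # remember the new outbound connection
            return "ALLOW"
        return "DROP"  # unsolicited inbound, or outbound on a port not allowed

def hotel_scenario():
    """A hotel-style firewall that only lets Web ports out: which VPN types pass?
    Addresses are constructed (RFC 5737 documentation ranges)."""
    fw = StatefulFilter("10.0.0.", allowed_outbound_tcp_ports={80, 443})
    laptop, gateway = "10.0.0.7", "203.0.113.5"
    attempts = {  # first packet each VPN client would send (standard IANA ports)
        "pptp": Packet(laptop, 50000, gateway, 1723, "tcp", syn=True),
        "ipsec_ike": Packet(laptop, 500, gateway, 500, "udp"),
        "l2tp": Packet(laptop, 50001, gateway, 1701, "udp"),
        "ssl_vpn": Packet(laptop, 50002, gateway, 443, "tcp", syn=True),
    }
    verdicts = {name: fw.process(p) for name, p in attempts.items()}
    # The gateway's reply matches the remembered SSL VPN flow, so it is admitted...
    verdicts["ssl_vpn_reply"] = fw.process(Packet(gateway, 443, laptop, 50002, "tcp"))
    # ...but a packet nobody inside asked for is rejected, even on port 443.
    verdicts["unsolicited"] = fw.process(Packet("198.51.100.9", 443, laptop, 50003, "tcp"))
    return verdicts
```

Running `hotel_scenario()` shows PPTP, IPsec and L2TP dropped at the first packet while the port-443 client and its reply are admitted, which is exactly why the article recommends an HTTPS-capable VPN client for travelling users.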

Three Firewalls Side by Side

| Feature                        | SonicWall Pro 2040 Standard | Cisco ASA 5510              | WatchGuard Firebox X 550e |
|--------------------------------|-----------------------------|-----------------------------|---------------------------|
| Allows VPN connections         | Yes                         | Yes                         | Yes                       |
| VPN client                     | Concurrent                  | Concurrent                  | Concurrent                |
| Hardware warranty              | 1 year                      | 90 days; extended options   | 1 year                    |
| Ethernet ports available       | WAN, LAN, DMZ, optional     | WAN, LAN, DMZ, optional     | WAN, LAN, DMZ, optional   |
| Application layer filtering    | Yes                         | Yes                         | Yes                       |
| Supports Windows Mobile clients | No                         | Yes                         | Yes                       |
| Standard price                 | $1,500+                     | $1,200+                     | $1,900+                   |
| Ease of use                    | Easy to moderate            | Moderate                    | Moderate to difficult     |

All three of these choices are powerful and will certainly get the job done. Factor in yearly renewal costs to determine total cost of ownership.

CEO Takeaway

As with any product selection, do thorough homework before making any decisions. How can anyone tell you if their device will do all that you need if you don’t even know what you need?

• Pay attention to the facts, not vendor hype.
• Layer your security solutions. All the firewall power in the universe cannot protect mobile users who aren’t behind it. Don’t forget about them. A professional firewall coupled with firewall software for all mobile devices is a necessary part of modern business.
• Do not skimp on budget. It’s hard to buy too much firewall, but it can be bad to buy too little.

Jeremy Dotson is a LAN administrator for Tronair (www.tronair.com), a manufacturer of aircraft ground support equipment in Holland, Ohio.