Finding the Perfect Firewall
Ask yourself one question: “Am I feeling lucky?” Well, are you? You’re going to need luck if you entrust your business data to the kindness of strangers across the Internet.
All you need to do is plop a professional-grade firewall between you and the world. But is it really that simple? Before you rush ahead, examine the full scope of your needs, explore your choices and understand a product’s limitations — as well as its featured functions.
At my company, we recently switched our firewall to better handle several other network changes and upgrades. I would love for you to learn from my experience, rather than repeat what I consider a painful process. If I could do it all over again, I would. And this time, I would take my own advice and not accept the advice of subject-matter experts at face value. “In the multitude of counselors, there is safety,” I remember thinking. Every vendor told me to choose the same product, and I followed those recommendations only to learn afterward that they didn’t fully know the product’s limitations.
All data entering or leaving your company will pass through the firewall. It can keep out unwanted intruders but also hamper critical connectivity. For example, your firewall may interfere with links to your Web site (whether hosted locally or not), access to other Web sites, remote virtual private network users, wide area network connections, Internet updates and Voice over Internet Protocol telephone calls. It may also interact with server certificates, Web e-mail, handheld device connections and Domain Name System requests.
To make sure you understand what you want your future firewall to keep out, thoroughly catalog and prioritize all your needs. There may not be a system within your price range that meets all of your diverse needs, and ultimately some things may need to be left out or more money must be budgeted. But there is another dark and insidious reason to do this homework: maintaining VPN services.
Once a VPN is available, users expect it to work at all times from all locations, yet not all firewalls will accept a connection from the built-in Microsoft Windows client. Additionally, some firewalls on the remote end will block VPN connections altogether. Meanwhile, your remote users may instinctively seek out locations around the globe where a VPN connection is nearly impossible and then call in asking that you remedy the situation.
VPNs factor heavily into modern firewalls. VPN client software generally uses one of four available protocols to connect to your business across the Internet, encrypting all communications so the data is as safe as possible. Two major problems persist, however.
The first occurs when a remote user is in a location behind a firewall outside of your control, such as an airport, hotel or Internet café. These firewalls tend to let Web traffic (HTTP and HTTPS) through freely, which is great for most people, but they often block the protocols you need to connect with most VPN clients. There is only one solution: a VPN client that can work over HTTPS. Firewall products that offer such a client will cost more.
The second problem arises if your firewall works only with its own VPN client, as opposed to the built-in Windows client, and perhaps the company does not offer a client for you. This is a problem — especially for devices running Windows Mobile. Take it from me: If your company depends on connectivity from anything other than Windows XP Professional, have the vendor certify that you will be able to connect to their product. (Cisco Systems went one better and had their engineers test my setup to my specifications before offering me a price.)
Even so, when I upgraded my company’s firewall recently, I neglected to insist upon connectivity for Windows Mobile. Shortly thereafter, this became a critical feature. My final choice does not support clients running it, nor does the vendor expect to do so in the foreseeable future. This is quite frustrating.
Three popular firewall options include SonicWall’s Pro 2040 Standard, Cisco’s Adaptive Security Appliance 5510 and WatchGuard’s Firebox X 550e. Cisco offers a Secure Sockets Layer VPN option.
All three products inspect the network layer, opening and closing ports like any router, but they also each perform stateful filtering, which works at the transport layer and inspects packets for their intended destination. If that destination did not request that particular packet, it gets rejected. This type of stateful inspection lets the systems administrator block any information to or from a particular address.
At the application layer, these products also inspect entering and departing packets for inconsistencies and patterns that indicate problems, such as potential network attacks.
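The two inspection levels described above (a stateful filter that rejects inbound packets no inside host asked for, and an application-layer check for traffic that does not match the protocol expected on a port) can be shown in miniature. The following is an added example written for this article, not code from any of the three vendors; the address ranges, ports and payloads are constructed, and the application-layer rule (a reply on port 80 must look like an HTTP response) is a deliberately simple stand-in for the pattern matching a real appliance performs.

```python
"""Toy stateful firewall with a connection-tracking table and a minimal
application-layer check. Illustrative only; not a vendor implementation.
All addresses, ports and payloads below are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # TCP SYN flag: a connection attempt
    ack: bool = False        # TCP ACK flag: part of an existing exchange
    payload: bytes = b""


class StatefulFirewall:
    """Admit outbound connections from the inside network, remember them,
    and admit inbound packets only when they belong to a remembered flow."""

    def __init__(self, inside_prefix: str, blocked: set[str] = frozenset()):
        self.inside_prefix = inside_prefix
        self.blocked = set(blocked)                      # per-address block list
        # Tracked flows keyed as (inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def _app_layer_ok(self, pkt: Packet) -> bool:
        # Toy application-layer inspection: a reply from remote port 80 that
        # carries data must look like an HTTP response. Anything else is an
        # inconsistency between the port and the protocol actually in use.
        if pkt.sport == 80 and pkt.payload:
            return pkt.payload.startswith(b"HTTP/1.")
        return True

    def check(self, pkt: Packet) -> str:
        if pkt.src in self.blocked or pkt.dst in self.blocked:
            return "DROP (blocked address)"
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:                  # new outbound connection
                self.flows.add(key)
                return "ACCEPT (new outbound flow)"
            if key in self.flows:
                return "ACCEPT (established)"
            return "DROP (outbound packet without a flow)"
        if not self._inside(pkt.dst):
            return "DROP (not our traffic)"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # look up the flow the inside host opened
        if key not in self.flows:
            return "DROP (unsolicited inbound)"
        if not self._app_layer_ok(pkt):
            return "DROP (application-layer mismatch)"
        return "ACCEPT (reply to tracked flow)"


def run_demo() -> list[str]:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFirewall("10.0.0.", blocked={"203.0.113.9"})
    inside, web, blocked_host = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    packets = [
        Packet(inside, 40000, web, 80, syn=True),                                  # outbound SYN
        Packet(web, 80, inside, 40000, syn=True, ack=True),                         # SYN-ACK for that flow
        Packet(web, 80, inside, 40000, ack=True, payload=b"HTTP/1.1 200 OK\r\n"),   # HTTP response
        Packet(web, 80, inside, 40001, syn=True, ack=True),                         # port nobody opened
        Packet(web, 80, inside, 40000, ack=True, payload=b"\x16\x03\x01\x00\x05"),  # non-HTTP bytes on 80 (constructed)
        Packet(blocked_host, 4444, inside, 40000),                                  # source on the block list
        Packet("192.0.2.1", 22, inside, 22, syn=True),                              # inbound SYN with no state
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point the table of flows makes is the one the article describes: the SYN-ACK and the HTTP response on port 40000 are admitted because the inside host opened that flow, while the identical-looking packet aimed at port 40001 is dropped, and a per-address block (the `blocked` set) is checked before any state is consulted.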
Three Firewalls Side by Side
| | SonicWall Pro 2040 Standard | Cisco ASA 5510 | WatchGuard Firebox X 550e |
|---|---|---|---|
| Allows VPN connections | Yes | Yes | Yes |
| VPN types | IPSec, L2TP, PPTP | IPSec, L2TP, PPTP, SSL | IPSec, PPTP |
| Hardware warranty | 1 year | 90 days; extended options | 1 year |
| Ethernet ports available | WAN, LAN, DMZ, optional | WAN, LAN, DMZ, optional | WAN, LAN, DMZ, optional |
| Application layer filtering | Yes | Yes | Yes |
| Supports Windows Mobile clients | No | Yes | Yes |
| Ease of use | Easy to moderate | Moderate | Moderate to difficult |
All three of these choices are powerful and will certainly get the job done. Factor in yearly renewal costs to determine total cost of ownership.
Does your company use Windows Mobile 5?
| Share of respondents | Response |
|---|---|
| 27% | Yes, but only for some users |
| 1% | Yes, for all users |
Source: CDW poll of 281 BizTech readers