Tactical Advice

Finding the Perfect Firewall

Before you buy, make sure you know what you want to keep out — and let in.
This story appears in the March 2007 issue of BizTech Magazine.

Ask yourself one question: “Am I feeling lucky?” Well, are you? You’re going to need luck if you entrust your business data to the kindness of strangers across the Internet.

All you need to do is plop a professional-grade firewall between you and the world. But is it really that simple? Before you rush ahead, examine the full scope of your needs, explore your choices and understand a product’s limitations — as well as its featured functions.

Needs Assessment

At my company, we recently switched our firewall to better handle several other network changes and upgrades. I would love for you to learn from my experience, rather than repeat what I consider a painful process. If I could do it all over again, I would. And this time, I would take my own advice and not accept the advice of subject-matter experts at face value. “In the multitude of counselors, there is safety,” I remember thinking. Every vendor told me to choose the same product, and I followed those recommendations only to learn afterward that they didn’t fully know the product’s limitations.

All data entering or leaving your company will pass through the firewall. It can keep out unwanted intruders but also hamper critical connectivity. For example, your firewall may interfere with links to your Web site (if hosted locally or not), access to other Web sites, remote virtual private network users, wide area network connections, Internet updates and Voice over Internet Protocol telephone calls. It may also interact with server certificates, Web e-mail, handheld device connections and Domain Name System requests.

To make sure you understand what you want your future firewall to keep out, thoroughly catalog and prioritize all your needs. There may not be a system within your price range that meets all of your diverse needs, and ultimately some things may need to be left out or more money must be budgeted. But there is another dark and insidious reason: maintaining VPN services.

Once a VPN is available, users expect it to work at all times from all locations, yet not all firewalls will accept a connection from the built-in Microsoft Windows client. Additionally, some firewalls on the remote end will block VPN connections altogether. Meanwhile, your remote users may instinctively seek out locations around the globe where a VPN connection is nearly impossible and then call in asking that you remedy the situation.

VPNs factor heavily into modern firewalls. VPN client software generally uses one of four available protocols to connect to your business across the Internet, encrypting all communications so the data is as safe as possible. Two major problems persist, however.

The first occurs when a remote user is in a location behind a firewall outside of your control, such as an airport, hotel or Internet café. These firewalls tend to allow all IP traffic (http and https), which is great for most people, but they often block the protocols you need to connect with most VPN clients. There is only one solution: a VPN client that can work using https. Such firewall products will cost more.

The second problem arises if your firewall works only with its own VPN client, as opposed to the built-in Windows client, and perhaps the company does not offer a client for you. This is a problem — especially for devices running Windows Mobile. Take it from me: If your company depends on connectivity from anything other than Windows XP Professional, have the vendor certify that you will be able to connect to their product. (Cisco Systems went one better and had their engineers test my setup to my specifications before offering me a price.)

Even so, when I upgraded my company’s firewall recently, I neglected to insist upon connectivity for Windows Mobile. Shortly thereafter, this became a critical feature. My final choice does not support clients running it, nor does the vendor expect to do so in the foreseeable future. This is quite frustrating.

The Choices

Three popular firewall options include SonicWall’s Pro 2040 Standard, Cisco’s Adaptive Security Appliance 5510 and WatchGuard’s Firebox X 550e. Cisco offers a Secure Sockets Layer VPN option.

All three products inspect the network layer, opening and closing ports like any router, but they also each perform stateful filtering, which works at the transport layer and inspects packets for their intended destination. If that destination did not request that particular packet, it gets rejected. This type of stateful inspection lets the systems administrator block any information to or from a particular address.

At the application layer, these products also will inspect entering and departing packets for inconsistencies and patterns in the application layer, which would indicate problems, such as potential network attacks.

Three Firewalls Side by Side

  SonicWall Pro2040 Standard Cisco ASA 5510 WatchGuard Firebox X 550e
Allows VPN connections Yes Yes Yes
VPN types IPSec, L2TP, PPTP IPSec, L2TP, PPTP, SSL IPSec, PPTP
VPN client Concurrent Concurrent Concurrent
Hardware warranty 1 year 90 days; extended options 1 year
Ethernet ports available WAN, LAN, DMZ, optional WAN, LAN, DMZ, optional WAN, LAN, DMZ, optional
Application layer filtering Yes Yes Yes
Supports Windows mobile clients No Yes Yes
Standard price $1,500+ $1,200+ $1,900+
Ease of use Easy to moderate Moderate Moderate to difficult

All three of these choices are powerful and will certainly get the job done. Factor in yearly renewal costs to determine total cost of ownership.

CEO Takeaway
As with any product selection, do thorough homework before making any decisions. How can anyone tell you if their device will do all that you need if you don’t even know what you need?

• Pay attention to the facts, not vendor hype.
• Layer your security solutions. All the firewall power in the universe cannot protect mobile users who aren’t behind it. Don’t forget about them. A professional firewall coupled with firewall software for all mobile devices is a necessary part of modern business.
• Do not skimp on budget. It’s hard to buy too much firewall, but it can be bad to buy too little.
Jeremy Dotson is a LAN administrator for Tronair (www.tronair.com), a manufacturer of aircraft ground support equipment in Holland, Ohio.
Sign up for our e-newsletter

Security

Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.