A firewall is the most important piece of equipment protecting your entire network, and many criteria differ depending on the model and supplier. Certain features are included on some firewalls, and not others. Many suppliers try to get your attention with what initially appears to be a very low purchase investment; however, when you upgrade to get all the features you want, the total price becomes much higher.
How do you choose a firewall with the right combination of value, security level, scalability, and support for your size of organization?
Here are the main factors to consider. Many of the terms have links to Wikipedia definitions for further information on each of the criteria and features considered. For further information, or to book a demo with our NetSentron experts at KDI to find out if it is right for you, contact our sales team.
Sizing
Criteria | Considerations | Small Organizations | Medium Org’s & Enterprises |
---|---|---|---|
# IP Addresses to Protect | Licensing? (Yes or No) * Unlimited or Limited number of licensed devices * All products have performance limits | Upgradable? Consider Growth Needs | Upgradable? Consider Growth Needs |
# Concurrent Connections | Number varies by Firewall model | Upgradable? Consider Growth Needs | Upgradable? Consider Growth Needs |
Performance (Throughput, VPN, UTM/Filtering) | * Check firewall’s specs for each function * Throughput includes ALL traffic through all ports * Consider # of users, type of media, Web servers, link speed * UTM performance can be much lower than stateful performance | Upgradable? Consider Growth Needs | Upgradable? Consider Growth Needs |
Configuration (# Ports, LAN, DMZ, WAN) | Check if ports are FIXED function or CONFIGURABLE, and if sufficient # provided | ICSA | ICSA, Common Criteria EAL4+ |
Type of VPN Access | * IPSEC most commonly supported * PPTP supported by some firewalls only * SSL/VPNs usually a separate product, but some firewalls include SSL access for small # of users | PPTP or IPSEC may be good enough depending on the security level required. Firewall + SSL/VPN may be sufficient for a small number of users. | IPSEC is the more secure option. May have to buy separate SSL/VPN product for optimal performance for some firewalls. |
Security Level
Criteria | Considerations | Small Organizations | Medium Org’s & Enterprises |
---|---|---|---|
Certifications/Compliance | * ICSA is the basic certification level * Common Criteria (EAL4+) is desirable | ICSA | ICSA, Common Criteria EAL4+ |
CERT Advisories (Vulnerabilities found) | Vendors whose products have few vulnerabilities, and patch (fix) them quickly are desirable | Fewest number possible, quickly fixed by vendor patch downloads | NO vulnerabilities desirable, any found quickly resolved by vendor |
Protection Architecture | * Stateful Firewall is the basic business requirement * Stateful and Proxy firewall can provide additional protection for internal networks * Look for Secure OS, robust design, and good reputation * IPS (signature based) is sufficient * Layer 7 Unified Threat Management is another great option * Evaluate the quality and types of content filtering in UTM | Minimum: Stateful- or Proxy-based Layer 7 Antivirus and IPS. Desired: Complete UTM | Minimum: Stateful- + Proxy-based complete UTM + IPS + Anomaly Protection |
Reliability, Redundancy & Support
Criteria | Considerations | Small Organizations | Medium Org’s & Enterprises |
---|---|---|---|
Redundant Architecture | Mission Critical firewalls need some or all of these features: * Dual power supply * RAID Disk or Solid State * WAN Failover and balancing * High Availability (unit-to-unit) failover (2 units). High Availability can be Active-Active or Active-Passive | Desired: WAN failover required for Mission Critical installations | Required |
Support | Choose appropriate support level from: * 8 hours / 5 days a week * 24 hours / 7 days a week | Minimum: 8/5. Desired: 24/7 if Mission Critical | 24/7 |
Warranty & Response Time | Choose appropriate level to guarantee business continuity from: * 1 or 3 year warranty is typical * Depot service (mail-in) = slowest * Next Business Day Onsite = next best * 4 Hour Onsite = best | Minimum: 1 yr. warranty. Desired: Next business day onsite | Minimum: 3 yr. warranty & next business day. Desired: 3+ yr. warranty & 4 hour onsite |
Management & Reporting
Criteria | Considerations | Small Organizations | Medium Org’s & Enterprises |
---|---|---|---|
* Network Management tools and logs * Bandwidth monitoring * Traffic shaping * Basic logs and reporting | Balance number of tools with administrator skill level. May be critical with high number of PCs on network | Basic reporting | Enterprise-level tools and reporting required |
Pricing
Criteria | Considerations | Small Organizations | Medium Org’s & Enterprises |
---|---|---|---|
* Initial Purchase Price for appliance * Additional subscriptions for Gateway, Security etc. * Support, Warranty & Repair fees * Installation fee | Choose an appliance that will grow with you. Choose a vendor who can provide you with other IT solutions. | Find balance between short term costs, security exposure, and growth support | Focus on longer term potential risk of loss of assets/income |
Find out how NetSentron’s features meet your Firewall needs.