As enterprises lock down their networks with an ever-expanding arsenal of security technologies, hackers have moved on to easier pickings—smaller businesses. Historically, Internet security has been less of an issue for smaller companies, but that’s changing. Securing a small-office network now requires several different technologies. Security expert Sanjaya Sood, during a speech at the Infosec Security Conference at the United Nations headquarters in September, likened the use of a traditional firewall alone to “using the Great Wall of China for modern warfare.”
Still, a firewall remains the first line of defense. And the timing has never been better to buy these devices; their costs have dropped while their capabilities have increased significantly.
No longer just firewalls, most of the devices in the range of $400 to $900 are referred to as security appliances. This change in nomenclature was inspired by the addition of virtual private networks (VPNs) and other features.
Firewalls make use of Network Address Translation (NAT), a standard for translating a single public IP address into multiple private addresses. But their primary defense against hackers is Stateful Packet Inspection (SPI), which uses a predefined or editable rule set to determine whether packets will be forwarded or denied. Many firewalls also offer intrusion detection, content filtering, and intuitive Web interfaces.
Some companies can afford to spend more on firewalls—in the range of $2,000 to $3,000. They get devices with higher throughput, increased scalability, and application proxies, which go beyond rule-based SPI security by validating traffic based on an application’s parameters for specific ports.
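The SPI behavior described above, as an added Python sketch that is not from the original article or any vendor's firmware: a rule set decides whether a new flow is forwarded or denied, and a state table lets reply packets for an admitted flow back in while unsolicited inbound traffic is dropped. The rule set, addresses, and class names are constructed for illustration, and the model ignores TCP flags, timeouts, and NAT rewriting.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    inbound: bool    # True when the packet arrives on the WAN side

# Constructed rule set: (direction, protocol, destination port, action); first match wins.
RULES = [
    ("out", "tcp", 80, "forward"),
    ("out", "tcp", 443, "forward"),
    ("out", "udp", 53, "forward"),
    ("in", "tcp", 25, "forward"),  # hypothetical published mail server
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # state table: flows a rule has already admitted

    def inspect(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Packets belonging to a tracked flow (either direction) skip the rule set.
        if flow in self.flows or reply_of in self.flows:
            return "forward"
        direction = "in" if p.inbound else "out"
        for rule_dir, proto, port, action in self.rules:
            if (rule_dir, proto, port) == (direction, p.proto, p.dport):
                if action == "forward":
                    self.flows.add(flow)
                return action
        return "deny"  # default deny: nothing matched and no state exists

def demo():
    fw = StatefulFirewall(RULES)
    # Constructed packets: LAN client request, the server's reply, an unsolicited probe.
    request = Packet("192.168.1.10", 40000, "203.0.113.5", 443, "tcp", False)
    reply = Packet("203.0.113.5", 443, "192.168.1.10", 40000, "tcp", True)
    probe = Packet("198.51.100.7", 443, "192.168.1.10", 40001, "tcp", True)
    return [fw.inspect(p) for p in (request, reply, probe)]

if __name__ == "__main__":
    print(demo())
```

The probe is denied even though it claims source port 443, because no outbound flow to that address and port pair exists in the state table.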
Assess Your Needs First
Forewarned is forearmed, and when buying a firewall you should carefully consider the present and future needs of your organization. Think about how large your company is and how soon you project business and network growth. If you expect fast growth, look for scalable products.
Ease-of-use factors are important, too. What is the skill level of the person responsible for maintaining the device? Will that person be a dedicated administrator with security training or someone with much less experience? Even the simplest products can offer dizzying arrays of configuration options.
Administrators with less experience will need a firewall with a self-explanatory interface, such as that of the SonicWall SOHO3. More seasoned administrators might want command line interface access to the firewall through Secure Shell—available in the ZyXEL product. It lets administrators configure the firewall remotely, without opening a Web port.
Equally important considerations are whether the device has a built-in DHCP server and whether it has any backup for dynamic DNS, as with an outside DNS provider.
If high availability and fail-over are important to your organization, a firewall with dual WAN ports and an additional serial port for an external modem—such as the Symantec Firewall/VPN 200—can ensure you’re covered. Other firewalls, such as the SonicWall and WatchGuard products, provide fail-over but only with the purchase of an additional device.
Keep in mind that your network applications must work smoothly with the firewall and vice versa. Being able to configure TCP and UDP port selections freely and segregate network traffic could be very important. For example, if you do videoconferencing, you’ll probably need a firewall that is capable of dynamically opening ports, such as those from SonicWall, Symantec, and WatchGuard.
More for Your Money
The products in our roundup are for small companies with 20 to 50 employees; they cost between $400 and $900, and all use both NAT and SPI technologies. All the devices in this roundup offer VPNs of varying types; in fact, many manufacturers have begun marketing this feature over those of the firewalls proper. (This story focuses on the devices’ firewall functions; VPNs will be the focus of a future story.)
Companies with 50 to 500 employees should consider more robust and complex 1U- or 2U-size firewalls, which cost from $2,000 to tens of thousands of dollars. Very small offices would be fine with low-cost broadband routers with SPI firewalls; these devices can be had for $200 to $300 (see “Keep Hackers Out: Personal Edition”).
Although they are multifaceted, any of these firewalls should be considered just one part of a small-office network. The IT security community generally recommends that firewalls be integrated with strong authentication, intrusion detection and prevention solutions, antivirus protection, and content filtering to provide adequate security.