WORKSHOP
The 'Ins' and 'Outs' of Firewall Security

September 6, 1999
By Mike Fratto
But, of course, vital items are often expensive, and firewalls--whether they're software or hardware--are no exception. In addition to shelling out hefty maintenance and installation fees, you'll have to bear the financial burden of training or hiring personnel with firewall experience. And because network security extends beyond the firewall, you'll need to develop security policies, analyze and define network usage and security response procedures, and examine business processes before you can determine the firewall's security configuration.

After assessing this challenge, some companies decide to build their own firewalls while others outsource to a managed service. But even if you use best-of-breed solutions and hire veteran security personnel, you can't guarantee your network won't suffer a break-in. And no vendor will make that guarantee either.

Below we detail the pros and cons of outsourcing versus insourcing, writing under the assumption that you have basic knowledge of firewall technologies. For a primer, see our Network Design Manual chapter on Internet firewall essentials at www.networkcomputing.com/netdesign/wall1.html.
Doing It Yourself

Deciding between a hardware and a software solution can be difficult. Depending on licensing options, prices for software-only firewalls range from $2,500 to $18,000. Add another $9,000 to $15,000 for a beefy server, such as a Sun Microsystems SPARC Ultra, to run it on, and the total goes from about $11,500 to more than $30,000. Then there's the task of hardening the OS, installing the software and configuring the firewall, which requires experienced personnel. OSes and firewalls have to be patched or updated periodically--a task that can be complex with software firewalls (while relatively simple with hardware firewalls).

Because hardware firewalls don't require any installation--and carry lower prices--the startup costs both in real dollars and resources also are lower. This is a point that hardware firewall vendors love to tout, and it's a significant one for shops where the advanced server-administration skills required to successfully install and configure an OS and firewall software are in short supply.

A comparison of the features of popular software firewalls, such as Axent Technologies' Raptor Firewall and Check Point Software Technologies' FireWall-1, with those of hardware firewalls, such as NetScreen Technologies' NetScreen-100 or Cisco Systems' PIX, shows that the software-based products support a greater number of dynamic protocols, such as RealAudio, NetMeeting and data-access protocols. And software firewalls typically offer additional security applications, such as virus-scanning, intrusion detection and content-monitoring. But if you don't need advanced protocol or application support, a network appliance may be the best value.