We've seen it again and again: As technology product categories mature, they become more specialized. Firewalls are no different. They are applications that must be deployed and must be managed, monitored and maintained, just like any other application.
Why an application? Because one firewall does not fit all needs. A wide range of desktop firewalls is available, hosting providers can purchase collocated or SOHO firewalls, and enterprises can provide significant improvement in reliability with high-availability firewalls. A hosted environment needs firewalls that can be managed separately and provide high-availability features. SOHO (small office/home office) firewalls that an MSP (managed service provider) would deploy require strong multiunit/multicustomer management. The same technology, in some cases the same products, should be selected and deployed based on specific needs.
We have identified four major firewall application areas: the high-availability firewall guarding the network perimeter, collocated firewalls aimed at the xSP multitenant market, SOHO firewalls that an MSP would deploy and administer, and centrally managed desktop firewalls aimed at the corporate desktop. And each has its own requirements.
Our Testing
While each review in this package focuses on specific features and deployments, we did see some trends. From a security standpoint, the firewalls we tested provided the functionality they claimed, passing and blocking traffic according to our security policy. Management and reporting play a key role in a successful large-scale rollout: Administering 1,000-plus firewalls requires strong bulk configuration and tiered management capabilities. In all cases, we found event logging to be a mixed bag, ranging from useful to pathetic.
We all have experienced catastrophic firewall failures. The debate over ASIC-based appliances versus the general-purpose hardware-OS firewall goes beyond mere performance. ASIC-based firewalls recover faster and more reliably than the general-purpose firewalls. That in itself is a compelling argument. In addition, if the problem is software, then a fast recovery method is integral to keeping your data flowing. The last thing you want to do is spend hours installing and configuring a general-purpose OS, then setting up the firewall on top of that. This further strengthens the case for ASIC-based firewalls.
Of course, as Gigabit Ethernet picks up steam, firewalls are being used to support much higher bandwidth networks. This is a leap in magnitude of performance over Fast Ethernet, and even vendors' own published numbers are below the top end of 2 Gbps. More important, it's not the amount of data traveling through the firewall that causes performance degradation; there is strong evidence that state-table management is still a huge problem, as we saw firewalls collapse under the weight of a Class B's worth of client IP addresses (65,535 distinct addresses).
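The state-table failure mode described above, as an added toy simulation (not code from this article or from any reviewed product): a bounded connection-tracking table, fed first with heavy traffic from 100 clients and then with one flow from every host of a constructed 10.1.0.0/16, shows that distinct flows rather than bytes fill the table, and that an idle timeout keeps it passing new flows. The 50,000-entry capacity, the 1,000-tick timeout and the address range are assumptions chosen for the illustration.

```python
from collections import OrderedDict
import ipaddress


class StateTable:
    """Toy connection-tracking table of a stateful firewall.
    Entries are keyed by (client address, client port); capacity is finite,
    as in a real state table.  OrderedDict keeps entries in last-seen order,
    so idle entries are always at the front.
    """

    def __init__(self, capacity, idle_timeout=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout  # None: never expire (naive table)
        self.entries = OrderedDict()      # flow key -> last-seen tick
        self.refused = 0                  # new flows dropped because table was full

    def observe(self, key, now):
        """Process one packet; return True if passed, False if refused."""
        if key in self.entries:           # known flow: refresh and pass
            self.entries.move_to_end(key)
            self.entries[key] = now
            return True
        if self.idle_timeout is not None:
            self._expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[key] = now           # new flow: allocate state
        return True

    def _expire(self, now):
        while self.entries:
            key, seen = next(iter(self.entries.items()))
            if now - seen <= self.idle_timeout:
                break
            del self.entries[key]


def run(table, clients, packets_per_client):
    """Each client sends packets_per_client packets on one flow, one client
    per tick. Returns (new flows refused, entries held at the end)."""
    for tick, client in enumerate(clients):
        for _ in range(packets_per_client):
            table.observe((client, 40000), tick)
    return table.refused, len(table.entries)


def class_b_clients(prefix="10.1.0.0/16"):
    """Constructed client population: every host address in one /16 (a Class B)."""
    return [str(h) for h in ipaddress.ip_network(prefix).hosts()]
```

With no timeout, 100 clients sending 1,000 packets each never trouble the table, while one flow per Class B host overflows a 50,000-entry table and refuses the remainder; the same sweep against a table with an idle timeout refuses nothing.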
Each firewall has its strengths and weaknesses and was scored accordingly. In fact, no single vendor's products swept the reviews, which confirms what we suspected all along: The requirements of the application should drive the technology purchasing decision, not the other way around.