Security
FEATURE
Defense Mechanisms

  November 12, 2001
  By Mike Fratto


There's no question that firewalls are a key weapon in the IT arsenal. From a business perspective, the case for purchasing the right firewall for the job at hand is simple: Downtime costs money. Lost data costs money. A hacked site that makes your company look idiotic can cost you mind share and brand credibility. But just as the amount of barbed wire or the number of dead bolts you install depends on the area to be protected, you have to pick the right firewall for the task.



We've seen it again and again: As technology product categories mature, they become more specialized. Firewalls are no different. They are applications that must be deployed and must be managed, monitored and maintained, just like any other application.

Why an application? Because one firewall does not fit all needs. A wide range of desktop firewalls is available, hosting providers can purchase collocated or SOHO firewalls, and enterprises can significantly improve reliability with high-availability firewalls. A hosted environment needs firewalls that can be managed separately and provide high-availability features. SOHO (small office/home office) firewalls that an MSP (managed service provider) would deploy require strong multiunit/multicustomer management. The same technology, in some cases the same products, should be selected and deployed based on specific needs.


We have identified four major firewall application areas: the high-availability firewall guarding the network perimeter, collocated firewalls aimed at the xSP multitenant market, SOHO firewalls that an MSP would deploy and administer, and centrally managed desktop firewalls aimed at the corporate desktop. And each has its own requirements.

Our Testing

While each review in this package focuses on specific features and deployments, we did see some trends. From a security standpoint, the firewalls we tested provided the functionality they claimed, passing and blocking traffic according to our security policy. Management and reporting play a key role in a successful large-scale rollout: Administering 1,000-plus firewalls requires strong bulk configuration and tiered management capabilities. In all cases, we found event logging to be a mixed bag, ranging from useful to pathetic.

We all have experienced catastrophic firewall failures. The debate over ASIC-based appliances versus the general-purpose hardware-OS firewall goes beyond mere performance. ASIC-based firewalls recover faster and more reliably than the general-purpose firewalls. That in itself is a compelling argument. In addition, if the problem is software, then a fast recovery method is integral to keeping your data flowing. The last thing you want to do is spend hours installing and configuring a general-purpose OS, then setting up the firewall on top of that. This further strengthens the case for ASIC-based firewalls.

Of course, as Gigabit Ethernet picks up steam, firewalls are being used to support much higher-bandwidth networks. This is an order-of-magnitude leap in performance over Fast Ethernet, and even vendors' own published numbers are below the top end of 2 Gbps. More important, it's not the amount of data traveling through the firewall that causes performance degradation; there is strong evidence that state-table management is still a huge problem, as we saw firewalls collapse under the weight of a Class B's worth of client IP addresses (65,535 distinct addresses).

Each firewall has its strengths and weaknesses and was scored accordingly. In fact, no single vendor's products swept the reviews, which confirms what we suspected all along: The requirements of the application should drive the technology purchasing decision, not the other way around.

