Wayne Rash: How To Shop For A Small-Business Firewall
So your business has outgrown the el cheapo hardware firewall you picked up at the mall? Learn how to find top-of-the-line capabilities without paying top-of-the-line prices.
October 14, 2004
My friend Louise had a problem. Her financial conferencing company was growing to the point that she needed to add employees. One employee had to work remotely. The data she had on her network was getting more and more valuable. I could hear the concern in her voice when she called. Clearly, her business had outgrown the simple wireless firewall/router that was currently connecting the business to her DSL line. Her question: what to do that would allow secure remote access while also protecting her business from the depredations of the barbarians on the Internet. She needed a better firewall, and she needed a remote access server that would support an incoming VPN.
Your business may not need to accommodate a VPN, but it's a certainty that you need a firewall of some description, even if it's only a router configured to deny all inbound connections by default. But for most companies, the real answer is a product that is secure and easy to manage. After all, most small businesses don't have an IT staff and can't afford to pay for unlimited consulting time. A practical solution has to be something that the person tasked with supporting the computers can manage without a lot of extra effort.
Fortunately, there are many firewalls that meet the minimum requirements. They are reasonably secure, and anyone with minimal training can set them up. In many cases, they can be purchased for around a hundred dollars at Circuit City or CompUSA. These firewalls are actually included in many wireless access routers from Netgear, D-Link, or LinkSys.
But many businesses need more. Not surprisingly, the same vendors make more advanced products.
Also, some enterprise firewall companies are making their products available in versions for small offices and home offices.
First, here's what you can expect in just about any SOHO firewall:
- Real firewall functionality, including the ability to hide your internal addresses from the Internet, reject unsolicited external attempts to access the network, and suppress responses to ping packets and similar probes. You might also see packet inspection, which lets you keep out types of traffic you don't want, such as instant messaging or peer-to-peer connections.
- Network management capabilities, including network address translation, DHCP client and server, DNS forwarding, logging, and a Web-based management GUI.
- Security features such as the ability to originate a VPN tunnel.
- If a wireless access point is included, the ability to encrypt the wireless traffic.
But chances are you need more than that. For example, you might want a firewall that can reject denial of service attacks, ferret out worms and viruses, prevent access to certain Web sites or even filter out spam. And, of course, you could very well want the ability to support remote users securely or handle some basic intrusion prevention and detection tasks.
On the other hand, the product has to be affordable.
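To make the baseline list above concrete, here is an added example of what a default-deny small-office gateway ruleset looks like, written for Linux nftables. It is not configuration from any of the products named in this article. The interface names eth0 (WAN) and eth1 (LAN), the LAN range 192.168.1.0/24, and the choice of IPsec for the remote user's incoming VPN are all assumptions made for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny ruleset for a SOHO gateway.
# eth0 (WAN), eth1 (LAN) and 192.168.1.0/24 are assumed names/ranges.
flush ruleset

define wan = "eth0"
define lan = "eth1"
define lan_net = 192.168.1.0/24

table inet filter {
    chain input {
        # Traffic addressed to the gateway itself: deny unless explicitly allowed
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname lo accept

        # LAN hosts may use the gateway's DHCP server, DNS forwarder and web GUI,
        # and may ping it for troubleshooting
        iifname $lan udp dport { 53, 67 } accept
        iifname $lan tcp dport { 53, 443 } accept
        iifname $lan icmp type echo-request accept

        # Incoming VPN from the Internet (IPsec assumed): IKE, NAT-T and ESP only
        iifname $wan udp dport { 500, 4500 } accept
        iifname $wan meta l4proto esp accept

        # Everything else from the WAN, including ping, is logged (rate limited)
        # and then dropped by the chain policy
        iifname $wan limit rate 10/minute log prefix "wan-drop: "
    }

    chain forward {
        # Traffic passing through the gateway: deny unless explicitly allowed
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Crude "packet inspection": block well-known 2004-era P2P and IM ports
        # outbound (BitTorrent 6881-6889; MSN 1863, Yahoo 5050, AIM 5190)
        iifname $lan oifname $wan tcp dport { 6881-6889 } log prefix "p2p-drop: " drop
        iifname $lan oifname $wan tcp dport { 1863, 5050, 5190 } log prefix "im-drop: " drop

        # LAN hosts may otherwise reach the Internet; replies come back via
        # the established,related rule. Nothing unsolicited from the WAN is
        # forwarded inward, so internal machines are never directly reachable.
        iifname $lan oifname $wan ip saddr $lan_net accept
    }
}

table ip nat {
    chain postrouting {
        # Hide internal addresses behind the gateway's public address (NAT)
        type nat hook postrouting priority 100; policy accept;
        oifname $wan ip saddr $lan_net masquerade
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. Two caveats a practitioner should keep in mind: the port-based IM and P2P blocks are only as good as the port list, since many of those clients fall back to port 80 or 443 when their native port is closed, which is exactly why the article's "deep packet inspection" matters; and the rate limit on the log rule exists so that a flood of probes cannot fill the gateway's storage, which is a cheap form of the denial of service resistance mentioned above.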
I took a quick look at some of the products available, and I found a couple that seem to work for Louise and her company. The first is D-Link's DFL-80, which supports her basic requirements completely. It's not even very expensive, at around $250. It will let her remote user connect through a secure VPN tunnel. However, it won't scan for viruses or spam.
Louise might be better off with the Fortinet Fortigate 60. This is a higher-performance device from a company that also makes enterprise and service-provider products. It does deep packet inspection, filters worms, viruses and spam, updates itself automatically, and is available in a version that also includes a wireless access point. However, it costs about $700 for the standard version, and about $900 for the Wi-Fi version.
There are others out there, notably from SonicWall.
In Louise's case, and in yours, what really matters is what the firewall does in addition to just blocking access attempts and worm probes. A firewall can do many things, but to work for your business, they have to be the right things.
Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. You can reach him at [email protected]. Contact the editor of Security Pipeline at [email protected].