Network Hardware Firewalls Buyers Guide
Security should be the primary criterion when choosing a firewall. Look for a product with layered, in-depth security mechanisms that can protect your organisation against advanced attack techniques as well as covering the basics, and analyse those mechanisms carefully before making a decision.
There are many firewall vendors, and you need to be sure you pick the correct firewall for your organisation. As security threats have evolved, gateway security vendors have had to keep pace with them.
Firewalls have always provided stateful packet inspection as a way of stopping attacks, but today a stateful packet filter on its own comes nowhere near an adequate level of protection against advanced attacks: it sees ports and connection state, not the content of the traffic. This is one reason vendors introduced the concept of UTM, bundling tools such as IPS, DLP, anti-virus and other protection features into the gateway.
Below is a guide and some things to think about when looking for a firewall.
Page 1 (current page) covers Security,
Page 2 - Ease of Use,
Page 3 - Performance,
Page 4 - Fault Tolerance,
Page 5 - Installation and Deployment.
What are you looking for from a Firewall / Security Gateway Device / UTM?
Before going any further, the first and most important step in choosing a firewall is to write down exactly what you need from it. For example, you may already have a web filtering solution and a hosted anti-spam solution, so you may only be looking for a firewall that provides SSL VPN, IPS and application control.
You may also dig out your company's IT security policy; many of the answers will be in there. For example "It is forbidden for users to download music" or "Intrusion attempts against the network must be logged for at least 90 days", and so on. Requirements like these help you create your own questions. A 90-day logging requirement, for instance, raises further questions: can the firewall log to a syslog server, and can you cap the volume of log data it retains or forwards?
You might need to comply with a regulation or standard such as PCI DSS or the Code of Connection (CoCo), which will specify criteria that your firewall must meet.
Finally, you may have real-life scenarios to draw on: students at a college were able to browse any website through a cloud-hosted proxy, or Bob was able to download lots of files using Kazaa. Each of these gives you another requirement to write down and look for.
This matters for two reasons. The obvious one is that you want a firewall that does what you need it for; the second is that not all firewalls do everything, and every vendor has strengths and weaknesses. One vendor may stand out because of excellent, granular anti-spam capabilities while another has only basic spam filtering but a very granular and powerful web filter. Neither may offer SSL VPN, while a third vendor provides SSL VPN, anti-spam and web filtering but all of them in a limited form. A final example is a vendor that has everything but is far more expensive than the others and so out of your budget.
Firewall Security Using Recognised Sources
Firewalls provide the first layer of defence for the network, so you need to be sure the vendor has taken steps to secure the firewall itself and hardened it against weaknesses. Fortunately you do not have to test how well hardened a firewall's operating system is yourself: there are industry security standards and third-party organisations that test security technology, and they will tell you how the firewall performed against their rigorous testing.
Here are some of the best known third-party sources throughout the world:
Common Criteria (ISO/IEC 15408) – An internationally recognised standard for evaluating the security assurance of products. A certificate states the Evaluation Assurance Level (EAL) achieved and the security target the product was evaluated against, so read the security target: it tells you which functions were evaluated and how rigorously, not that the product is secure against every attack.
Gartner – Reviews the vendor's product functionality, customer base, future roadmap and so on, then places the vendor on its Magic Quadrant, which reflects how Gartner rates the vendor's completeness of vision and ability to execute. This is analyst opinion about the vendor, not a technical security test of the product.
FIPS 140-2 – Tests and certifies the cryptographic modules within a firewall (the code that implements VPN encryption, key storage and so on). It covers only the cryptographic module, not the firewall as a whole.
Virus Bulletin – Reports how well an anti-virus product performed against real malware samples in its VB100 tests. Virus Bulletin also tests spam filtering technology (VBSpam).
UTM (Unified Threat Management) Security features
A UTM firewall comes with additional security features. Protection modules typically include gateway anti-virus, anti-spam, web filtering, IDS/IPS, DLP and application control. UTM devices offer a complete protection package in one box and are ideal for small to medium-sized businesses. Below we look at what to look for within a UTM product when purchasing the extra features you require.
Next-generation firewalls provide tight control over applications rather than just traditional ports and services. They give you the ability to create rules based on users and applications, and provide in-depth reporting capabilities.
Web filtering is used for protection when browsing the web. Do you require web filtering for your users?
Web filtering modules within firewalls have matured over the last few years. They can protect your users from browsing to malicious sites, and block sites you as the administrator do not want them viewing, such as social media websites. There are other customisable features as well, such as allowing or denying specific users at certain times of the day, or blocking a category like "Sport" while allowing a specific URL within that category as an exception. Some aspects to review are:
Is it granular and flexible in its settings? Can you re-categorise websites into different categories?
Look for features such as the ability to block certain website categories, such as social networking sites, at certain times of the day for certain users.
You should also check whether the vendor outsources UTM features such as web filtering. Some firewall vendors do not have their own web filtering research team: they provide the user interface but source the categories and updates from a third party. That third party checks and updates millions of sites every day, re-categorising websites, adding new sites and looking for harmful ones, and is the real power behind the web filtering technology. Firewall vendors usually provide this as an optional add-on in partnership with a third party who supplies the database of categorised websites, but it is all presented within the firewall interface and integrated tightly with the firewall's settings and policy rules. Websense and Commtouch GlobalView are among the most popular web security vendors that provide this service to firewall vendors.
Reporting is very important: you want to know which websites have been visited the most and which user is browsing which sites, and from that analysis you can decide which further websites to allow or block. Your reports may need to be as granular as, for example, a report on a chosen set of users for a particular day or part of the month, excluding google.com and yahoo.com. What is the reporting functionality like? Can you find out which users have been accessing illegal sites? What about the top 10 websites users have visited each month?
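To make the reporting requirement concrete, here is an added example (not code from the original guide or from any firewall vendor) that runs the kind of query described above over web filter log lines. The log format, the users and the hostnames are constructed for the example; a real appliance exports its own format, but the filters you would want (a chosen set of users, a date range, an action such as "block", and a list of excluded domains) are the same.

```python
import re
from collections import Counter

# Constructed web filter log lines (not from any real appliance); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01 09:01:00 user=bob cat=search host=www.google.com action=allow
2024-03-01 09:02:10 user=bob cat=social host=www.facebook.com action=allow
2024-03-01 12:30:00 user=sally cat=video host=www.youtube.com action=allow
2024-03-02 10:00:00 user=bob cat=social host=www.facebook.com action=allow
2024-03-02 10:05:00 user=sally cat=search host=mail.yahoo.com action=allow
2024-03-02 11:00:00 user=sally cat=social host=www.facebook.com action=block
2024-03-03 08:00:00 user=eve cat=proxy host=free-proxy.example action=block
2024-03-10 09:00:00 user=bob cat=news host=news.example.org action=allow
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) cat=(?P<cat>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts, skipping any line that does not match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def _excluded(host, exclude):
    # Suffix match, so "google.com" also excludes www.google.com and mail.google.com.
    return any(host == d or host.endswith("." + d) for d in exclude)


def top_sites(log_text, users=None, start=None, end=None, actions=None,
              exclude=("google.com", "yahoo.com"), top=10):
    """Top N hosts by request count, optionally filtered by user set, ISO date range and action."""
    counts = Counter()
    for ev in parse(log_text):
        if users and ev["user"] not in users:
            continue
        if start and ev["date"] < start:      # ISO dates compare correctly as strings
            continue
        if end and ev["date"] > end:
            continue
        if actions and ev["action"] not in actions:
            continue
        if _excluded(ev["host"], exclude):
            continue
        counts[ev["host"]] += 1
    # Most visited first; ties broken by hostname so the output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def per_user(log_text, **kwargs):
    """The same report broken down per user, for 'which user is browsing which sites'."""
    users = {ev["user"] for ev in parse(log_text)}
    return {u: top_sites(log_text, users={u}, **kwargs) for u in sorted(users)}


if __name__ == "__main__":
    print(top_sites(SAMPLE_LOG, users={"bob", "sally"}, start="2024-03-01", end="2024-03-02"))
    print(top_sites(SAMPLE_LOG, actions={"block"}))
    print(per_user(SAMPLE_LOG))
```

When evaluating a product, check that its reporting engine can answer the same questions without exporting the logs to a script like this: if you have to do the aggregation yourself, the firewall's own reporting is not granular enough for your requirement.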
Which VoIP protocols do you use at your organisation, and which ones does the hardware firewall support for VoIP protection? SIP and H.323 (used by NetMeeting) are common examples; what you need depends on which protocols your company uses.
Some VoIP protection features to look for are:
NAT for all VOIP protocols
DOS protection for VOIP
IPS / IDS
Do you require any IPS or IDS protection (Intrusion Prevention System/Intrusion Detection System)?
Intrusion detection and prevention systems detect attacks by monitoring the behaviour of traffic and inspecting protocol content and commands against a database of attack signatures (and, in some products, against a baseline of normal behaviour). Based on that inspection they decide whether to deny or allow the traffic: an IDS only alerts, whereas an IPS sits inline and can drop the traffic.
Look at which operating systems, applications and protocols the IPS signatures cover, whether you can tune or disable individual signatures to manage false positives, and how granular the IPS configuration is in general.
Does the hardware firewall support any DoS (denial of service) and DDoS (distributed denial of service) protection?
These attacks aim to harm your servers by overwhelming them with requests, so that performance degrades substantially or the service stops altogether.
Common DoS and DDoS prevention features to look for are:
Dropping spoofing attacks,
Dropping UDP flood attacks,
Dropping ICMP flood attacks,
Dropping SYN flood attacks,
Dropping IKE flood attacks,
Dropping Port scan attacks,
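As an added illustration of how a gateway implements several of the features in the list above (this is example code written for this guide, not any vendor's implementation), the following Python counts connection attempts per destination and distinct ports per source in fixed one-second windows, and treats a packet arriving on the WAN interface with an internal source address as spoofed. The packet tuples, address ranges and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges that live behind the firewall; a packet arriving on the WAN side
# with one of these as its source is spoofed (assumed addressing for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Per-window flood thresholds (assumed values; tune them to the link and the servers).
FLOOD_THRESHOLDS = {"syn": 100, "udp": 500, "icmp": 200}
SCAN_THRESHOLD = 20   # distinct destination ports from one source per window


def synthetic_traffic():
    """Constructed packet tuples, not a real capture:
    (timestamp, ingress interface, src, dst, proto, dport, tcp flags)."""
    pkts = []
    for i in range(150):   # 150 bare SYNs to the web server within one second
        pkts.append((10.0 + i / 1000, "wan", f"203.0.113.{i % 200 + 1}", "198.51.100.10", "tcp", 80, "S"))
    for port in range(1, 31):   # one source probing 30 distinct ports
        pkts.append((20.0 + port / 100, "wan", "203.0.113.250", "198.51.100.10", "tcp", port, "S"))
    pkts.append((30.0, "wan", "10.1.1.5", "198.51.100.10", "tcp", 443, "S"))   # internal source seen on WAN
    for i in range(600):   # UDP flood at the DNS server
        pkts.append((50.0 + i / 1000, "wan", f"203.0.113.{i % 200 + 1}", "198.51.100.10", "udp", 53, ""))
    for i in range(5):     # ordinary clients completing handshakes, spread over time
        pkts.append((60.0 + i, "wan", f"192.0.2.{i + 1}", "198.51.100.10", "tcp", 443, "S"))
        pkts.append((60.1 + i, "wan", f"192.0.2.{i + 1}", "198.51.100.10", "tcp", 443, "A"))
    return pkts


def is_spoofed(iface, src):
    """Anti-spoofing check: internal addresses must never arrive from the outside."""
    return iface == "wan" and any(ip_address(src) in net for net in INTERNAL_NETS)


def _kind(proto, flags):
    if proto == "tcp":
        return "syn" if flags == "S" else None   # only connection attempts count towards a SYN flood
    return proto if proto in FLOOD_THRESHOLDS else None


def detect(pkts, window=1.0):
    """Return sorted (alert type, address) pairs found in the packet list."""
    per_dst = defaultdict(int)        # (bucket, dst, kind) -> packet count
    ports_per_src = defaultdict(set)  # (bucket, src) -> distinct destination ports
    alerts = set()
    for ts, iface, src, dst, proto, dport, flags in pkts:
        if is_spoofed(iface, src):
            alerts.add(("spoofed_source", src))
            continue                  # a real firewall drops the packet here
        bucket = int(ts // window)
        kind = _kind(proto, flags)
        if kind is None:
            continue
        per_dst[(bucket, dst, kind)] += 1
        if per_dst[(bucket, dst, kind)] > FLOOD_THRESHOLDS[kind]:
            alerts.add((f"{kind}_flood", dst))
        ports_per_src[(bucket, src)].add(dport)
        if len(ports_per_src[(bucket, src)]) > SCAN_THRESHOLD:
            alerts.add(("port_scan", src))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(synthetic_traffic()):
        print(*alert)
```

Two caveats a buyer should keep in mind: simple counting like this needs thresholds tuned per environment, and real appliances protect against SYN floods with SYN cookies or SYN proxying rather than thresholds alone, so ask the vendor which mechanism is used and whether the limits are configurable per server.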
Gateway Anti Virus
Viruses are no longer just a threat via email; other channels such as social networking, instant messaging and the web in general must be scanned to block known malware and, as far as heuristic detection allows, unknown malware.
Does the firewall include a strong and reputable anti-virus scanner on the gateway? Does the package cover phishing, spyware, adware, Trojans, worms and potentially unwanted programs?
Check whether the vendor has its own anti-malware research team or outsources this service. Once you know which anti-virus engine they use, you can use third-party organisations such as Virus Bulletin to see how well that engine is rated at stopping malware.
Does the firewall provide anti-spam protection?
Spam has been an ever-growing problem and has reached unimaginable volumes. Email is the most popular form of business communication, which makes email protection critical.
When it comes to spam, just as with web filtering, you need to look deep into the feature set and ensure you have flexibility and granularity within the anti-spam features.
Flexibility in anti-spam should be analysed in two main areas. The first is the ability to define and fine-tune your spam filter, with detailed control so you can define what is and is not spam for your company. This can be a per-user feature as well, not just per domain: Bob may regard an email as spam where Sally does not regard the same email as spam.
The second area is content control. For example, you may require the firewall's anti-spam content feature to block all encrypted email inbound, except for a specific group of users when the email comes from a specific group of external senders.
Most importantly, you need to analyse how the product performs in production. Does it actually stop the proportion of spam the vendor claims? Does it produce too many false positives or false negatives? You can use sources such as Virus Bulletin, or put the product into production during the evaluation to get a real feel for how it performs.
On the other hand, you may not want anti-spam protection on the UTM appliance at all. A dedicated anti-spam appliance, like any other dedicated appliance, gives you more granularity. Email is an everyday, heavily used tool and the most popular form of communication today, and most companies need very granular rules for it. For example, executable attachments should be blocked company-wide, but MP3 and other audio and video files should be blocked for all employees except managers and directors. Again, as with everything else, make sure you know what you require from email and anti-spam security and you will then know whether a UTM or a dedicated appliance is the right choice. The same applies to IPS and web protection.
Application-aware firewalls can identify applications based on context and can block, allow or apply traffic shaping to them.
Applications are not easy to block without specific application signatures. As many applications have become web based, they all run over HTTP, and you cannot simply block HTTP because you would block all web browsing. Because classification has to look at the application layer (layer 7) rather than at ports, firewall vendors have introduced specialised signatures for common applications. For example, many vendors support application signatures for Facebook applications, so you can create a rule saying all employees are allowed to browse Facebook during lunch hours but cannot access applications within Facebook, since third-party Facebook applications have been used to spread malware and scams.
Some vendors can apply traffic shaping to applications as well. Imagine a rule that allows YouTube videos but ensures YouTube can only take up 10% of your overall bandwidth.
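The following is an added example (written for this guide, not any vendor's signature database or policy engine) of how the two rules just described can be expressed: HTTP requests are classified into applications by Host header and path signatures, and an ordered policy applies a per-group time window to Facebook, denies Facebook applications outright, and caps YouTube at 10% of the link. The signatures, users, groups and the 100 Mbps link speed are assumptions for the example; a real product ships thousands of vendor-maintained signatures and identifies users via the directory.

```python
import re

# Constructed application signatures for illustration only. More specific entries come first,
# because classification uses the first signature that matches.
APP_SIGNATURES = [
    ("facebook-apps", r"(^|\.)facebook\.com$", r"^/(apps|games)(/|$)"),
    ("facebook-apps", r"^apps\.facebook\.com$", r".*"),
    ("facebook",      r"(^|\.)facebook\.com$", r".*"),
    ("youtube",       r"(^|\.)(youtube\.com|googlevideo\.com)$", r".*"),
]

# Assumed user-to-group mapping (in practice this comes from Active Directory or LDAP).
USER_GROUPS = {"bob": "employees", "sally": "employees", "guest1": "guests"}

# Policy rules, first match wins: (app, group, start, end, action).
# "shape:10" means allow but cap the application at 10% of the link.
RULES = [
    ("facebook-apps", "any",       None,    None,    "deny"),
    ("facebook",      "employees", "12:00", "13:00", "allow"),   # lunch hour only
    ("facebook",      "any",       None,    None,    "deny"),
    ("youtube",       "any",       None,    None,    "shape:10"),
]
DEFAULT_ACTION = "allow"   # ordinary browsing is allowed unless a rule says otherwise


def identify_app(host, path):
    """Classify an HTTP request by Host header and path using the first matching signature."""
    host = host.lower().split(":")[0]
    for app, host_re, path_re in APP_SIGNATURES:
        if re.search(host_re, host) and re.match(path_re, path):
            return app
    return "unknown-http"


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def decide(user, host, path, now_hhmm, link_mbps=100):
    """Return (app, action, bandwidth cap in Mbps or None) for one request made at now_hhmm."""
    app = identify_app(host, path)
    group = USER_GROUPS.get(user, "guests")
    now = _minutes(now_hhmm)
    for rule_app, rule_group, start, end, action in RULES:
        if rule_app != app or rule_group not in ("any", group):
            continue
        if start is not None and not (_minutes(start) <= now < _minutes(end)):
            continue   # rule only applies inside its time window
        if action.startswith("shape:"):
            pct = int(action.split(":")[1])
            return (app, "allow", link_mbps * pct / 100)
        return (app, action, None)
    return (app, DEFAULT_ACTION, None)


if __name__ == "__main__":
    print(decide("bob", "www.facebook.com", "/home", "12:30"))
    print(decide("bob", "www.facebook.com", "/apps/farmville", "12:30"))
    print(decide("sally", "www.youtube.com", "/watch", "09:00"))
```

Note the order dependency: the Facebook-applications signature and rule must sit above the generic Facebook ones, otherwise the lunch-hour allow would also let the applications through. When you evaluate a product, check that its interface makes that ordering visible and that the shaping limit is enforced per application, not just per port.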
You will almost certainly have a data leakage policy, as most organisations do today, so a firewall that can detect and filter confidential data leaving over HTTP, SMTP, FTP and other channels may be important to you. By confidential data we mean that the vendor will already have built detection for common types of sensitive data such as credit card numbers and social security numbers (typically pattern matching plus a validity check such as the Luhn checksum for card numbers, to keep false positives down), and it should let you define simple and advanced DLP rules of your own as well.
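Here is an added example (written for this guide, not taken from any DLP product) of the detection logic described above: card numbers are found by a digit pattern and then confirmed with the Luhn checksum, so an order reference that merely looks like a card number is not flagged, and US social security numbers are matched with the structural rules for valid area, group and serial numbers. The sample message is constructed; 4111 1111 1111 1111 is the well-known Luhn-valid test number.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN as AAA-GG-SSSS, rejecting area 000, 666 and 9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, masked value) for each sensitive item found in the text."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def outbound_verdict(text, max_cards=0, max_ssns=0):
    """Block when the findings exceed the policy thresholds.
    A real rule would also take the sender's group and the channel (SMTP, HTTP, FTP) into account."""
    found = scan(text)
    cards = sum(1 for kind, _ in found if kind == "card")
    ssns = sum(1 for kind, _ in found if kind == "ssn")
    action = "block" if cards > max_cards or ssns > max_ssns else "allow"
    return (action, found)


# Constructed message, not real data.
SAMPLE_OUTBOUND = (
    "Hi, please refund card 4111 1111 1111 1111 exp 12/26.\n"
    "Order reference 1234 5678 9012 3456 is unrelated.\n"
    "Employee SSN 123-45-6789 is on file; ticket 000-12-3456 is not an SSN.\n"
)

if __name__ == "__main__":
    print(outbound_verdict(SAMPLE_OUTBOUND))
```

The masked values are what you would want in the firewall's DLP log: enough to investigate, without the log itself becoming a second copy of the leaked data. Ask the vendor how their product logs matches and whether detection also covers data inside attachments and compressed files, which this plain-text scan does not.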
Secure Remote Connectivity
Does the firewall support both IPsec and SSL VPN for remote users?
IPsec and SSL/TLS are both used for remote user connectivity: an employee needs access to the corporate network from home or anywhere in the world, provided they have an internet connection. All firewalls support IPsec and almost all now support SSL VPN. SSL VPN is popular for remote user access because it is very easy to use and, in its portal (clientless) mode, needs only a browser; full network-layer tunnelling over SSL usually still requires a client or browser plug-in.
SSL VPNs are also getting rich in functionality, providing user portals and tools such as bookmarks and application proxies, online meetings, desktop sharing and so on, so it is important to analyse the SSL VPN module.
For IPsec you want the firewall to support current algorithms: AES for encryption, SHA-2 for integrity, strong Diffie-Hellman groups for key exchange, and digital certificates (RSA or ECDSA) for authentication. You may also need older algorithms such as 3DES and SHA-1 to avoid compatibility problems when setting up VPNs with other vendors' firewalls, but treat those as a per-tunnel fallback rather than the default.
Firewall Operating System
Is the OS (operating system) customised and hardened?
You want a firewall with a purpose-built, customised and hardened OS; this eliminates many of the security flaws found in general-purpose operating systems and reduces the attack surface of the management plane. The best way to check this is through Common Criteria: see whether the vendor has been evaluated and assigned an EAL, bearing in mind that the EAL measures how rigorously the evaluation was performed, not how secure the product is in absolute terms.
Identity Based Access Control
What type of access control and user authentication does the firewall support?
The simplest form is a local username and password on the firewall. This is acceptable for a very small network, but nothing beyond that.
Most organisations use Windows Active Directory or some other LDAP directory. Ensure the firewall supports the directory you will authenticate against. This matters when integrating with web filtering, so you can identify who is who when they browse the web; for VPNs, when users connect remotely; and for policy rules on custom ports that give only a subset of users the privilege to use them. Other common authentication protocols are RADIUS, Cisco's TACACS+ and RSA SecurID two-factor authentication. If your company currently uses one of these, you need to ensure it is compatible with the firewall. Another protocol to keep in mind is:
Diameter (an improved successor to RADIUS)
Does the firewall support single sign on feature?
If you restrict your users' access to the internet or other resources through the firewall, a user may have to log on twice: first to log into Windows, then again with the same username and password to browse the web, which is irritating.
The single sign-on feature eliminates this issue: once configured, the firewall learns when a user has authenticated to Windows. Most firewalls have their own single sign-on mechanism using agents on the domain controllers or workstations. Kerberos, the open-standard authentication protocol that Active Directory uses, is another way to achieve single sign-on. Another place to check for single sign-on is the SSL VPN portal: it would be a pain to log into the portal and then log into an RDP session or web application again.
Firewall Subnetting – Separating the DMZ from LAN
How many LAN, DMZ and WAN ports are required?
Usually an organisation would require at least three physical Ethernet ports: one for the internal network, one for the perimeter/DMZ network used for public-facing servers such as web and SMTP servers, and one to connect to the outside world. Your company may require more LAN ports for segregating departments into separate LAN segments, for example HR, Finance and Operations. Splitting network segments contains attacks, so a threat in one network does not spread to another. Departments cannot talk to each other either unless a specific rule on the firewall allows it, so HR data, for example, is isolated from everything else. Alternatively, VLANs can be used as logical interfaces if you already use them in your infrastructure.
Finally, running all of this on one UTM firewall can be a burden and a single point of failure, so having two or more firewalls in a high-availability configuration is a wise choice: if one firewall fails, the other continues processing traffic as normal.
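To show what the segmentation described above buys you, here is an added example (written for this guide, not a real firewall's configuration) of a zone-based policy with one zone per interface or VLAN and an implicit deny between zones. The addressing and the rules are assumptions; the point is that a compromised DMZ web server cannot reach the LAN, and HR cannot reach Finance, because no rule says they can.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout: one firewall interface (or VLAN) per segment.
# The addressing is an assumption for the example.
ZONES = {
    "wan":     ["0.0.0.0/0"],          # everything not matched by a more specific zone
    "dmz":     ["198.51.100.0/24"],    # public-facing web and SMTP servers
    "hr":      ["10.10.0.0/24"],
    "finance": ["10.20.0.0/24"],
    "staff":   ["10.30.0.0/24"],
}
ZONE_NETS = [(zone, ip_network(cidr)) for zone, cidrs in ZONES.items() for cidr in cidrs]

# Rules are evaluated top to bottom and the first match wins; anything unmatched
# falls through to the implicit deny. (source zones, destination zone, protocol, port, action)
RULES = [
    (("wan",),                   "dmz", "tcp", 80,  "allow"),
    (("wan",),                   "dmz", "tcp", 443, "allow"),
    (("wan",),                   "dmz", "tcp", 25,  "allow"),
    (("hr", "finance", "staff"), "dmz", "tcp", 443, "allow"),
    (("hr", "finance", "staff"), "wan", "tcp", 443, "allow"),
    (("staff",),                 "dmz", "tcp", 22,  "allow"),   # DMZ hosts are managed from the staff segment
]


def zone_of(ip):
    """Longest-prefix match of an address to its zone."""
    addr = ip_address(ip)
    _, zone = max((net.prefixlen, zone) for zone, net in ZONE_NETS if addr in net)
    return zone


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, reason) for a new connection crossing the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Hosts on the same segment talk directly; the firewall never sees this traffic.
        return ("allow", "intra-zone, not inspected")
    for i, (src_zones, rule_dst, rule_proto, rule_port, action) in enumerate(RULES):
        if src_zone in src_zones and dst_zone == rule_dst and proto == rule_proto and dport == rule_port:
            return (action, f"rule {i}")
    return ("deny", "implicit deny")


if __name__ == "__main__":
    for flow in [("203.0.113.7", "198.51.100.10", "tcp", 80),
                 ("198.51.100.10", "10.30.0.5", "tcp", 445),
                 ("10.10.0.5", "10.20.0.5", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
```

The last line of `evaluate` is the important one when comparing products: check that the firewall you are buying denies inter-zone traffic by default, including between its own LAN segments, rather than only between inside and outside.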