Very often I hear things like "What's the best firewall on the market?" or "What firewall should I buy for my company?"
The answer is: "It depends on what type of network you need to protect."
A network with 100 users is not the same as a critical, redundant network with 50,000 users and 300 servers...
In my opinion, these are the essential questions you need to think about.
Features
- How many maximum concurrent firewall sessions are needed?
- How many new firewall sessions per second do you have in your network?
- How much firewall throughput do you need?
- How many VPN tunnels and how much VPN throughput do you need?
- What VPN protocols do you want to use (IPsec, L2TP, PPTP)?
- Do you require high availability (load balancing, failover)?
- Do you need copper, fiber, 10/100/1000/10000 Mbps interfaces?
- Are you currently using IPv6, or will it be implemented in the future?
- How many concurrent sessions and how much throughput will you need in the future?
Commonly, throughput is measured by the manufacturers in a lab with certain packet sizes, not in the real world.
Extra features you may need:
- Application Control
- Antivirus
- IDS/IPS
- AntiSpam
- URL Filtering
- SSL decryption
- Data Loss Prevention
- DHCP
- Bandwidth Management
- WAN Optimization
- Web Cache
- Proxy
- ...
Throughput decreases when you enable policy rules with:
- Antivirus
- IPS/IDS
Vendors
There are a lot of firewall manufacturers: Palo Alto Networks, Fortinet, Check Point, SonicWall, WatchGuard, Cisco, Juniper, Stonesoft... How do we choose?
I think this is the most difficult decision.
One manufacturer has a strong network firewall but its antivirus is really bad. Another manufacturer has 10 Gb firewall interfaces and great throughput capabilities but has no Application Control.
Maybe two of them have (more or less) the same features, but one of them is a visionary working with better technology and the other has a great installed base and better technical support...
In our opinion, the best option is to select 2 or 3 and request a demo in a production environment.
There are companies that compare these products, like Gartner (which every year releases its "Magic Quadrant") and NSS Labs... But take care, because there are reports for Enterprise Firewalls, Next Generation Firewalls (NGFW), Unified Threat Management Firewalls (UTM)... Some manufacturers are evaluated in different reports with different results...
For example:
- Magic Quadrant for Unified Threat Management
- Magic Quadrant for Enterprise Network Firewalls
What's the difference between a Next Generation Firewall and a Unified Threat Management Firewall? In the next posts we will talk about it...
Costs
Another thing to keep in mind is cost. You need to bear in mind the price of:
- Appliance
- Licences: AV, AntiSpam, IDS/IPS...
- Hardware support: 4 hours, next day...
- Technical support: 8x5, 24x7, 4 hours...
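To turn the sizing questions in the Features section and the price items above into something you can compare, here is an added example (not code from the original post): it scales today's sessions, new sessions per second and throughput by a growth factor, derates the vendors' lab throughput, drops candidates that fail any requirement with AV/IPS enabled, and ranks the survivors by multi-year cost. The vendor names, their figures, the per-user session assumptions and the 0.7 derating factor are all constructed placeholders for this example, not real datasheet values.

```python
# Added example (not from the original post): firewall sizing and cost comparison.
# All vendor names, figures and the derating factor are constructed placeholders.
from dataclasses import dataclass

# Assumption: real mixed traffic reaches only a fraction of the lab-measured
# datasheet throughput, because vendors test with favourable packet sizes.
LAB_DERATE = 0.7


@dataclass
class Requirements:
    users: int
    sessions_per_user: int                # assumed average concurrent sessions per user
    new_sessions_per_user_per_sec: float  # assumed average session setup rate per user
    throughput_mbps: int                  # firewall throughput needed today
    growth_factor: float = 1.5            # headroom for future users and traffic
    need_ipv6: bool = True
    need_ha: bool = True


@dataclass
class Candidate:
    vendor: str
    appliance_cost: int
    license_cost_per_year: int   # AV, AntiSpam, IDS/IPS subscriptions
    support_cost_per_year: int   # hardware + technical support contract
    max_concurrent_sessions: int
    new_sessions_per_sec: int
    fw_throughput_mbps: int      # datasheet figure, firewall only
    threat_throughput_mbps: int  # datasheet figure with AV/IPS enabled
    ipv6: bool
    ha: bool


def required_capacity(req: Requirements) -> dict:
    """Scale today's numbers by the growth factor to get what must be sized for."""
    return {
        "sessions": req.users * req.sessions_per_user * req.growth_factor,
        "new_per_sec": req.users * req.new_sessions_per_user_per_sec * req.growth_factor,
        "throughput_mbps": req.throughput_mbps * req.growth_factor,
    }


def meets(req: Requirements, cand: Candidate, with_av_ips: bool = True):
    """Check one candidate against the requirements; returns (ok, per-check results)."""
    need = required_capacity(req)
    # Enabling AV/IPS means the lower "threat" figure applies, then the lab derating.
    datasheet = cand.threat_throughput_mbps if with_av_ips else cand.fw_throughput_mbps
    effective_mbps = datasheet * LAB_DERATE
    checks = {
        "sessions": cand.max_concurrent_sessions >= need["sessions"],
        "new_per_sec": cand.new_sessions_per_sec >= need["new_per_sec"],
        "throughput": effective_mbps >= need["throughput_mbps"],
        "ipv6": cand.ipv6 or not req.need_ipv6,
        "ha": cand.ha or not req.need_ha,
    }
    return all(checks.values()), checks


def tco(cand: Candidate, years: int = 3) -> int:
    """Appliance plus recurring licences and support over the planning horizon."""
    return cand.appliance_cost + years * (cand.license_cost_per_year + cand.support_cost_per_year)


def shortlist(req, candidates, years=3, limit=3):
    """Vendors that meet every requirement with AV/IPS enabled, cheapest TCO first."""
    ok = [c for c in candidates if meets(req, c)[0]]
    ok.sort(key=lambda c: tco(c, years))
    return [(c.vendor, tco(c, years)) for c in ok[:limit]]


# Constructed sample: a 100-user office needing 500 Mbps today.
REQ = Requirements(users=100, sessions_per_user=30,
                   new_sessions_per_user_per_sec=0.5, throughput_mbps=500)

# Constructed placeholder vendors; every figure here is invented for the example.
CANDIDATES = [
    Candidate("VendorA", 5000, 1500, 800, 200_000, 10_000, 4000, 1200, True, True),
    Candidate("VendorB", 3000, 1000, 500, 50_000, 5_000, 2000, 900, True, True),
    Candidate("VendorC", 8000, 2000, 1200, 500_000, 30_000, 10_000, 3000, False, True),
    Candidate("VendorD", 6000, 1200, 900, 300_000, 12_000, 6000, 2000, True, True),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        ok, checks = meets(REQ, c)
        failed = ", ".join(k for k, v in checks.items() if not v)
        print(c.vendor, "OK" if ok else "fails: " + failed)
    print("shortlist (3-year TCO):", shortlist(REQ, CANDIDATES))
```

With these placeholder figures VendorB passes on firewall-only throughput but fails once AV/IPS is enabled, which is exactly the "throughput decreases" point above, and VendorC is cheapest on capacity but is dropped for lacking IPv6; the shortlist then orders the remaining vendors by 3-year cost rather than by appliance price alone.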
Summary
It is hard to get it 100% right when you are choosing a hardware-based firewall, but if you follow these steps you will probably make a good choice:
- Study the requirements of your network and select the firewall features.
- Choose the extra features you need: Antivirus, IPS, AntiSpam...
- Select 2 or 3 vendors and test them in a lab. Then test them in a production environment.
- If you know people who work with your selected vendors, talk with them, ask for recommendations and ask about their experience.
What about Cyberoam firewall, best or not?
I've never managed Cyberoam devices... I can't tell you anything about it, sorry...
What do you think of Stonesoft firewalls?
I've never worked with Stonesoft firewalls before. I heard that their firewalls are really good in environments with high bandwidth... I could help you with other manufacturers but not with this...
Hello Javier, how do you rate SonicWall? I hope you have reasonable experience with NSA devices. How do you rate it on a scale of 0 to 5, zero being less useful and flexible and 5 being best?
Many thanks in advance.
MAK
Hi MAK,
I've not worked with SonicWall in critical infrastructures yet, so I don't have an opinion about it, sorry.
Regards