Solutions Fast Track
Firewall Comparative Issues
If you take a look at the product lines of most of the major firewall 'appliance' vendors, you'll find from three to ten or more different models, not to mention a variety of different licensing schemes and plenty of 'add-ons' that enhance functionality and come at extra cost.
Constructing an intelligent comparison of the products of different vendors can be a daunting task, and often there is no clear-cut 'winner' in such a comparison. Instead, you find that making the right choice depends very much on your existing network infrastructure, the role you want the firewall to play, and a tradeoff of some features for others.
As you dig deeper into the comparative features, you begin to realize that a simple purchase-price comparison tells you very little. A comparative analysis must also take into account the administrative overhead, licensing structure, and feature sets of the products being compared.
To those who may have the ultimate decision-making authority (the Chief Financial Officer, purchasing agent, or small business owner), cost is a very important consideration. It's important to remember, however, that cost involves a lot more than just the initial purchase price of an appliance or software/hardware package.
In comparing different products, you need to address each of the following: capital investment, add-on modules and enhancements, licensing structures, support, upgrade costs, and Total Cost of Ownership (TCO).
In calculating the TCO for each of the competing products, you must consider not only each of the direct costs we discuss in the preceding paragraphs, but also indirect costs such as the learning curve, administrative overhead, lost productivity, and downtime.
Once we get cost issues out of the way and determine a budget within which we must work, the second broad category for comparison deals with the features and functionalities of each product.
General specifications relate to the included hardware (for appliances) or the minimum hardware requirements (for software firewalls), as well as how scalable, extensible and reliable the product has proven to be in deployment, and whether and how it supports high availability/fault tolerance features such as clustering/failover and load balancing.
Product data sheets from vendor Web sites can provide a starting point, but as you narrow down your choices, you'll want to dig deeper and read independent product reviews and/or talk to IT professionals who have personally worked with the particular products you're considering.
Some important firewall features to compare include Application Layer Filtering (ALF), protocol support, intrusion detection, firewall throughput and the number of simultaneous connections supported, and logging and reporting capabilities.
Most modern firewalls, other than those intended only as personal firewalls or 'telecommuter' models, include integrated VPN gateways. There are several factors to consider when comparing VPN support of different security devices.
Some factors to consider when comparing VPN functionality include VPN protocol support, types of VPN supported (remote access and/or site-to-site), VPN client costs and functionality, number of simultaneous VPN connections allowed, VPN throughput, and VPN quarantine capabilities.
There are a number of features to consider in comparing Web-caching solutions. Which features you need will be dependent on factors such as the size and structure of your organization, how and how much external Web access is used by those on your network, and whether your organization hosts its own Web servers.
Some factors to consider when comparing Web-caching capability include forward-caching capability, reverse-caching capability, support for distributed and hierarchical caching, and use of caching rules.
Another factor that may or may not be important to your organization is whether the firewall product you're considering has been 'certified.' To be meaningful, certification should be done by an independent entity (not a vendor) based on a standardized course of hands-on testing in a lab (not just a 'paper' comparison of features).
ICSA Labs is the best-known organization providing testing and certification of firewalls and other network security products.
Comparing ISA 2004 to Other Firewall Products
Microsoft defines ISA Server 2004 as 'an advanced application layer firewall, VPN, and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance.'
ISA Server 2004 includes the following key features: multi-layer inspection, advanced application layer filtering, secure inbound traffic and protection from 'inside attacks' via VPN client connections, integrated multi-networking capabilities, network templates, and stateful routing and inspection.
ISA Server 2004's ease of use features include: simple, easy to learn and use management tools; prevention of network access downtime; savings on bandwidth costs; integration with Windows Active Directory, third party VPN solutions and other existing infrastructure; a thriving community of partners, users and Web resources.
ISA Server 2004's high-performance features include: ability to provide fast, secure anywhere/anytime access; a safe, reliable and high-performance infrastructure; an integrated single-server solution; a way to scale out the security infrastructure; enhanced network performance, and reduced bandwidth costs.
ISA Server 2004 is a software firewall, which can be installed on Windows 2000 Server (with Service Pack 4 or above) or Windows Server 2003. Internet Explorer 6, or later, must be installed.
ISA Server is reliable, scalable, and extensible, and supports high availability through the Windows Server 2003 Network Load Balancing (NLB) service.
ISA Server offers compatibility and interoperability with Active Directory, with Exchange server and other Microsoft Server System products, and in a mixed network environment.
ISA Server 2004 provides administrators with a friendly graphical interface that not only has many advantages over most of its competitors, but also is a big improvement over the ISA Server 2000 interface.
ISA Server 2004 provides remote management capability through the ISA Server management console and the Remote Desktop Protocol (RDP).
ISA Server 2004 provides improved logging and reporting through the dashboard, alerts, the sessions panel, connectivity monitors, the report configuration wizard, and the ability to view connection information in real time.
One of the major strengths of ISA Server 2004 is its ability to perform application layer filtering (ALF). The application layer filtering feature allows the ISA Server 2004 firewall to protect against attacks that are based on weaknesses or holes in a specific application layer protocol or service.
ISA Server 2004 includes the following features that set it apart from the competition: secure Exchange RPC filter, link translation filter, and the OWA forms-based filter.
ISA Server 2004 includes a collection of intrusion detection filters that are licensed from Internet Security Systems (ISS). These intrusion detection filters are focused on detecting and blocking network layer attacks. In addition, ISA Server 2004 includes intrusion detection filters that detect and block application layer attacks.
ISA Server 2004 supports the following VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec), and IPSec Tunnel Mode.
The ISA Server 2004 VPN feature supports two types of VPN connections: Remote Access VPN and Site-to-site VPN.
The ISA Server 2004 VPN quarantine feature increases the security of VPN client connections by 'pre-qualifying' VPN clients before they are allowed to connect to the corporate network.
In addition to ISA Server 2004's firewall and VPN features, the ISA Server 2004 firewall can also act as a Web proxy server. The ISA Server 2004 machine can be deployed as a combined firewall and Web-caching server, or as a dedicated Web-caching server.
ISA Server 2004 supports forward and reverse caching, and multiple ISA servers can be configured to use distributed and hierarchical caching.
Check Point's add-on modules have to be purchased at extra cost, in many cases for functionality that is included at no extra charge with ISA Server.
Check Point includes no Web-caching functionality; this must be added as an off-box solution or via add-on modules.
Check Point's SecureClient software costs extra, and is needed to add VPN client configuration verification, similar to ISA Server's VPN quarantine feature that is included at no extra cost.
Cisco PIX requires add-on third-party products to provide functionalities such as deep content inspection that are included with ISA Server at no cost.
Cisco PIX includes no Web caching functionality; this must be added by purchasing a Cisco Content Engine or a third-party caching solution.
Enforcement of VPN configuration policy for PIX requires the proprietary Cisco Secure VPN client v3.x or above.
NetScreen requires that additional appliances or third-party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).
NetScreen uses a proprietary VPN client or security client (which includes a personal firewall) that must be purchased at extra cost.
VPN configuration enforcement with NetScreen enforces only the client firewall policy.
SonicWall requires that additional appliances or third-party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).
SonicWall uses a proprietary VPN client that must be purchased at extra cost.
Downloading client configuration data from the SonicWall VPN gateway requires the security client.
WatchGuard does not include application proxies on its low-cost models, and where ALF is offered it covers only HTTP, FTP, and DNS.
WatchGuard provides no Web-caching functionality. Cost of adding a caching solution must be factored in when comparing cost with ISA server.
WatchGuard uses proprietary remote VPN client software that must be purchased at extra cost.
Symantec requires that additional appliances or third-party products be purchased to provide functionalities included with ISA Server (more sophisticated intrusion detection/deep content inspection, caching).
Symantec provides no Web-caching functionality. Cost of adding a caching solution must be factored in when comparing cost with ISA server.
Symantec uses proprietary remote VPN client software that must be purchased at extra cost.
Blue Coat is the only one of ISA Server 2004's major competitors that includes Web-caching functionality.
Blue Coat does not include site-to-site VPN gateway or remote access VPN functionality.
Blue Coat requires that content filtering be done through a third-party service.
Open source firewalls are more popular with highly technical individuals (such as hackers) and those who advocate and are familiar with open source operating systems.
The cost advantage of open source firewalls is often offset by difficulty of use, lack of documentation, lack of technical support, and weak or missing logging and alerting features.
IPChains, the packet filter of the Linux 2.2 kernel (since superseded by iptables), provides rudimentary, stateless firewall functionality and does not include services usually taken for granted in commercial firewall products such as ALF, VPN gateway, IDS, and others.
The Juniper Firewall ToolKit was developed by Obtuse Systems (not related to Juniper Networks) to run on Linux and BSD/FreeBSD. It was based on ipfirewall and offered as a toolkit for building proxy firewalls.
Ipfirewall (ipfw) is a kernel packet filter that comes with FreeBSD. It performs network-layer packet filtering only; application-layer filtering must be done by another program/service.
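The following worked example illustrates the distinction this track draws in two places: the application layer filtering that is one of ISA Server 2004's major strengths, and the network-layer-only filtering of ipchains and ipfirewall. It is added here and is not code from the book, from ISA Server, or from any product compared in this chapter. The rule table, the limits in the HTTP filter, and all sample traffic are constructed for the example; the real ISA Server HTTP filter has its own configurable settings.

```python
"""Added example: a network-layer packet filter (ipchains/ipfw style, header
fields only) beside an application-layer filter that parses the HTTP request
the packet carries.  Rules, limits and sample traffic are constructed here;
nothing below models ISA Server's actual filter logic."""
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Network-layer policy: (protocol, destination port) -> verdict.  Nothing
# beyond the IP/TCP header is consulted, exactly the limitation the text notes.
NET_RULES = [("tcp", 80, "ACCEPT"), ("tcp", 443, "ACCEPT")]


def packet_filter(pkt: Packet) -> str:
    for proto, dport, verdict in NET_RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return verdict
    return "DROP"  # default deny


# Application-layer policy for HTTP (hypothetical limits chosen for the example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 2048
MAX_HEADERS = 50


def http_filter(payload: bytes) -> str:
    """Return 'ALLOW' or a 'BLOCK: <reason>' string for one HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "BLOCK: non-ASCII bytes in header section"
    if "\r\n\r\n" not in text:
        return "BLOCK: header section not terminated"
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "BLOCK: malformed request line"
    method, url, _version = parts
    if method not in ALLOWED_METHODS:
        return f"BLOCK: method {method} not allowed"
    if len(url) > MAX_URL_LEN:
        return "BLOCK: URL too long"
    # Decode twice so doubly percent-encoded variants cannot slip past the check.
    normalized = unquote(unquote(url))
    if "../" in normalized or "..\\" in normalized:
        return "BLOCK: path traversal in URL"
    if len(lines) - 1 > MAX_HEADERS:
        return "BLOCK: too many headers"
    if not any(line.lower().startswith("host:") for line in lines[1:]):
        return "BLOCK: missing Host header"
    return "ALLOW"


def inspect(pkt: Packet) -> Tuple[str, str]:
    """Run both layers; the application layer is reached only if the first accepts."""
    net = packet_filter(pkt)
    if net != "ACCEPT":
        return net, "not reached"
    if pkt.dport == 80:
        return net, http_filter(pkt.payload)
    return net, "no application filter for this port"


# Constructed sample traffic.  Every packet is TCP to port 80, so the
# network-layer filter accepts all of it; only the HTTP filter tells them apart.
SAMPLES = {
    "legit": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /cgi/..%255c../etc/passwd HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Not HTTP at all: a binary protocol tunneled over port 80.
    "tunnel": b"\x80\x01\x00\x00\xff\xfe binary session data",
}


def run_samples() -> dict:
    return {name: inspect(Packet("10.0.0.5", "192.0.2.10", "tcp", 80, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (net, app) in run_samples().items():
        print(f"{name:10s} network-layer={net:6s} application-layer={app}")
```

The point of the run is that the network-layer verdict is identical for all four samples: a port-based filter has no way to distinguish a normal page request from a traversal attempt, a disallowed method, or a foreign protocol riding on port 80. Only the parser that understands HTTP can. Note the double decode before the traversal check; a filter that normalizes once and tests the result can be bypassed by encoding the encoding.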
IPCop is a user-friendly firewall that runs on Linux and is managed from a Web UI, thus it can be managed remotely. It includes NAT functionality to protect a small LAN. It is based on the Smoothwall code and licensed under the GNU GPL. The firewall is based on ipchains.
IPCop was designed for home and SOHO users rather than enterprise-level networks.