Firewalls provide important network and computer-system protection for businesses and home users. Today's firewalls come in two distinct flavors: host-based firewalls that protect individual computers and network-based firewalls that you place at strategic chokepoints on your network. Most large organizations use network-based firewalls. However, even in large, well-protected enterprises, host-based firewalls can provide a solid second level of defense from worms or other malicious traffic that might breech your primary network firewall. This Buyer's Guide describes some of the features to consider when you buy host- and network-based Windows firewall software.
Firewall rule sets detect and block anomalous and unwanted traffic. The rule sets consist of individual ACLs that define the traffic that's permitted through the firewall. Be sure to examine how the firewall constructs ACLs and how you make changes to them. For example, does the firewall use a GUI or command-line syntax? Which tools and protocols, such as HTTP Secure (HTTPS) or Secure Shell (SSH), does it use for remote management? Does the firewall support real-time logging of dropped packets, which helps you troubleshoot firewall operations and detect rogue activities? If the log events are exportable to a common (i.e., SNMP or syslog) or delimited format, you'll be able to use the plethora of log-analysis tools that are freely available.
Most modern firewalls include Intrusion Detection System (IDS) functionality. IDS identifies (and usually blocks) known exploits before the rule set processes them. For example, IDS might drop a Denial of Service (DoS) attack that's embedded within a protocol that your rule set would have allowed. IDS sophistication and features vary by vendor.
Several network firewall architectures exist—from simple single firewalls to dual back-to-back firewalls that create a perimeter network to triple firewalls that have legs for demilitarized zone (DMZ), private, and public networks. Do some research before you decide which architecture you want to deploy, then compare firewalls that support that design. Firewalls route packets from one network to another and most can perform Network Address Translation (NAT), which hides a larger number of private IP addresses behind a few public IP addresses. Some network firewalls also provide VPN server functionality. Several VPN technologies (e.g., IP Security—IPSec, PPTP) are available, so consider which solution is most compatible with your environment. VPNs historically have had problems crossing firewalls that are configured for NAT. If you're a small office/home office (SOHO) user, look for firewalls that support IPSec or PPTP passthrough to ensure that you can connect to your company from behind your home firewall.
Some firewalls provide more sophisticated control—such as antivirus scanning, Web-content filtering, or other application-layer filtering—over the traffic that passes between networks. To enable these features, vendors often charge extra subscription fees that add to the recurring cost of the software, so be sure to check the details.
Consider where to deploy your dedicated network firewalls and whether you need high availability. Redundant hardware and software licenses for firewalls that are clustered for failover or load balancing can add to your cost.
Because of the proliferation of remote users and worms, host-based firewalls play an increasingly important role in securing workstations from internal attacks that bypass the network firewall. Host-based firewall software must coexist with users' day-to-day tasks, such as using Microsoft Office or surfing the Web.
Because host-based firewalls are installed on client computers, many products control which applications can access the network. Some products profile computers by building up a rule list as programs attempt to access the network. For enterprise deployments, look for centralized management capabilities, which aggregate workstation data into reports and let you push host-based firewall policies to remote computers. Also, consider location-detection features that assign additional rules to protect laptop computers when they're connected to remote networks.
Host-based firewalls typically assign ACLs on a per-user basis, which provides additional flexibility and security. Instead of basing ACLs on individual IP addresses (which an attacker can spoof or change), host-based firewalls authenticate users at any location and apply ACLs based on user roles.
Most reputable firewalls provide solid protection—if they're configured correctly. But an incorrectly installed firewall can cause a false sense of security or a disruption in your business service. Carefully scrutinize the literature, product manuals, and other information to ensure that you're truly guarding what you've set out to protect.