Today's centrally managed, software-based firewalls go well beyond packet filtering. Although interrogating a network datagram for IP addresses and port numbers is still a prerequisite, vendors, such as those in this Buyer's Guide, are including more functionality. To distinguish between excellent and run-of-the-mill firewalls, you need to look at a product's level of automation, additional features, and ease of management.
In the past, network administrators spent hours figuring out the optimum order of filter rules. Today's firewalls have predefined rules and actions that let you choose from predefined strength levels (e.g., Paranoid, Intranet, Trusting). Traditional firewalls delineated only a perimeter and perhaps a higher-risk demilitarized zone (DMZ). Now, several products let you assign different levels of trust to perimeter-crossing "zones," so you can prioritize foreign traffic and packets traveling inside the organization.
Configuration wizards help you set up additional rules, define a DMZ, and simplify tasks. Most of today's firewalls check for the latest updates and patches and run periodic checks. Some firewalls are updated almost as frequently as antivirus scanners. Firewall updates include bug fixes, increased functionality, and increased ability to recognize new types of threats.
In many cases, if a firewall notices a persistent threat, the firewall automatically takes action, such as blocking all future requests from the same source or helping track down the offender. Although firewall logs and alerts are still short and to the point, most vendors make expanded explanations of threats available.
One of the best features available is application filtering (aka application-level firewalls or application blocking). Authors of viruses, Trojan horses, worms, and malicious software (malware) have learned that certain IP ports in a firewall (e.g., port 80) are almost always open from the inside out. After an attacker installs a malicious program inside a protected perimeter, the program can search for an open port or attach to an existing proxy client and remain unmolested. Application filtering lets only pre-approved client executables pass through open ports. Look at how the firewall determines what constitutes an approved application: Some firewalls only verify the program's name, but others contain a database of executable traits (e.g., hash algorithms, size, dates, internal coding checks) on each approved application.
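The difference between a name-only approval check and a trait-based one, as an added illustration (not code from any product in this guide). The application list, the file name `browser.exe`, and the file contents are all constructed for the example; the "traits" checked here are file size and a SHA-256 digest.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class ApprovedApp:
    name: str     # executable file name as it appears on disk
    sha256: str   # hex digest of the approved binary's contents
    size: int     # size in bytes of the approved binary


def fingerprint(path: Path) -> tuple[str, int]:
    """Return (sha256 hex digest, size in bytes) of the file at path."""
    data = path.read_bytes()
    return hashlib.sha256(data).hexdigest(), len(data)


def name_only_check(path: Path, approved: dict[str, ApprovedApp]) -> bool:
    """Weak policy: any binary whose file name is on the list is allowed."""
    return path.name in approved


def trait_check(path: Path, approved: dict[str, ApprovedApp]) -> bool:
    """Stronger policy: name, size and SHA-256 must all match the record."""
    entry = approved.get(path.name)
    if entry is None:
        return False
    digest, size = fingerprint(path)
    return size == entry.size and digest == entry.sha256


def demo() -> dict[str, bool]:
    """Constructed scenario: approve a stand-in 'browser.exe', then overwrite
    its contents while keeping the name, and see what each policy decides."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "browser.exe"
        exe.write_bytes(b"GENUINE-BROWSER-BYTES")  # constructed sample content
        digest, size = fingerprint(exe)
        approved = {"browser.exe": ApprovedApp("browser.exe", digest, size)}
        results = {
            "genuine_by_name": name_only_check(exe, approved),
            "genuine_by_traits": trait_check(exe, approved),
        }
        exe.write_bytes(b"MODIFIED-BROWSER-BYTES-XX")  # same name, new contents
        results["modified_by_name"] = name_only_check(exe, approved)
        results["modified_by_traits"] = trait_check(exe, approved)
        return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'}")
```

A name-only policy allows both versions of the file; the trait-based policy allows the original and blocks the altered one, which is the distinction the guide says to look for.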
Good firewalls not only block unapproved packets but also use Intrusion Detection System (IDS)-like functionality to identify well-known attacks. Firewalls often behave as centralized antivirus managers to distribute forced updates to attached workstations.
Firewalls often act as privacy gateways, block unwanted advertisements and forbidden (e.g., adult, violent) content, and provide VPN capabilities. Some firewalls include interfacing APIs so that the firewall works with other products that inspect network traffic. Other vendors offer emulated environments so that potentially malicious code can be executed without causing harm. Clearly, today's firewall has to be more than a packet filter.
Network administrators prefer to manage firewalls from a centralized, Web-based console. Look for products that provide several levels of alerts, logging, and automatically generated statistical reports. The most scalable solutions offer enterprise security policies that automatically generate rule sets and permissions. Of course, automation and good feature sets mean nothing if the firewall doesn't work. Many firewalls are tested, approved, and certified by organizations such as the International Computer Security Association (ICSA).
Future firewalls will be friendlier and more feature-packed, with logs that report only necessary information and improved responses to attacks. Soon, to the dismay of firewall purists, administrators might not even need to know much about protocols and rule sets.