Welcome back to our discussion of popular firewall appliances! In this two-part series, we're examining solutions and making recommendations based on the size of your organization, the level of security you require, and the cost of the solution. In "Firewall Appliances, Part 1" (July 2005, InstantDoc ID 46588), we looked at solutions appropriate for low-security small-to-midsized businesses (SMBs). Now, in Part 2, we examine solutions more geared toward high-security SMBs and enterprise branch offices.

In contrast to low-security SMB environments, high-security SMB environments require a much higher level of firewall security. Higher security requirements are either mandated by law, necessitated by the nature of the business (e.g., a highly competitive industry that values the protection of trade secrets), or based on the business owner's willingness to spend the requisite funds to provide a good level of network protection at a reasonable price. High-security SMBs treat firewall security the same way they regard automobile insurance, errors and omissions (E&O) insurance, and health insurance. They're willing to pay the price up-front to prevent potential personal and business disasters.

High-Security Environment Concerns
For a listing and explanation of the basic features we targeted in our examination of firewall appliances, see Part 1 of this series. In addition to these features, high-security environments must address several further concerns when shopping for the right appliance:

  • You should log outbound access from the corporate network to the Internet. Logging must include, at a minimum, the username and application that the user utilized to connect to resources through the firewall. The name of the sites and the content accessed should also be included.
  • You should put in place a mechanism for enabling the firewall to block the use of applications that are known risks to network and data integrity—for example, peer-to-peer (P2P) and Instant Messaging (IM) applications.
  • The firewall should be able to stop inbound and outbound exploits by performing both stateful packet and application-layer inspection on all interfaces, including the VPN interfaces.
  • The firewall should be able to perform stateful packet and application-layer inspection on connections allowed inbound through the firewall to the corporate network so that remote users can access business-critical information when they aren't in the office. Stateful inspection should also be performed on data that's encrypted over the wire.
  • To stop or mitigate worms, viruses, spyware, and other data-integrity threats at the perimeter, application-layer inspection should take place at all perimeters.
  • If you require inbound or outbound access to business-critical information, you should enable some method of failover.
  • Although some small businesses have high security requirements, those businesses are still small, and they probably don't have the IT budgets available to larger businesses or enterprise environments. Our experience with high-security SMBs suggests that the average company is willing to spend as much as $3000 for a security solution that will last 3 to 4 years. The amortized daily cost of the security investment—about $2 per day—is low compared with potential financial losses the business might incur if it were to choose a low-security solution.

Appliance Options
Table 1 shows a selection of available firewall devices that offer a reasonable level of network security to the high-security SMB. The SonicWALL Pro 3060 and Cisco Systems' Cisco PIX-515E-R-DMZ are traditional hardware firewalls. Network Engines' Microsoft ISA Server 2004-based NS6200 firewall and Symantec's SGS 5420 firewall represent appliances that are typically called "software" firewalls—they either run on general-purpose OSs or have hard disks, or both. The NS6200 represents a "third generation" of firewall because it combines a hardware firewall's stability and reliability with a software firewall's flexibility, security enhancements, and update agility to meet current security threats. The SGS 5420 lies somewhere in between: It doesn't run on a general-purpose OS, but it does use hard-disk storage.

From a network-security standpoint, the Network Engines and Symantec appliances are our top picks, beating out the traditional stateful-packet-inspection hardware firewalls. The key difference is the level of application-layer inspection these two devices provide, compared with the SonicWALL and Cisco devices.

Although you can use on-box or off-box application-layer inspection add-ons (e.g., antivirus checking, download filtering, mail filtering, pop-up blocking, spyware checking, Web filtering) to enhance all the firewalls in this class, these types of features add significantly to the cost of each of these devices. Such increases in cost might move them beyond the price point that high-security SMB owners can tolerate.

In the end, the Network Engines firewall takes the nod over the Symantec appliance because it has the following features that are crucial to high-security environments:

  • Transparent authentication for all outbound connections through the firewall—In a well-designed high-security environment, two-factor authentication is required for domain logon. Transparent authentication prevents users from sharing user credentials to gain access to the Internet because the system never presents users with a logon dialog box. This feature improves the validity of log-file entries and subsequent investigations based on those entries.
  • Comprehensive logging of all inbound and outbound connections through the firewall—This logging, which includes usernames and applications utilized by the users to access any resource through the firewall, is essential if you're performing a compliance audit or during an administrative, criminal, or civil investigation.
  • Application-layer inspection of Secure Sockets Layer (SSL) tunnels—The ISA Server 2004-based NS6200 performs application-layer inspection on inbound SSL connections through the firewall. Such connections might be to proprietary data contained on a Microsoft Outlook Web Access (OWA) server or a Microsoft SharePoint Portal Server machine. Unlike the other firewalls in Table 1, the NS6200 can decrypt the SSL connection at the firewall, expose the application-layer headers and data to the firewall's application-inspection engine, then re-encrypt the data to provide a secure, encrypted connection from end to end.
  • Stateful packet and application-layer inspection on all VPN interfaces—This inspection includes remote-access VPN and site-to-site VPN gateway connections. VPN links have frequently proven to be the weak spot in many firewall installations because the typical VPN deployment treats VPN-connected hosts as "trusted" and doesn't expose them to application-layer inspection. This scenario has been a major cause of Blaster infection on networks that were otherwise protected from external infection. Risks similar to Blaster still exist, and VPN connections can still spread them. The NS6200 exposes VPN links to application-layer inspection and stops these exploits at the firewall.
  • Even with high-cost application-layer inspection enhancements, none of the other firewalls in Table 1 provide the security features that the NS6200 provides.
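As an added illustration of the logging requirement in the list above (and the outbound-logging item in the first list), not code from the article or from any vendor it names: a small Python audit that reads constructed, tab-separated firewall records, whose field layout is an assumption, and flags allowed outbound connections that lack the username, application, site or URL an investigator would need to attribute the access.

```python
"""Audit outbound firewall log records for the fields the article calls the minimum
for a high-security SMB: username, application, site and content (constructed layout)."""

FIELDS = ["date", "time", "client_ip", "username", "application",
          "protocol", "dest_host", "url", "action"]
REQUIRED = ("username", "application", "dest_host", "url")
UNATTRIBUTED_USERS = {None, "anonymous"}  # '-' or anonymous: nobody to hold accountable

def parse_record(line):
    """Map one tab-separated record to a dict ('-' -> None), or None if the layout is wrong."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return {name: (None if value == "-" else value) for name, value in zip(FIELDS, parts)}

def audit_log(lines):
    """Return [(line_no, problems)] for allowed outbound records an investigator
    could not tie to a user, an application and a destination."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):  # skip blank and header lines
            continue
        rec = parse_record(line)
        if rec is None:
            findings.append((line_no, ["unparseable"]))
            continue
        if rec["action"] != "Allowed":  # denied traffic never reached the Internet
            continue
        problems = [f for f in REQUIRED if rec[f] is None]
        if rec["username"] in UNATTRIBUTED_USERS and "username" not in problems:
            problems.append("unauthenticated user")
        if problems:
            findings.append((line_no, problems))
    return findings

# Constructed sample records (not real traffic): a complete entry, one with no
# authenticated user or application, a denied P2P attempt and a truncated line.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2005-07-01\t09:12:03\t10.0.0.15\tCORP\\jsmith\tMozilla/4.0\thttp\twww.example.com\thttp://www.example.com/\tAllowed",
    "2005-07-01\t09:12:09\t10.0.0.22\tanonymous\t-\thttp\tupdates.example.net\thttp://updates.example.net/x\tAllowed",
    "2005-07-01\t09:13:41\t10.0.0.31\tCORP\\mlee\tSomeP2PClient/1.2\ttcp\tpeer.example.org\t-\tDenied",
    "2005-07-01\t09:14:00\t10.0.0.40\tCORP\\rkim\tMozilla/4.0\thttp",
]

if __name__ == "__main__":
    for line_no, problems in audit_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(problems)}")
```

Running it on the sample reports the anonymous record with no application and the truncated record; the denied P2P attempt is skipped because it never left the network.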

Larger High-Security Environments

High-security mid-to-large-sized businesses and enterprise branch offices share similar security requirements. Similar to the high-security SMB, they require comprehensive stateful packet and application-layer inspection, comprehensive logging, and user/group-based access control through the firewall. The primary difference between the high-security large-business environment and the high-security SMB environment is that larger companies have far more generous IT budgets that align with their security requirements.

These offices don't need high-end, high-speed firewalls that cost $35,000, but they do need a high level of security. A single, successful application-layer attack can result in losses that number in the millions of dollars.

Determining how much money organizations in this class are willing to spend on network firewall protection is difficult. Some companies are extremely security conscious and are willing to spend more than $10,000 for exceptional packet and application-layer inspection firewalls. On the flip side, many midsized to large businesses that require high security balk at paying more than $2500 for this crucial piece of network-security infrastructure. In general, we've found that most organizations in this class are willing to spend between $5000 and $6000 for advanced firewall protection.

Table 2, page 9, shows a selection of firewalls typically deployed in larger high-security environments. The SonicWALL PRO 4060 and the Cisco PIX 515E-UR-FE-BUN are built on a traditional hardware-firewall foundation and provide similar levels of network security. Stateful packet inspection is the cornerstone of these security offerings, without requiring high-dollar add-ons. Both provide high network performance but lack load-balancing and failover capabilities, which are crucial for on-demand access to mission-critical data.

In contrast, RimApp's ISA Server 2004-based RoadBLOCK F302PLUS firewall appliance provides comprehensive application-layer inspection at a reasonable price. Web site filtering, antivirus checking for Internet downloads, and antispam email filtering are available out of the box. In addition, with the help of Rainfinity's RainWall and RainConnect, the RoadBLOCK appliance supports load balancing and failover for both the RoadBLOCK firewall devices and ISP links. The RoadBLOCK appliance supports all the high-security features we discussed earlier for reporting and logging, as well as strong user- and group-based access control for inbound and outbound connections through the firewall.

What's Right for You?
The higher-end network firewalls in this article provide excellent security and high performance for the midsized to large business. Key features leading to the smartest firewall decision are application-layer inspection and comprehensive logging and reporting of user and application access. High availability is also important to keep in mind when you're shopping for a firewall appliance.