johnboyhome
Firewall comparison

I am trying to compare the pros & cons and relative value of 4 firewall products:  Cisco PIX501, SonicWall Soho3, Contivity 600 & 100 and Linksys.  It's tough finding an unbiased comparison.  Does anyone know where I can find this information?
Housenet

Hello johnboyhome,
-I would only seriously consider the cisco & over all of them, I'd choose a netscreen.. easy to manage, fastest vpn performance, features up the wazoo.. Search on independent testing with a focus on netscreen products, you'll see what I mean..
chris_calabrese

The real question is "what is the problem you're trying to solve?"

If this is for your home network, go with the $100 Linksys and stop worrying about it.

If this is for SOHOs that connect back to a larger company network via VPN or some such, I'd go with the same kind of firewall/vpn gear the main company network uses if at all possible so you can have centralized rules administration.

If it's for a stand-alone small/medium business, go with something you can easily manage complex rules on, like the Cisco, the Sonicwall, the Netscreen, or CheckPoint's SofaWare box.

If it's for a larger business that's going to need multiple firewalls, multiple DMZs, very complex firewall rules, lots of VPN connections, etc., etc. you're looking at the higher-end Ciscos, the Netscreens, and the various CheckPoint incarnations from Nokia/Intrusion/Stonesoft/etc.
Hello,
-Yeah Chris is right.. I'm pushing netscreen because I like them so much, but they are definitely not in the "home market" price range.
I'll definitely agree that the Netscreens are nice, though...
Yes, it depends on your application.  But IMHO cisco boxes are *unnecessarily* difficult to configure.

Not quite on-topic I know, but don't discount the open source solutions (especially the PF packet-filtering package within OpenBSD, see http://www.google.co.uk/search?q=howto+openbsd+firewall+pf&ie=UTF-8&oe=UTF-8&hl=en&meta= )

You will find that because the 'open' products are open, they are VERY well audited by some very, very smart people.  And they are scalable to handle big, big sites and traffic loadings if that's what you want....  and oh yeah, they're free too :-)
I'd agree with Crossley.

Most of the time, a software firewall is a much better solution than a hardware firewall; don't believe the hype to the contrary, which is basically a regurgitated sales pitch.

Here are the simple facts:

1) A lot more people with at least as much skill and technical knowledge work on the Free solutions than work on all the commercial solutions, combined.

2) The Free solutions are updated much more frequently.  Security flaws, if they ever even make it to the production branches, are fixed in hours or even minutes instead of days, weeks or longer.

3) Price.  The Free solutions are well, Free.  Free in both the speech _and_ the beer sense.  Time isn't free, I know, but I'll get to that in a second.

4) Scalability.  Software solutions are as scalable as you want them to be.  Need a faster backbone?  Get a faster NIC.  Tables growing large?  Get more RAM.

[rant]

I would never use any incarnation of windows nor any incarnation of linux as a firewall in an environment where I actually worry about what's behind the firewall.  MS products are notorious for their security holes and also for the terrible time it takes these holes to be plugged.  Linux, IMHO, is to *nix as Windows 9x is to Windows NT; why use the underpowered little brother when the more capable big brother is just as workable?

Personally I use FreeBSD for firewalls, web servers, email servers, file servers.. * servers.. ;)

I find linux to be too "childish" and immature, and OpenBSD to be a little too slothful when it comes to keeping up with the times.  FreeBSD benefits from the decades of history behind all the BSD variants, as well as from strong cross-pollination with them; fixes in OpenBSD for example usually translate directly to fixes in FreeBSD and are incorporated immediately.  I typically run RELENG_X_Y (-SECURITY branch) for firewalls and RELENG_X (-STABLE branch) for servers.
Hello
-asymmetric I agree with you that you can build a firewall with OpenBSD or other unix flavors & the software is free. The reality is everyone needs a firewall but most people do not possess the inclination or ability to mount up a unix firewall. You can regurgitate all the "open source, free, community support" pitches you like. We all know them as they've been around since the seventies.

-Given that most people considering implementing a firewall in a commercial environment are aware of the "free options" & choose an expensive hardware appliance, (Most actually run a unix flavor as the core OS) & this is reflected world-wide in the huge booming appliance market. One can argue that avoiding everything related to mounting a unix based firewall, (that you are comfortable is configured properly as a firewall) is pretty much the whole point of why this is the market trend..

I hear your point.  I think the (associated) problem is that a lot of people buying a commercial f/w expect just to plug the product in, and POW! instant security.  I'm sure you'd agree, one of the benefits of building your own firewall is that as a result of the process you (tend to) *really* understand what's going on.

What I'm trying to say I suppose is that it matters an awful lot less what platform your firewall is running on; and an awful lot *more* whether you have it correctly configured for your reqts.

One of the particular problems I have with the off-the-shelf boxes is that they seem (to me) to unnecessarily obfuscate the configuration process...  and I think there is nothing worse than a false sense of security.

Rgds to all - M
Housenet

Pitches aren't just pitches; they're information.

The commercial sources may well be using *nix variants or derivations; but they usually aren't nearly as configurable as the whole OS itself.  I've used everything from the application level firewalls for windows, to standalone windows firewalls running things like PktFilter and Checkpoint FW1, all the way to Pixes and even more exotic hardware.  In all this experience, none of them were as configurable, powerful or secure as the *nix based OSes, free or not.

Crossley:

I agree with your first point.. building it yourself is very educational, and will ultimately result in a better understanding and a more secure system.

I do think that it matters just as much what your platform is.  You can 'correctly' configure a Windows 95 box as well as can be, and it will still matter a great deal in regard to security. ;)
You should spend $600-800 on a computer with lots of ram, 2 or more good network cards aka 3com, and a fast processor. Then you should download the free version of smoothwall (www.smoothwall.org) and install it on this dedicated firewall machine. If you like it, buy the corporate version. It is much better. I have tested multitudes of the "free" firewalls and smoothwall is one of my favorites. I have a few more I would recommend but only if you are used to Slackware or OpenBSD systems such as the Sentry Firewall (www.sentryfirewall.com)
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

I recommend: moderator decide.

if there is any objection or other expert commentary to this recommendation then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. https://www.experts-exchange.com/Community_Support/

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

thanks,
lrmoore
EE Cleanup Volunteer