On reflection, these can be regarded as ten warnings for firewall management, and they are worth the attention of firewall managers. Note that "managers" here means not only administrators but also decision makers.
Reposted:
Firewall evaluation and purchasing
Article 1: Do not blindly trust impressive numbers obtained under vaguely specified lab conditions
I have read countless firewall product advertisements, and the nominal 4 Gbps throughput figures are dazzling. However, the moment you mention terms such as "64-byte packets", "line rate", or "sustained for several minutes", the sales staff will quietly walk back that throughput figure. Vendor-supplied data therefore cannot be taken at face value: compare it against results measured under standardized test conditions, or rebuild the test environment and measure it yourself.
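As an added illustration of why the frame size behind a throughput figure matters (example code, not from the original article): the script converts a quoted throughput into the frames per second the device must forward, then shows what that same forwarding rate delivers at 64-byte frames. It assumes standard Ethernet framing overhead (8-byte preamble plus 12-byte inter-frame gap) and the RFC 2544 frame sizes; the "4 Gbps at 1518 bytes" datasheet claim is a constructed scenario.

```python
# Added example, not from the original article: a throughput figure is only
# meaningful together with the frame size it was measured at, because a
# firewall is usually limited by how many frames per second it can inspect.
# Assumption: standard Ethernet framing, 8-byte preamble/SFD + 12-byte inter-frame gap.
ETHERNET_OVERHEAD_BYTES = 20
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def wire_bits(frame_bytes: int) -> int:
    """Bits one frame occupies on the wire, including preamble and inter-frame gap."""
    return (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8


def frames_per_second(throughput_bps: float, frame_bytes: int) -> float:
    """Frames/s the firewall must forward to sustain throughput_bps at this frame size."""
    return throughput_bps / wire_bits(frame_bytes)


def throughput_bps(max_fps: float, frame_bytes: int) -> float:
    """Throughput a device that tops out at max_fps frames/s delivers at this frame size."""
    return max_fps * wire_bits(frame_bytes)


def throughput_table_gbps(max_fps: float) -> dict:
    """Achievable Gbps at each RFC 2544 frame size for a device limited to max_fps."""
    return {size: throughput_bps(max_fps, size) / 1e9 for size in RFC2544_FRAME_SIZES}


def small_frame_throughput_gbps(claimed_bps: float, claimed_frame_bytes: int) -> float:
    """Re-express a claim measured at claimed_frame_bytes as Gbps at 64-byte frames,
    assuming the device's frames-per-second ceiling is what the claim really measured."""
    ceiling_fps = frames_per_second(claimed_bps, claimed_frame_bytes)
    return throughput_bps(ceiling_fps, 64) / 1e9


if __name__ == "__main__":
    # Constructed scenario: a datasheet says "4 Gbps"; the fine print says 1518-byte frames.
    claim_bps, claim_size = 4e9, 1518
    ceiling = frames_per_second(claim_bps, claim_size)
    print(f"4 Gbps at {claim_size}-byte frames is only {ceiling:,.0f} frames/s")
    for size, gbps in throughput_table_gbps(ceiling).items():
        print(f"  {size:>5}-byte frames -> {gbps:6.3f} Gbps")
    # Line rate for a 1 Gbps link at 64-byte frames: the rate a real test must sustain.
    print(f"1 GbE line rate at 64 bytes: {frames_per_second(1e9, 64):,.0f} frames/s")
```

The same "4 Gbps" device comes out at roughly 0.22 Gbps with 64-byte frames, which is why the test conditions must be fixed before any number is compared.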
Article 2: Do not fixate on numbers while ignoring manageability
During evaluation, users often pay too much attention to performance figures. But for day-to-day network security management, does a 2%, 5%, or even 10% performance difference between two products make any essential difference? Is the firewall's configuration interface convenient to operate? Is there a complete log management function? Can logs be stored on the firewall itself? Are there monthly CPU and memory usage statistics? Can the configured policies be queried conveniently? ... Compared with performance figures, evaluating these items may seem impractical, but the question remains: "who knows?"
Article 3: Do not focus on fancy functions while ignoring the hidden performance cost
In the past few years firewalls have accumulated many functions, such as access control, anti-virus, intrusion detection/prevention, and VPN, marketed as integrated functions or "Unified Threat Management", much like a grocery store. These features are "fancy" because once they are switched on, their consumption of hardware resources is far beyond what most people imagine. So, when preparing the evaluation scheme, why not include performance with these functions enabled among the test items?
Article 4: Do not be unscientific about "high-performance hardware architecture"
The performance of a hardware firewall is inseparable from its hardware architecture. The so-called high-performance hardware architectures, as opposed to the traditional x86 industrial PC architecture, are commonly known as NP (network processor) and ASIC. We should neither ignore high-performance hardware architecture nor be superstitious about it. At the same time, we should not over-emphasize "NP" or "ASIC", because the strongest is not necessarily the best or the most suitable for you.
Article 5: Do not ignore your own network characteristics and your own security strategy
Testing a firewall without reference to the characteristics of the user's own network environment is unscientific, and test indicators that are not designed around the user's own security strategy deviate from the original purpose of the product. Network characteristics tell users what kinds of packets, components, and protocols actually run on their network. The security strategy tells users what the firewall is being bought to do, and how it should be deployed, configured, and managed. Testing exists to serve "selection", "deployment", "configuration", and "management".
Article 6: Do not fail to be vigilant against cheating in tests
Product sales and purchases are commercial activities, and in business one has to guard against fraud; in testing, one must be vigilant against cheating. Suppose a few vendors build a high-performance "competition edition" product dedicated to testing, or tamper with the equipment (for example, using a network cable to make a direct connection); the entire test result would then be unfair to the other, honest vendors.