How should I select a suitable firewall?

Source: Internet
Author: User
Tags: sonicwall, soho

Firewalls are very common, but they are not comprehensive. In terms of fine-grained security analysis, an application gateway firewall is best, followed by a stateful inspection firewall, which provides the weakest security processing. For ease of management, however, the order is reversed: the stateful inspection firewall comes closest to "plug and play", and the application proxy firewall is the weakest. So how do you determine which type of firewall suits your network? Which one achieves the best balance between security, functionality, cost and ease of management?

To answer these questions, consider three environments: small offices, medium and large offices with general requirements, and large offices with complex requirements.

Small office.

Small offices have few users and machines to manage. They are usually not easy targets. In addition, they need access to only a small number of Internet services: email, web, and sometimes streaming media. In this case, almost any firewall is adequate. Generally, the smaller the office and the fewer the users, the lower the risk.

For small offices, therefore, a simple packet filtering firewall is enough, such as the one bundled with a DSL or cable router. These include broadband routers from companies such as D-Link, 3Com, Netgear, and Linksys. WatchGuard's Firebox SOHO, Symantec's Firewall 100, Global Technology's GNAT, NetScreen, SonicWall SOHO and similar firewalls are also well suited to this environment. Check Point and Cisco offer small office versions of FireWall-1 and PIX, respectively, but the price is a little higher.

Medium and large offices.

"General" refers to basic or standard Internet services. The definition of "general" will change over time, but in practice it includes the following services: web, email, streaming media, and a small amount of file transfer and terminal access.

Almost any firewall whose functions go beyond simple static filtering is suitable. An application proxy firewall is also up to this task, but there are currently few pure gateway-based application firewalls. Many of the main firewall brands are hybrids, such as CyberGuard, Firebox, PIX, NetScreen, Sidewinder, Raptor, and FireWall-1, which in some cases let users choose between proxying, stateful inspection and dynamic filtering. If you configure as many services as possible to use security proxies, any of the above firewalls is suitable. Always use a proxy for email. The firewall should allow email access only to the designated email server. All web access from the intranet to the Internet should go through a proxy. If a common service has no proxy, dynamic stateful filtering is also a good option.

Large, complex environments.

Large enterprises with many users and many problematic, complex services are more challenging. "Problematic" services are services that seem simple but require the firewall to open multiple ports, such as VoIP and NetMeeting. Both services need to open ports for more than 25 different services, so you should either use an application gateway firewall or restrict them to strictly controlled conditions (for example, services may be started only from the internal network or from a specific group of IP addresses, and only during a specific period of time). In addition, if you install a firewall in a large, complex environment, choose one that supports centralized firewall management and configuration, such as PIX, CyberGuard, Firebox, FireWall-1, NetScreen, and Sidewinder G2.
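The following is an added example, not part of the original article: a small Python audit that checks a constructed allow-rule list against the guidance above (email pinned to the designated mail server, intranet web access only through the proxy, multi-port services limited by source and time). The addresses, the `Rule` format and the 25-port threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# All addresses and the rule format below are constructed for this example.
INTRANET = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_network("10.0.1.25/32")
WEB_PROXY = ip_network("10.0.1.80/32")
ANY = "0.0.0.0/0"

@dataclass
class Rule:                 # one "allow" rule; hypothetical format
    name: str
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: range            # destination ports the rule opens
    schedule: str = ""      # e.g. "Mon-Fri 08:00-18:00"; empty means always on

def audit(rules):
    """Return (rule name, finding) pairs for rules that break the guidelines."""
    findings = []
    for r in rules:
        src, dst = ip_network(r.src), ip_network(r.dst)
        # Email: SMTP may only go to, or come from, the designated mail server.
        if 25 in r.ports and MAIL_SERVER not in (src, dst):
            findings.append((r.name, "SMTP not pinned to the mail server"))
        # Web: intranet hosts must reach the Internet through the proxy.
        outbound = src.subnet_of(INTRANET) and not dst.subnet_of(INTRANET)
        if outbound and (80 in r.ports or 443 in r.ports) and src != WEB_PROXY:
            findings.append((r.name, "direct web access bypasses the proxy"))
        # Multi-port services (assumed threshold: more than 25 ports) need
        # both a restricted source and a time window.
        if len(r.ports) > 25 and (src == ip_network(ANY) or not r.schedule):
            findings.append((r.name, "wide port range without source and time limits"))
    return findings

RULES = [  # constructed sample policy
    Rule("smtp-in", ANY, "10.0.1.25/32", range(25, 26)),
    Rule("smtp-any", ANY, "10.0.0.0/8", range(25, 26)),
    Rule("proxy-web", "10.0.1.80/32", ANY, range(443, 444)),
    Rule("lan-web", "10.0.2.0/24", ANY, range(80, 81)),
    Rule("voip-open", ANY, "10.0.3.0/24", range(16384, 16484)),
    Rule("voip-tight", "10.0.3.0/24", "10.0.4.0/24", range(16384, 16484),
         "Mon-Fri 08:00-18:00"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```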

Remember that these are guiding principles. The firewalls mentioned in this article are only examples. If properly configured, any firewall of each type, including those not mentioned here, is up to the job.
