Firewalls are commonplace, but not always readily available. When the analysis is refined by security, the application gateway firewall ranks highest, followed by the stateful inspection firewall, yet the stateful inspection firewall provides the weakest security processing capability. In terms of manageability, however, the order is exactly reversed: stateful inspection firewalls are the most "plug and play", and application proxy firewalls are the weakest. So how do you know which kind of firewall is right for your network? Which one strikes the best balance between security, functionality, cost and ease of management?
To answer these questions, it helps to look at three kinds of deployment: small offices, large and medium-sized offices with general requirements, and large offices with complex requirements.
Small office. Small offices obviously have fewer users and machines to manage. They are also less likely to be targets of attack, and they need access to only a very small number of Internet services: e-mail, the web and sometimes streaming media. In this case almost any firewall is adequate, because, generally speaking, the smaller the office, the fewer the users and the lower the risk.
As a result, simple packet-filtering firewalls, such as those bundled with many DSL or cable routers, are sufficient for small offices. These include broadband routers from companies such as D-Link, 3Com, Netgear and Linksys. In addition, the WatchGuard Firebox SOHO, Symantec Firewall 100, Global Technology's GNAT, NetScreen and SonicWALL SOHO firewalls, among others, are fully suited to this environment. Check Point and Cisco offer small-office versions of FireWall-1 and PIX, but they are somewhat more expensive.
Large and medium-sized offices with general requirements. "General" refers to basic or standard Internet services. Of course, the definition of "general" will change over time, but for present practical purposes it includes the following services: web, e-mail, streaming media, and a small amount of file transfer and terminal access.
Almost any firewall whose functionality is not limited to simple static filtering can meet this requirement. An application proxy firewall is also capable of the task, but there are few purely gateway-based application firewalls. Many of the major brands' firewalls are hybrids, such as Cyberguard, Firebox, PIX, NetScreen, SideWinder, Raptor and FireWall-1, and in some cases they let the user choose between proxies, stateful inspection and dynamic filtering. Any of these firewalls is appropriate if it is configured so that as many services as possible go through a security proxy. E-mail should always use a proxy, and the firewall should allow e-mail only to and from the designated e-mail server. All web access from the inside to the Internet should be proxy-enforced. If a common service has no proxy, dynamic stateful filtering is the next best choice.
Complex and large environments. Naturally, large companies with many users and many complex, "problematic" services present a greater challenge. A "problematic" service is one that looks simple but actually requires the firewall to open many ports, such as VoIP and NetMeeting. Each of these requires open ports for more than 25 different services, so you should use an application gateway firewall, or at least a tightly controlled environment (for example, the service may be started only from the internal network, only from a defined set of IP addresses, and only during a specific time period). In addition, when installing firewalls in complex, large environments, you should use firewalls that support centralized firewall management and configuration, such as PIX, Cyberguard, Firebox, FireWall-1, NetScreen and SideWinder G2.
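The policy recommended in the two sections above (e-mail only via the designated mail server, web access proxy-enforced, dynamic filtering for everything else, and a "problematic" service confined to internal origin, a fixed set of addresses and a time window) can be written down as a single decision function. This is an added illustration, not code from the article or from any of the products it names; the addresses, the proxy and mail-server hosts, the VoIP phone set, the business-hours window and the VoIP port subset are all constructed assumptions.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed addressing for this example; none of it comes from the article.
INTERNAL_NET = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.0.25")    # the only host allowed to exchange e-mail
WEB_PROXY = ip_address("10.0.0.80")      # all outbound web access goes through it
VOIP_PHONES = {ip_address("10.0.1.10"), ip_address("10.0.1.11")}
VOIP_HOURS = (time(8, 0), time(18, 0))   # the "specific time period" for VoIP
VOIP_PORTS = {1720, 5060}                # illustrative subset of VoIP's many ports
MAIL_PORT, WEB_PORTS = 25, {80, 443}

def decide(src, dst, dport, when, established=False):
    """Return 'allow:<mechanism>' or 'deny:<reason>' for a flow.
    `when` is a wall-clock time as "HH:MM"; `established` marks a packet that
    belongs to a flow the firewall has already accepted (stateful inspection)."""
    src, dst = ip_address(src), ip_address(dst)
    from_inside, to_inside = src in INTERNAL_NET, dst in INTERNAL_NET
    # Stateful inspection: packets of an already-accepted flow pass.
    if established:
        return "allow:stateful"
    # E-mail only to and from the designated mail server, handled by the SMTP proxy.
    if dport == MAIL_PORT:
        outbound_from_mail = from_inside and src == MAIL_SERVER and not to_inside
        inbound_to_mail = not from_inside and dst == MAIL_SERVER
        if outbound_from_mail or inbound_to_mail:
            return "allow:proxy"
        return "deny:mail-not-via-mail-server"
    # Outbound web is proxy-enforced: only the proxy itself may open web flows.
    if dport in WEB_PORTS:
        if from_inside and src == WEB_PROXY and not to_inside:
            return "allow:proxy"
        return "deny:web-not-via-proxy"
    # VoIP: internal origin only, an explicit set of phones, and business hours.
    if dport in VOIP_PORTS:
        in_hours = VOIP_HOURS[0] <= time.fromisoformat(when) <= VOIP_HOURS[1]
        if from_inside and src in VOIP_PHONES and in_hours:
            return "allow:controlled"
        return "deny:voip-outside-policy"
    # Services without a proxy: dynamic filtering, outbound-initiated flows only.
    if from_inside and not to_inside:
        return "allow:dynamic-filter"
    return "deny:default"
```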