Firewall Products


You can find a wide variety of firewall products on the market today, and they fall into three basic physical categories: software based, appliance based, and integrated. Software-based firewalls, as discussed previously, typically run on top of a commercial operating system, such as Sun Solaris or Microsoft Windows. Appliance-based firewalls are purpose-built devices in which the filter and inspection software is tightly integrated into a custom-built or hardened operating system. These firewalls include the Cisco PIX products as well as Juniper's NetScreen firewalls and the Symantec Enterprise Firewall. Finally, there is the integrated firewall, which is a synthesis of other security products with the traditional firewall. Whereas in the past security functions such as firewalls, VPNs, and intrusion detection systems were each delivered on separate devices, the recent movement in the industry is toward integrating all three into one platform. This synthesis reduces the number of hardware devices that require administration and thus lowers the administrative overhead needed to deploy and manage them. Examples of integrated firewalls include the Cisco ASA and the TippingPoint X505 devices. The following sections discuss each of these firewall products in further detail.

Software Firewalls

Software firewalls are installed on top of an all-purpose generic operating system. Software firewalls include the Sun SunScreen firewall, IPF, the Microsoft ISA Server, Check Point NG, Gauntlet, Linux's IPTables, and the pf packet filter of FreeBSD and OpenBSD. Typically, the vendor's firewall software suite includes patches as well as configuration changes that must be applied to harden the underlying operating system from attack, or a kernel module or driver that the firewall needs to operate properly. The primary advantage of such firewalls is that you can task them to be multipurpose in nature. For example, a firewall can also be a Domain Name System (DNS) server itself, or it can be the spam filter. Software firewalls lend themselves to multipurpose roles much more easily than dedicated appliance firewalls.

A significant disadvantage to these firewalls is the need to consider the potential vulnerabilities of the underlying operating system. Consider, for example, the SunScreen firewall and the Microsoft ISA firewall. Both are installed on top of a base operating system of Solaris or Windows 2000/2003, respectively. As new vulnerabilities are discovered in various aspects of the operating system, the administrator must consider whether to install the vendor patches or whether to forego the patches because of potential adverse effects on the firewall. What are the potential effects of patches? The firewall may not function properly after the installation of a patch. In many cases, the vendor (either the operating system manufacturer or the firewall software vendor) tests patches for compatibility with the firewall software and releases a bulletin recommending the installation or cautioning against the installation of the patches.

Additionally, in an enterprise environment, a software firewall may sometimes cross the "political" line between the systems group and the network group. The question of "who owns the box?" needs to be resolved. The systems group may claim that because the system has a generic operating system installed, the system belongs to them; similarly, the network group may claim that because the system's role is that of a firewall, it is under their administration. Issues such as this can crop up in larger environments.

The primary benefit of software firewalls is the ability to use commodity hardware for the device such that if the device should fail, then replacement of hardware is relatively straightforward. A significant drawback to software firewalls is that the firewall software vendor and the operating system vendor may simply point fingers at one another and blame the other whenever a problem arises that causes the firewall software or the operating system to fail. This issue normally does not apply when the firewall vendor and the operating system vendor are the same, as with Linux-based firewalls, Microsoft ISA Server, or OpenBSD's IPF running on OpenBSD.

Other drawbacks to software firewalls include the requirement to lock down the underlying operating system and to keep it patched. Finally, software firewalls tend to underperform compared to appliance-based firewalls, because the general-purpose operating system they run on has not been explicitly tuned for peak performance as a firewall.
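The lockdown requirement above is concrete on a Linux host running IPTables (one of the software firewalls the chapter names): the firewall host itself needs a default-deny policy for traffic addressed to it, separate from the rules that govern transit traffic. The following script is an added example, not code from the book or from any vendor; it emits a minimal ruleset in iptables-restore format and lints it before loading. The interface names eth0/eth1 and the management network 192.0.2.0/24 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): a default-deny iptables ruleset for a Linux
# software-firewall host, generated as an iptables-restore file so it can be
# reviewed before it is loaded. Interface names and the management network are
# assumptions for illustration; override them through the environment.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"        # assumed: untrusted side
INSIDE_IF="${INSIDE_IF:-eth1}"          # assumed: protected LAN
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"    # assumed: admin network allowed to SSH to the box

# Emit the ruleset. Traffic to the host itself (INPUT) and transit traffic
# (FORWARD) both default to DROP; only the listed rules open anything.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# host lockdown: loopback, replies to the host's own sessions, SSH only from the management net
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $INSIDE_IF -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
# transit policy: the inside may initiate outbound sessions; the outside gets only return traffic
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Lint a ruleset file before loading it: both filtering chains must default to
# DROP, and no rule may accept new connections from the outside interface into
# the host itself. Prints "ok", or prints the reason and returns non-zero.
check_ruleset() {
    file="$1"
    grep -q '^:INPUT DROP' "$file"   || { echo "INPUT policy is not DROP"; return 1; }
    grep -q '^:FORWARD DROP' "$file" || { echo "FORWARD policy is not DROP"; return 1; }
    if grep -E "^-A INPUT -i $OUTSIDE_IF .*-j ACCEPT" "$file" | grep -qv ESTABLISHED; then
        echo "host accepts new connections from $OUTSIDE_IF"; return 1
    fi
    echo ok
}

# Usage:  sh fw.sh gen > rules.v4 && sh fw.sh check rules.v4
# Loading needs root:  iptables-restore < rules.v4
case "${1:-}" in
    gen)   gen_ruleset ;;
    check) check_ruleset "$2" ;;
esac
```

Load the generated file from a console session rather than over SSH the first time, since a mistake in the INPUT chain locks the administrator out; the lint only catches structural errors (an open default policy or a host-bound accept from the outside interface), so the ruleset still has to be tested against the traffic the site actually needs.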

In smaller environments, these issues typically do not come into consideration because the systems and network group may not be distinctly separate. Also, software firewalls can be useful low-cost devices for the technically savvy home user. However, for the more typical home user, the low-end appliance-based firewalls (such as Linksys, D-Link, and NETGEAR) provide greater benefit because of the ease of setup and the low maintenance they require.

Appliance Firewalls

Appliance firewalls are firewalls that are integrated tightly with custom-built hardware (or in some cases commodity hardware) and provide firewall services to a network. Appliance firewalls include the Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, and Nokia firewalls all the way down to the Linksys, D-Link, and NETGEAR products for home users. The underlying operating system need not be a custom operating system. It can be a highly customized version of a commodity operating system as in WatchGuard's use of Linux or Nokia's use of FreeBSD as their base operating systems.

In many cases, appliance firewalls offer better performance relative to software firewalls because of the nature of the customized underlying operating system and the use of specialized processors and application-specific integrated circuits (ASICs) for data processing and handling input and output (I/O) requests. Additionally, these firewalls may have the benefit of fewer moving parts by eliminating the hard disk (or disks as the case may be) of the software firewalls. As firewalls have matured and become more complex, the gap between the appliance firewall and the software firewall has dramatically closed. Many of the features that have typically been the province of appliance firewalls have been filtering down into software firewalls.

Perhaps the main benefit of the appliance firewall is technical support. As mentioned previously, with a software firewall at least three (and possibly more) vendors may be involved in the firewall: the hardware vendor, the operating system vendor, and the firewall software vendor. As is typical when many parties are involved in a given device, each will point the finger at the others whenever something goes wrong. With the appliance firewall, there is only one vendor for the entire device. If a failure occurs, that vendor is called on to make things right.

Other benefits typical of appliance firewalls are overall better performance, tighter security of the firewall operating system, and lower overall cost than commercial software firewalls.

The drawbacks of having a single vendor handle issues with the firewall are that the vendor may discontinue a specific firewall model in favor of a more recent one, that the vendor may no longer be in business in the future (either due to bankruptcy or acquisition by a competitor), and that if a bug is found in the firewall software (or the underlying operating system), the vendor alone determines when or whether to release a patch.

Additional drawbacks to appliance-based firewalls are that they may lack advanced features and functionality that software-based firewalls provide. It can also be more difficult to provide additional security functions, such as spam control, when compared to software-based firewalls. This drawback results from the fact that it is generally a trivial task to add additional applications to a software-based firewall; you simply install the new application. Appliance-based firewalls frequently require the implementation of additional hardware to provide similar functionality, increasing the complexity of the potential solution.

Integrated Firewalls

Integrated firewalls are multipurpose devices that combine the traditional firewall with other features such as remote-access VPN, LAN-to-LAN VPN, intrusion detection or prevention, spam filtering, and antivirus filtering. These devices are designed to provide an "all-in-one" approach to network-edge security by collapsing the responsibilities of several devices into one device. The benefit of integrated firewalls is that they simplify the network design by reducing the number of devices on the network as well as provide a single system for administration, thereby reducing the administrative burden on the network staff. Another benefit is the potentially lower cost of the device versus multiple devices from multiple vendors.

The major drawback is that the failure of such a device can lead to multiple exposures. Additionally, the complexity of such a device may make it difficult to troubleshoot connectivity problems because of the interaction of different capabilities in the device and how they affect the underlying fundamental operation of a firewall. Although an integrated firewall may be lower in total cost of ownership (TCO), the upfront cost may be significantly more. If a single integrated firewall is more costly than the component devices that provide similar functionality and only provides a marginal cost-benefit, it may be difficult to justify the purchase of an integrated firewall.


Firewall Fundamentals
ISBN: 1587052210
Year: 2006
Pages: 147