The best firewall is ....

How we tested

Contents
Introduction
Cyberguard SG710
Fortinet FortiGate 200A
Juniper ISG1000
Lucent Brick 150
Netgear FVX538
Network Box RM-300
SonicWALL PRO 5060c
Symantec SGS 5420
WatchGuard X1000
Specifications
How we tested
Editor's choice
About RMIT

We have a publicly addressable C-Class network space (253 public IP addresses) just for the lab alone, so luckily we were able to turn off all our own firewall rules on a range of our network and set up each of the vendors' devices on its own IP address. This simulates a typical network edge or perimeter firewall deployment, and each machine had one or two PCs or notebooks connected to it on the inside or LAN ports so that we could create policies and monitor traffic both in and out.

The last firewall review we performed, in the March 2004 edition of Technology & Business Magazine, included a basic ability test. We ran a simple leaktest, which is a simulated Trojan from the inside of the network. I also ran NMAP port scans against the inside and outside of the devices, and a remote vulnerability scan on each device and on devices situated on the network, so that we could be assured the scan was coming in remotely.

For internal purposes there are a plethora of capable vulnerability scanning and reporting software tools and hardware appliances such as Computer Associates' eTrust Vulnerability Manager Appliance or NetIQ's Vulnerability Manager Software.

This type of basic testing is necessary to evaluate a firewall for the specific configuration a company will have in its environment. Once the firewall is purchased and deployed, it is necessary to regularly run similar pen-tests (penetration tests) and vulnerability scans to highlight any newly found threats and take action.

Such basic testing is now rather passé and redundant in the context of a review: it is only a snapshot of the device's configuration and potential vulnerabilities at that one point in time. Most users would not purchase a firewall, simply connect it and run it under the default configuration, for many reasons. Most security vendors now wisely set their devices to "block all" from the factory, requiring administrators and operators to set up their own rules when the device is installed and initially configured on the network. If a product has a vulnerability that is known or detected by a scanning tool, the vendor will usually be on it, ensuring that a patch is available as soon as possible.

This is not to say that security administrators can take a back seat approach and let the vendors drive them. Businesses should regularly stage and perform their own pen-testing of their network devices and resources to ensure that they are up-to-date and their network is as secure as they can make it at that point in time.

The next test that could be performed on these devices is a loaded throughput or performance test. While the lab is more than capable of performing this type of testing, the variance in potential environments, devices and configurations hinders a truly comparative performance test. At the end of the day each company will have its own varying set of filtering policies and procedures that need to be applied, not to mention a unique network load; a performance test in this instance would be purely academic and of no real relevance.

We therefore decided to set up and run the individual firewalls, take a look at the devices and their management, and identify strengths and weaknesses with an emphasis on the features unique to each vendor. We also looked at the logging and reporting systems of each vendor to see how well they interoperated with third-party reporting and analysis systems.

Having our own public-facing IP range also enabled us to set up each device on an open address and log all the traffic against that machine from the outside: script kiddies running port scans and various other footprinting tools.
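The kind of analysis that outside-facing logging makes possible, as an added illustration (not code from the article or from any vendor on the page): a small detector that reads constructed deny-log lines in an assumed generic syslog-style format and flags any source that touches many distinct ports on one host within a short window, which is what a port scan looks like in a firewall log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample deny-log lines (assumed generic format, not any vendor's real format).
# 203.0.113.7 sweeps seven ports in a few seconds; 192.0.2.44 is ordinary noise.
SAMPLE_LOG = """\
2005-08-01T10:00:01 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=21
2005-08-01T10:00:01 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=22
2005-08-01T10:00:02 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=23
2005-08-01T10:00:02 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=25
2005-08-01T10:00:03 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=80
2005-08-01T10:00:03 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=443
2005-08-01T10:00:04 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=3389
2005-08-01T10:00:09 DENY 192.0.2.44 -> 198.51.100.20 TCP dport=80
2005-08-01T10:05:00 DENY 192.0.2.44 -> 198.51.100.20 TCP dport=443
2005-08-01T10:07:30 DENY 203.0.113.7 -> 198.51.100.20 TCP dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, proto, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               m["proto"], int(m["dport"]))

def find_port_scans(text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): max distinct ports seen within `window`} for sources
    that hit at least `min_ports` distinct ports on one host inside the window."""
    events = defaultdict(list)            # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, _proto, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for key, hits in events.items():
        hits.sort()                       # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # drop hits older than the window
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts
```

Tune `min_ports` and `window` to the site's own traffic; the thresholds here are illustrative.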


Talkback 23 comments

  1. Checkpoint Anonymous -- 09/08/05

    How can you test all firewalls and leave the market leader out? All these are toys! :) checkpoint rules

  2. Hardware firewalls Craig Ringer -- 10/08/05

    This review appears limited to dedicated hardware firewalls.

    That's not the extent of the offerings available. In particular, *BSD and Linux have very useful built-in firewalls that can be used to protect a network. You spend more time setting it up, but get more control and pay less for the hardware.

    1. There are NO such things as Hardware Firewalls Craig S Wright -- 05/09/05

      There are NO such things as Hardware Firewalls

      Just pre-packaged boxes. Even the PIX is just an Intel based host with an OS

    2. Rubbish... Anonymous -- 15/10/05

      The Juniper range contain dedicated purpose built chips.

    3. Hardware Firewalls Donovan Marsden -- 21/05/07

      There are such things as hardware firewalls. These prepackaged boxes contain firmware (hardware), not software, so "hardware firewalls" refers to the media. Not to mention that all its electronics are dedicated to the firewall job!

  3. ISA Firewall? Anonymous -- 15/08/05

    Excuse me, but where was the ISA firewall in your test? Was there a reason for leaving the ISA firewall out?

  4. ISA Firewall? Anonymous -- 15/08/05

    Excuse me, but where was the ISA firewall in your test? Was there a reason for leaving the ISA firewall out?

    1. Talk is only about Hardware firewall. Vijay -- 18/05/07

      here the talk is only about the hardware firewall not about the software firewall...

      ISA 2000 till 2006 plays a good role in application layer firewalls; when you talk about the hardware level, packet filtering and IP spoofing etc., we need to go for a hardware based firewall...

    2. ISA Appliances Gladys I. Rodriguez -- 03/08/07

      I think everyone forgets that ISA is also sold as an appliance: http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.mspx, because people say well it runs on top of the Windows OS. But Cisco runs on top of their IOS, Juniper has DX OS, WatchGuard has Firebox X, etc. Microsoft just provides the extra control for what type of box the users choose to run their Firewall.

  5. Why didn't you guys include the Check Point offering in your comparison of Firewall products? They have a very good end to end security offering and they play very hard in the enterprise space (and have also brought the same technology down to the mid tie Anonymous -- 22/08/05

    Why didn't you guys include the Check Point offering in your comparison of Firewall products? They have a very good end to end security offering and they play very hard in the enterprise space (and have also brought the same technology down to the mid tier and SMB products as well)

  6. Astaro Firewall not listed?! Anonymous -- 29/08/05

    I can't believe you would do a round up without including Astaro Firewalls in the mix. They are by far the most powerful and flexible for business.

    www.astaro.com

  7. Cisco Anonymous -- 29/08/05

    WHAT ABOUT CISCO'S PIX???

  8. No Kickbacks from the Big Guns! Anonymous -- 08/09/05

    Nice, no checkpoint, pix nor isa. What credibility does this mag have?

  9. Derek Jolowisz Anonymous -- 29/09/05

    :-)

  10. Software firewall packages Anonymous -- 25/11/05

    Would have been nice to see products like smoothwall included.

  11. Checkpoint Anonymous -- 09/07/07

    I'm glad some of you are getting Checkpoint to work. I can't get onto the net; firmware upgrades have now prevented me from talking to the firewall. I'm using a $10 hub, seems to work better. Asking for an RMA right now.

  12. Sonic What, Watchguard!?!?! Anonymous -- 04/09/07

    Can't believe watchguard was even mentioned; this cannot even be compared to the likes of Juniper ISG, Checkpoint and ASA/PIX in a corporate environment.

    AS
    Sell my house
    www.cheshiremoves.com

  13. Symantec Anonymous -- 11/10/07

    Has anyone ever tried to contact Symantec about the Symantec SGS 5420?

    I've tried many times and no one there knows anything about it - they just transfer me to some guy in an Indian call centre trying to sell me antivirus!!!!!!!!!!!!!!!!!!

    anyone got a real number to call?

    Cheers

    Justin

    1. Symantec support Anonymous -- 18/02/08

      Don't waste your time, they are dropping firewall support in 2009.

    2. Symantec SGS - What to do with old box? Anonymous -- 27/09/08

      We have an SGS v3.x appliance which will be retired next year. Is it possible to install something like 'Astaro' into the box, since Symantec only believes in 'end-point' security?

  14. no Cisco? Anonymous -- 29/05/08

    There are probably more Cisco firewalls installed in the world than all other brands combined. Not to say Cisco firewalls are the best, but to ignore the biggest player?
    btw, I have ASA 5505 at home, loving it.

  15. Cisco ASA 5505 Anonymous -- 25/06/08

    Most of us can't afford a $600+ firewall at home.

  16. Good Firewall, {The Best} Pat Cormier -- 12/10/08

    Why doesn't someone mention [Sunbelt Kerio Personal Firewall]? I've been using it for years, and I find it better than any of the rest.
