When your office network is connected to the Internet, it's practically a sitting duck for hackers. Today's high-speed Web connections are always "on," which means that your computers are vulnerable to attacks. The same network that makes it easy for you and your colleagues to exchange data and share office resources also provides opportunities for outsiders to gain access.
That's why every Web-connected business needs a firewall, a hardware device or software program that stands between the Internet and your company's local area network (LAN) and decides which traffic may pass in either direction, keeping computers and data secure and hackers at bay. A firewall will not stop every threat, but it is the foundation of any business's Internet security. You're not just purchasing security -- you're also buying a measure of peace of mind.
Hardware firewalls, the focus of this guide, are small devices that physically connect to the Internet modem or router. Software firewalls are programs that install on a LAN computer. For more on choosing between a software or hardware firewall, please refer to the accompanying sidebar, "Software or Hardware?"
True Web Protection
Firewalls use several techniques to maintain LAN security and keep hackers out. The first line in the sand is Network Address Translation (NAT). NAT lets the computers on a LAN share a single public address: as each outbound connection passes through the firewall, its source is rewritten to that one address, so outside users on the Internet see only the firewall and never the private addresses (the designations for each computer on the LAN) of the individual office computers.
Hiding addresses, by itself, is only a thin layer of protection: an attacker does not need to know a private address to probe a port the firewall forwards to an inside server or to abuse a connection a LAN user has opened, and skilled hackers are familiar with methods to get by NAT alone. For this reason, many firewalls add stateful inspection technology, which keeps a table of the connections in progress and admits an inbound packet only if it belongs to a connection that was started from inside the LAN, or matches a rule the administrator has explicitly allowed; everything else is dropped and logged.
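The following is an added example, not code from the article or from any of the vendors reviewed: a toy firewall that shows the table both NAT and stateful inspection depend on. An outbound connection gets a public port and a state entry; an inbound packet is let through only if it is the reply on such a connection (same remote host and port) or is addressed to a port the administrator deliberately forwarded, and the example goes one step beyond the text by also applying an outbound access rule (blocking a chat port) and an anti-spoofing check on the source address. The addresses, port numbers and the 6667 chat port are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed public address of the firewall (documentation range)
LAN_PREFIX = "192.168.1."    # assumed private office network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    # outbound policy: destination ports LAN users may not reach (e.g. 6667 for IRC chat)
    blocked_out_ports: Set[int] = field(default_factory=set)
    # admin-defined inbound rules: public port -> (server on the DMZ or LAN, port)
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # NAT/state table: public port -> (internal ip, internal port, remote ip, remote port)
    state: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    next_port: int = 40000
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: apply policy, record state, rewrite the source address."""
        if not pkt.src_ip.startswith(LAN_PREFIX):
            self.log.append(f"DROP out {pkt.src_ip}: not a LAN address (spoofed?)")
            return None
        if pkt.dst_port in self.blocked_out_ports:
            self.log.append(f"DROP out {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} (policy)")
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.state.items():   # reuse the mapping of an existing flow
            if entry == flow:
                break
        else:                                        # new flow: allocate a public port
            pub_port = self.next_port
            self.next_port += 1
            self.state[pub_port] = flow
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public address: pass only replies to flows opened from inside,
        or traffic to a port the administrator deliberately forwarded."""
        entry = self.state.get(pkt.dst_port)
        if entry is not None:
            iip, iport, rip, rport = entry
            # stateful check: the reply must come from the host and port the LAN user talked to
            if (pkt.src_ip, pkt.src_port) == (rip, rport):
                return Packet(pkt.src_ip, pkt.src_port, iip, iport)
            self.log.append(f"DROP in {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (not the peer of this flow)")
            return None
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        self.log.append(f"DROP in {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port} (no matching connection)")
        return None


if __name__ == "__main__":
    fw = Firewall(blocked_out_ports={6667}, port_forwards={80: ("192.168.2.5", 8080)})
    out = fw.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    print("translated:", out)
    print("reply:", fw.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port)))
    print("unsolicited:", fw.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 40500)))
    print("chat:", fw.outbound(Packet("192.168.1.20", 51001, "198.51.100.7", 6667)))
    print("\n".join(fw.log))
```

The two dropped cases at the end are the ones that matter: a packet to a port with no state entry, and a packet to a live port from the wrong peer, are both refused even though the sender "knows" the public address, which is the protection the article attributes to stateful inspection rather than to address hiding.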
What Else To Look For
Most business owners view a firewall as a device that only keeps outsiders from reaching the LAN over the Internet, but it can also control how employees use the Internet, blocking undesirable Web pages through a process known as content filtering.
Firewalls should be able to create log files that record such important information as how long the device has been running and the amount of traffic it has processed. Most systems log blocked connection attempts with the source address and the port or service that was targeted, so an administrator can tell where a probe came from and what the intruder was after, and offer immediate intruder alerts via e-mail. Many also support virtual private networks (VPNs), which allow companies to securely connect two sites and set up encrypted remote-access sessions. VPN features may be included with a firewall, or be available as an option. Finally, any good protection device must be easy to install and configure, and most are configured through a menu that appears in a standard Web browser.
3Com Internet Firewall DMZ
Reasonably priced, and offering adequate capability, 3Com's Office Connect Internet Firewall DMZ is a low-end solution. It offers Internet security for up to 100 users, and a demilitarized zone (DMZ) port that lets businesses connect a Web server. Its set of features, however, generally pales against other firewalls.
The Internet Firewall DMZ installs between a company's Ethernet hub or switch and its Internet modem or router. It mainly relies on NAT to allow users to connect to the Internet via a single IP address, and hide LAN computers from hackers on the Internet.
The Internet Firewall DMZ also offers protection from hackers who may try to use Java applets, ActiveX controls, and cookies to attack a network. The firewall can be configured to block these outright, or to allow only those that come from trusted or legitimate sites. The unit also reports on the bandwidth usage of a company's Internet connection, and administrators configure the firewall through its Web interface.
The Firewall DMZ can prevent LAN users from accessing questionable and specified Internet sites based on URLs or keywords, and log employee attempts to access off-limit sites. 3Com offers an optional Web Site Filter that extends this capability by providing a database of thousands of controlled sites that are organized in pre-defined categories such as pornography and racial intolerance. 3Com updates the category lists each week. Simply specify the categories that users are banned from accessing. The Internet Firewall DMZ comes with a one-month free trial for this service. A 12-month subscription is $162.
C&C Films, Ltd., is an Emmy award-winning firm that produces commercials for such clients as Burger King and Coca-Cola. The 10-person company protects its network with a 3Com firewall. According to Steve Conners, president and CEO, his company wanted a firewall to prevent outside sources from corrupting the office network. He chose the 3Com firewall because his company was already using a 3Com network router, and was pleased with its performance. After configuring the 3Com firewall, a process Conners says was totally painless, he hasn't noticed any difference in the daily performance of the network. But Conners says that's a good thing, because it means there have been no problems with hackers. "We are very pleased with our firewall," says Conners. "Since installing the firewall, there has been no down time with our computer network or our Internet access. This is key to our business and our clients."
Compared against the others, the Internet Firewall DMZ is a low-cost alternative at $1,240. When we tested it, it lacked VPN capabilities, but at press time 3Com announced that it is adding VPN support. Even with VPN support, the Internet Firewall DMZ generally offers fewer features than the others reviewed here.
Internet Firewall DMZ
NetScreen 10
The NetScreen 10's comprehensive security and full range of features make it a clear standout, and one to consider. To start, the NetScreen 10 relies on NAT and on port address translation, which maps many internal connections onto the single public address by giving each one its own port, to hide the computers (IP addresses) on the office LAN. Like the other firewalls, it comes with a DMZ port that isolates public servers from the rest of the office LAN, and it offers its own user authentication. The firewall also uses stateful inspection for more thorough security. The NetScreen 10 is licensed for an unlimited number of users.
The NetScreen's VPN features are equally impressive. The firewall can act as a fully-integrated VPN gateway that transports encrypted data over the Internet. On the other hand, it lacks built-in content-filtering features to limit users' access to undesirable Web sites, although it does support a third-party service for this purpose.
A big plus is the NetScreen's traffic-shaping feature, which monitors, analyzes, and allocates network bandwidth in real time: it can assign bandwidth and priorities by application, user, IP address, or time of day, and it generates graphical reports. The browser-based management system provides real-time monitoring and logging, e-mail alerts, and solid analysis tools.
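An added example, not NetScreen's implementation: a simplified two-pass bandwidth allocator that illustrates the idea behind traffic shaping by class. Each class (which a real device would identify by application, user or address) carries a guaranteed minimum, a priority and a cap; the link capacity first honours the guarantees of every class with demand, then hands what is left to classes in priority order. The class names, rates and demand figures are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TrafficClass:
    name: str
    guaranteed_kbps: int   # reserved for this class whenever it has demand
    priority: int          # lower number is served first from leftover bandwidth
    max_kbps: int          # hard cap, e.g. to keep bulk downloads in check


def allocate(link_kbps: int, demand_kbps: Dict[str, int], classes: List[TrafficClass]) -> Dict[str, int]:
    """Return the kbps granted to each class for this interval.

    demand_kbps says how much each class currently wants to send; the result never
    exceeds demand, the class cap, or the link capacity.
    """
    alloc = {c.name: 0 for c in classes}
    remaining = link_kbps
    # pass 1: every class with demand gets its guarantee (bounded by demand, cap and link)
    for c in classes:
        want = min(demand_kbps.get(c.name, 0), c.max_kbps)
        give = min(c.guaranteed_kbps, want, remaining)
        alloc[c.name] = give
        remaining -= give
    # pass 2: whatever is left goes to the highest-priority class first
    for c in sorted(classes, key=lambda c: c.priority):
        want = min(demand_kbps.get(c.name, 0), c.max_kbps) - alloc[c.name]
        give = min(want, remaining)
        alloc[c.name] += give
        remaining -= give
        if remaining == 0:
            break
    return alloc


# constructed policy: keep Web and mail responsive, let bulk traffic use only what is spare
CLASSES = [
    TrafficClass("web", guaranteed_kbps=256, priority=1, max_kbps=1000),
    TrafficClass("mail", guaranteed_kbps=128, priority=2, max_kbps=1000),
    TrafficClass("bulk", guaranteed_kbps=0, priority=3, max_kbps=600),
]

if __name__ == "__main__":
    busy = {"web": 800, "mail": 300, "bulk": 500}
    print("busy hour:", allocate(1000, busy, CLASSES))
    quiet = {"web": 0, "mail": 0, "bulk": 500}
    print("night:", allocate(1000, quiet, CLASSES))
```

On a saturated 1000 kbps link the busy-hour input above gives Web its full 800, mail 200 (its 128 guarantee plus the 72 left over) and bulk nothing; at night, with no interactive demand, bulk gets its whole 500. A real shaper repeats this every scheduling interval and also has to queue or drop the traffic it did not grant.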
For thorough security, plus an ability to adjust network traffic, the NetScreen 10 is hard to beat. At almost $4,000, it's expensive, but you definitely get what you pay for.
SonicWALL XPRS
A mid-priced solution, the SonicWALL XPRS offers good security for unlimited users, as well as optional support for VPNs. Like the 3Com and NetScreen firewalls, the SonicWALL offers a port that connects to the Internet router, a LAN port that connects to the office network, and a DMZ port for the public server. For security, the SonicWALL uses NAT and the more sophisticated stateful packet inspection, along with Java, ActiveX, and cookie blocking.
If there's an attack on the network, the device sends alerts via e-mail. Its Internet-filtering feature selects categories of Web sites to block or monitor from pre-defined lists, which may be customized. Also, administrators can define time periods and days during which content filtering is activated. The device can block URLs based on keywords and keep ActiveX, Java, and cookies off of the office LAN.
For more-thorough content blocking, SonicWALL offers an optional Content Filter List Subscription, which SonicWALL updates weekly. A subscription for content filter updates costs $695 per year, and SonicWALL lets you try the service for free for 30 days.
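The URL filtering that both the 3Com and the SonicWALL sections describe, as an added example that is not either vendor's code: a filter that blocks by domain category from a list, by keyword in the URL, and only during a configured schedule, logging every blocked request with the user and reason. The category list, the user names and the URLs are constructed; a subscription list would have thousands of entries, and the schedule format (hour range plus weekdays) is an assumption of this example.

```python
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed category list (hypothetical domains); real lists are far larger.
CATEGORY_LIST: Dict[str, Set[str]] = {
    "gambling": {"casino.example", "bets.example"},
    "games": {"arcade.example"},
}


class ContentFilter:
    def __init__(self, banned_categories, keywords, schedule=None):
        self.banned = set(banned_categories)
        self.keywords = [k.lower() for k in keywords]
        # schedule: ((start_hour, end_hour), {weekdays, 0 = Monday}); None means always on
        self.schedule = schedule
        self.log: List[str] = []

    def _active(self, when: datetime) -> bool:
        if self.schedule is None:
            return True
        (start, end), days = self.schedule
        return when.weekday() in days and start <= when.hour < end

    def _category(self, host: str) -> Optional[str]:
        # match the host or any parent domain, so www.casino.example is caught too
        labels = host.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            for cat, domains in CATEGORY_LIST.items():
                if candidate in domains:
                    return cat
        return None

    def check(self, user: str, url: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason); blocked requests are appended to the log."""
        if not self._active(when):
            return True, "filter inactive"
        parts = urlsplit(url)
        host = parts.hostname or ""          # hostname drops the port and userinfo, lowercases
        cat = self._category(host)
        if cat in self.banned:
            reason = f"category:{cat}"
        else:
            path = (parts.path + "?" + parts.query).lower()
            hit = next((k for k in self.keywords if k in host or k in path), None)
            if hit is None:
                return True, "ok"
            reason = f"keyword:{hit}"
        self.log.append(f"{when:%Y-%m-%d %H:%M} BLOCK {user} {url} {reason}")
        return False, reason


if __name__ == "__main__":
    f = ContentFilter(["gambling"], ["poker"], schedule=((9, 18), {0, 1, 2, 3, 4}))
    monday = datetime(2024, 6, 3, 10, 0)
    for u in ("http://news.example/", "http://www.casino.example/lobby", "http://arcade.example/poker-night"):
        print(u, f.check("alice", u, monday))
    print("\n".join(f.log))
```

Matching the parent domain and using the parsed hostname (rather than searching the raw URL string) are the details that matter: an employee who types `CASINO.EXAMPLE:8080` or `www.casino.example` should hit the same rule as `casino.example`, and a keyword list alone would miss all three.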
The SonicWALL XPRS allows users to define network access rules and block traffic such as Internet chat from the LAN to the Internet. The unit also periodically checks the SonicWALL FTP site to look for new software releases, and notifies IT personnel when a new version is available for download. The firewall supports VPNs through a $695 upgrade. It also offers adequate logging features to help administrators view status, and offers logs that may be viewed through a Web browser.
MacKenzie-Childs Ltd., a New York-based design and production firm, discovered that its 125-node network was being infiltrated by outsiders. One day while working with the server, Ken W. Morehouse II, the company's senior systems engineer, noticed that, with no traffic coming from the company's LAN, utilization of the server and its Internet connection was at 70%. After looking further into the phenomenon, he verified that someone was hacking into, and using, the company's server.
Morehouse purchased and installed a SonicWALL firewall, and over the next day he received some 30 e-mail logs from the firewall that indicated intruders were trying to gain access. He's happy to say that none succeeded. "We now have a clean Internet connection and we have our bandwidth back," says Morehouse. "I am so happy that I didn't need to spend $10,000 to $20,000 to protect our network from hackers."
We, too, liked the SonicWALL's thorough security. While the NetScreen 10 offers the most capabilities, at about $2,200 the SonicWALL can be had at a much lower price.
$2,195 ($695 VPN Upgrade)
WatchGuard SOHO
The low-priced leader of the firewalls here, the WatchGuard SOHO supports up to 50 computers. The WatchGuard SOHO is the only firewall we reviewed that lacks a DMZ port, but it does include a built-in four-port Ethernet hub. It's clearly designed for smaller businesses. If your company has more than 50 users, WatchGuard sells its formidable Firebox II, the next model up, which supports up to 500 users. The price points are wide-ranging: the SOHO lists for $450, and the Firebox II lists for $4,990.
The SOHO relies on NAT and stateful packet inspection, and also offers thorough authentication features. VPN features cost an additional $450, but the SOHO with a VPN option can be purchased for $600 (the SOHOtc).
The SOHO controls which Web sites users may access. The company's WatchGuard LiveSecurity Service is a subscription-based service that delivers software updates and offers technical support. It's a good value: free for the first year, and $95 each year thereafter.
The SOHO creates log files that provide information on the device's run-time, the amount of traffic that has passed, and blocked sites that users have tried to access. It also identifies any hacking attempts, and offers intruder alerts via e-mail.
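The log analysis the SOHO's reporting (and the log and alert features described earlier for firewalls in general) makes possible, as an added example that is not WatchGuard's or any other vendor's code: parse blocked-connection entries, count attempts per source, and flag a source that probes many different ports, which is what a port scan looks like from the firewall's side. The log lines are constructed in an assumed generic format; no vendor's real log syntax is reproduced, and the threshold of five distinct ports is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log in an assumed format: "<date> <time> <action> <proto> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2001-05-14 02:11:07 DROP tcp 198.51.100.23:4021 -> 203.0.113.10:21
2001-05-14 02:11:08 DROP tcp 198.51.100.23:4022 -> 203.0.113.10:23
2001-05-14 02:11:08 DROP tcp 198.51.100.23:4023 -> 203.0.113.10:25
2001-05-14 02:11:09 DROP tcp 198.51.100.23:4024 -> 203.0.113.10:80
2001-05-14 02:11:09 DROP tcp 198.51.100.23:4025 -> 203.0.113.10:110
2001-05-14 02:11:10 DROP tcp 198.51.100.23:4026 -> 203.0.113.10:139
2001-05-14 03:40:51 DROP tcp 192.0.2.77:1517 -> 203.0.113.10:139
2001-05-14 03:41:02 DROP tcp 192.0.2.77:1518 -> 203.0.113.10:139
2001-05-14 09:02:13 ALLOW tcp 192.168.1.20:51000 -> 198.51.100.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ALLOW) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text: str) -> List[dict]:
    """Turn log lines into dicts; lines that don't match the format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events


def summarize_drops(events: List[dict]) -> Dict[str, dict]:
    """Per source address: number of blocked attempts and the set of ports it targeted."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for e in events:
        if e["action"] == "DROP":
            per_src[e["src"]]["count"] += 1
            per_src[e["src"]]["ports"].add(e["dport"])
    return dict(per_src)


def alerts(summary: Dict[str, dict], scan_threshold: int = 5) -> List[str]:
    """One alert line per source; hitting scan_threshold or more distinct ports counts as a scan."""
    out = []
    for src, info in sorted(summary.items()):
        kind = "port scan" if len(info["ports"]) >= scan_threshold else "blocked attempts"
        out.append(f"{kind}: {src} -> {info['count']} attempts on ports {sorted(info['ports'])}")
    return out


if __name__ == "__main__":
    # in a real deployment the alert lines would be the body of the e-mail the firewall sends
    print("\n".join(alerts(summarize_drops(parse(SAMPLE_LOG)))))
```

Counting distinct ports rather than raw attempts is the point: the second source in the sample knocks on one port twice (a repeated attempt on a single service), while the first walks through six services in three seconds, and an administrator wants those reported as different things.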
Pleasanton, Calif.-based Martin Staffing Resources has been using a WatchGuard SOHO for about five months. The 20-employee firm provides corporations with temporary and permanent administrative personnel. "We had it up and running in 15 minutes," says Bud Gray, the firm's MIS Director. Using WatchGuard SOHO's reporting logs, Gray says that he sees an average of five attempts a day by hackers who are trying to gain access into the company's network. "The WatchGuard SOHO successfully blocked all of the attacks," says Gray. "Now, I can focus on other things."
The WatchGuard SOHO is well positioned as a low-priced firewall that offers decent features. For smaller companies, it's one to consider. We are also impressed with the features in WatchGuard's more powerful and expensive Firebox II, but it's clearly a better fit for larger companies.
$499 ($599 VPN Upgrade)
WatchGuard Technologies Inc.
What We Think
Buying the right firewall is a balancing act between the security features you need and how much you are willing to spend. In terms of value, we liked the SonicWALL XPRS for its moderate price of $2,195 and its powerful features. Like the higher-end firewalls, the SonicWALL offers ports for connecting to the router, the office LAN, and a public server. It uses stateful packet inspection to provide solid security, and allows administrators to define network access rules and block traffic, such as Internet chat. It also automatically checks for new software releases.
For protection at any price, we liked the NetScreen 10 for its comprehensive security and built-in VPN support. What sets the NetScreen apart from all the others is its traffic-shaping feature, which monitors, analyzes, and allocates network bandwidth in real time. The NetScreen is definitely one to consider when price is less of a concern.
You wouldn't leave your company's building unlocked at night, and for the same reasons you don't want to leave your office network unprotected without a firewall. It's common sense for business in an information age.