Product Group Tests

Firewalls (2007)

Group Summary

We find Secure Computing's Sidewinder 7.0 to be an enterprise firewall with all the features an organisation could ever need, which is why we award it our Best Buy.

For its large feature set and easy-to-use interface, we rate the SonicWall PRO 4100 our Recommended product.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Thanks to technological advances and increased capabilities the lines between firewall and other anti-malware products is becoming increasingly blurred. Justin Peltier looks at a disappearing breed.

In today's computing environment there are two great tools used by almost every organisation for protection: the firewall and the virtual private network (VPN). The former is still the primary mechanism for protecting the infrastructure of a company, whereas the latter becomes more about enabling connectivity to the infrastructure.

Firewalls come in different basic types. Proxy-based versions terminate the time-to-live field in the IP header as the packet is processed. They must protect all layers of the OSI model, including the application layer. A proxy-based firewall has to maintain two separate data streams: client to proxy firewall and proxy firewall to destination. This is the most complex type of firewall, often referred to as third-generation technology.

Then there are stateful inspection-based firewalls, which provide a state table to keep track of all open connections. They make filtering decisions based on information in the state table or database. This type maintains a single stream of data.

The firewall is configured for uni-directional traffic, such as outgoing traffic for a web request, and the corresponding response packet is dynamically opened to allow the response traffic in for a period of time, for example between 30 seconds and three minutes.

Or the firewall can work through packet-filtering. This uses source IP, destination IP, source port and destination port to determine if a packet is permitted, but does not terminate the time-to-live field in the IP header. A packet-filter firewall does not use a state table or database for filtering of traffic. It is the most basic type of firewall and is often referred to as the first generation.

Traffic is seen as uni-directional. This means that, for an outgoing web request, a static response rule has to be allowed through the firewall. This response traffic can be permitted through the firewall at any time, which reduces the overall security of the screening, as these response rules are constantly configured in a static manner to allow the traffic in.

Technological advances

In reality, most actual firewall products are a combination of the types described above. Some mix stateful inspection with packet-filtering technology, while others use all three types of firewalling technologies. Increasingly, pureplay firewall products are converging with anti-malware and intrusion prevention/detection system products, which is one of the reasons why this year's group test for this category has ended up with fewer products than previously.

Firewalls are more advanced than they were even a few years ago. The technology has evolved from primarily inspecting the TCP and IP headers of the message to what is now known as deep-packet inspection, which filters not just at the header level, but also looks into the data portion of the packet.

In other words, whereas yesterday's firewall would simply check that a request was on the appropriate port, such as port 80 for a web request, today's incarnation goes beyond the port information to determine if the payload or data portion of the packet is an actual request or a buffer overflow attack.

This provides a much greater level of protection, and firewalls now encompass technology that was exclusively part of intrusion detection or intrusion prevention systems not too long ago.

The technology really has evolved, and most firewalls now provide additional features such as anti-virus, strong user authentication and dynamically loaded rule set based on login information rather than IP address. They may even encompass content filtering that will block a user's request for inappropriate content.

How we tested

We installed the firewalls in the lab and configured a simple rule to log all outgoing web requests to see if the request was actually logged and available from the reporting mechanism of the firewall product.

The configuration and installation varied in the time it took from under ten minutes in the case of the SonicWall Pro 4100 to more than an hour with the Sidewinder and the StoneGate.

The devices in this review were all appliances. While there are several manufacturers with software-based offerings that provide security through an installation on top of an underlying operating system such as Windows or Linux, the products we tested were mostly installed as part of their own core operating system and were not dependent on another OS.

- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/

All Products In This Group Test