Product Group Tests

Firewalls (2009)

Group Summary

For its strong feature set, ease of use and good value, we rate Barracuda Web Site Firewall 460 our Best Buy.

Our Recommended award goes to SonicWALL NSA 240. Its easy-to-use interface, combined with a huge number of features, makes it a great value product.


Full Group Summary

The technology has just turned 12, but new-age firewalls are recovering their value. By Justin Peltier

Prayer is sometimes said to be the last refuge of a scoundrel, but its secular equivalent the firewall is often the only refuge for a computer network. Lisa Marie Presley files for divorce from Michael Jackson, Garth Brooks refuses to accept his American Music Award for favourite overall artist and Phil Collins announces he is leaving Genesis to focus on his solo career. What do these events have in common? They all happened in 1996, the year that firewalls and stateful inspection were on the tongue of just about every network and security professional. At the time, there were fewer than 3,000 CISSPs worldwide.

The technology that remains the primary network security mechanism has just had its 12th birthday, and while the internet, networks, attacks and systems have all changed, the firewall is still there.

At many conferences this year, I have advocated taking firewalls by their network cables and throwing them in the river.

Firewalls were built to protect devices and applications that were developed with no thought for security. Today's operating systems and applications (and soon IPv6 stacks) are being developed with security as a central design goal from the start.

It used to be secure enough to block telnet to our Unix-based firewall, but attack sophistication changed forever when Aleph One published Smashing the Stack for Fun and Profit in Phrack 49 in 1996. The paper let the hacker community stand on the shoulders of giants: attackers no longer needed the deep knowledge of operating system and processor architecture that writing an exploit had demanded before. Everything was simplified.

In today's environment, the port blocking done by most firewalls offers mostly a false sense of security. The first major change came when encryption became almost a de facto standard for many common applications: a firewall cannot see into encrypted traffic to determine what it actually carries. For unencrypted traffic, the real fix is to turn off every non-business-critical port on the target host itself, instead of depending on a device one hop closer to the internet to block the connection attempt.

As attacks have evolved, so have the arguments for firewalls. If a port needs to be open for business reasons, it has to be left open through the firewall; if it is not business-critical, it should be turned off on the host. In fact, I would say that firewalls solve the wrong problem. We need ports to be open, we need to connect to the internet, and turning off the business is counterproductive. The real question about network traffic is not its destination, but who sent it in the first place. Authentication is the key, not paranoid blocking of some ports while all encrypted traffic is passed unexamined.

You may have already guessed that this month we tested firewalls, both application- and network-based. Previously we tested network access control (NAC), which seemed a better solution than firewalls, from concept through to implementation. But if we at the lab have learned one thing, it is to test before forming an opinion about a product.

In this month's review we decided to focus on how the firewall has improved over the last 12 years. In short, we were looking for what used to be outside the firewall and is now part of it. The results were surprising. The devices we tested were more like some sort of mutant security device than the firewall of 12 years ago. They read into the data portion of packets to tell an attack from a legitimate request. Others terminated encrypted tunnels so they could judge the content of a request before passing it. Some could hardly be called firewalls any more.

We saw these firewalls with new eyes, because they could actually block attack traffic on business-critical ports, and they could function more like an IDS than an IDS could ten years ago. They did not just check incoming traffic but protected against data leakage as well. What really changed our minds about firewalls during testing was when the devices asked for authentication before allowing traffic to pass.

The approach is very close to 802.1X: like an 802.1X authenticator, the firewall does not hold the credentials itself but defers the check to a back-end authentication server.

Imagine: the firewall now talks to a RADIUS server to authenticate the user before granting the traffic. It is tough to call these devices firewalls any more, since they have changed as much as, if not more than, the electronic frontier around them.
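To make the firewall-to-RADIUS exchange concrete, here is an added example (not code from the article or from any of the reviewed products) that builds an RFC 2865 Access-Request, hides the PAP password with the shared secret and Request Authenticator, answers it from a toy authentication server, and has the firewall side verify the Response Authenticator before it lets the traffic through. The shared secret, the user database and the in-process call standing in for the UDP round trip are all constructed for the example.

```python
"""Toy RADIUS (RFC 2865) exchange between a firewall and an authentication server.

Added example, not code from the reviewed products. The secret, user database and
in-process "server" call are constructed; a real firewall sends this over UDP/1812.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length includes the 2-byte header (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = HEADER.unpack_from(data)
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret + c_(i-1)), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; NUL padding is stripped (so a password cannot end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_server(request, secret, users):
    """Authentication server: recover the PAP password and answer Accept or Reject."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME)
    password = unhide_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if user in users and hmac.compare_digest(users[user], password):
        return build_response(ACCESS_ACCEPT, identifier, request_auth, secret)
    return build_response(ACCESS_REJECT, identifier, request_auth, secret,
                          encode_attr(ATTR_REPLY_MESSAGE, b"bad credentials"))


def verify_response(response, request_auth, secret):
    """Firewall side: recompute the Response Authenticator before trusting the reply."""
    code, identifier, resp_auth, _ = parse_packet(response)
    length = HEADER.unpack_from(response)[2]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(resp_auth, expected), code, identifier


def firewall_decision(username, password, secret, users, identifier=1):
    """Identity-aware pass/deny: the firewall defers the credential check to RADIUS."""
    request_auth = os.urandom(16)
    request = build_access_request(identifier, username, password, secret, request_auth)
    response = radius_server(request, secret, users)  # stands in for the UDP round trip
    ok, code, resp_id = verify_response(response, request_auth, secret)
    return "allow" if ok and code == ACCESS_ACCEPT and resp_id == identifier else "deny"


if __name__ == "__main__":
    users = {b"alice": b"correct-horse-battery"}  # constructed user database
    print(firewall_decision(b"alice", b"correct-horse-battery", b"testing123", users))
    print(firewall_decision(b"alice", b"wrong", b"testing123", users))
```

The Response Authenticator check is the step that matters on the firewall side: without it, anyone who can spoof a UDP datagram from the server's address can forge an Access-Accept. The password hiding itself is only MD5 keyed by the shared secret, which is why RADIUS is normally carried inside an IPsec tunnel or replaced by EAP methods in production.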

All Products In This Group Test