Network Firewalls - Recommendations and Reviews
Last reviewed - July 2012
Astaro, which is owned by Sophos, provides a feature-rich UTM firewall solution in appliance, software and virtual platforms. Astaro is the surprise package of the firewalls we have reviewed. We were not expecting anything more than just another firewall; however, Astaro does have unique capabilities and is a very good all-rounder.
Some key features which stood out are:
-- Astaro provides a search box where you can search for just about anything, such as firewall policy rules, by typing in a search term.
-- Astaro comes with a built-in web application firewall for protecting web applications such as IIS and Apache servers. The web application firewall is simple to configure, unlike dedicated WAF solutions; however, it is not designed for serious WAF security.
-- Astaro comes with flexible role management functionality, such as assigning a user email security management tasks for managing email security settings, IPS auditing for viewing IPS alerts and reports, spam quarantine management so a dedicated admin can release email, report auditing for external auditors, and so on.
-- Astaro has support for both IPsec and SSL VPN, and their SSL VPN can also provide site-to-site capabilities. There are a number of client options for remote access, including support for the Cisco VPN client.
-- There is the ability to print the entire configuration for auditing purposes, which is a useful feature for record keeping and troubleshooting. The configuration is easy to read and follow. You are able to click the XML-style report sections, such as the 'Web Security' section, and then view the web settings defined within the firewall from the XML report. This really is a fantastic feature to have for troubleshooting purposes.
-- Finally, Astaro provides a powerful online help facility and is an easy product to administer.
We would recommend Astaro for organisations with small to medium size networks.
Check Point Software Technologies have been the number one enterprise firewall vendor for many years. Having tested Check Point in a lab version (R75.40), and having seen constant positive feedback and reviews from third-party sources such as peer security professionals and expert technology testers, we find that Check Point have been leading the way for pure firewall requirements. Check Point have also made massive improvements to their UTM functionality, such as web filtering and security, DLP and application filtering technology.
Check Point have introduced Next-Generation firewall capabilities in their new range of 2012 firewalls. Check Point have also introduced a number of additional features and blades in their new version of R75, providing a total of 12 blades.
Check Point provides more deployment options than any other vendor and comes with a very powerful and feature-rich management console known as SmartConsole, which consists of different management utilities.
The downsides to Check Point firewalls are cost and the complexity of their licensing. They can be double the price of some of their competitors. Maintenance and support of the product is another downside. Because Check Point can be deployed in various ways, and because it is usually deployed in a distributed architecture with the Gateway, Management Server and SmartCenter utilities on different physical appliances and platforms, it can be difficult to maintain and support, and for new users it is a difficult product to grasp.
Cisco Systems is a world-leading networking vendor and delivers a portfolio of security solutions. Cisco's range of both enterprise and UTM firewalls offers solid features and competitive options.
Although we feel Cisco are not half as strong in the security field as they are in the networking field, we still recommend Cisco because they are an internationally known vendor, they have excellent training services, and we have seen their solutions deployed in all types and sizes of networks. Cisco firewalls receive positive feedback from their customers.
We do feel, however, that in some areas, such as Next-Generation functionality and application awareness, Cisco have some catching up to do.
Fortinet is a world-class UTM firewall vendor who have expanded their portfolio to a range of other network solutions. We have played with, tested and deployed Fortinet firewalls in corporate environments. As a UTM firewall, Fortinet is simply a leader.
Fortinet firewalls support just about everything and more. Deployment options include NAT, bridge and sniffer modes. As well as granular threat prevention features such as AV, DLP, web security, spam filtering, application control, IPS and NAC, Fortinet has the ability to manage wireless access points and detect rogue access points, provide WAN optimisation, deliver load balancing of servers (in fact almost everything a dedicated ADC offers) and provide a granular SSL VPN. The SSL VPN provides NAC functionality and virtual desktop functionality. The product also provides application-layer traffic shaping and filtering on applications, vulnerability scanning, geo-location awareness so you can block traffic based on country, virtual domains so you are able to provide multiple virtual firewalls from one appliance, patented hardware acceleration technology and many other capabilities.
Fortinet seem to innovate faster than any of its competitors, and all development is done in house. Fortinet do not buy in third-party anti-virus or integrate with a WAN optimisation vendor; all their work is their own. The interface is a powerful browser-based GUI which provides granular features in all areas; it really is a beast of a UTM firewall. Fortinet also offer enterprise/ISP carrier appliances and virtual appliances. As an enterprise firewall, Fortinet is also amongst the best.
The downside to Fortinet is support, which is usually a slow, winding process. Also, the anti-spam functionality is not that great, although they do offer a very powerful dedicated anti-spam solution. On most appliances, a dedicated reporting appliance known as the FortiAnalyzer is required for reporting functionality.
Fortinet do innovate very quickly. However, the drawback to this is that we found software bugs on a few occasions in their latest releases of the product. That said, they are also quick to correct any software issues.
Finally, Fortinet do not have any per-user pricing schemes, so when you buy the hardware you are able to filter as many users as the appliance can handle, which is an excellent advantage over some of its competitors.
Juniper Networks is another world-class vendor providing a wide range of firewalls, from small and medium branch office firewalls through to the enterprise and ISP level. We like Juniper because they are a mature vendor, a reputable security and networking vendor, and have made great progress with their Junos OS, delivering a single OS for routing, switching and security.
Juniper's new range of SRX firewalls running Junos OS provide UTM functionality which offers web filtering, IPS and anti-virus, and have the ability to filter applications.
Like Cisco, however, we do feel Juniper need to enhance their firewalls into Next-Generation firewalls or provide some further capabilities around application control. Juniper's management GUI is very basic, and we feel they are trailing well behind in this area as well.
McAfee have a large range of IT security products. McAfee's firewall is a good option for enterprise customers but lacks some options needed to be classed as a true UTM firewall. For example, McAfee do not offer SSL VPN or anti-spam functionality. That said, SSL VPN is on the road map, and McAfee utilise their Global Threat Intelligence service in order to block spam, so there are some spam filtering capabilities.
McAfee offer flexible options such as virtual and appliance-based firewalls. McAfee partner with Riverbed for their WAN optimisation capabilities. We have tested and played with the McAfee firewall and it proves to be a solid firewall, easy to use, and it comes with a product known as Application Profiler, which is a GUI-based network analyser and a great troubleshooting/analysis tool. The McAfee firewall is able to integrate with their ePO central management software. We like McAfee as they are a large and reputable security-focused vendor and provide a huge portfolio of security solutions. McAfee, like SonicWALL and Fortinet, do not have per-user pricing options, so you can filter as many users as required.
Palo Alto Networks is a relatively young security vendor who are rapidly growing and making some noise in the market. Palo Alto have a range of firewalls for both small and large networks. We like Palo Alto for their very well designed user interface, which provides strong application awareness and filtering capabilities. Palo Alto are a clear leader in the Next-Generation Firewall market alongside Check Point.
For a young vendor, Palo Alto Networks seem to be an interesting vendor making the right noise in the market at present, and one for the future. If you are looking for a strong Next-Generation firewall then we feel Palo Alto is amongst the best out there. However, Palo Alto are still a relatively young vendor and we feel they are missing some fine granularity in other areas of the firewall.
SonicWALL, who are owned by Dell, have been a specialist in UTM firewalls targeted at small to medium businesses for many years. SonicWALL have now moved into the enterprise range as well. SonicWALL also offer point solutions such as e-mail, web, SSL VPN and backup. We have worked with and tested SonicWALL's small to medium sized appliances and they deliver excellent UTM capabilities. SonicWALL have also made excellent enhancements ensuring their product is functionally capable of Next-Generation firewall technology.
SonicWALL also provide wireless management capabilities for their wireless access points from their UTM appliances. We have seen SonicWALL deployed in medium-sized business environments, and customers of SonicWALL rate and recommend the product highly. Although SonicWALL now offer enterprise firewalls, we feel enterprise customers will not take them seriously in this area.
SonicWALL do not offer per-user pricing, so when you purchase the hardware you are allowed to filter as many users as your appliance can physically handle, which we value as an excellent advantage.
WatchGuard is a firewall security vendor with a strong UTM firewall product range. WatchGuard have made efforts to simplify processes within the interface, such as providing an easy-to-use drag-and-drop VPN interface. We recommend WatchGuard because they have a mature solution, they have been around for a number of years as a UTM vendor, they provide good support services and helpful documentation, and they have a strong presence in the UTM market.