Choosing a Firewall

More than once I’ve been asked by professionals and non-professionals alike how to choose the right firewall for their business. There are many options to choose from, and if you try to pick one on your own you may fall down a rabbit hole. There is just way too much information out there for anyone to quickly decide what is “good” and what is “not so good”. In addition to technology & features, cost is obviously an important factor to consider. For those of you with small studios, I will attempt to help you understand what to look for and why. This may get a bit technical, but I will do my best to keep it simple. Let’s do this!

The Basics…

Let’s start with some basics. Firewalls are designed to be the first line of defense against any external threats. Many of you have probably heard the terms “router” and “firewall”, and some may think they are the same thing. While both devices route traffic, the way a firewall routes and inspects that traffic is very different. That is why a home router is never recommended to secure an environment (your office, or even your home). Some routers offer more features than others, but in general firewalls will always do a better job of protecting your internal assets.

The way we communicate on the Internet is based on Internet Protocol (IP) traffic. One side initiates the connection and the other side responds to it. When you browse your favorite website, your computer initiates the conversation with the web server and the web server responds with the information you are seeking. Firewalls are basically the traffic cop monitoring these sessions to make sure nothing “bad” is happening during the conversation. Most advanced firewalls are stateful firewalls, which really means they follow the conversation from beginning to end (from the time you started browsing the web server to when you close the connection with it), and they only let traffic through that belongs to a conversation they have seen start.
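To make the “traffic cop” idea concrete, here is an added example (not code from the original post) of a toy stateful filter: it lets reply traffic back in only when a host inside the office started the conversation, and forgets the session once it is closed. The office network prefix, addresses and packets are constructed for illustration, and the model only tracks TCP.

```python
from collections import namedtuple

LAN_PREFIX = "10.0.0."  # constructed: the office network behind the firewall
# TCP flags as text: "S" SYN, "SA" SYN-ACK, "A" ACK, "FA" FIN-ACK, "R" RST
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFirewall:
    """Toy stateful filter: tracks LAN-initiated TCP sessions and drops the rest."""

    def __init__(self):
        self.sessions = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> state

    def process(self, pkt):
        outbound = pkt.src.startswith(LAN_PREFIX) and not pkt.dst.startswith(LAN_PREFIX)
        # key every session from the inside host's point of view so both directions match
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound else (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            if outbound and pkt.flags == "S":
                self.sessions[key] = "SYN_SENT"  # an inside host opened the conversation
                return "ALLOW"
            return "DROP"  # unsolicited: nobody inside asked for this
        if "R" in pkt.flags:
            del self.sessions[key]  # a reset ends the conversation immediately
            return "ALLOW"
        if state == "SYN_SENT":
            if not outbound and pkt.flags == "SA":
                self.sessions[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"  # nothing else is valid before the handshake completes
        if "F" in pkt.flags:  # ESTABLISHED or CLOSING: the second FIN ends the session
            if state == "CLOSING":
                del self.sessions[key]
            else:
                self.sessions[key] = "CLOSING"
        return "ALLOW"


def demo():
    # constructed traffic: a PC browses a public web server while an outsider probes RDP
    fw, pc, web = StatefulFirewall(), "10.0.0.25", "203.0.113.10"
    return [
        fw.process(Packet(pc, 50000, web, 443, "S")),             # ALLOW: LAN starts it
        fw.process(Packet(web, 443, pc, 50000, "SA")),            # ALLOW: expected reply
        fw.process(Packet(web, 443, pc, 50000, "A")),             # ALLOW: established
        fw.process(Packet("198.51.100.7", 4444, pc, 3389, "S")),  # DROP: unsolicited
        fw.process(Packet(pc, 50000, web, 443, "FA")),            # ALLOW: PC closes
        fw.process(Packet(web, 443, pc, 50000, "FA")),            # ALLOW: server closes
        fw.process(Packet(web, 443, pc, 50000, "A")),             # DROP: session is gone
    ]
```

A real firewall also tracks sequence numbers, UDP and ICMP pseudo-sessions, and idle timeouts; the point here is only that inbound packets with no matching session never reach the inside host.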

Features & Subscriptions

With that in mind, firewalls will have many features to secure these communications. Some features are better than others, and some brands are more cutting edge in how they handle traffic. Firewall vendors make their money primarily by selling subscriptions to customers, and these subscriptions enable features that provide better security. Most brands offer several subscription levels, and depending on your investment appetite and the need to be more secure, these subscriptions/options can get expensive fast. Remember that one of the basic requirements for TPN compliance is to have an active subscription with your firewall vendor. Let’s look at some basic functionality those subscriptions will offer to their customer base.

Intrusion Prevention Service (IPS)
This is the most basic service. It allows the firewall to recognize known patterns of odd behavior that bad actors attempt to use. Most attacks today are automated and simply probe whether the firewall can stop basic attack methods. IPS allows your firewall to detect and prevent these attacks. With a subscription, the firewall vendor will continue to monitor the Internet for new threats and will update your firewall with the latest protection.

Anti-Virus (AV)
The AV service is very basic and covers you against known virus threats when users attempt to download specific file types. Some firewalls do more than others by scanning more file types and looking at the traffic with a better magnifying glass, but the idea stays the same. Once again, the vendor will continue to provide updates to your firewall when a subscription is purchased.

Geo Location
This is another basic service that allows you to block specific countries from even attempting to connect to your firewall, or to prevent users from accessing any IP addresses in specific geographic locations. IP address allocations continue to evolve, and firewall vendors will track these changes and update your firewall automatically.

URL Filtering
This service allows you to prevent or warn users from reaching specific sites based on categories. The service does more than that, but it is designed to control who, when, and where when it comes to Internet browsing. Once again, these categories are kept up to date with the thousands of sites added to the Internet every day. Categories can include harmful sites, porn, social media, and so on.

Others
There are many other features that require subscription services, and some of you will find them more useful than others. These can include services to protect against Domain Name Service (DNS) attacks and botnet attacks, application control (a smart engine that detects specific applications used on the Internet), Data Loss Prevention (DLP), and many more.

Selecting a Firewall

Those of you that already have some kind of IT presence will most likely follow the advice and decision of the IT person in charge. An IT person will most likely have a favorite product they like to work with. Almost any firewall brand will have multiple models to select from, so picking the right model is important. If you don’t have an IT person on staff, you will want to pay close attention.

Cost

Let’s be honest here. This is the most important factor for a small studio. You always want to get the most bang for your buck, but cost is critical to many of you. Ask yourself, “What is a high cost for you?” “What is the value of a firewall or security?” “Is $500 too much?” “Is $10,000 too much?” Everyone is different here. I can tell you that any firewall under $1,000 is not worth the time, or money. Unless you need the absolute basics and have an office with only one or two people, paying less than that for a firewall is going to cost you later (this is obviously my opinion!). Your overall cost will be impacted by several factors:

  • Size – How many people will connect to the Internet through the firewall? How much Internet bandwidth do you have? Is there a need to move data between internal networks (such as the IO process)? How fast? Is it rack mounted or tabletop?
  • Number of ports – Most small firewalls come with 4-8 ports, which should be more than enough for smaller environments. What kind of ports (1 Gbps, 10 Gbps, etc.), and how many, will increase the overall cost.
  • Subscriptions – As discussed earlier, the more advanced features you select, the higher the cost is going to be.
  • Brand name – Just like in any other market, brands with better reputations will almost always cost more. In most cases it is certainly justified, but in some cases it may be more than you’re willing to spend.

Features
Subscriptions come in many flavors. The most basic subscriptions cover you against the most common attacks and should suffice for smaller studios. If security is a mindset in your organization, I recommend looking at a higher subscription level to provide even more coverage against more sophisticated attacks.

Functionality
Many studios may only care about browsing the Internet safely and feeling protected. However, there are other areas where you should pay special attention:

  • Data transfer – The speed at which data can be transferred between networks will be directly impacted by the model you select. In most cases it’s not about the brand you choose but rather the size of the firewall and its ability to handle external and internal traffic. Pay close attention to the throughput the firewall is rated for. If you have data IO set up in your environment and the traffic routing occurs on the firewall (both networks are set up on the firewall), the transfer rate between the two networks is capped by the firewall’s own throughput.
  • Management Interface – How you manage the firewall can be crucial as a deciding factor. Some interfaces are more complicated than others, and some use an application or a browser to manage the hardware. Find out how the interface looks and how easy it is to navigate while setting it up. Most vendors offer videos that you can find on YouTube or other locations. If you feel confused by the interface, look at another brand.
  • WiFi – Some firewalls provide some kind of WiFi integration. Some tabletop models offer built-in WiFi, while others offer integration with their own WiFi products. If you don’t have WiFi configured yet, this could save you some time and money, but it can also introduce another level of complexity. Make sure you understand the process of how to add the WiFi and how to configure it before buying the firewall. If you already have WiFi, the firewall will just see it as part of its network, so there is no concern there.
  • Support – Most firewall brands come with various support options. Some will let you pay more for premium support, while others have only a single tier of customer support. Either way, do some research prior to the purchase and review the available support options. Check out reviews to see what other people think of their support, and make sure you understand what is included with your support tier. Try to stay away from vendors offering only email or chat support.

Buying the Firewall

Once you find the right firewall, it is time to purchase it! Some brands will allow you to purchase directly from them, while others will require you to go through a partner/reseller. Purchasing directly from the manufacturer seems to make the most sense, but be wary of price and the acquisition process. Look up the model number you selected and compare costs of the exact same part number (do not be fooled by similar part numbers, as they may be a completely different product).

Should you go through a reseller, have a conversation with them first. Make sure you feel comfortable with their level of knowledge and their ability to guide you through the process. Some resellers will even offer some kind of help with the initial setup of the firewall free of charge. Make sure to ask for the lead time as some models take longer to arrive than others.

In Conclusion

Buying your first firewall is a big step. Most firewall owners will stay with the brand as long as the vendor is easy to work with, support is good, and the product is easy to use. Switching firewall vendors is doable, and sometimes recommended. Take your time to do the research and find the right one. Gartner is a world-renowned organization that examines and researches various technologies and publishes its findings annually. You will need to be a member to get those reports, but luckily some firewall vendors will proudly display their results on their website, and even a quick Google search for “Gartner Magic Quadrant next generation firewalls” will show you who the leaders are in this space. If you can get the full report through a vendor or a reseller, even better.

At Zalcore we can take you through this process if you feel overwhelmed or don’t have the time to do it all by yourself. Contact us today to learn how!