This installment of our “Best Of” series takes a look at firewalls. Every organization needs some sort of firewall to protect their network from external access. Firewalls come in many shapes and sizes, and SpiceHeads have a seemingly endless array of useful advice on what makes for a good firewall. This “Best Of” summarizes the highlights of several hot topics for your reading pleasure. And, as you know, we always want to hear what you think.
What are my options?
Firewalls are a critical part of your network security, and the solution that is right for you depends upon your network type, the size of your shop, and of course your budget. Remember, though, you get what you pay for, and often an upfront investment pays off in terms of long-term benefits.
Firewalls come in two basic flavors: software and hardware. Functionally, the two aren’t so different. A hardware firewall is basically a specialized device running software. Hardware firewalls can be set-and-forget solutions if the default configuration works for your company. Plus, because they run on a dedicated, hardened device, they provide a higher level of security.
Software firewalls are installed on a local machine and require a bit more configuration. You also need to be aware of how many system resources your software firewall requires to run properly. And bear in mind that if the computer is compromised, the firewall is compromised too. However, if you have the skills to configure it correctly, a software firewall can be just as secure as a hardware firewall.
No matter what option you choose, make sure you follow industry best practices. And, if in doubt, turn to the Spiceworks community for help.
Hardware firewalls
Hardware firewalls are often stand-alone solutions that are set and forget (after some minor tweaking), making them attractive from a maintenance perspective. Many hardware firewalls are also unified threat managers (UTMs), meaning that in addition to being a firewall, they provide anti-virus capabilities, anti-spam, and URL filtering.
And, just to muddy the waters, some vendors provide both software and hardware versions of their products.
SpiceHeads in droves recommend SonicWALL. Adam6884 says, “SonicWALL does everything you want, SSO, AD integration, BW throttling, and a few secondary applications that integrate for further reporting.” Mike2764 can’t say enough good things about SonicWALL. “Its new application firewall gives you all sorts of fine-grained filtering options if you need it. It has signatures built in that are updated frequently that allow you to identify and block all sorts of traffic.” He maintains that, though the interface can be daunting, “that’s because the device has a lot of features and functions, so it goes with the territory.”
For UTM, SpiceHeads give a lot of love to Astaro, now part of Sophos UTM. Nathan625 says “Astaro has great support and a reliable product.” Capt. Obvious posts, “Get an Astaro and enjoy life. We replaced our SonicWALL with one four years ago and I'd never go back.”
Another popular choice is WatchGuard. Rex A McDonald gives them a +1, saying, “Solid equipment, decent support options for the more basic licensing, great options, and as a multifunction device, I have had great results with mail/content/traffic/WOS from the WatchGuard XTM equipment.” TrapperDave cautions, however, that you “make sure to get as powerful a model as you can afford.”
Other firewalls praised by SpiceHeads include:
JKdeHaas says, “I've had good experiences with Check Point's UTM devices. Granted they're pricy and have a bit of a learning curve attached if you want to use the CLI, but they're rock solid and I've not had any major problems with them in the last 5 years of having them deployed.”
Software firewalls
Software firewalls can be installed on a PC or server and used either locally or across the network. They are often an attractive option for smaller budgets, because they can be a lot cheaper than their hardware equivalents. Many provide a freeware alternative, and there are some open-source options available as well.
Software firewalls that come up frequently in conversation include:
AndrewS174 recommends pfSense, saying that he “switched to pfSense due to its ability to work on a wide variety of hardware. Never looked back. It will do multi wan, failover with carp, site-to-site vpn, and much more.”
Some SpiceHeads use freeware in concert with their hardware firewall. Robert762 suggests taking advantage of the features of both, saying “Use the Cisco ASA for site to site and VPN users, and the Untangle for content filtering, spam filter, etc.”
Further reading…
Get more firewall advice, tips, and product reviews in the following threads:
- Hardware Firewall solution for SMB?
- What is the best UTM device?
- What firewall/solution should we buy?
- What are the main differences between software and hardware firewalls?
- What firewall products do you recommend?
Keep it coming
This post isn’t the final word on firewalls. Have we missed your favorite firewall hardware or software? Did we leave out something important? Post a comment below to keep the conversation going.
Have an experience with firewalls you’d like to share? Write a review in Spiceworks and spare your fellow SpiceHeads some headaches. Need help choosing the best option for you? Try our firewall and firewall software product selectors.