Perimeter

8/21/2010
05:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Choosing The Right Firewall For Your Small Business

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.If you're not sure where to start, there are some key questions you should think about and have ready for discussion with your potential firewall vendor or integrator. Keep in mind, each environment is unique, and a quality integrator might have additional questions for you. Having been on the other end of the stick for many years, I encourage you to actively engage in any discussions a vendor initiates and answer any questions he or she has. The "please just quote me on XYZ" attitude can leave you with a product that might not meet all your needs. Take the time, do it the right way, and I can almost guarantee you'll be pleased with the results.

Bandwidth sizing One of the first considerations for a firewall or any device that sits at the WAN is the throughput. You'll need to know your current WAN bandwidth from your provider as well as any burstable limits. For example, you may have a 10mbps link with the capability to burst to 25mbps. Couple that information with any data you have on current usage and then identify potential bandwidth growths in the coming years. You should plan enough room for growth for however long you plan to have that box in place. Look at the stateful throughput and maximum connection numbers on firewalls you're considering. These numbers will help filter out a bulk of products and models from your potential list and narrow your field to two - three models per vendor.

Layered security The next key question will be whether you plan to add additional gateway security services to your firewall or unified threat management (UTM). Personally, I suggest doing so whenever possible. Most UTMs license security features per box instead of per user, so it's a great way to add a layer of security for a nominal fee. Common gateway security services are antivirus, anti-spyware, and IDS/IPS. Here's the important part: If you're adding gateway security to your firewall, it will affect the performance. Don't worry; that's not a bad thing unless you started with too small of a box. Revisit the first question and weed out any boxes that can't handle security services with the bandwidth you need. Remember to consider your future needs and size appropriately. Look at the UTM throughput numbers for products you're considering. At this point you'll have just one -- two models per vendor to consider.

Remote connections Here's where we get into considerations a lot of people overlook. Check out your current firewall configuration very carefully, and make sure you can identify all the functions it's currently performing. Of specific note are remote connections, including site-to-site VPNs and remote access VPNs for employees or partners. It's unlikely your VPN needs will dictate the size of the box, but you may need additional licenses, and in some cases, unique remote access needs require some unique products. If you're currently supporting remote access via IPsec VPN, you'll want to understand the impact firewall and VPN client software changes may have on your users. Sometimes it's more of a headache than you want, but proper planning can help mitigate the level of frustration.

Physical interfaces Although rarely an issue in smaller organizations, it's certainly advisable to be sure any firewalls you're considering support the appropriate physical connections you need. Most common are gigabit copper ports, but you may need a firewall that supports expansion or flex modules for SFP/fiber, T1, or ADSL connections.

Advanced features If your organization has some specific issues or needs to address, be sure and discuss those with your integrator or vendor. In certain product lines, many vendors offer advanced features that may be of interest to you -- such as layer 7 application firewalls to address peer-to-peer traffic and bandwidth-hogging applications. Others offer content filtering as an add-on or as part of a security bundle. Again, these add-ons can be much more cost-effective on a firewall since they're usually licensed per box and not per user; content filtering is a great example of that. You may need advanced archiving or logging options for your compliance needs. Other advanced features that may determine your firewall selection include single sign-on functions, options for redundancy and high availability, and dynamic routing protocols supported. For example, if you plan to use BGP for a private MetroE network, your options will be different than those for OSPF or RIP.

These are just a few of the considerations when selecting a firewall for an SMB. If you're in the market for a new firewall, think it through and dedicate the appropriate amount of time to selecting the right product for you. Replacing firewalls is not a task to take lightly and it's definitely not something you want to do more often than is absolutely necessary.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.