Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/21/2010
05:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Choosing The Right Firewall For Your Small Business

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.If you're not sure where to start, there are some key questions you should think about and have ready for discussion with your potential firewall vendor or integrator. Keep in mind, each environment is unique, and a quality integrator might have additional questions for you. Having been on the other end of the stick for many years, I encourage you to actively engage in any discussions a vendor initiates and answer any questions he or she has. The "please just quote me on XYZ" attitude can leave you with a product that might not meet all your needs. Take the time, do it the right way, and I can almost guarantee you'll be pleased with the results.

Bandwidth sizing One of the first considerations for a firewall or any device that sits at the WAN is the throughput. You'll need to know your current WAN bandwidth from your provider as well as any burstable limits. For example, you may have a 10mbps link with the capability to burst to 25mbps. Couple that information with any data you have on current usage and then identify potential bandwidth growths in the coming years. You should plan enough room for growth for however long you plan to have that box in place. Look at the stateful throughput and maximum connection numbers on firewalls you're considering. These numbers will help filter out a bulk of products and models from your potential list and narrow your field to two - three models per vendor.

Layered security The next key question will be whether you plan to add additional gateway security services to your firewall or unified threat management (UTM). Personally, I suggest doing so whenever possible. Most UTMs license security features per box instead of per user, so it's a great way to add a layer of security for a nominal fee. Common gateway security services are antivirus, anti-spyware, and IDS/IPS. Here's the important part: If you're adding gateway security to your firewall, it will affect the performance. Don't worry; that's not a bad thing unless you started with too small of a box. Revisit the first question and weed out any boxes that can't handle security services with the bandwidth you need. Remember to consider your future needs and size appropriately. Look at the UTM throughput numbers for products you're considering. At this point you'll have just one -- two models per vendor to consider.

Remote connections Here's where we get into considerations a lot of people overlook. Check out your current firewall configuration very carefully, and make sure you can identify all the functions it's currently performing. Of specific note are remote connections, including site-to-site VPNs and remote access VPNs for employees or partners. It's unlikely your VPN needs will dictate the size of the box, but you may need additional licenses, and in some cases, unique remote access needs require some unique products. If you're currently supporting remote access via IPsec VPN, you'll want to understand the impact firewall and VPN client software changes may have on your users. Sometimes it's more of a headache than you want, but proper planning can help mitigate the level of frustration.

Physical interfaces Although rarely an issue in smaller organizations, it's certainly advisable to be sure any firewalls you're considering support the appropriate physical connections you need. Most common are gigabit copper ports, but you may need a firewall that supports expansion or flex modules for SFP/fiber, T1, or ADSL connections.

Advanced features If your organization has some specific issues or needs to address, be sure and discuss those with your integrator or vendor. In certain product lines, many vendors offer advanced features that may be of interest to you -- such as layer 7 application firewalls to address peer-to-peer traffic and bandwidth-hogging applications. Others offer content filtering as an add-on or as part of a security bundle. Again, these add-ons can be much more cost-effective on a firewall since they're usually licensed per box and not per user; content filtering is a great example of that. You may need advanced archiving or logging options for your compliance needs. Other advanced features that may determine your firewall selection include single sign-on functions, options for redundancy and high availability, and dynamic routing protocols supported. For example, if you plan to use BGP for a private MetroE network, your options will be different than those for OSPF or RIP.

These are just a few of the considerations when selecting a firewall for an SMB. If you're in the market for a new firewall, think it through and dedicate the appropriate amount of time to selecting the right product for you. Replacing firewalls is not a task to take lightly and it's definitely not something you want to do more often than is absolutely necessary.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations. View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11059
PUBLISHED: 2020-05-27
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1.
CVE-2020-10936
PUBLISHED: 2020-05-27
Sympa before 6.2.56 allows privilege escalation.
CVE-2020-6774
PUBLISHED: 2020-05-27
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
CVE-2020-13633
PUBLISHED: 2020-05-27
Fork before 5.8.3 allows XSS via navigation_title or title.
CVE-2020-10945
PUBLISHED: 2020-05-27
Centreon before 19.10.7 exposes Session IDs in server responses.