| # | Category | Description | Value |
|---|---|---|---|
| 1 | Price | How much is this thing? | |
| 2 | Availability | Often you will see products promoted on websites that are either not available in your area, not available to anyone yet, or worse, are old discontinued stock. Make sure you can get it or don't waste your time researching it. | |
| 3 | Deep Packet Inspection | All but the very cheapest firewalls will now provide SPI (Stateful Packet Inspection), but newer, more expensive firewalls should provide DPI, which means that they will open EVERY packet and inspect not only the header but all content to make certain it is what it claims to be. | |
| 4 | Content Filtering | Many new >$500 firewalls offer annual subscription services which will filter SMTP email traffic and web site content. | |
| 5 | VPN End Point | All but the cheapest firewalls will provide VPN pass-through to your server, but that means your server has to be exposed on the internet; not your best choice. Many firewalls now act as a VPN endpoint. This means that your VPN client connects to the firewall prior to you connecting to your server. | |
| 6 | VPN Active Directory Tie In | Do VPN accounts get created on the firewall or do credentials come from your Windows Server? It is very nice to have one password, and some mid-range ($500ish) firewalls can perform an LDAP query against your Windows Active Directory to validate credentials. | |
| 7 | SSL VPN | Can VPNs be created through your browser using SSL connections? This is very nice for remote users because no client is required and client configuration is minimal. | |
| 8 | Number of Concurrent VPN Tunnels | How many remote users can you have connected at the same time? Note that many firewall manufacturers will sell you more licences as you need them and some are unlimited. | |
| 9 | VPN Client | Some VPNs will work with a Microsoft IPSec or PPTP software client built into Windows while others require their own software client. I actually prefer the proprietary client because it reduces the number of people that are going to be able to easily attack your VPN. | |
| 10 | VPN Policies | Can you set policies for VPN clients, such as inactive timeouts, reconnection attempt maximums, popup banner welcoming/warning them about your VPN, time of day restrictions... | |
| 11 | Branch Office VPN | Can you connect one firewall to an identical unit in a remote office and have the two create a hardware VPN? | |
| 12 | ISP Failover | Does it support multiple ISP connections and can it automatically flip between them so that if one fails your office stays up? Most small offices will not care about this option. | |
| 13 | ISP Aggregation | Can multiple ISP connections be seen inside your office as one link to increase speed and reduce bottlenecks? Most small offices will not care about this option. | |
| 14 | VoIP Support | Voice over Internet Protocol support simply means that the firewall will increase the priority of voice packets. This assumes you are planning to use a VoIP phone solution in the near future. | |
| 15 | Wireless Access | Everybody wants wireless these days. Most sub-$1000 firewalls will offer a wireless option while most more expensive firewalls will require a wireless access point to be a different piece of hardware. | |
| 16 | Guest Access | Can you have users connect to your wireless (or wired) network, receive an IP address and surf but NOT see your office machines or servers? This is a great feature that is just now gaining popularity. | |
| 17 | A, B, G, N Wireless | A (100Mbit?) is great for corporate networks because it does not go through walls<br>B (11Mbit) is the old standard everything supports<br>G (54Mbit) is the new "B" which almost everything supports<br>N (110Mbit?) is a new standard expected to gain popularity by the end of 2006 | |
| 18 | Wireless Accelerator | Most wireless Access Points will offer a proprietary software compression which will double (or better) your connection speed. The catch here is that you need to use a matching wireless network card, but nearly all laptops (for example) already have a good quality network card. | |
| 19 | Wireless Range | How far does the wireless cover? Most <$500 Access Points will state the official range for "G" of about 200'; however, in most offices you can count on about 70'. You can usually improve this with different antennas if required. | |
| 20 | Wireless Security | All Access Points will support WEP, but other than home use it is inappropriate because it is too easily cracked. WPA (Wi-Fi Protected Access) and WPA2 are the new standards, which are quite common. Using a WPA-PSK (Pre-Shared Key) in most small office settings provides an acceptable level of security. The catch here is again to make certain that your clients (i.e. your laptop network card) will support the standard. | |
| 21 | Multi-Node Management | Can you manage more than one firewall using a single piece of software? Usually this is an add-on. This will only apply to larger organizations. | |
| 22 | DMZ | Demilitarized Zones are handy if you have servers that need to be accessed from the internet without restrictions. Almost all devices will do this, but if you have such a need, you must find out about the port forwarding capabilities. | |
| 23 | Page Caching | Does the firewall store all the content from websites your clients have visited for a set period of time? This is really a Proxy Server. This will dramatically speed up performance of frequently visited sites. Very few <$1000 firewalls will perform this task. | |
| 24 | Free Telephone Support | How long is free telephone support provided? Oddly, the cheap firewalls often provide lifetime free support but it is usually very low quality support. Once you get past the $500 mark you are likely going to pay for support after 90 days or after 1 year. If only web-based / email support is available, you need to find another product. | |
| 25 | Where is the Support | You should make sure that (at a minimum) second level support is handled in a jurisdiction similar to your own. If you have a serious problem and you need support for your company, the last thing you want to do is spend hours talking to overseas technical support staff who really do not understand the problem. If you live in Britain make sure you can get European support. If you live in Canada make sure you can get North American support. | |
| 26 | Logging / Reporting | Can you tell if you are being attacked? Can you tell if your staff is visiting questionable sites? Can you tell if your firewall is failing? Can your firewall email you if there is a problem detected? The email option is exceptionally rare in <$500 firewalls. | |
| 27 | Enhanced Firmware | Many >$500 firewall manufacturers produce two sets of software for their devices. The default set covers most features but you can pay to get the enhanced software. When checking this list with your manufacturer, make sure you ask if the options they are telling you about require upgraded code. | |