Defending your network with a firewall is something that, following the many security breaches of 2014, should be a common-sense idea for most businesses. Actually picking that firewall, however, is much easier said than done, as there is a plethora of firewall options available. There are many factors to consider, such as the amount of traffic the firewall will see as well as the features you might need.
Features are a big factor in what makes a firewall today. Many advanced Next-Generation Firewalls (NGFWs) have features such as application control, intrusion prevention and content filtering, which can dramatically improve an admin's ability to control a network. However, these useful services are usually tied to a subscription, and sometimes it doesn't make sense to pay for features that won't be used. Depending on the use-case for the firewall, the need for these advanced features might vary – if you are using a firewall in a home office where you are the sole user, then content filtering might not be useful, for example. It is true that in the majority of cases there is a great benefit to be had from these features, but don't be afraid to discuss your use-case with your provider to determine whether you need the services or not. That said, almost all firewall manufacturers require subscriptions for anti-virus signature updates, so be sure that you are subscribing to those at a bare minimum.
Sizing a firewall is another element to consider, and it is a bit trickier than determining which features are truly needed, since it concerns the basic job of the firewall itself. Firewall manufacturers usually size firewalls by either throughput or user count – in some cases both.
User Count – User count is the total number of devices (including BYOD devices) accessing a firewall at any given point in time – the maximum at any one moment, not the average number of users, which can differ quite a lot from what is actually needed. A common mistake made by businesses using firewalls to provide Wi-Fi services is to use employee count to determine the appropriate size of a firewall when the intent is to provide services to customers. This can result in a firewall intended for a handful of users being bombarded by hundreds, resulting in patchy performance at best and a completely overloaded firewall at worst.
In a case where internet-facing servers are involved, concurrent user count would be the average number of users using an application or on a website – and if a company expects 100 average users and there is a point where they receive 1000, performance will suffer or completely fail because the firewall is unable to process the volume; for all intents and purposes this would be the same as a DDoS attack!
Throughput – Throughput is a factor as well when it comes to how fast traffic will go through a firewall. Many firewalls have ratings for speed listed in their technical specs – they can’t make your internet connection magically go faster, but they can act as a bottleneck. For example, if you have an internet connection rated at 100 Mbps, and you select a firewall rated for 25 Mbps throughput, then the firewall will slow down the internet significantly because it simply can’t go at 100 Mbps!
Let's take a real-world example. The Fortinet FortiGate-100D is rated for 300 Mbps of internet throughput when running proxy-based Antivirus services, with a recommended user count of up to 150 users. If you have a 1 Gbps connection running through the FortiGate, it will be slowed to about 300 Mbps when Antivirus services are running because the services eat up some of the processing the firewall can do. Now, that same firewall can handle 1.5 Gbps of traffic with no services running, but that's not the best of ideas, since it then isn't protecting much either. On the other side of the coin, if the firewall has 200+ users accessing the network, speeds will drop as well because the firewall is being taxed into oblivion by the sheer volume of traffic. What this all means is that selecting the right firewall for a business environment is a balancing game between link speed, enabled services and user count, and it needs to be played just right.
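The peak-versus-average mistake from the user-count section and the FortiGate-100D figures quoted above, turned into a small sizing check. This is an added example, not code from the original post or from Fortinet; the Wi-Fi session log is constructed, and the only appliance numbers used are the 300 Mbps / 1.5 Gbps / 150-user figures stated above.

```python
from dataclasses import dataclass

@dataclass
class FirewallRating:
    """Manufacturer sizing figures for one appliance (values as quoted in the post)."""
    model: str
    rated_users: int          # recommended concurrent user count
    mbps_with_services: int   # throughput with proxy-based AV enabled
    mbps_no_services: int     # throughput with no security services running

# Constructed Wi-Fi session log: (start_minute, end_minute) per device, half-open
# intervals over a 60-minute window. Not real data.
CONSTRUCTED_SESSIONS = [(0, 30), (10, 50), (20, 60), (25, 35), (40, 60), (55, 60)]
WINDOW_MINUTES = 60

def peak_concurrent(sessions):
    """Sweep-line count of devices active at the same moment: the figure to size for."""
    events = []
    for start, end in sessions:
        events.append((start, +1))
        events.append((end, -1))
    events.sort()  # at equal minutes -1 sorts first, so an end frees a slot before a start
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def average_concurrent(sessions, window_minutes):
    """Time-weighted average of active devices: the figure that misleads sizing."""
    return sum(end - start for start, end in sessions) / window_minutes

def size_check(fw, link_mbps, peak_users, services_enabled=True):
    """Effective WAN speed behind the firewall and whether the appliance is undersized."""
    rated = fw.mbps_with_services if services_enabled else fw.mbps_no_services
    return {
        "effective_mbps": min(link_mbps, rated),
        "firewall_is_bottleneck": rated < link_mbps,
        "over_user_rating": peak_users > fw.rated_users,
    }

if __name__ == "__main__":
    fg100d = FirewallRating("FortiGate-100D", 150, 300, 1500)
    peak = peak_concurrent(CONSTRUCTED_SESSIONS)
    avg = average_concurrent(CONSTRUCTED_SESSIONS, WINDOW_MINUTES)
    print(f"peak {peak} devices vs average {avg:.1f}: size for the peak")
    # 1 Gbps link, AV on, 200 users at the peak: throughput capped at 300 Mbps and over rating
    print(size_check(fg100d, link_mbps=1000, peak_users=200))
```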
There is a lot more to the actual administration of your firewall than what we have gone over today (NAT, VPN management, rules, etc.), but this is a good place to start when looking at buying a new firewall or upgrading an existing one. Vault Networks can not only assist you with managing the more advanced elements of your firewall, but we can also help procure the hardware, as we have key relationships with several firewall manufacturers. To learn more about implementing a firewall in your environment, or for questions about what you will need, reach out to us at (305) 735-8098 option 2 or by emailing email@example.com.