
Product Rating
FortiGate 5020
Gateway Security 5440
Internet Security & Acceleration Server 2004 Enterprise Edition
Nokia IP380
Nortel Switched Firewall 6624
Pro 5060f
TSP3600


This was a very difficult group to judge. In choosing a solution, many of your criteria will relate to what fits with your current network. With that in mind, we have decided to give our Best Buy award to the Nokia IP380. It is not the fastest firewall in Nokia's range, but it is indicative of what you can expect from the firm: good performance and excellent management. We particularly like the way that the platform's management can be separated into hardware and software. This product shows how two companies can work together to create a product better than the sum of the parts.
This month's Recommended award goes to Fortinet's FortiGate 5020. The excellent chassis is fault-tolerant and can house two firewall blades. With in-built AV, this comprehensive product offers more than just a firewall at no extra cost.
Enterprise firewalls (2005)
Enterprises have particular needs when it comes to firewalls, which meant doing a group test just for larger organizations. Christopher Moody wades through the product jungle to find the best around.
As we discovered last month when we reviewed 16 SME firewalls, the role of these products has changed a lot, to the point that it is now common to expect anti-virus, intrusion detection and web content filtering as well as secure filtering.
But there is still one section of the market where this is not as important: the enterprise. In this sector, such additional protection will be catered for by third-party products, which can be distributed and scaled to fit.
For this reason, we have seven enterprise firewalls on review this month, and we are looking at different criteria. First, enterprise environments are large and can be difficult to manage. As well as having hundreds, even thousands, of firewalls to manage, there are additional problems to consider.
As well as the sheer volume of firewalls, there is also a need to delegate management among different administrators. This role-based administration can be by department or even by task. It is clear that web-based management, while good for a targeted, firewall-specific task, is not enough.
For that reason, we investigated all the products to see what additional, centralized management is available. Ideally, a flexible product is needed.
We examined the options to make sure that, as well as role-based administration, the management software supports simple policy distribution; it stands to reason that once a policy has been implemented, most firewalls on the network will need it without having to manually recreate it on each machine.
Good management software also provides a way of reusing network objects in multiple rules and storing policies centrally. This makes it simple, for instance, to plug in a new firewall and get it secured in a matter of minutes. It is this kind of speed and efficiency that enterprise networks need.
Of course, where enterprise firewalls really come into their own is the performance they offer. Made to be installed on large networks, these firewalls have to cope with large amounts of traffic without noticeable slow-down. With Gigabit speeds, or faster, there is a clear need for high-performance appliances and software.
So for each firewall, we examined how many ports it comes with and of what type, as well as the quoted throughput. In addition to the standard copper ports featured in many mid-sized firewalls, we looked for fiber capability. Enterprise firewalls need to fit into existing infrastructures.
Speed without reliability is a danger, so we also focused on the high-availability features of each product. For starters, this meant examining the load balancing and failover options of each product. Load balancing helps to increase performance, while failover means that there is always a backup ready to take over.
Hardware should also be built to be resilient to faults. For the larger products, we examined how many power supplies each had. We also checked how many power inputs each had. Other reliability options have also been examined.
Ultimately, though, these products are firewalls first and foremost and the security they deliver is very important. To this end, we have reviewed them like we would any other product: examining installation, documentation and configuration. While centralized management might provide a simple way to flash over a security policy, it is still crucial that a firewall can be put on a network in a straightforward manner.
For each firewall, we examined how security is configured. In particular, we looked for flexible policy management. For example, firewalls that can easily be configured to filter traffic based on source address, as well as port numbers, offer more flexibility, because they are less dependent on the physical layout of the network.
As with last month's group test, firewalls are notoriously difficult to test accurately, because the security is generally only as tight as the policies employed. To this end, we set up the same set of basic rules on each device and tested that they were enforced – in each case they were. But we also looked at the default policy, because this can often be insecure and, unless wiped, can cause conflicts and problems with rules you introduce.
Finally, while features such as antivirus and intrusion detection are less important at this level, because they will be provided by separate systems, we were still interested in each firewall's extra features. In most enterprises, there will be branch offices where a single box to provide all security is advantageous. For these situations, it is reassuring to know that the firewall you choose will integrate into your existing management structure and accept defined security policies.

