Although stateful packet inspection is a fully mature and stable concept in network security, the firewall market itself is not at all static. The steady evolution toward unified threat management (UTM) is producing products with increasingly broad feature sets, a trend which was very much in evidence in this test. Although still ostensibly network edge firewalls, most of these products included VPN, anti-virus, anti-spam, content filtering, intrusion detection and more.
This is an interesting shift, since even last year we saw a definite divide between enterprise-class firewalls and separate, best-of-breed content filtering. While many customers will still deploy their defenses in this way, some will prefer the UTM approach, and the firewall manufacturers have had to move quickly to keep abreast of this demand.
Application proxies have really come into their own in content protection, and are now very much a standard feature in firewalls. Malware protection and content policies can be applied to proxied web and email traffic, making the firewall an integral part of active security and compliance, rather than just a glorified router acting as a sieve.
We reviewed the firewalls by setting up a network mimicking a sample enterprise, then set up standard configurations to provide normal network services. We also tested VPN tunnels, detection and response to attacks (such as denial-of-service), and more advanced features such as quality of service restrictions, complex content filtering rules, and the product’s resilience to attacks directed against the firewall itself.
The firewalls were connected between our test network LAN and an external segment with nodes posing as branch office sites, remote workers and attackers. The internal network included a DMZ containing public web and mail servers and a LAN with workstations, including some posing as malicious insiders.
We looked for enterprise features such as VLAN support, quality of service (QoS) and VoIP, and were pleased to see that most of the devices being tested provided some form of bandwidth limiting or QoS support. With web-based applications and web services on the rise, and VoIP in more common use, we expect to see more edge devices offering fully capable traffic prioritization, class-based queues and bandwidth limits, ensuring that business-critical traffic is not only filtered but guaranteed at least a working minimum of operating bandwidth.
We didn’t only test how secure each product was against external attack. We probed them internally – attacking the configuration interfaces from within "trusted" segments – to see if a malicious insider could bypass security, either to avoid content filtering or to allow a full-blown network attack. The insider risk cannot be completely avoided (a suborned firewall administrator is a simple worst-case scenario), but it can be mitigated with role-based delegation and strong auditing, so we paid particular attention to these.
As well as delegated administration, we also investigated policy management across multiple devices. Large enterprises (or any with a network of branch offices) need to manage consistent policies across multiple edge devices. This is an area where the all-pervasive web GUIs tend to fall down: most do not offer facilities to push policies out to other devices.
Although this test focused on core packet filtering and network protection, we did spend time on each product looking at how well-integrated the other features were. It is one thing to glue 10 different features together in a single chassis, but more difficult to provide a unified management interface that can consistently apply policies and definitions across the full suite, and provide integrated reporting and analysis.
Given the very active role that firewalls play in overall security, you would expect to see plenty of emphasis on reporting and event analysis out of the box, but there are two schools of thought. On the one hand, admins do need better correlation and reporting on any product they are managing. On the other, full-scale analysis and reporting is an intensive job that absorbs resources a heavily loaded device might not have to spare – you are probably better off logging to a remote server and performing offline analysis. So while some of these products lacked the more advanced log management features of others, it was not too much of a concern.
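The offline analysis the paragraph argues for can be quite simple once the firewall is forwarding its logs off-box. The script below is an added example, not code from the review or from any product tested: it parses a constructed, generic key/value deny log (the `action=`, `src=`, `dst=`, `dport=` and `rule=` field names are assumptions, not any vendor's format), totals denies per rule and per source, and flags sources whose denied connections touched many distinct ports on one host, which is the kind of summary a remote log server can produce without taxing the firewall itself.

```python
"""Offline analysis of firewall deny logs collected on a remote syslog host.

Added example. The log layout ("action=... src=... dst=... dport=... rule=...")
is a constructed, generic format; the field names are assumptions and do not
correspond to any product in the review.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines a remote collector might hold for one firewall.
SAMPLE_LOG = """\
2006-03-01T10:00:01 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=22 rule=default-deny
2006-03-01T10:00:02 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=23 rule=default-deny
2006-03-01T10:00:02 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=25 rule=default-deny
2006-03-01T10:00:03 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=80 rule=default-deny
2006-03-01T10:00:03 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=443 rule=default-deny
2006-03-01T10:00:04 fw1 action=deny src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=3389 rule=default-deny
2006-03-01T10:00:05 fw1 action=allow src=192.0.2.20 dst=198.51.100.10 proto=tcp dport=80 rule=dmz-web
2006-03-01T10:00:06 fw1 action=deny src=192.0.2.21 dst=198.51.100.10 proto=tcp dport=25 rule=block-insider-smtp
2006-03-01T10:00:07 fw1 action=deny src=192.0.2.21 dst=198.51.100.10 proto=tcp dport=25 rule=block-insider-smtp
2006-03-01T10:00:08 fw1 action=allow src=192.0.2.22 dst=198.51.100.11 proto=udp dport=53 rule=lan-dns
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into (timestamp, host, {key: value}); None if malformed."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    ts, host, rest = parts
    fields = dict(KV_RE.findall(rest))
    if "action" not in fields or "src" not in fields:
        return None
    return ts, host, fields


def analyse(log_text, sweep_threshold=5):
    """Aggregate denies per rule and per source.

    Also flag (src, dst) pairs whose denied connections touched at least
    sweep_threshold distinct destination ports: a crude port-sweep indicator
    that is cheap to compute offline but wasteful to run on the firewall.
    """
    denies_by_rule = Counter()
    denies_by_src = Counter()
    ports_seen = defaultdict(set)  # (src, dst) -> set of denied dports
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        _, _, f = parsed
        if f["action"] != "deny":
            continue
        denies_by_rule[f.get("rule", "?")] += 1
        denies_by_src[f["src"]] += 1
        if "dport" in f and "dst" in f:
            ports_seen[(f["src"], f["dst"])].add(f["dport"])
    sweeps = sorted(pair for pair, ports in ports_seen.items()
                    if len(ports) >= sweep_threshold)
    return {"denies_by_rule": denies_by_rule,
            "denies_by_src": denies_by_src,
            "sweeps": sweeps}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for rule, n in report["denies_by_rule"].most_common():
        print(f"{n:5d} denies  rule={rule}")
    for src, dst in report["sweeps"]:
        print(f"possible port sweep against {dst} from {src}")
```

Because the analysis runs against the collected copy, the threshold and the grouping can be tuned and re-run as often as needed without touching the firewall's own configuration or load.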
As for the high-availability features of the enterprise devices being tested, most offer at least failover capability which, in most cases, is easily configured. But beyond one-to-one failover, more powerful clustering and load balancing is still not pervasive, and few of these products offered much here.