7.2. Evaluate the Available ProductsWhen you know what you need to do, and what constraints you have, you can start looking at the products available to you. At this stage, people often ask "What's the best firewall?", to which the standard answer is "How long is a piece of string?" -- a sarcastic way of suggesting that the answer is, as always, "It depends". Here are some things to keep in mind as you go through the process of determining what's best for your situation.
7.2.1. ScalabilityAs your site gets larger, or your Internet usage gets larger, how are you going to grow the solution? Can you increase the capacity without changing anything fundamental (for instance, by adding more memory, more CPUs, a higher-speed interface, an additional interface)? Can you duplicate pieces of the configuration to get extra capacity, or will that require reconfiguring lots of client machines, or break functionality?
For instance, if you are using proxying, it may be difficult to add a second proxy host because clients will need to be reconfigured. If you are using stateful packet filtering, it may be impossible to add a second packet filter. Stateful packet filtering relies on having the packet filter see all the packets that make up a connection; if some packets go through one filter, but other packets don't, the two filters will have different state and make different decisions. Either the packet filters need to exchange state, or you need to scale up by making a single packet filter larger.
7.2.2. Reliability and RedundancyIn many situations, a firewall is a critical piece of the network; if it stops passing traffic, important parts of your organization may be unable to function. You need to decide how important the firewall you're designing is going to be, and if it requires high availability, you need to evaluate solutions on their ability to provide high reliability and/or redundancy. Can you duplicate parts? Can you use high-availability hardware?
7.2.3. AuditabilityHow are you going to tell whether the firewall is doing what you want? Is there a way to set up accurate logging? Can you see details of the configuration, or is your only access through a graphical user interface that gives only an overview? If you are putting multiple pieces in multiple places, can you see what's going on from a single centralized place?
7.2.4. PriceThe price of specialized components is the most visible part of a firewall's price, and often the most visible criterion in the entire evaluation. However appallingly high it may seem, it's not the entire price. Like any other computer system, a firewall has significant costs besides the initial purchase price:
7.2.5. Management and ConfigurationIn order for a firewall to be useful, you need to be able to configure it to meet your needs, change that configuration as your needs change, and do day-to-day management of it. Who is going to do the configuration? What sort of management and configuration tools are available? Do they interface well with your existing environment?
7.2.6. AdaptabilityYour needs will change over the lifetime of the firewall, and the firewall will need to change to meet them. What will happen when you need to add new protocols? What will happen if new attacks come out based on malformed packets? If the firewall can adapt, do you have the expertise to make the needed changes, or will you need assistance from the vendor or a consultant?
7.2.7. AppropriatenessOne size does not fit all; these days, even clothing manufacturers have revised the motto to "One size fits most". It's not clear that even that statement holds true for firewalls. The sort of solution that's appropriate for a small company that does minimal business over the Internet is not appropriate for a small company that does all of its business over the Internet, and neither of those solutions will be appropriate for a medium or large company. A university of any size will probably need a different solution from a company.
You are not looking for the perfect firewall; you are looking for the firewall that best solves your particular problem. (This is good, because there is no perfect firewall, so looking for it is apt to be unrewarding.) You should not pay attention to absolute statements like "Packet filtering doesn't provide enough security" or "Proxying doesn't provide enough performance". On a large network, the best solution will almost always involve a combination of technologies. On a small network, the best solution may well involve something that's said to be "insecure" or "low performance" or "unmaintainable" -- maybe you don't need that much security, or performance, or maintainability.
You can think of it two ways. Either there are no bad firewalls, only good firewalls used in silly ways, or there are no good firewalls, only bad firewalls used in places where their weaknesses are acceptable. Either way, the trick is to match the firewall to the need.
Copyright © 2002 O'Reilly & Associates. All rights reserved.