Although every company should employ firewalls to keep its networks and data safe from bad guys, larger enterprises tend to have an even deeper need for breach-proof perimeters.
With multiple offices, thousands of employees and a wealth of electronic access points into their systems, these big enterprises must lock down a great deal of infrastructure to stay safe.
Thanks to vendors that are committed to providing the locks, CIOs can sleep a bit better. Although no firewall solution is perfect, several can do the job well and keep even the largest enterprises relatively secure. So, which are the best firewalls for big business?
Not surprisingly, most firewalls for big companies are produced by the market-leading companies in this space: Cisco, Check Point (Nasdaq: CHKP) and NetScreen (Nasdaq: NSCN). There are smaller contenders, such as Sidewinder from Secure Computing, but when it comes to overall firewall implementation, the top three are unchallenged at this point.
According to Michael Rasmussen, Giga Information Group research director, there is room for all three major players in the market because different firewalls have different functionalities.
“For centralized management, Check Point is very strong,” Rasmussen told the E-Commerce Times. “On speed, NetScreen wins hands down as the fastest firewall. And Cisco is Cisco.”
Which one is installed depends on an IT department’s preferences and areas of expertise. “It all depends on your architecture,” Rasmussen said. “Sometimes there’s a trade-off on speed for security.”
Richard Stiennon, Internet security research director at Gartner, told the E-Commerce Times that there are enough products on the market to fit most budgets. “They’re all on a similar enough platform that they’re manageable from a central console, too,” he said.
With its security certifications and reputation as a leader, Cisco is certainly one of the top dogs in the pack.
“We have a very broad portfolio,” Cisco product manager Mike Jones told the E-Commerce Times. “Basically, it’s based on different price/performance levels.”
The company’s overall product family is the Cisco PIX 500 series, with five firewalls available that offer increasing levels of protection at increasing cost. The lowest-priced appliance is the PIX 501, built for small office and telework customers.
Large enterprises should focus on the company’s higher-end solutions, such as the PIX 525 and, especially, the highly scalable PIX 535, Jones said.
The 535 provides 1 Gbps of firewall throughput and can handle up to 500,000 concurrent connections. Some models include integrated hardware acceleration for VPN (virtual private network) traffic, delivering up to 95 Mbps of 3DES VPN throughput and support for 2,000 IPsec tunnels. Pricing starts at US$29,995.
Although hardware flaws caused several Cisco firewalls to hang in 2001, the company seems to have worked out the kinks and has assuaged affected users by sending them rush replacements for the affected boxes.
Rival Check Point “has first-mover advantage,” Sweta Duseja, product marketing manager at the company, told the E-Commerce Times. “We definitely have an inherent lead, and it gives us great hold over the market in terms of brand recognition.”
The company’s flagship product is called Firewall-1. Although it is possible to buy this firewall on a per-seat basis, large enterprises likely will be more drawn toward a bundled arrangement.
Starting at $19,000, an enterprise can purchase a Firewall-1 Gateway Bundle, which includes an enforcement point protecting an unlimited number of IP addresses. The bundles utilize Check Point’s security management architecture, which provides one-click centralized policy distribution.
As Rasmussen mentioned, this centralized management ability is a strong quality for Check Point. The company also has worked to secure the application level as well as the network level.
Duseja noted that this is an important addition to any firewall, because hackers have been targeting applications with greater frequency in recent months and years. “You need to be able to protect anything that touches the corporate LAN,” she said.
As the most recent entrant in the field, NetScreen is holding its own against its larger competitors. As Rasmussen noted, “NetScreen has a hardware-based appliance and a very focused custom operating system that’s compelling.”
For a large enterprise, the company recommends a central site system like its NetScreen-5000 series, which features customized hardware configurations based on interface, power supply and performance needs.
The mightiest offering in this product line, the NetScreen-5400, is a 12 Gbps firewall that supports 1,000,000 concurrent sessions. It includes a 6 Gbps 3DES VPN with 25,000 IPsec tunnels. Although its pricing depends on customization options, the lower-end NetScreen-5200’s price tag of $99,000 should give enterprises a rough idea of how much its big brother might cost.
Larger distributed deployments are administered through NetScreen-Global PRO, which manages all firewall and VPN devices from a single interface.
Although Cisco, Check Point and NetScreen are the three firms that big enterprises turn to at present, the firewall world is one in which startups still can flourish, according to Stiennon.
“We see the firewall space as changing dramatically in the next few years,” he said. “There’s an opportunity for startups to challenge existing vendors to change their technology.”
Moreover, as large vendors work more diligently to keep networks and applications secure — and to stay ahead of the pack — big enterprises can only benefit from the race to make the best firewall.
Let’s be realistic: all three of the top firewalls mentioned have had serious vulnerabilities identified and reported in the press in the past 12 months. In the article the author notes that large enterprises have no choice in today’s threat-laden environment but to implement the most secure firewall technology available. Although it is only mentioned as a "small contender", I really think that the author needs to address the fact that only Sidewinder, from Secure Computing, has never had a vulnerability posted against it (in over 10 years as a commercial product), and that, as of the latest release (appliance format with available enterprise-wide management capabilities), the Sidewinder G2 appliance family outperforms and maintains better security than the three "top contenders". And as of recently, it is the most highly certified firewall available on the market.
When is the press going to realize that market share doesn’t always equate to good security, and that just because a company has a well-known name, it doesn’t mean they sell good security?
Dave Papas, Secure Computing Corporation